Applies To:
Show VersionsBIG-IP APM
- 16.1.5
BIG-IP Analytics
- 16.1.5
BIG-IP Link Controller
- 16.1.5
BIG-IP LTM
- 16.1.5
BIG-IP PEM
- 16.1.5
BIG-IP AFM
- 16.1.5
BIG-IP DNS
- 16.1.5
BIG-IP FPS
- 16.1.5
BIG-IP ASM
- 16.1.5
BIG-IP Release Information
Version: 16.1.5.1
Build: 7.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
The blue background highlights fixes |
Cumulative fixes from BIG-IP v16.1.5 that are included in this release
Cumulative fixes from BIG-IP v16.1.4.3 that are included in this release
Cumulative fixes from BIG-IP v16.1.4.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v16.1.4 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.5 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.4 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.3 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v16.1.3 that are included in this release
Cumulative fixes from BIG-IP v16.1.2.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v16.1.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.1 that are included in this release
Known Issues in BIG-IP v16.1.x
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1615861-2 | 3-Major | TMUI hardening | 16.1.5.1, 15.1.10.5 |
Cumulative fixes from BIG-IP v16.1.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
983073-3 | CVE-2024-41727 | K000138833 | Certain traffic to ixlv & iavf can cause memory leak. | 17.1.0, 16.1.5 |
1507913-2 | CVE-2023-50868 | K000139084, BT1507913 | CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources | 16.1.5 |
1507569-2 | CVE-2023-50387 | K000139092, BT1507569 | KeyTrap: Extreme CPU consumption in DNSSEC validator | 16.1.5 |
1506049-2 | CVE-2023-4408 | K000138990, BT1506049 | Parsing large DNS messages may cause excessive CPU load | 16.1.5 |
1105589-2 | CVE-2024-39778 | K05710614, BT1105589 | HSB lockup using stateless virtual server | 17.1.1, 16.1.5 |
989373-7 | CVE-2020-14314 | K67830124, BT989373 | CVE-2020-14314 kernel: buffer uses out of index in ext3/4 filesystem | 16.1.5, 15.1.9 |
948725-7 | CVE-2024-41723 | K10438187, BT948725 | An undisclosed iControl REST endpoint may provide a list of usernames to unauthorized users | 17.1.1, 16.1.5 |
1308269 | CVE-2022-4304 | K000132943, BT1308269 | OpenSSL vulnerability CVE-2022-4304 | 17.1.1, 16.1.5 |
1295017-4 | CVE-2024-41164 | K000138477, BT1295017 | TMM crash when using MPTCP | 17.1.1, 16.1.5, 15.1.10 |
1026873-7 | CVE-2020-27618 | K08641512, BT1026873 | CVE-2020-27618: iconv hangs when converting some invalid inputs from several IBM character sets | 16.1.5, 15.1.9 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
737692-5 | 2-Critical | BT737692 | Handle x520 PF DOWN/UP sequence automatically by VE | 17.1.1, 16.1.5, 15.1.3.1 |
1069441-3 | 3-Major | BT1069441 | Cookie without '=' sign does not generate rfc violation | 17.1.1, 16.1.5, 15.1.10 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1395081-2 | 1-Blocking | K000137514, BT1395081 | Remote users are unable to generate authentication tokens | 17.1.1.1, 16.1.5 |
1147633-2 | 1-Blocking | Hardening of token creation by users with an administrative role | 17.1.1, 16.1.5 | |
997793-3 | 2-Critical | K34172543, BT997793 | Error log: Failed to reset strict operations; disconnecting from mcpd★ | 16.1.5 |
776117-1 | 2-Critical | BT776117 | BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type | 17.1.1, 16.1.5, 15.1.10 |
1593681-2 | 2-Critical | Monitor validation improvements | 16.1.5, 15.1.10.5 | |
1410953-2 | 2-Critical | BT1410953 | Keymgmtd coring or restarting in loop when we have an empty crl file inside crl_file_cache_d path. | 16.1.5 |
1394445-2 | 2-Critical | BT1394445 | Password-memory is not remembering passwords to prevent them from being used again | 16.1.5 |
1378329-2 | 2-Critical | K000137353 | Secure internal communication between Tomcat and Apache | 16.1.5, 15.1.10.5 |
1366089 | 2-Critical | BT1366089 | HSB firmware version 2.12.4.0 bitstream release for VIPRION B2250 blade | 16.1.5 |
1360757 | 2-Critical | BT1360757 | The OWASP compliance score generation failing with error 501 "Invalid Path" | 16.1.5 |
1295481-2 | 2-Critical | BT1295481 | FIPS keys are not restored when BIG-IP license is renewed after it expires | 17.1.1, 16.1.5 |
1269593-2 | 2-Critical | K000137127, BT1269593 | SSH client fails to connect using host key type ssh-rsa | 16.1.5 |
1191137-3 | 2-Critical | BT1191137 | WebUI crashes when the localized form data fails to match the expectations | 17.1.1, 16.1.5, 15.1.9 |
1113609-2 | 2-Critical | BT1113609 | GUI unable to load Bot Profiles and tmsh is unable to list them as well. | 17.1.1, 16.1.5 |
1075681-1 | 2-Critical | CVE-2020-17541 - Libjpeg-turbo all version have a stack-based buffer overflow in the "transform" component | 16.1.5 | |
1004929-1 | 2-Critical | BT1004929 | During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. | 17.0.0, 16.1.5, 15.1.5, 14.1.4.5, 13.1.5 |
998957-1 | 3-Major | BT998957 | MCPD consumes excessive CPU while collecting statistics | 17.1.0, 16.1.5 |
997561-5 | 3-Major | BT997561 | TMM CPU imbalance with GRE/TB and GRE/MPLS traffic | 17.1.1, 16.1.5, 15.1.10 |
969345-1 | 3-Major | BT969345 | Temporary TMSH files not always removed after session termination | 16.1.5 |
955953-5 | 3-Major | BT955953 | iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg' | 17.0.0, 16.1.5, 15.1.10 |
950153-3 | 3-Major | BT950153 | LDAP remote authentication fails when empty attribute is returned | 17.1.1, 16.1.5, 15.1.10 |
942217-6 | 3-Major | BT942217 | Virtual server rejects connections even though the virtual status is 'available' | 16.1.5 |
715748-7 | 3-Major | BT715748 | BWC: Flow fairness not in acceptable limits | 17.1.1, 16.1.5, 15.1.10 |
673952-6 | 3-Major | BT673952 | 1NIC VE in high availability (HA) device-group shows 'Changes Pending' after reboot | 17.0.0, 16.1.5 |
605966-9 | 3-Major | BT605966 | BGP route-map changes may not immediately trigger route updates | 16.1.5 |
586948-2 | 3-Major | BT586948 | Dynamic toggling for HSB hardware checksum validation | 17.1.0, 16.1.5 |
1496269-2 | 3-Major | BT1496269 | VCMP guest on version 16.1.4 or above might experience constant TMM crashes.★ | 16.1.5 |
1491165-1 | 3-Major | BT1491165 | TMM crashes when saving DAG setting and there are 7 or more blades | 16.1.5 |
1472853-2 | 3-Major | BT1472853 | PVA may not fully come up on large platforms with many tmms | 16.1.5 |
1398229-1 | 3-Major | BT1398229 | Enabling support for SSH-RSA in Non FIPS mode | 16.1.5 |
1353957-2 | 3-Major | K000137505, BT1353957 | The message "Error getting auth token from login provider" is displayed in the GUI★ | 17.1.1.2, 16.1.5 |
1350717-3 | 3-Major | BT1350717 | When the client IP address changes immediately after the authentication to the Configuration Utility, HTTPD could enforce the source IP check even if 'auth-pam-validate-ip' is set to 'off' | 16.1.5 |
1350693-2 | 3-Major | BT1350693 | Log publisher using replicated destination with unreliable destination servers may leak xfrags | 16.1.5 |
1345989 | 3-Major | BT1345989 | "Rest framework is not available" being displayed when navigating to the "Device Management >> Overview" page | 16.1.5 |
1338993-2 | 3-Major | BT1338993 | Failing to fetch the installed RPM, throwing an error Object contains no token child value | 17.1.1, 16.1.5 |
1326501-2 | 3-Major | BT1326501 | Configure DAG fold_bits to improve connection distribution | 16.1.5 |
1322701-3 | 3-Major | Vulnerability scanner reports BIG-IP is disclosing sensitive information | 16.1.5 | |
1320389-1 | 3-Major | BT1320389 | vCMP guest loses connectivity because of bad interface mapping | 16.1.5 |
1312225-2 | 3-Major | BT1312225 | System Integrity Status: Invalid with some Engineering Hotfixes | 16.1.5 |
1311125-3 | 3-Major | BT1311125 | DDM Receive Power value reported in ltm log is ten times too high | 17.1.1, 16.1.5 |
1305125-2 | 3-Major | BT1305125 | Ssh to localhost not working with ssh-rsa | 17.1.1, 16.1.5 |
1298133-3 | 3-Major | BT1298133 | BFD sessions using floating self IP do not work well on multi-blade chassis | 16.1.5 |
1297257-2 | 3-Major | BT1297257 | Pool member Forced Offline then Enabled is marked down on peer after Incremental sync | 16.1.5 |
1296553-1 | 3-Major | BT1296553 | Include RQM Debug registers in hsb_snapshot for B2250 blade | 16.1.5 |
1294109-3 | 3-Major | BT1294109 | MCP does not properly read certificates with empty subject name | 16.1.5 |
1293193-2 | 3-Major | BT1293193 | Missing MAC filters for IPv6 multicast | 17.1.1, 16.1.5, 15.1.10 |
1291217-1 | 3-Major | BT1291217 | EasySoap++-0.6.2 is not coded to add an SNI | 16.1.5 |
1186649 | 3-Major | BT1186649 | TMM keep crashing after vCMP Guest Upgrade to BIG-IP v16.1.3.2★ | 16.1.5 |
1181757-4 | 3-Major | BT1181757 | BGPD assert when sending an update | 16.1.5 |
1154381-4 | 3-Major | BT1154381 | The tmrouted might crash when management route subnet is received over a dynamic routing protocol | 17.1.1, 16.1.5, 15.1.10 |
1147849-4 | 3-Major | Rest token creation does not follow all best practices | 16.1.5 | |
1135961-7 | 3-Major | BT1135961 | The tmrouted generates core with double free or corruption | 17.1.1, 16.1.5, 15.1.9 |
1134509-4 | 3-Major | BT1134509 | TMM crash in BFD code when peers from ipv4 and ipv6 families are in use. | 17.1.1, 16.1.5, 15.1.10 |
1134057-4 | 3-Major | BT1134057 | BGP routes not advertised after graceful restart | 17.1.1, 16.1.5, 15.1.9 |
1125733-3 | 3-Major | BT1125733 | Wrong server-side window scale used in hardware SYN cookie mode | 17.1.0, 16.1.5, 15.1.9 |
1113693-3 | 3-Major | BT1113693 | SSL Certificate List GUI page takes a long time to load | 16.1.5 |
1111993-2 | 3-Major | BT1111993 | HSB tool utility does not display PHY settings for HiGig interfaces | 17.1.0, 16.1.5, 15.1.10 |
1104773-6 | 3-Major | REST API Access hardening | 17.1.1, 16.1.5 | |
1102837-2 | 3-Major | BT1102837 | Use native driver for e810 instead of sock | 17.1.0, 16.1.5, 15.1.7 |
1093973-7 | 3-Major | BT1093973 | Tmm may core when BFD peers select a new active device. | 16.1.5 |
1086393-1 | 3-Major | BT1086393 | Sint Maarten and Curacao are missing in the GTM region list | 17.1.1, 16.1.5 |
1064893-1 | 3-Major | BT1064893 | Keymgmtd memory leak occurs while configuring ca-bundle-manager. | 17.0.0, 16.1.5 |
1042589-1 | 3-Major | BT1042589 | Wrong trunk_id is associated in bcm56xxd. | 17.0.0, 16.1.5, 15.1.10 |
1040573-4 | 3-Major | BT1040573 | REST operation takes a long time when two different users perform tasks in parallel | 16.1.5 |
1040117-2 | 3-Major | BT1040117 | BIG-IP Virtual Edition drops UDP packets | 17.1.1, 16.1.5, 15.1.10 |
1035661-4 | 3-Major | BT1035661 | REST Requests return 401 Unauthorized when using Basic Auth | 16.1.5 |
1020129-2 | 3-Major | BT1020129 | Turboflex page in GUI reports 'profile.Features is undefined' error★ | 17.1.1, 16.1.5, 15.1.10 |
1019429-1 | 3-Major | BT1019429 | CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated | 17.0.0, 16.1.5, 15.1.4.1 |
1009793-2 | 3-Major | BT1009793 | Tmm crash when using ipsec | 16.1.5 |
857045-4 | 4-Minor | BT857045 | LDAP system authentication may stop working | 16.1.5 |
1355149-3 | 4-Minor | BT1355149 | The icrd_child might block signals to child processes | 16.1.5 |
1320889-3 | 4-Minor | BT1320889 | Sock interface driver might fail to forward some packets. | 17.1.1, 16.1.5 |
1292493 | 4-Minor | BT1292493 | Enforcement of non-approved algorithms in FIPS or Common Criteria mode. | 16.1.5 |
1280281-1 | 4-Minor | BT1280281 | SCP allow list may have issues with file paths that have spaces in them | 17.1.1, 16.1.5, 15.1.10 |
1145729-3 | 4-Minor | BT1145729 | Partition description between GUI and REST API/TMSH does not match | 17.1.1, 16.1.5 |
1136837-4 | 4-Minor | BT1136837 | TMM crash in BFD code due to incorrect timer initialization | 17.1.1, 16.1.5, 15.1.10 |
1089005-4 | 4-Minor | BT1089005 | Dynamic routes might be missing in the kernel on secondary blades. | 16.1.5 |
1064753-4 | 4-Minor | BT1064753 | OSPF LSAs are dropped/rate limited incorrectly. | 16.1.5, 15.1.10 |
1046025-3 | 4-Minor | BT1046025 | The iavf and ixlv drivers have incorrect VHO flag for all packets | 17.1.0, 16.1.5 |
1044893 | 4-Minor | BT1044893 | Kernel warnings from NIC driver Realtek 8139 | 17.1.1, 16.1.5, 15.1.10 |
1003081-3 | 4-Minor | BT1003081 | GRE/TB-encapsulated fragments are not forwarded. | 17.1.1, 16.1.5, 15.1.10 |
997269-1 | 5-Cosmetic | BT997269 | The management-dhcp contextual help for supersede-options is not available | 17.0.0, 16.1.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
994973-1 | 2-Critical | BT994973 | TMM crash with do_drivers_probe() | 16.1.5 |
965897-4 | 2-Critical | BT965897 | Disruption of mcpd with a segmentation fault during config sync | 17.1.1, 16.1.5, 15.1.10 |
927633-4 | 2-Critical | BT927633 | Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic | 16.1.5 |
1496457-2 | 2-Critical | TMM crash under certain traffic patterns when an HTTP/2 profile is applied. | 16.1.5 | |
1346101-1 | 2-Critical | BT1346101 | SSL Orchestrator can crash TMM | 16.1.5 |
1322973-2 | 2-Critical | A particular sequence of HTTP packets may cause TMM to crash | 16.1.5 | |
1319365-2 | 2-Critical | BT1319365 | Policy with external data group may crash TMM or return nothing with search contains | 17.1.1, 16.1.5 |
1305697-3 | 2-Critical | BT1305697 | TMM may crash after performing a full sync, when in-tmm monitors are configured and ssl-profile is changed | 17.1.1, 16.1.5 |
1298029-3 | 2-Critical | BT1298029 | DB_monitor may end the wrong processes | 17.1.1, 16.1.5 |
1209197-1 | 2-Critical | BT1209197 | Gtmd crash with SIGSEGV while importing or exporting a key or certificate to the BIG-IP | 17.1.0, 16.1.5 |
1105145-2 | 2-Critical | BT1105145 | Request body on server side egress is not chunked when it needs to be after HTTP processes a 100 continue response. | 17.1.0, 16.1.5 |
1078741-2 | 2-Critical | BT1078741 | Tmm crash | 17.0.0, 16.1.5 |
1072377-3 | 2-Critical | BT1072377 | TMM crash in rare circumstances during route changes | 17.1.0, 16.1.5, 15.1.10 |
996649-6 | 3-Major | BT996649 | Improper handling of DHCP flows leading to orphaned server-side connections | 17.1.1, 16.1.5, 15.1.10 |
874877-4 | 3-Major | BT874877 | The bigd monitor reports misleading error messages | 16.1.5 |
1505753-1 | 3-Major | BT1505753 | Maximum Fragment Length extension is not visible in ServerHello even though it is present in ClientHello | 16.1.5 |
1494293-4 | 3-Major | BT1494293 | BIG-IP might fail to forward server-side traffic after a routing disruption occurs. | 16.1.5 |
1494137-1 | 3-Major | BT1494137 | Translucent mode vlan-group uses wrong MAC when sending ICMP to client | 16.1.5 |
1429897 | 3-Major | BT1429897 | NShield netHSM : Creating new nShield key does not commit this key to an external RFS with nShield 12.60 | 16.1.5 |
1400317-2 | 3-Major | BT1400317 | TMM crash when using internal datagroup | 16.1.5 |
1399645-2 | 3-Major | BT1399645 | iRule event BOTDEFENSE_ACTION validation failing a subroutine call | 16.1.5 |
1399241-2 | 3-Major | BT1399241 | QUIC occasionally erroneously sends connection close with QPACK decoder stream error | 16.1.5 |
1391081-2 | 3-Major | BT1391081 | TMM crash when running HTTP/3 and persist record | 16.1.5 |
1389225-2 | 3-Major | BT1389225 | For certain iRules, TCP::close does not close the TCP connection | 16.1.5 |
1389033-2 | 3-Major | K000137430, BT1389033 | In an iRule SSL::sessionid returns an empty value★ | 16.1.5 |
1388621-2 | 3-Major | BT1388621 | Database monitor with no password marks pool member down | 16.1.5 |
1369673-2 | 3-Major | BT1369673 | OCSP unable to staple certificate chain | 16.1.5 |
1366593-2 | 3-Major | BT1366593 | HTTPS monitors can fail when multiple bigd processes use the same netHSM | 16.1.5 |
1366217-2 | 3-Major | BT1366217 | The TLS 1.3 SSL handshake fails with "Decryption error" when using dynamic CRL validator | 16.1.5 |
1347569-1 | 3-Major | BT1347569 | TCL iRule not triggered due to handshake state exceeding trigger point | 16.1.5 |
1312041 | 3-Major | BT1312041 | Connection RST with reason "STREAM max match size exceeded" after upgrading to v16.1.x★ | 16.1.5 |
1311053-2 | 3-Major | BT1311053 | Invalid response may be sent to a client when a http compression profile and http analytics profile attached to a virtual server | 16.1.5 |
1306249-1 | 3-Major | BT1306249 | Hourly spike in the CPU usage causing delay in TLS connections★ | 16.1.5 |
1305361-2 | 3-Major | BT1305361 | Flows that are terminated by an ILX streaming plugin may not expire immediately | 17.1.1, 16.1.5 |
1305329 | 3-Major | BT1305329 | HTTP iRule event HTTP_REQUEST_DATA is triggered even though there is no data collected via HTTP::collect command. | 16.1.5 |
1304189-3 | 3-Major | BT1304189 | Duplicate SYNs to a mirrored FastL4 virtual may result in connection failures | 17.1.1, 16.1.5 |
1302077-4 | 3-Major | BT1302077 | Virtual address statistics being counted for different virtual address after changing the destination address of a virtual server | 17.1.1, 16.1.5 |
1300925-3 | 3-Major | BT1300925 | Shared memory race may cause TMM to core | 17.1.1, 16.1.5 |
1294289-2 | 3-Major | BT1294289 | SSL Persist leaks memory on when client and server hello exceeds MSS | 16.1.5 |
1284413 | 3-Major | BT1284413 | After upgrade to 16.1.3.2 from 16.0.1.1, BIG-IP can send CONNECT requests when no proxy select agent is used★ | 16.1.5 |
1284261-3 | 3-Major | BT1284261 | Constant traffic on DHCPv6 virtual servers may cause a TMM crash. | 17.1.1, 16.1.5, 15.1.10 |
1272501 | 3-Major | BT1272501 | Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure" | 17.1.1, 16.1.5 |
1238529-2 | 3-Major | BT1238529 | TMM might crash when modifying a virtual server in low memory conditions | 17.1.1, 16.1.5 |
1132105-2 | 3-Major | Database monitor daemon (DBDaemon) uses unsupported Java version | 16.1.5 | |
1112385-3 | 3-Major | BT1112385 | Traffic classes match when they shouldn't | 17.1.1, 16.1.5, 15.1.10 |
1088597-2 | 3-Major | BT1088597 | TCP keepalive timer can be immediately re-scheduled in rare circumstances | 17.1.1, 16.1.5, 15.1.10 |
1084965-3 | 3-Major | BT1084965 | Low visibility of attack vector | 17.1.1, 16.1.5 |
1083621-1 | 3-Major | BT1083621 | The virtio driver uses an incorrect packet length | 17.1.1, 16.1.5, 15.1.9 |
1059573-4 | 3-Major | BT1059573 | Variation in a case insensitive value of an operand in LTM policy may fail in some rules. | 17.0.0, 16.1.5, 15.1.10 |
1036873-2 | 3-Major | BT1036873 | Pre-shared key extension sometimes is not the last extension in ClientHello in TLS1.3 | 17.0.0, 16.1.5 |
1025089-1 | 3-Major | BT1025089 | Pool members marked DOWN by database monitor under heavy load and/or unstable connections | 16.1.5 |
1017421-4 | 3-Major | BT1017421 | SASP Monitor does not log significant error conditions at default logging level | 16.1.5 |
929429-8 | 4-Minor | BT929429 | Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed | 17.1.1, 16.1.5, 15.1.10 |
1489657-3 | 4-Minor | BT1489657 | HTTP/2 MRF incorrectly end stream for 100 Continue | 16.1.5 |
1462885-2 | 4-Minor | BT1462885 | LTM should send ICMP port unreachable upon unsuccessful port selection. | 16.1.5 |
1348841 | 4-Minor | BT1348841 | TMM cored with SIGSEGV when using dtls by disabling the unclean shutdown flag. | 16.1.5 |
1312105-2 | 4-Minor | BT1312105 | The tmm/ehash_stat inuse field for listener name hash is incremented but not decremented | 16.1.5 |
1304289-2 | 4-Minor | BT1304289 | Pool member monitored by both GTM and LTM monitors may be erroneously marked Down | 17.1.1, 16.1.5 |
1269773-3 | 4-Minor | BT1269773 | Convert network-order to host-order for extensions in TLS1.3 certificate request | 17.1.1, 16.1.5, 15.1.10 |
1121349-2 | 4-Minor | BT1121349 | CPM NFA may stall due to lack of other state transition | 17.1.1, 16.1.5 |
1103117-2 | 4-Minor | BT1103117 | iAppLX extension using express with httpserver script leaves lingering client-side flow on HTTP requests. | 16.1.5 |
991457-1 | 5-Cosmetic | BT991457 | The mpidump should show sequence number and higher precision date/time | 16.1.5 |
979213-1 | 5-Cosmetic | BT979213 | Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM. | 17.1.1, 16.1.5, 15.1.10 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1322497-2 | 2-Critical | BT1322497 | GTM monitor recv string with special characters causes frequent iquery reconnects | 16.1.5 |
1225061-3 | 2-Critical | BT1225061 | The zxfrd segfault with numerous zone transfers | 16.1.5 |
1212081-2 | 2-Critical | BT1212081 | The zxfrd segfault and restart loop due to incorrect packet processing | 16.1.5 |
1081473-5 | 2-Critical | BT1081473 | GTM/DNS installations may observe the mcpd process crashing | 17.1.1, 16.1.5 |
1410989-3 | 3-Major | BT1410989 | DNSX returns a malformed UDP DNS response when the answer count is nonzero but there is no answer section. | 16.1.5 |
1399809-3 | 3-Major | BT1399809 | DNS Resolution for IPv6 clients is not working when dns64 is enabled with secondary in DNS Profile. | 16.1.5 |
1313369-3 | 3-Major | BT1313369 | Significant performance drop observed for DNS cache validating resolver for responses with indeterminate and insecure validation status | 17.1.1, 16.1.5 |
1302825-3 | 3-Major | BT1302825 | Allow configuration of the number of times the CNAME chase is performed | 17.1.1, 16.1.5 |
1137569-3 | 3-Major | BT1137569 | Set nShield HSM environment variable. | 16.1.5, 15.1.10 |
1137217-2 | 3-Major | BT1137217 | DNS profile fails to set TC flag for the responses containing RRSIG algorithm 13 | 16.1.5 |
1133201-1 | 3-Major | BT1133201 | Disabling a GTM pool member results in the same virtual server no longer being monitored in other pools | 17.1.1, 16.1.5 |
1128369-1 | 3-Major | BT1128369 | GTM (DNS) /Common/bigip monitor instances may show 'big3d: timed out' state | 16.1.5 |
1100197-2 | 3-Major | BT1100197 | Mcpd message: Unable to do incremental sync, reverting to full load for device group /Common/gtm | 16.1.5 |
1100169-1 | 3-Major | BT1100169 | GTM iQuery connections may be reset after SSL key renegotiation. | 16.1.5 |
1094069-1 | 3-Major | BT1094069 | iqsyncer will get stuck in a failed state when requesting a commit_id that is not on the target GTM | 16.1.5 |
1085377-2 | 3-Major | BT1085377 | BIND9 upgrade from version 9.11 to 9.16 | 17.1.0, 16.1.5 |
1311169-3 | 4-Minor | BT1311169 | DNSSEC response is not signed when failure-rcode-response is enabled and no record is returned | 17.1.1, 16.1.5 |
1295565-3 | 4-Minor | BT1295565 | BIG-IP DNS not identified in show gtm iquery for local IP | 17.1.1, 16.1.5 |
1186789-2 | 4-Minor | BT1186789 | DNSSEC keys stored on an internal FIPS card do not work after upgrading to versions >= 16.x | 17.1.1, 16.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
890037-3 | 2-Critical | BT890037 | Rare BD process core | 16.1.5 |
1490765-2 | 2-Critical | BT1490765 | Request body can be unordered by bot-defense | 16.1.5 |
1366445-3 | 2-Critical | BT1366445 | [CORS] "Replace with" and "Remove header" CORS functionalities does not work | 16.1.5 |
1282281-3 | 2-Critical | BT1282281 | Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns | 17.1.1, 16.1.5, 15.1.10 |
939097-5 | 3-Major | BT939097 | Error messages related to long request allocation appear in the bd.log incase of big chunked requests | 17.1.1, 16.1.5 |
852613-4 | 3-Major | BT852613 | Connection Mirroring and ASM Policy not supported on the same virtual server | 16.1.5, 14.1.2.7 |
1468809-2 | 3-Major | BT1468809 | Attack signature "Staged Since" timestamp is not accurate | 16.1.5 |
1462797-2 | 3-Major | BT1462797 | TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection when an HTTP/2 request is sent | 16.1.5 |
1359281-2 | 3-Major | BT1359281 | Attack signature is not detected when the value does not have '=' | 16.1.5 |
1350141-1 | 3-Major | BT1350141 | Duplicate user-defined Signature Set based on Attack Type is created upon policy import during upgrade★ | 16.1.5 |
1348425-3 | 3-Major | BT1348425 | Header name or parameter name is configured with space. | 16.1.5 |
1346461-3 | 3-Major | BT1346461 | Bd crash at some cases | 16.1.5 |
1332769-2 | 3-Major | BT1332769 | Wildcard order incorrect for JSON Policy Import | 16.1.5 |
1330473-2 | 3-Major | BT1330473 | Response_log_rate_limit is not applied | 16.1.5 |
1329893-1 | 3-Major | BT1329893 | TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection based on IP, when an HTTP/2 request is sent | 16.1.5 |
1329065-1 | 3-Major | BT1329065 | Hostname violation when hostname starts with multiple 0's | 16.1.5 |
1316529-3 | 3-Major | BT1316529 | Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails with hidden DOS | 17.1.1, 16.1.5 |
1302689-3 | 3-Major | BT1302689 | ASM requests to rechunk payload | 17.1.1, 16.1.5, 15.1.10 |
1301197-3 | 3-Major | BT1301197 | Bot Profile screen does not load and display large number of pools/members | 17.1.1, 16.1.5, 15.1.10 |
1298161-2 | 3-Major | BT1298161 | Ts_cookie_add_attrs is not effective with cookies that have non-root path or domain attribute | 16.1.5 |
1295057-3 | 3-Major | BT1295057 | Installation of Attack Signatures file reported as fail after 1 hour | 16.1.5 |
1295009-1 | 3-Major | BT1295009 | "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data | 17.1.1, 16.1.5, 15.1.10 |
1292685-2 | 3-Major | BT1292685 | The date-time RegExp pattern through swagger would not cover all valid options | 17.1.1, 16.1.5, 15.1.10 |
1292645-2 | 3-Major | BT1292645 | False positive CORS violation can occur after upgrading to 17.1.x under certain conditions★ | 17.1.1, 16.1.5 |
1288517-2 | 3-Major | BT1288517 | Item filter does not work on /mgmt/tm/asm/tasks/export-suggestions/ | 16.1.5 |
1284097-2 | 3-Major | BT1284097 | False positive 'Illegal cross-origin request' violation | 17.1.1, 16.1.5 |
1284073-3 | 3-Major | BT1284073 | Cookies are truncated when number of cookies exceed the value configured in "max_enforced_cookies" | 17.1.1, 16.1.5 |
1281397-1 | 3-Major | BT1281397 | SMTP requests are dropped by ASM under certain conditions | 17.1.1, 16.1.5 |
1281389-1 | 3-Major | BT1281389 | Bot Defense can crash when using SMTP security profile | 16.1.5 |
1270133-3 | 3-Major | BT1270133 | bd crash during configuration update | 17.1.1, 16.1.5 |
1231137-3 | 3-Major | BT1231137 | During signature update, Bot signature from one user partition affecting the Bot profile created in another Partition | 16.1.5 |
1229813-2 | 3-Major | BT1229813 | The ref schema handling fails with oneOf/anyOf | 17.1.1, 16.1.5, 15.1.10 |
1211905-2 | 3-Major | BT1211905 | Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts" | 16.1.5 |
1210321-1 | 3-Major | BT1210321 | Parameters are not created for properties defined in multipart request body when URL include path parameter | 16.1.5 |
1207793-1 | 3-Major | BT1207793 | Bracket expression in JSON schema pattern does not work with non basic latin characters | 17.1.1, 16.1.5, 15.1.10 |
1168157-2 | 3-Major | BT1168157 | OpenAPI: Special ASCII characters in "schema" block should not be converted to UTF8 | 16.1.5 |
1081285-1 | 3-Major | BT1081285 | ASM::disable iRule command causes HTTP2 RST_STREAM response when MRF is enabled | 16.1.5 |
1038689-3 | 3-Major | BT1038689 | "Mandatory request body is missing" violation should trigger for "act as a POST" methods only | 17.1.1, 16.1.5 |
1004793-1 | 3-Major | BT1004793 | If there is an additional CSRT token, it triggers a No Max Parameter Protocol Compliance violation . | 17.0.0, 16.1.5 |
987977-3 | 4-Minor | BT987977 | VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation | 17.1.1, 16.1.5 |
911729-4 | 4-Minor | BT911729 | Redundant learning suggestion to set a Maximum Length when parameter is already at that value | 17.0.0, 16.1.5, 16.0.1.2, 15.1.4, 14.1.4.2 |
1399289-1 | 4-Minor | BT1399289 | "XML data does not comply with schema or WSDL document" violations after upgrade to 16.1.4.1 | 16.1.5 |
1366229-5 | 4-Minor | BT1366229 | Leaked Credentials Action unexpectedly modified after XML-format policy export and re-import | 16.1.5 |
1311253-3 | 4-Minor | BT1311253 | Set-Cookie header has no value (cookie-string) in server-side, due to asm.strip_asm_cookies | 16.1.5 |
1186661-2 | 4-Minor | BT1186661 | The security policy JSON profile created from OpenAPI file should have value "any" for it's defense attributes | 16.1.5 |
1181833-2 | 4-Minor | BT1181833 | Content is not updating under respective tab of webUI when CSRF enabled | 17.1.0, 16.1.5 |
1137245-1 | 4-Minor | BT1137245 | Issue with injected javascript can cause an error in the browser. | 16.1.5 |
1084157-3 | 4-Minor | BT1084157 | Possible captcha loop when using Single Page Application | 16.1.5 |
1016033-4 | 4-Minor | BT1016033 | Remote logging of WS/WSS shows date_time equal to Unix epoch start time | 17.0.0, 16.1.5, 15.1.5 |
1030129-4 | 5-Cosmetic | BT1030129 | iHealth unnecessarily flags qkview for H701182 with mcp_module.xml | 16.1.5 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
915005-3 | 4-Minor | BT915005 | AVR core files have unclear names | 16.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1505789-2 | 1-Blocking | K000138683, BT1505789 | VPN connection fails with Edge client 7.2.4.6 with error "Network is vulnerable"★ | 16.1.5 |
1146341-2 | 1-Blocking | BT1146341 | TMM crashes while processing traffic on virtual server | 17.1.0, 16.1.5, 15.1.10 |
831737-3 | 2-Critical | BT831737 | Memory Leak when using Ping Access profile | 17.1.1, 16.1.5, 15.1.6.1 |
1552685-5 | 2-Critical | K000138771, BT1552685 | Issues are observed with APM Portal Access on Chrome browser version 122 or later | 16.1.5 |
1455677-2 | 2-Critical | ACCESS Policy hardening | 16.1.5 | |
1398401-1 | 2-Critical | K000135607, BT1398401 | Configuration error: In url-filter <filter name> allowed-category <cat name> does not exist.★ | 16.1.5 |
1366401 | 2-Critical | BT1366401 | [APM]"F5RST: HTTP internal error" occurring after BIG-IP initiated client-ssl renegotiation | 16.1.5 |
1355377-2 | 2-Critical | BT1355377 | Subroutine gating criteria utilizing TCL may cause TMM to restart | 16.1.5 |
1355117-2 | 2-Critical | K000137374, BT1355117 | TMM core due to extensive memory usage★ | 17.1.1, 16.1.5, 15.1.10.3 |
1321713-2 | 2-Critical | K000135858, BT1321713 | BIG-IP Rewrite Profile GUI and URI Validation is inconsistent | 16.1.5 |
1104517-2 | 2-Critical | BT1104517 | In SWG explicit proxy, some TCP connections are reset because of inconsistency between sessionDB and local IP2SessionId map | 17.1.1, 16.1.5, 15.1.10 |
1063261-4 | 2-Critical | BT1063261 | TMM crash is seen due to sso_config objects. | 17.0.0, 16.1.5, 15.1.10 |
1020881-1 | 2-Critical | BT1020881 | TMM crashes while passing APM traffic. | 16.1.5 |
738716-1 | 3-Major | BT738716 | Add support for "Restart Desktop" setting in View clients, native as well as HTML5 clients | 17.1.1, 16.1.5 |
634576-3 | 3-Major | K48181045, BT634576 | TMM core in per-request policy | 16.1.5, 13.1.0 |
1506009-1 | 3-Major | BT1506009 | Oauth core | 16.1.5 |
1506005-2 | 3-Major | BT1506005 | TMM core occurs due to OAuth invalid number of keys or credential block size | 16.1.5 |
1491481-2 | 3-Major | BT1491481 | Server changes to support QT upgrade of Mac Clients | 16.1.5 |
1490833-1 | 3-Major | BT1490833 | OAuth agent gets misconfigured when adding a new Scope/Claim in VPE | 16.1.5 |
1473701 | 3-Major | BT1473701 | Oauth Discovery task is struck at "SAVE_AND_APPLY" state | 16.1.5 |
1472609 | 3-Major | BT1472609 | [APM]Some user roles unable view Access config GUI, getting 403 error | 16.1.5 |
1409453 | 3-Major | BT1409453 | [APM][NA]Read Access Denied for 'Manger role' when accessing Network Settings in Network Access config | 16.1.5 |
1402421 | 3-Major | BT1402421 | Virtual Servers haviing adfs proxy configuration might have all traffic blocked | 16.1.5 |
1359245 | 3-Major | BT1359245 | Apmd cored when processing oauth token response when response code is not "200" and "ContentType" header "text/html | 16.1.5 |
1352945-1 | 3-Major | BT1352945 | Rewrite plugin memory leak | 16.1.5 |
1350273-2 | 3-Major | BT1350273 | Kerberos SSO Failing for Cross Domain After Upgrade from 15.1.8.2 to 15.1.9.1★ | 16.1.5 |
1348153 | 3-Major | BT1348153 | Assigned IP Address session variable always as IPv6 Address | 16.1.5 |
1345997-2 | 3-Major | BT1345997 | Very large number of custom URLs in SWG can impact performance. | 16.1.5 |
1341849 | 3-Major | BT1341849 | APM- tmm core SIGSEGV in saml artifact usage | 16.1.5 |
1338837 | 3-Major | BT1338837 | [APM][RADIUS] Support Framed-IPv6-Address in RADIUS Accounting STOP message | 16.1.5 |
1328433 | 3-Major | BT1328433 | TMM cores while using VPN with ipv6 configured | 16.1.5 |
1292141-1 | 3-Major | BT1292141 | TMM crash while processing myvpn request | 17.1.1, 16.1.5 |
1273881-4 | 3-Major | BT1273881 | TMM crashes while processing traffic on the virtual server | 16.1.5 |
1269709-1 | 3-Major | BT1269709 | GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles | 16.1.5 |
1251157-3 | 3-Major | BT1251157 | Ping Access filter can accumulate connections increasing the memory use | 17.1.1, 16.1.5, 15.1.10 |
1238329 | 3-Major | BT1238329 | Intermittent request for /vdesk/c_ses.php3?orig_uri is reset with cause Access encountered error: ERR_NOT_FOUND | 16.1.5 |
1207821-3 | 3-Major | BT1207821 | APM internal virtual server leaks memory under certain conditions | 17.1.1, 16.1.5, 15.1.10 |
1190025-2 | 3-Major | BT1190025 | The OAuth process crash | 16.1.5 |
1188417-2 | 3-Major | BT1188417 | Failure in the SelfTest/Integrity test triggers a reboot action. | 16.1.5 |
1147621-2 | 3-Major | BT1147621 | AD query do not change password does not come into effect when RSA Auth agent used | 17.1.1, 16.1.5, 15.1.9 |
1145989-2 | 3-Major | BT1145989 | ID token sub-session variables are not populated | 16.1.5 |
1099833-5 | 3-Major | Add additional server side support for f5-epi links. | 16.1.5 | |
1044457-3 | 3-Major | BT1044457 | APM webtop VPN is no longer working for some users when CodeIntegrity is enabled. | 17.1.1, 16.1.5, 15.1.10 |
1006509-1 | 3-Major | BT1006509 | TMM memory leak★ | 16.1.5, 15.1.7 |
1505413 | 4-Minor | BT1505413 | Error in Wrapper for Array.slice Method When F5_window_link is Undefined | 16.1.5 |
1468589 | 4-Minor | BT1468589 | TypeError: Cannot convert a Symbol value to a string in CSSStyleDeclaration Object Getter and Setter Functions | 16.1.5 |
1382329 | 4-Minor | BT1382329 | Handling 'active' attribute in introspection response | 16.1.5 |
1381065-1 | 4-Minor | BT1381065 | Custom Request implementation modifies the Request object's prototype, resulting in the lack of the 'signal' property. | 16.1.5 |
1351493 | 4-Minor | BT1351493 | Invalid JSON node type while support-introspection enabled | 16.1.5 |
1350997-1 | 4-Minor | BT1350997 | Changes to support pre-logon when secondary logon service is disabled on windows edge client | 16.1.5 |
1294993 | 4-Minor | BT1294993 | URL Database download logs are not visible | 17.1.1, 16.1.5 |
1218813-4 | 4-Minor | BT1218813 | "Timeout waiting for TMM to release running semaphore" after running platform_diag | 17.1.1, 16.1.5, 15.1.9 |
1142389-3 | 4-Minor | BT1142389 | APM UI report displays error "Error Processing log message ..." when the log contains some special character received in client request | 17.1.1, 16.1.5, 15.1.10 |
1100561 | 4-Minor | BT1100561 | AAA: a trailing ampersand is added to serverside request when using HTTP forms based auth | 17.1.1, 16.1.5 |
504374-1 | 5-Cosmetic | BT504374 | Cannot search Citrix Applications inside folders | 16.1.5 |
427094-1 | 5-Cosmetic | BT427094 | Accept-language is not respected if there is no session context for page requested. | 17.1.1, 16.1.5, 15.1.10 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1391161-2 | 2-Critical | sipmsg_parse_sdp crashes when SIP receives certain traffic pattern. | 16.1.5 | |
1304297-2 | 2-Critical | A certain client sequence via MRF passthrough may cause TMM to core | 16.1.5 | |
1270497-2 | 2-Critical | BT1270497 | MRF SIP/ALG Core dump observed while accessing trans_data in sipmsg_register_ingress_register_request_session_reply_common method | 16.1.5 |
1466293-2 | 3-Major | SIP MRF over TCP might cause excessive memory buffering | 16.1.5 | |
1466289-3 | 3-Major | SIP MRF might leave orphaned connections | 16.1.5 | |
1307517-2 | 3-Major | BT1307517 | Allow SIP reply with missing FROM | 17.1.1, 16.1.5 |
1395281-2 | 4-Minor | BT1395281 | UDP payloads not ending with CRLF are being treated as BAD messages. | 16.1.5 |
1329477-2 | 4-Minor | BT1329477 | Auto-initialization does not work with certain MRF connection-mode | 17.1.1, 16.1.5 |
1251013-2 | 4-Minor | BT1251013 | Allow non-RFC compliant URI characters | 17.1.1, 16.1.5, 15.1.10 |
1225797-4 | 4-Minor | BT1225797 | SIP alg inbound_media_reinvite test fails | 17.1.1, 16.1.5 |
1184629-2 | 4-Minor | BT1184629 | Validate content length with respective to SIP header offset instead of parser offset | 17.1.0, 16.1.5, 15.1.9 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
984965-4 | 3-Major | BT984965 | While intentionally exiting, sshplugin may invoke functions out of sequence and crash | 16.1.5 |
915221-6 | 3-Major | BT915221 | DoS unconditionally logs MCP messages to /var/tmp/mcpd.out | 16.1.5 |
844597-6 | 3-Major | BT844597 | AVR analytics is reporting null domain name for a dns query | 17.1.1, 16.1.5, 15.1.10 |
1560497 | 3-Major | BT1560497 | Host is unreachable, vector is not mitigated by HW at profile level. | 16.1.5 |
1388985-2 | 3-Major | BT1388985 | The daemon dwbld uses 100% CPU when max port value configured in TMC port list | 16.1.5 |
1311561-1 | 3-Major | BT1311561 | Unable to add Geo regions with spaces into blacklist, Error: invalid on shun entry adding | 17.1.1, 16.1.5 |
1196053-3 | 3-Major | BT1196053 | The autodosd log file is not truncating when it rotates | 17.1.1, 16.1.5, 15.1.10 |
1067393-2 | 3-Major | BT1067393 | MCP validation - incorrect config load fail on AFM NAT rule with next-hop pool.★ | 17.0.0, 16.1.5, 15.1.5.1 |
1047933-1 | 3-Major | BT1047933 | Virtual server security policy - An error has occurred while trying to process your request | 17.0.0, 16.1.5 |
1042153-2 | 3-Major | BT1042153 | AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN. | 17.1.1, 17.0.0, 16.1.5, 15.1.10 |
1032329-1 | 3-Major | BT1032329 | A user with low privileges cannot open the Rule List editor. | 16.1.5, 15.1.4.1 |
1019557-1 | 3-Major | BT1019557 | Bdosd does not create /var/bdosd/*.json | 17.0.0, 16.1.5 |
928653-1 | 4-Minor | BT928653 | [tmsh]:list security nat policy rules showing automap though the value set is None | 16.1.5 |
1302869 | 4-Minor | BT1302869 | AFM is not accounting Nxdomain attack for TCP query | 16.1.5 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1496701-1 | 2-Critical | BT1496701 | PEM CPPE reporting buffer overflow resulting in core | 16.1.5 |
1312145-1 | 2-Critical | BT1312145 | Bcdatabase file gets truncated, deleted and re-downloaded in a loop | 16.1.5 |
1470329-2 | 3-Major | BT1470329 | PEM: Multiple layers of callback cookies need input validation in order to prevent crashes. | 16.1.5 |
1462393 | 3-Major | BT1462393 | Quota is not getting updated from the PEM side | 16.1.5 |
1394601-1 | 3-Major | BT1394601 | PEM AVR onbox reporting stall | 16.1.5 |
1389049-1 | 3-Major | BT1389049 | Frequent instances of provisioning-pending count spiking on various PEM devices | 16.1.5 |
1302677-4 | 3-Major | BT1302677 | Memory leak in PEM when Policy is queried via TCL | 17.1.1, 16.1.5, 15.1.10 |
1277381-3 | 3-Major | PEM resource leak in MW layer leads to crash of Diameter interface | 16.1.5 | |
1231001-2 | 3-Major | BT1231001 | PEM flow-term-on-sess-delete can cause cores | 16.1.5 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1060393-1 | 3-Major | K24102225, BT1060393 | Extended high CPU usage caused by JavaScript Obfuscator. | 16.1.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1538173-3 | 3-Major | BT1538173 | Bados TLS fingerprints works incorrectly with chrome's new versions | 16.1.5 |
1408381 | 3-Major | BT1408381 | BADOS signals might no sync on HA setups | 16.1.5 |
1388341-2 | 3-Major | BT1388341 | tmm crash upon context reference that was already released (HUDEVT_SHUTDOWN) | 16.1.5 |
1381565-2 | 3-Major | ADMD stability improvements when configured with TLS signatures | 16.1.5 | |
1046469-1 | 3-Major | BT1046469 | Memory leak during large attack | 16.1.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
984657 | 3-Major | BT984657 | Sysdb variable not working from tmsh | 16.1.5, 16.0.1.2, 15.1.4.1 |
1472685-2 | 3-Major | BT1472685 | Add support for 4 new Webroot Categories | 16.1.5 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
985329-2 | 3-Major | BT985329 | Saving UCS takes longer when iControl LX extension is installed | 16.1.5 |
943257-3 | 3-Major | BT943257 | REST framework support for IPv6 ConfigSync addresses | 17.1.1, 16.1.5 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
989529-1 | 3-Major | BT989529 | AFM IPS engine takes action on unspecified services | 16.1.5 |
1461597-2 | 3-Major | BT1461597 | IPS IM upgrade is taking more time | 16.1.5 |
1269845-2 | 3-Major | BT1269845 | When upgrading IM, seeing errors like MCPD timed out and Error: 'insp_id' | 16.1.5 |
1075001-2 | 3-Major | BT1075001 | Types 64-65 in IPS Compliance 'Unknown Resource Record Type' | 16.1.5 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1289845-3 | 3-Major | BT1289845 | Pool member marked as offline while matching both receive string and receive disable strings | 16.1.5 |
1287045-3 | 3-Major | BT1287045 | In-TMM monitor may mark pool member offline despite its response matches Receive Disable String | 16.1.5 |
1211985-4 | 3-Major | BT1211985 | BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring | 17.1.1, 16.1.5, 15.1.10 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1303185-4 | 3-Major | BT1303185 | Large numbers of URLs in url-db can cause TMM to restart | 17.1.1, 16.1.5, 15.1.10 |
1289417 | 3-Major | BT1289417 | SSL Orchestrator SEGV TMM core | 17.1.1, 16.1.5 |
Cumulative fixes from BIG-IP v16.1.4.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1495217-3 | CVE-2024-31156 | K000138636, BT1495217 | TMUI hardening | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1492361-2 | CVE-2024-33604 | K000138894, BT1492361 | TMUI Security Hardening | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1449709-2 | CVE-2024-28889 | K000138912, BT1449709 | Possible TMM core under certain Client-SSL profile configurations | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1366025-2 | CVE-2023-44487 | K000137106, BT1366025 | A particular HTTP/2 sequence may cause high CPU utilization. | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1360917-4 | CVE-2024-27202 | K000138520, BT1360917 | TMUI hardening | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
Functional Change Fixes
None
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1494833-3 | 2-Critical | K000138898, BT1494833 | A single signature does not match when exceeding 65535 states | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
Cumulative fixes from BIG-IP v16.1.4.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1361169-2 | CVE-2023-40534 | K000133467, BT1361169 | Connections may persist after processing HTTP/2 requests | 17.1.1.1, 16.1.4.2 |
1117229-1 | CVE-2022-26377 | K26314875, BT1117229 | CVE-2023-46747 and CVE-2022-26377: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1391357-1 | CVE-2023-43125 | K000136909, BT1391357 | Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1381357-2 | CVE-2023-46748 | K000137365, BT1381357 | CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1304957-6 | CVE-2023-5450 | K000135040, BT1304957 | BIG-IP Edge Client for macOS vulnerability CVE-2023-5450 | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1240121-1 | CVE-2022-36760 | K000132643, BT1240121 | CVE-2023-46747 and CVE-2022-36760: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1354253-2 | 3-Major | K000137322, BT1354253 | HTTP Request smuggling with redirect iRule | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1316277-2 | 3-Major | K000137796, BT1316277 | Large CRL files may only be partially uploaded | 17.1.1, 16.1.4.2, 15.1.10.3 |
Cumulative fixes from BIG-IP v16.1.4.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1324745-2 | CVE-2023-41373 | K000135689, BT1324745 | An undisclosed TMUI endpoint may allow unexpected behavior | 17.1.0.3, 16.1.4.1, 15.1.10.2, 14.1.5.6 |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v16.1.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1167897-6 | CVE-2022-40674 | K44454157, BT1167897 | [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c | 17.1.1, 16.1.4, 15.1.9 |
1121661-2 | CVE-2023-40534 | K000133467, BT1121661 | TMM may core while processing HTTP/2 requests | 17.1.0, 16.1.4 |
981917-4 | CVE-2020-8286 | K15402727 | CVE-2020-8286 - cUrl Vulnerability | 17.1.1, 16.1.4, 15.1.10 |
949857-7 | CVE-2024-22389 | K32544615, BT949857 | Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync | 17.1.1, 16.1.4, 15.1.9 |
884541-9 | CVE-2023-40537 | K29141800, BT884541 | Improper handling of cookies on VIPRION platforms | 17.1.0, 16.1.4, 15.1.9 |
1317705-2 | CVE-2024-25560 | K000139037, BT1317705 | TMM may restart on certain DNS traffic | 17.1.1, 16.1.4 |
1315193-1 | CVE-2024-33608 | K000138728, BT1315193 | TMM Crash in certain condition when processing IPSec traffic | 17.1.1, 16.1.4 |
1314301-2 | CVE-2024-23805 | K000137334, BT1314301 | TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled | 17.1.1, 16.1.4, 15.1.10 |
1295661-2 | CVE-2023-38418 | K000134746, BT1295661 | BIG-IP Edge Client for macOS vulnerability CVE-2023-38418 | 17.1.1, 16.1.4 |
1289189-3 | CVE-2024-24775 | K000137333, BT1289189 | In certain traffic patterns, TMM crash | 17.1.1, 16.1.4, 15.1.10 |
1271349-3 | CVE-2023-25690 | K000133098, BT1271349 | CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy | 17.1.1, 16.1.4, 15.1.9 |
1238629-1 | CVE-2024-21763 | K000137521, BT1238629 | TMM core when processing certain DNS traffic with bad actor (BA) enabled | 17.1.1, 16.1.4, 15.1.10 |
1220629-3 | CVE-2024-23314 | K000137675, BT1220629 | TMM may crash on response from certain backend traffic | 17.1.1, 16.1.4, 15.1.9 |
1208529-4 | CVE-2023-41085 | K000132420, BT1208529 | TMM crash when handling IPSEC traffic | 17.1.0, 16.1.4, 15.1.9 |
1195489-2 | CVE-2024-22093 | K000137522, BT1195489 | iControl REST input sanitization | 17.1.1, 16.1.4, 15.1.9 |
1189465-3 | CVE-2023-24461 | K000132539, BT1189465 | Edge Client allows connections to untrusted APM Virtual Servers | 17.1.0.3, 16.1.4, 15.1.9 |
1189461-3 | CVE-2023-36858 | K000132563, BT1189461 | BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-36858 | 17.1.1, 16.1.4 |
1183453-1 | CVE-2022-31676 | K87046687 | Local privilege escalation vulnerability (CVE-2022-31676) | 17.1.0, 16.1.4, 15.1.9 |
1167929-4 | CVE-2022-40674 | K44454157, BT1167929 | CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c | 17.1.1, 16.1.4, 15.1.9 |
1161733-4 | CVE-2023-40542 | K000134652, BT1161733 | Enabling client-side TCP Verified Accept can cause excessive memory consumption | 17.1.0, 16.1.4, 15.1.9 |
1153969-2 | CVE-2024-23979 | K000134516, BT1153969 | Excessive resource consumption when processing LDAP and CRLDP auth traffic | 17.1.1, 16.1.4, 15.1.9 |
1133013-3 | CVE-2023-43746 | K41072952, BT1133013 | Appliance mode hardening | 17.1.0, 16.1.4, 15.1.9 |
1126285-1 | CVE-2024-21849 | K000135873, BT1126285 | TMM might crash with certain HTTP traffic | 17.1.0, 16.1.4 |
1122441-5 | CVE-2015-1283, CVE-2021-45960,CVE-2022-22825,CVE-2022-22826,CVE-2022-22827, CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-23515, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2021-46143 | K19473898, BT1122441 | Upgrading the libexpat library | 17.1.0, 16.1.4, 15.1.9 |
1111097-6 | CVE-2022-1271 | K000130546, BT1111097 | gzip arbitrary-file-write vulnerability CVE-2022-1271 | 17.1.0, 16.1.4, 15.1.9 |
1107293-7 | CVE-2021-22555 | K06524534, BT1107293 | CVE-2021-22555: Linux kernel vulnerability | 17.1.0, 16.1.4, 15.1.8 |
1102881-4 | CVE-2021-25217 | K08832573, BT1102881 | dhclient/dhcpd vulnerability CVE-2021-25217 | 17.1.0, 16.1.4, 15.1.9 |
1098829-6 | CVE-2022-23852,CVE-2022-25235,CVE-2022-25236,CVE-2022-23515,CVE-2022-22822,CVE-2022-22823,CVE-2022-22824 | K19473898, BT1098829 | Security vulnerabilities found in expat lib(used by iControlSoap) prior to version 2.4.8 | 17.1.0, 16.1.4, 15.1.9 |
1093813-2 | CVE-2002-20001, CVE-2022-40735, CVE-2024-41996 | K83120834, BT1093813 | DH Key Agreement vulnerability in APM server side components | 17.1.0, 16.1.4 |
1093253-8 | CVE-2021-3999 | K24207649 | CVE-2021-3999 Glibc Vulnerability | 17.1.0, 16.1.4, 15.1.9 |
1091601-9 | CVE-2022-23218, CVE-2022-23219 | K52308021, BT1091601 | Glibc vulnerabilities CVE-2022-23218, CVE-2022-23219 | 17.1.0, 16.1.4, 15.1.9 |
1091453-6 | CVE-2022-23308 | K32760744, BT1091453 | libxml2 vulnerability CVE-2022-23308 | 17.1.0, 16.1.4, 15.1.8 |
1089225-4 | CVE-2021-4034 | K46015513, BT1089225 | Polkit pkexec vulnerability CVE-2021-4034 | 17.1.0, 16.1.4, 15.1.8 |
1077301-4 | CVE-2021-23133 | K67416037, BT1077301 | CVE-2021-23133 kernel: Race condition in sctp_destroy_sock list_del | 17.1.0, 16.1.4, 15.1.8 |
1075733-3 | CVE-2018-14348 | K26890535, BT1075733 | Updated libcgroup library to fix CVE-2018-14348 | 17.1.0, 16.1.4, 15.1.9 |
1075689-3 | CVE-2020-25692,CVE-2020-25709,CVE-2020-12243,CVE-2019-13565,CVE-2020-25710,CVE-2020-36222,CVE-2020-36226,CVE-2020-36228,CVE-2020-36227,CVE-2021-27212,CVE-2020-36223,CVE-2020-36221,CVE-2020-36225,CVE-2020-36224,CVE-2019-13057 | K56241216, BT1075689 | Multiple CVE fixes for OpenLDAP library | 17.1.0, 16.1.4, 15.1.8 |
1075657-3 | CVE-2020-12825 | K01074825, BT1075657 | CVE-2020-12825 - libcroco vulnerability | 17.1.1, 16.1.4, 15.1.10 |
1070753-4 | CVE-2020-27216 CVE-2021-28169 CVE-2021-34428 CVE-2018-12536 |
K33548065, BT1070753 | CVE-2020-27216: Eclipse Jetty vulnerability | 17.1.1, 16.1.4, 15.1.9 |
1061977-3 | CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111 | K31781390, BT1061977 | Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111 | 17.1.1, 16.1.4, 15.1.10 |
1057393-3 | CVE-2019-18197 | K10812540, BT1057393 | CVE-2019-18197 libxslt vulnerability: use after free in xsltCopyText | 17.0.0, 16.1.4, 15.1.8 |
1051305-4 | CVE-2021-34798 | K72382141, BT1051305 | CVE-2021-34798: A NULL pointer dereference in httpd via malformed requests | 17.0.0, 16.1.4, 15.1.7 |
1043821-1 | CVE-2023-42768 | K26910459, BT1043821 | Inconsistent user role handling across configuration UIs | 17.1.0, 16.1.4, 15.1.9 |
972545-7 | CVE-2024-23976 | K91054692, BT972545 | iApps LX does not follow best practices in appliance mode | 17.1.1, 16.1.4, 15.1.9 |
966541-1 | CVE-2023-43485 | K06110200, BT966541 | Improper data logged in plaintext | 17.1.0, 16.1.4, 15.1.9 |
950605-6 | CVE-2020-14145 | K48050136, BT950605 | Openssh insecure client negotiation CVE-2020-14145 | 17.1.0, 16.1.4, 15.1.9 |
905937-8 | CVE-2023-41253 | K98334513, BT905937 | TSIG key value logged in plaintext in log | 17.1.0, 16.1.4, 15.1.9 |
785197-5 | CVE-2019-9075 | K42059040, BT785197 | binutils vulnerability CVE-2019-9075 | 17.1.0, 16.1.4, 15.1.9 |
651029-12 | CVE-2023-45219 | K20307245, BT651029 | Sensitive information exposed during incremental sync | 17.1.0, 16.1.4, 15.1.9 |
1238321-4 | CVE-2022-4304 | K000132943 | OpenSSL Vulnerability CVE-2022-4304 | 17.1.0.1, 16.1.4, 15.1.10 |
1235813-9 | CVE-2023-0215 | K000132946, BT1235813 | OpenSSL vulnerability CVE-2023-0215 | 17.1.0.1, 16.1.4, 15.1.10 |
1235801-4 | CVE-2023-0286 | K000132941, BT1235801 | OpenSSL vulnerability CVE-2023-0286 | 17.1.1, 16.1.4, 15.1.10 |
1189457-3 | CVE-2023-22372 | K000132522, BT1189457 | Hardening of client connection handling from Edge client. | 16.1.4, 15.1.9 |
1123537-9 | CVE-2022-28615 | K40582331, BT1123537 | CVE-2022-28615 (httpd): out-of-bounds read in ap_strcmp_match() | 17.1.1, 16.1.4, 15.1.9 |
1121965-2 | CVE-2022-28614 | K58003591, BT1121965 | CVE-2022-28614 (httpd): out-of-bounds read via ap_rwrite() | 17.1.0, 16.1.4, 15.1.9 |
1099341-4 | CVE-2018-25032 | K21548854 | CVE-2018-25032: A flaw found in zlib, when compressing (not decompressing!) certain inputs | 17.1.1, 16.1.4, 15.1.9 |
1089921-6 | CVE-2022-0359 | K08827426, BT1089921 | Vim vulnerability CVE-2022-0359 | 17.1.0, 16.1.4, 15.1.9 |
1089233-4 | CVE-2022-0492 | K54724312 | CVE-2022-0492 Linux kernel vulnerability | 17.1.0, 16.1.4, 15.1.9 |
1088445-7 | CVE-2022-22720 | K67090077, BT1088445 | CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body | 17.1.1, 16.1.4, 15.1.9 |
1070905-4 | CVE-2017-7656 | K21054458, BT1070905 | CVE-2017-7656 jetty: HTTP request smuggling using the range header | 17.1.1, 16.1.4, 15.1.9 |
1041577-4 | CVE-2024-21782 | K98606833, BT1041577 | SCP file transfer system, completing fix for 994801 | 17.1.1, 16.1.4, 15.1.9 |
1021245-3 | CVE-2019-20907 | K78284681, BT1021245 | CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive | 17.1.0, 16.1.4, 15.1.9 |
1018997-1 | CVE-2023-41964 | K20850144, BT1018997 | Improper logging of sensitive DB variables | 17.1.0, 16.1.4, 15.1.9 |
1009157-1 | CVE-2023-39447 | K47756555, BT1009157 | AGC hardening | 16.1.4, 15.1.8 |
1296489-3 | CVE-2024-23603 | K000138047, BT1296489 | ASM UI hardening | 17.1.1, 16.1.4, 15.1.10 |
1057445-3 | CVE-2019-13118 | K96300145, BT1057445 | CVE-2019-13118 libxslt vulnerability: uninitialized stack data | 17.0.0, 16.1.4, 15.1.8 |
1057437-3 | CVE-2019-13117 | K96300145, BT1057437 | CVE-2019-13117 libxslt vulnerability: uninitialized read in xsltNumberFormatInsertNumbers | 17.0.0, 16.1.4, 15.1.8 |
1057149-3 | CVE-2019-11068 | K30444545, BT1057149 | CVE-2019-11068 libxslt vulnerability: xsltCheckRead and xsltCheckWrite | 17.0.0, 16.1.4, 15.1.8 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1088037-3 | 1-Blocking | BT1088037 | VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers | 17.1.0, 16.1.4, 15.1.8 |
1053589-1 | 1-Blocking | BT1053589 | DDoS functionality cannot be configured at a Zone level | 16.1.4, 15.1.8 |
1282181-1 | 3-Major | High CPU or increased translation errors following upgrade or restart when DAG distribution changes | 16.1.4 | |
1211513-2 | 3-Major | BT1211513 | Data payload validation is added to HSB validation loopback packets | 17.1.1, 16.1.4, 15.1.10 |
1144373-4 | 3-Major | BT1144373 | BIG-IP SFTP hardening | 17.1.0, 16.1.4, 15.1.9 |
1040609-1 | 3-Major | K21800102, BT1040609 | RFC enforcement is bypassed when HTTP redirect irule is applied to the virtual server. | 17.1.0, 16.1.4, 15.1.9 |
1025497-1 | 4-Minor | BT1025497 | BIG-IP may accept and forward invalid DNS responses | 17.1.0, 16.1.4, 15.1.9 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1284969-1 | 1-Blocking | BT1284969 | Adding ssh-rsa key for passwordless authentication | 17.1.0.1, 16.1.4 |
1224125-1 | 1-Blocking | BT1224125 | When you upgrade to 16.1.3.2 or 17.1, keys that are not approved in FIPS 140-3 are permitted to be used. | 17.1.0, 16.1.4 |
1173441-3 | 1-Blocking | BT1173441 | The 'tmsh save sys config' call is being triggered when REST Authentication tokens (X-F5-Auth-Token) are deleted or expired | 17.1.0, 16.1.4, 15.1.9 |
1161913-1 | 1-Blocking | BT1161913 | Upgrades from BIG-IP versions 15.1.8, 15.1.8.1, 15.1.8.2, or v15.1.9 to 16.1.1, 16.1.2, 16.1.3 (not 16.1.4) or 17.0.x (but not 17.1.x) fail, and leaves the device INOPERATIVE★ | 16.1.4 |
1116845-4 | 1-Blocking | BT1116845 | Interfaces using the xnet driver are not assigned a MAC address | 17.1.0, 16.1.4, 15.1.9 |
995849-1 | 2-Critical | BT995849 | Tmm crash SIGSEGV - rcs_getsalen() in lib/rc_net.c | 17.0.0, 16.1.4, 15.1.9 |
994033-3 | 2-Critical | BT994033 | The daemon httpd_sam does not recover automatically when terminated | 17.1.1, 16.1.4, 15.1.9 |
993481-1 | 2-Critical | BT993481 | Jumbo frame issue with DPDK eNIC | 17.1.1, 16.1.4, 15.1.10 |
967905-5 | 2-Critical | BT967905 | Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
950201-3 | 2-Critical | BT950201 | Tmm core on GCP | 17.1.1, 16.1.4, 15.1.9 |
888765-2 | 2-Critical | BT888765 | After upgrading from 13.1.0 to 15.1.0.1 CGNAT is deprovisioned and tmm is restarted by reloaded config from text files★ | 16.1.4 |
723109-2 | 2-Critical | BT723109 | FIPS HSM: SO login failing when trying to update firmware | 17.1.1, 16.1.4, 15.1.10 |
1290889-4 | 2-Critical | K000134792, BT1290889 | TMM disconnects from processes such as mcpd causing TMM to restart | 17.1.1, 16.1.4, 15.1.9 |
1256841-1 | 2-Critical | BT1256841 | AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script | 17.1.1, 16.1.4, 15.1.10 |
1232997-1 | 2-Critical | BT1232997 | IPSEC: The tmm process may exit with 'Invalid policy remote index' | 16.1.4, 15.1.10 |
1225789-2 | 2-Critical | BT1225789 | The iHealth API is transitioning from SSODB to OKTA | 17.1.1, 16.1.4, 15.1.9 |
1209709-4 | 2-Critical | BT1209709 | Memory leak in icrd_child when license is applied through BIG-IQ | 17.1.1, 16.1.4, 15.1.9 |
1195377 | 2-Critical | BT1195377 | Getting Service Indicator log for disallowed RSA-1024 crypto algorithm | 17.1.0, 16.1.4 |
1181613-1 | 2-Critical | BT1181613 | IPsec IKEv2: BIG-IP version 16.1.0 introduced RFC5996 non-compliance in IKE SA delete | 17.1.0, 16.1.4 |
1178221-3 | 2-Critical | BT1178221 | In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT | 17.1.0, 16.1.4, 15.1.9 |
1144477-1 | 2-Critical | BT1144477 | IKE_SA_INIT uses src port 500 and dst port 4500 after IKE SA deleted | 17.1.0, 16.1.4 |
1136429-4 | 2-Critical | BT1136429 | Closing of unrelated MCPD connection causes an errant reply to an in-progress transaction or request group | 17.1.0, 16.1.4, 15.1.9 |
1134301-3 | 2-Critical | BT1134301 | IPsec interface mode may stop sending packets over tunnel after configuration update | 17.1.0, 16.1.4, 15.1.9 |
1128629 | 2-Critical | BT1128629 | Neurond crash observed during live install through test script | 17.1.0, 16.1.4, 15.1.9 |
1110893-4 | 2-Critical | BT1110893 | Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy | 17.1.0, 16.1.4, 15.1.9 |
1105901-2 | 2-Critical | BT1105901 | Tmm crash while doing high-speed logging | 17.1.1, 16.1.4, 15.1.10 |
1095217-1 | 2-Critical | BT1095217 | Peer unit incorrectly shows the pool status as unknown after merging the configuration | 17.1.0, 16.1.4, 15.1.9 |
1085805-2 | 2-Critical | BT1085805 | UCS restore with SSL Orchestrator deployed fails due to multiple iFiles and incorrect iFile reference. | 17.1.0, 16.1.4 |
1085597-1 | 2-Critical | BT1085597 | IKEv1 IPsec peer cannot be created in config utility (web UI) | 17.1.0, 16.1.4 |
1082941-2 | 2-Critical | System account hardening | 17.1.0, 16.1.4, 15.1.9 | |
1076909-4 | 2-Critical | BT1076909 | Syslog-ng truncates the hostname at the first period. | 17.1.0, 16.1.4, 15.1.9 |
1075713-2 | 2-Critical | Multiple libtasn1 vulnuerabilities | 17.1.1, 16.1.4 | |
1075677-2 | 2-Critical | Multiple GnuTLS Mend findings | 17.1.1, 16.1.4, 15.1.10 | |
1035121-4 | 2-Critical | BT1035121 | Configsync syncs the node's monitor status | 17.0.0, 16.1.4, 15.1.9 |
1023829-2 | 2-Critical | BT1023829 | Security->Policies in Virtual Server web page spins mcpd 100%, which later cores | 17.0.0, 16.1.4, 15.1.9 |
998225-6 | 3-Major | BT998225 | TMM crash when disabling/re-enabling a blade that triggers a primary blade transition. | 17.0.0, 16.1.4, 15.1.9 |
995097-1 | 3-Major | BT995097 | Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file. | 17.0.0, 16.1.4, 15.1.10 |
992813-7 | 3-Major | BT992813 | The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations. | 17.0.0, 16.1.4, 15.1.10 |
989501-2 | 3-Major | BT989501 | A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus | 17.1.1, 16.1.4, 15.1.10 |
987301-3 | 3-Major | BT987301 | Software install on vCMP guest via block-device may fail with error 'reason unknown' | 17.0.0, 16.1.4, 15.1.9 |
966949-6 | 3-Major | BT966949 | Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node | 17.1.0, 16.1.4, 15.1.9 |
964125-6 | 3-Major | BT964125 | Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members. | 17.1.1, 16.1.4, 15.1.10 |
936093-5 | 3-Major | BT936093 | Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline | 17.1.1, 16.1.4, 15.1.9 |
930393-2 | 3-Major | BT930393 | IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration | 17.1.0, 16.1.4, 15.1.10 |
925469-2 | 3-Major | BT925469 | SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo | 17.1.0, 16.1.4, 15.1.9 |
921149-6 | 3-Major | BT921149 | After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy | 17.1.0, 16.1.4, 15.1.9 |
906273-1 | 3-Major | BT906273 | MCPD crashes receiving a message from bcm56xxd | 17.1.1, 16.1.4, 15.1.10 |
804529-1 | 3-Major | BT804529 | REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools | 17.1.1, 16.1.4, 15.1.10 |
662301-8 | 3-Major | BT662301 | 'Unlicensed objects' error message appears despite there being no unlicensed config | 17.1.0, 16.1.4, 15.1.9 |
1238693-2 | 3-Major | BT1238693 | Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519 | 17.1.0.1, 16.1.4 |
1232521-2 | 3-Major | SCTP connection sticking on BIG-IP even after connection terminated | 17.1.1, 16.1.4, 15.1.9 | |
1166329-2 | 3-Major | BT1166329 | The mcpd process fails on secondary blades, if the predefined classification applications are updated. | 17.1.0, 16.1.4 |
1160805-2 | 3-Major | BT1160805 | The scp-checkfp fail to cat scp.whitelist for remote admin | 16.1.4, 15.1.9 |
1154933-4 | 3-Major | Improper permissions handling in REST SNMP endpoint | 17.1.0, 16.1.4, 15.1.9 | |
1153865-4 | 3-Major | BT1153865 | Restjavad OutOfMemoryError errors and restarts after upgrade★ | 17.1.0, 16.1.4, 15.1.9 |
1146017-1 | 3-Major | BT1146017 | WebUI does not displays error when parent rewrite profile is not assigned to user defined rewrite profile | 17.1.0, 16.1.4, 15.1.9 |
1136921-4 | 3-Major | BT1136921 | BGP might delay route updates after failover | 17.1.1, 16.1.4, 15.1.10 |
1128169-1 | 3-Major | BT1128169 | TMM core when IPsec tunnel object is reconfigured | 17.1.0, 16.1.4 |
1127169 | 3-Major | BT1127169 | The BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG | 17.1.0, 16.1.4 |
1126805-3 | 3-Major | BT1126805 | TMM CPU usage statistics may show a lower than expected value on Virtual Edition | 17.1.0, 16.1.4, 15.1.9 |
1124209-3 | 3-Major | BT1124209 | Duplicate key objects when renewing certificate using pkcs12 bundle | 17.1.1, 16.1.4, 15.1.9 |
1123885-2 | 3-Major | BT1123885 | A specific type of software installation may fail to carry forward the management port's default gateway. | 17.1.0, 16.1.4, 15.1.9 |
1121517-2 | 3-Major | BT1121517 | Interrupts on Hyper-V are pinned on CPU 0 | 16.1.4, 15.1.10 |
1113961-1 | 3-Major | K43391532, BT1113961 | BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China | 17.1.0, 16.1.4, 15.1.9 |
1112537-2 | 3-Major | BT1112537 | LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete. | 17.1.1, 16.1.4, 15.1.10 |
1112109-4 | 3-Major | K000134769, BT1112109 | Unable to retrieve SCP files using WinSCP or relative path name | 17.1.0, 16.1.4, 15.1.9 |
1111629-4 | 3-Major | BT1111629 | Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors | 17.1.0, 16.1.4, 15.1.9 |
1111421-1 | 3-Major | BT1111421 | IPsec SA info cannot be viewed in TMSH or the web UI | 17.1.0, 16.1.4 |
1106489-2 | 3-Major | BT1106489 | GRO/LRO is disabled in environments using the TMM raw socket "sock" driver. | 16.1.4, 15.1.10 |
1102849-3 | 3-Major | BT1102849 | Less-privileged users (guest, operator, etc) are unable to run top level commands | 17.1.0, 16.1.4, 15.1.9, 14.1.5.1 |
1101453-1 | 3-Major | BT1101453 | MCPD SIGABRT and core happened while deleting GTM pool member | 17.1.0, 16.1.4, 15.1.9 |
1100409-4 | 3-Major | BT1100409 | Valid connections may fail while a virtual server is in SYN cookie mode. | 17.1.0, 16.1.4, 15.1.9 |
1100321 | 3-Major | BT1100321 | MCPD memory leak | 17.1.0, 16.1.4, 15.1.10 |
1100125-4 | 3-Major | BT1100125 | Per virtual SYN cookie may not be activated on all HSB modules | 17.1.0, 16.1.4, 15.1.10 |
1091725-4 | 3-Major | BT1091725 | Memory leak in IPsec | 17.1.0, 16.1.4, 15.1.9 |
1088429-4 | 3-Major | BT1088429 | Kernel slab memory leak | 17.1.0, 16.1.4, 15.1.9 |
1086517-2 | 3-Major | BT1086517 | TMM may not properly exit hardware SYN cookie mode | 17.1.0, 16.1.4, 15.1.6.1 |
1085837-2 | 3-Major | BT1085837 | Virtual server may not exit from hardware SYN cookie mode | 17.1.0, 16.1.4, 15.1.6.1 |
1084781-6 | 3-Major | Resource Admin permission modification | 17.1.0, 16.1.4, 15.1.9 | |
1081649-2 | 3-Major | BT1081649 | Remove the "F5 iApps and Resources" link from the iApps->Package Management | 17.1.0, 16.1.4, 15.1.9 |
1081641-4 | 3-Major | BT1081641 | Remove Hyperlink to Legal Statement from Login Page | 17.1.0, 16.1.4, 15.1.10 |
1080297-1 | 3-Major | BT1080297 | ZebOS does not show 'log syslog' in the running configuration, or store it in the startup configuration | 17.1.0, 16.1.4, 15.1.9 |
1077533-1 | 3-Major | BT1077533 | Status is showing INOPERATIVE after an upgrade and reboot★ | 17.1.1, 16.1.4, 15.1.10 |
1077405-2 | 3-Major | BT1077405 | Ephemeral pool members may not be created with autopopulate enabled. | 17.1.0, 16.1.4, 15.1.9 |
1076785-2 | 3-Major | BT1076785 | Virtual server may not properly exit from hardware SYN Cookie mode | 17.1.0, 16.1.4, 15.1.5.1 |
1069337-2 | 3-Major | CVE-2016-1841 - Use after free in xsltDocumentFunctionLoadDocument | 17.1.0, 16.1.4, 15.1.9 | |
1063237-4 | 3-Major | BT1063237 | Stats are incorrect when the management interface is not eth0 | 16.1.4, 15.1.9 |
1062953-1 | 3-Major | BT1062953 | Unable to save configuration via tmsh or the GUI. | 17.0.0, 16.1.4 |
1053557-2 | 3-Major | BT1053557 | Support for Mellanox CX-6 | 17.1.0, 16.1.4, 15.1.9 |
1048709-2 | 3-Major | BT1048709 | FCS errors between the switch and HSB | 17.1.0, 16.1.4, 15.1.8 |
1044089-3 | 3-Major | BT1044089 | ICMP echo requests to virtual address gets a response even when the virtual server is offline when updated from GUI. | 17.1.1, 16.1.4, 15.1.10 |
1032821-7 | 3-Major | BT1032821 | Syslog: invalid level/facility from /usr/libexec/smart_parse.pl | 17.0.0, 16.1.4, 15.1.9 |
1029105-1 | 3-Major | BT1029105 | Hardware SYN cookie mode state change logs bogus virtual server address | 17.1.0, 16.1.4, 15.1.4 |
1001069-5 | 3-Major | BT1001069 | VE CPU usage higher after upgrade, given same throughput | 17.1.0, 16.1.4, 15.1.9 |
964533-2 | 4-Minor | BT964533 | Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs. | 17.1.1, 16.1.4, 15.1.10 |
939757-8 | 4-Minor | BT939757 | Deleting a virtual server might not trigger route injection update. | 17.1.1, 16.1.4, 15.1.10 |
904661-4 | 4-Minor | BT904661 | Mellanox NIC speeds may be reported incorrectly on Virtual Edition | 17.1.0, 16.1.4 |
889813-3 | 4-Minor | BT889813 | Show net bwc policy prints bytes-per-second instead of bits-per-second | 17.0.0, 16.1.4, 15.1.10, 14.1.4.5 |
838405-4 | 4-Minor | BT838405 | Listener traffic-group may not be updated when spanning is in use | 17.1.1, 16.1.4, 15.1.10 |
760496-4 | 4-Minor | BT760496 | Traffic processing interrupted by PF reset | 17.1.0, 16.1.4, 15.1.9 |
674026-6 | 4-Minor | BT674026 | iSeries AOM web UI update fails to complete.★ | 17.0.0, 16.1.4, 15.1.9 |
1256777-3 | 4-Minor | BT1256777 | In BGP, as-origination interval not persisting after restart when configured on a peer-group. | 17.1.1, 16.1.4 |
1252537-3 | 4-Minor | BT1252537 | Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role | 17.1.1, 16.1.4 |
1185257-4 | 4-Minor | BT1185257 | BGP confederations do not support 4-byte ASNs | 17.1.1, 16.1.4, 15.1.10 |
1155733-1 | 4-Minor | BT1155733 | NULL bytes are clipped from the end of buffer | 17.1.0, 16.1.4, 15.1.9 |
1117305-6 | 4-Minor | BT1117305 | The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials | 17.1.1, 16.1.4, 15.1.9 |
1106353-4 | 4-Minor | BT1106353 | [Zebos] Expand zebos/bgp commands in a qkview | 17.1.0, 16.1.4, 15.1.9 |
1090441-1 | 4-Minor | BT1090441 | IKEv2: Add algorithm info to SK_ logging | 17.1.0, 16.1.4 |
1076897-4 | 4-Minor | BT1076897 | OSPF default-information originate command options not working properly | 17.1.0, 16.1.4, 15.1.9 |
1076253-1 | 4-Minor | BT1076253 | IKE library memory leak | 17.0.0, 16.1.4, 15.1.9 |
1062385-4 | 4-Minor | BT1062385 | BIG-IP has an incorrect limit on the number of monitored HA-group entries. | 17.1.0, 16.1.4, 15.1.9 |
1057457-3 | 4-Minor | CVE-2015-9019: libxslt vulnerability: math.random() | 17.0.0, 16.1.4, 15.1.8 | |
1057449-3 | 4-Minor | CVE-2015-7995 libxslt vulnerability: Type confusion may cause DoS | 17.0.0, 16.1.4, 15.1.8 | |
1057441-3 | 4-Minor | An out-of-bounds access flawb in the libxslt component | 17.0.0, 16.1.4, 15.1.8 | |
1057433-3 | 4-Minor | Integer overflow in libxslt component | 17.0.0, 16.1.4, 15.1.8 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1112349-4 | 1-Blocking | BT1112349 | FIPS Card Cannot Initialize | 17.1.0, 16.1.4, 15.1.9 |
937649-4 | 2-Critical | BT937649 | Flow fwd broken with statemirror.verify enabled and source-port preserve strict | 17.1.0, 16.1.4, 15.1.9 |
935193-4 | 2-Critical | BT935193 | With APM and AFM provisioned, single logout ( SLO ) fails | 17.0.0, 16.1.4, 15.1.10 |
1282357-1 | 2-Critical | BT1282357 | Double HTTP::disable can lead to tmm core | 17.1.1, 16.1.4, 15.1.10 |
1205501-2 | 2-Critical | BT1205501 | The iRule command SSL::profile can select server SSL profile with outdated configuration | 17.1.1, 16.1.4, 15.1.9 |
1186249-2 | 2-Critical | BT1186249 | TMM crashes on reject rule | 17.1.0, 16.1.4 |
1156697-3 | 2-Critical | BT1156697 | Translucent VLAN groups may pass some packets without changing the locally administered bit | 17.1.0, 16.1.4, 15.1.9 |
1146377-2 | 2-Critical | BT1146377 | FastHTTP profiles do not insert HTTP headers triggered by iRules | 17.1.1, 16.1.4, 15.1.9 |
1132405-4 | 2-Critical | BT1132405 | TMM does not process BFD echo pkts with src.addr == dst.addr | 17.1.0, 16.1.4, 15.1.9 |
1126093 | 2-Critical | BT1126093 | DNSSEC Key creation failure with internal FIPS card. | 17.1.1, 16.1.4 |
1110813-3 | 2-Critical | BT1110813 | Improve MPTCP retransmission handling while aborting | 17.1.0, 16.1.4, 15.1.9 |
1099545-2 | 2-Critical | BT1099545 | Tmm may core when PEM virtual with a simple policy and iRule is being used | 17.1.0, 16.1.4, 15.1.9 |
1075073-2 | 2-Critical | BT1075073 | TMM Crash observed with Websocket and MQTT profile enabled | 17.0.0, 16.1.4, 15.1.9 |
1067669-1 | 2-Critical | BT1067669 | TCP/UDP virtual servers drop all incoming traffic. | 17.0.0, 16.1.4, 15.1.9 |
1030185-5 | 2-Critical | BT1030185 | TMM may crash when looking up a persistence record using "persist lookup" iRule commands | 17.0.0, 16.1.4, 15.1.9 |
1024241-1 | 2-Critical | BT1024241 | Empty TLS records from client to BIG-IP results in SSL session termination | 17.1.1, 16.1.4, 15.1.9 |
985925-3 | 3-Major | BT985925 | Ipv6 Routing Header processing not compatible as per Segments Left value. | 17.1.1, 16.1.4, 15.1.10 |
976525-5 | 3-Major | BT976525 | Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled | 17.0.0, 16.1.4, 15.1.6.1, 14.1.5 |
956133-2 | 3-Major | BT956133 | MAC address might be displayed as 'none' after upgrading.★ | 17.0.0, 16.1.4, 15.1.4, 14.1.4.4 |
948065-1 | 3-Major | BT948065 | DNS Responses egress with an incorrect source IP address. | 17.0.0, 16.1.4, 15.1.9 |
921541-6 | 3-Major | BT921541 | When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker. | 17.1.1, 16.1.4, 15.1.10 |
878641-3 | 3-Major | BT878641 | TLS1.3 certificate request message does not contain CAs | 17.1.1, 16.1.4, 15.1.9 |
876569-2 | 3-Major | BT876569 | QAT compression codec produces gzip stream with CRC error | 17.1.1, 16.1.4, 15.1.10 |
851121-6 | 3-Major | BT851121 | Database monitor DBDaemon debug logging not enabled consistently | 17.1.1, 16.1.4, 15.1.10 |
842425-6 | 3-Major | BT842425 | Mirrored connections on standby are never removed in certain configurations | 17.1.1, 16.1.4, 15.1.10 |
693473-8 | 3-Major | BT693473 | The iRulesLX RPC completion can cause invalid or premature TCL rule resumption | 17.1.1, 16.1.4, 15.1.9 |
574762-4 | 3-Major | BT574762 | Forwarding flows leak when a routing update changes the egress vlan | 17.0.0, 16.1.4, 15.1.9 |
1292793-3 | 3-Major | BT1292793 | FIX protocol late binding flows that are not PVA accelerated may fail | 17.1.1, 16.1.4, 15.1.10 |
1291565-2 | 3-Major | BT1291565 | BIG-IP generates more multicast packets in multicast failover high availability (HA) setup | 17.1.1, 16.1.4, 15.1.10 |
1284993-1 | 3-Major | BT1284993 | TLS extensions which are configured after session_ticket are not parsed from Client Hello messages | 17.1.1, 16.1.4 |
1284589-2 | 3-Major | BT1284589 | HTTP CONNECT request from client is not successful with iRule HTTP::disable discard command | 16.1.4 |
1281637-1 | 3-Major | BT1281637 | When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE | 17.1.1, 16.1.4, 15.1.9 |
1269733-3 | 3-Major | BT1269733 | HTTP GET request with headers has incorrect flags causing timeout | 17.1.1, 16.1.4, 15.1.10 |
1250085-3 | 3-Major | BT1250085 | BPDU is not processed with STP passthough mode enabled in BIG-IP | 17.1.1, 16.1.4 |
1238413-3 | 3-Major | BT1238413 | The BIG-IP might fail to update ARL entry for a host in a VLAN-group | 17.1.1, 16.1.4, 15.1.10 |
1229417-2 | 3-Major | BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability | 17.1.1, 16.1.4, 15.1.9 | |
1229369-3 | 3-Major | BT1229369 | The fastl4 TOS mimic setting towards client may not function | 17.1.1, 16.1.4, 15.1.10 |
1210469-3 | 3-Major | BT1210469 | TMM can crash when processing AXFR query for DNSX zone | 17.1.1, 16.1.4, 15.1.9 |
1185133-2 | 3-Major | BT1185133 | ILX streaming plugins limited to MCP OIDs less than 10 million | 17.1.0, 16.1.4, 15.1.9 |
1184153-2 | 3-Major | BT1184153 | TMM crashes when you use the rateshaper with packetfilter enabled | 17.1.0, 16.1.4, 15.1.9 |
1159569-2 | 3-Major | BT1159569 | Persistence cache records may accumulate over time | 17.1.0, 16.1.4, 15.1.9 |
1155393-2 | 3-Major | BT1155393 | Failure to remove chunk headers from chunked response with Rewrite/HTML profile and compression | 17.1.0, 16.1.4, 15.1.9 |
1146241-2 | 3-Major | BT1146241 | FastL4 virtual server may egress packets with unexpected and erratic TTL values | 17.1.0, 16.1.4, 15.1.9 |
1146037-1 | 3-Major | BT1146037 | Updating the firmware for a FIPS protected internal HSM due to SDK or driver upgrade | 17.1.0, 16.1.4 |
1144117-3 | 3-Major | BT1144117 | "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands | 17.1.1, 16.1.4, 15.1.9 |
1141845-4 | 3-Major | BT1141845 | RULE_INIT with a call that contains an extra colon character (:) will crash BIG-IP. | 17.1.0, 16.1.4, 15.1.9 |
1135313-4 | 3-Major | BT1135313 | Pool member current connection counts are incremented and not decremented | 17.1.0, 16.1.4, 15.1.9 |
1133881-2 | 3-Major | BT1133881 | Errors in attaching port lists to virtual server when TMC is used with same sources | 17.1.0, 16.1.4, 15.1.9 |
1133625-2 | 3-Major | BT1133625 | The HTTP2 protocol is not working when SSL persistence and session ticket are enabled | 17.1.0, 16.1.4, 15.1.9 |
1128721-2 | 3-Major | BT1128721 | L2 wire support on vCMP architecture platform | 17.1.0, 16.1.4, 15.1.8 |
1126841-3 | 3-Major | BT1126841 | HTTP::enable can rarely cause cores | 17.1.1, 16.1.4, 15.1.10 |
1126329-2 | 3-Major | BT1126329 | SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT★ | 17.1.0, 16.1.4, 15.1.9 |
1123169-1 | 3-Major | BT1123169 | Error saving an iRule when calling a procedure from HTML_TAG_MATCHED event | 17.1.0, 16.1.4, 15.1.9 |
1117609-2 | 3-Major | BT1117609 | VLAN guest tagging is not implemented for CX4 and CX5 on ESXi | 17.1.1, 16.1.4, 15.1.10 |
1115041-1 | 3-Major | BT1115041 | BIG-IP does not forward the response received after GOAWAY, to the client. | 17.1.0, 16.1.4, 15.1.9 |
1113181-2 | 3-Major | BT1113181 | Self-IP allows no traffic following a modification from "Allow Custom (Include Default)" to "Allow Custom". | 16.1.4, 15.1.9 |
1112745-2 | 3-Major | BT1112745 | System CPU Usage detailed graph is not accessible on Cerebrus+ | 17.1.0, 16.1.4, 15.1.7 |
1111473-4 | 3-Major | BT1111473 | The error Invalid monitor rule instance identifier occurs, and possible blade reboot loop after sync with FQDN nodes | 17.1.0, 16.1.4, 15.1.9 |
1109953-4 | 3-Major | BT1109953 | TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry | 17.1.0, 16.1.4, 15.1.9 |
1107565 | 3-Major | BT1107565 | SSL Persistence behavior change for TLS1.3 connection between v16.1.0 and v16.1.2.2 | 17.1.1, 16.1.4 |
1102429-2 | 3-Major | BT1102429 | iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases. | 17.1.0, 16.1.4, 15.1.9 |
1101697-2 | 3-Major | BT1101697 | TLS1.3 connection failure with 0-RTT and Hello Retry Request (HRR). | 17.1.0, 16.1.4, 15.1.7 |
1101181-2 | 3-Major | BT1101181 | HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server | 17.1.0, 16.1.4, 15.1.9 |
1099229-4 | 3-Major | BT1099229 | SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present | 17.1.0, 16.1.4, 15.1.9, 14.1.5.1 |
1096893-1 | 3-Major | BT1096893 | TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection | 17.1.1, 16.1.4, 15.1.9 |
1091969-3 | 3-Major | BT1091969 | iRule 'virtual' command does not work for connections over virtual-wire. | 16.1.4, 15.1.9 |
1088173-2 | 3-Major | BT1088173 | With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile | 17.1.0, 16.1.4, 15.1.7 |
1080569-2 | 3-Major | BT1080569 | BIG-IP prematurely closes clientside HTTP1.1 connection when serverside is HTTP2 and HTTP MRF router is enabled on virtual server | 17.1.0, 16.1.4, 15.1.9 |
1079769-1 | 3-Major | BT1079769 | Tmm utilizing the virtio driver might crash after modifying several IPv6 virtual servers | 17.0.0, 16.1.4, 15.1.9 |
1077553-3 | 3-Major | BT1077553 | Traffic matches the wrong virtual server after modifying the port matching configuration | 17.1.0, 16.1.4, 15.1.9 |
1076577-3 | 3-Major | BT1076577 | iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg' | 17.1.0, 16.1.4, 15.1.7 |
1076573-3 | 3-Major | BT1076573 | MQTT profile addition is different in GUI and TMSH | 17.0.0, 16.1.4, 15.1.9 |
1074505-1 | 3-Major | BT1074505 | Traffic classes are not attached to virtual server at TMM start | 17.0.0, 16.1.4, 15.1.6.1, 14.1.5.1 |
1070389-4 | 3-Major | K000132430, BT1070389 | Tightening HTTP RFC enforcement | 17.1.0, 16.1.4, 15.1.9 |
1068673-3 | 3-Major | BT1068673 | SSL forward Proxy triggers CLIENTSSL_DATA event on bypass. | 17.1.0, 16.1.4, 15.1.9 |
1060021-1 | 3-Major | BT1060021 | Using OneConnect profile with RESOLVER::name_lookup iRule might result in core. | 17.1.0, 16.1.4, 15.1.9 |
1053741-4 | 3-Major | BT1053741 | Bigd may exit and restart abnormally without logging a reason | 17.1.0, 16.1.4, 15.1.8 |
1053173-1 | 3-Major | BT1053173 | Support for MQTT functionality over websockets. | 17.0.0, 16.1.4 |
1043009 | 3-Major | BT1043009 | TMM dump capture for compression engine hang | 17.1.0, 16.1.4, 15.1.9 |
1040017-5 | 3-Major | BT1040017 | Final ACK validation during flow accept might fail with hardware SYN Cookie | 17.0.0, 16.1.4, 15.1.7 |
1012813-1 | 3-Major | BT1012813 | Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file" | 17.1.1, 16.1.4 |
1000561-5 | 3-Major | BT1000561 | HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side | 17.1.1, 16.1.4, 15.1.9 |
1000069-3 | 3-Major | BT1000069 | Virtual server does not create the listener | 17.1.0, 16.1.4, 15.1.9 |
962177-6 | 4-Minor | BT962177 | Results of POLICY::names and POLICY::rules commands may be incorrect | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4, 13.1.4.1 |
960677-1 | 4-Minor | BT960677 | Improvement in handling accelerated TLS traffic | 17.1.1, 16.1.4, 15.1.9 |
1281709-3 | 4-Minor | BT1281709 | Traffic-group ID may not be updated properly on a TMM listener | 17.1.1, 16.1.4, 15.1.10 |
1240937-3 | 4-Minor | BT1240937 | The FastL4 TOS specify setting towards server may not function for IPv6 traffic | 17.1.1, 16.1.4, 15.1.10 |
1211189-3 | 4-Minor | BT1211189 | Stale connections observed and handshake failures observed with errors | 17.1.1, 16.1.4 |
1156105-2 | 4-Minor | BT1156105 | Proxy Exclusion List is not configurable if VLAN group and route-domain are in non default partition | 17.1.0, 16.1.4, 15.1.9 |
1137717-2 | 4-Minor | BT1137717 | There are no dynconfd logs during early initialization | 17.1.1, 16.1.4, 15.1.10 |
1133557-2 | 4-Minor | BT1133557 | Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name | 17.1.1, 16.1.4, 15.1.10 |
1132765-4 | 4-Minor | BT1132765 | Virtual server matching might fail in rare cases when using virtual server chaining. | 17.1.0, 16.1.4, 15.1.9 |
1128505-2 | 4-Minor | BT1128505 | HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy | 17.1.1, 16.1.4 |
1122377-2 | 4-Minor | BT1122377 | If-Modified-Since always returns 304 response if there is no last-modified header in the server response | 17.1.0, 16.1.4, 15.1.9 |
1111981-3 | 4-Minor | BT1111981 | Decrement in MQTT current connections even if the connection was never active | 17.1.0, 16.1.4, 15.1.9 |
1103617-4 | 4-Minor | BT1103617 | 'Reset on Timeout' setting might be ignored when fastl4 is used with another profile. | 17.1.0, 16.1.4, 15.1.9 |
1101369-1 | 4-Minor | BT1101369 | MQTT connection stats are not updated properly | 17.1.0, 16.1.4, 15.1.9 |
1037265-2 | 4-Minor | K11453402, BT1037265 | Improper handling of multiple cookies with the same name. | 17.1.0, 16.1.4, 15.1.9 |
1034217-2 | 4-Minor | BT1034217 | Quic_update_rtt can leave ack_delay uninitialized. | 17.0.0, 16.1.4, 15.1.9 |
1030533-1 | 4-Minor | BT1030533 | The BIG-IP system may reject valid HTTP responses from OCSP servers. | 17.0.0, 16.1.4, 15.1.9 |
1027805-4 | 4-Minor | BT1027805 | DHCP flows crossing route-domain boundaries might fail. | 17.0.0, 16.1.4, 15.1.9 |
Performance Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1127445-3 | 2-Critical | BT1127445 | Performance degradation after Bug ID 1019853 | 17.1.0, 16.1.4, 15.1.9 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1211341-4 | 1-Blocking | BT1211341 | Failed to delete custom monitor after dissociating from virtual server | 17.1.0, 16.1.4, 15.1.10 |
1137485-2 | 2-Critical | BT1137485 | Gtmd produces excessive logging and may also crash (SIGSEGV) repeatedly | 17.1.0, 16.1.4, 15.1.9 |
966461-7 | 3-Major | BT966461 | Tmm memory leak | 17.1.0, 16.1.4, 15.1.9 |
935945-2 | 3-Major | BT935945 | GTM HTTP/HTTPS monitors cannot be modified via GUI | 17.1.0, 16.1.4, 15.1.10 |
1230709-1 | 3-Major | BT1230709 | Remove unnecessary logging with nsec3_add_nonexist_proof | 16.1.4, 15.1.10 |
1200929-2 | 3-Major | BT1200929 | GTM configuration objects larger than 16384 bytes can cause the GTM sync process to hang | 17.1.0, 16.1.4, 15.1.10 |
1182353-3 | 3-Major | BT1182353 | DNS cache consumes more memory because of the accumulated mesh_states | 17.1.1, 16.1.4, 15.1.9 |
1162081-6 | 3-Major | Upgrade the bind package to fix security vulnerabilities | 17.1.0, 16.1.4, 15.1.9 | |
1122497-4 | 3-Major | BT1122497 | Rapid response not functioning after configuration changes | 17.1.0, 16.1.4, 15.1.9 |
1108237-2 | 3-Major | BT1108237 | Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM. | 17.1.1, 16.1.4 |
1073677-1 | 3-Major | BT1073677 | Add a db variable to enable answering DNS requests before reqInitState Ready | 17.1.0, 16.1.4, 15.1.10 |
1060145-1 | 3-Major | BT1060145 | Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2. | 17.1.0, 16.1.4, 15.1.9 |
1048077 | 3-Major | BT1048077 | SELinux errors with gtmd when using internal FIPS card | 17.1.0, 16.1.4 |
808913-1 | 4-Minor | BT808913 | Big3d cannot log the full XML buffer data | 17.0.0, 16.1.4, 15.1.9 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1105341-2 | 0-Unspecified | BT1105341 | Decode_application_payload can break exponent notation in JSON | 17.1.0, 16.1.4, 15.1.9 |
923821-1 | 2-Critical | BT923821 | Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack | 17.1.1, 16.1.4, 15.1.9 |
884945-1 | 2-Critical | BT884945 | Latency reduce in case of empty parameters. | 17.0.0, 16.1.4, 15.1.9 |
850141-2 | 2-Critical | BT850141 | Possible tmm core when using Dosl7/Bot Defense profile | 17.1.1, 16.1.4, 15.1.9 |
791669-5 | 2-Critical | BT791669 | TMM might crash when Bot Defense is configured for multiple domains | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.2.3 |
1132697-3 | 2-Critical | BT1132697 | Use of proactive bot defense profile can trigger TMM crash | 17.1.1, 16.1.4, 15.1.9 |
1113161-2 | 2-Critical | BT1113161 | After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets★ | 17.1.0, 16.1.4, 15.1.9 |
1095185-2 | 2-Critical | BT1095185 | Failed Configuration Load on Secondary Slot After Device Group Sync | 17.1.0, 16.1.4, 15.1.9 |
1040757-1 | 2-Critical | BT1040757 | A BD memory leak was fixed | 17.0.0, 16.1.4 |
974985-6 | 3-Major | BT974985 | Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable | 17.0.0, 16.1.4, 15.1.9 |
956373-4 | 3-Major | BT956373 | ASM sync files not cleaned up immediately after processing | 17.0.0, 16.1.4, 16.0.1.2, 15.1.3, 14.1.4.1 |
950917-4 | 3-Major | BT950917 | Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 | 17.0.0, 16.1.4, 15.1.4, 14.1.4.2, 13.1.4.1 |
929077-4 | 3-Major | BT929077 | Bot Defense allow list does not apply when using default Route Domain and XFF header | 17.0.0, 16.1.4, 16.0.1.1, 15.1.3, 14.1.4 |
928997-3 | 3-Major | BT928997 | Less XML memory allocated during ASM startup | 17.1.1, 16.1.4, 15.1.9 |
903313-4 | 3-Major | BT903313 | OWASP page: File Types score in Broken Access Control category is always 0. | 17.0.0, 16.1.4 |
890169-4 | 3-Major | BT890169 | URLs starting with double slashes might not be loaded when using a Bot Defense Profile. | 17.1.1, 16.1.4, 15.1.10 |
1312057-1 | 3-Major | bd instability when using many remote loggers with Arcsight format | 17.1.1, 16.1.4 | |
1297089-3 | 3-Major | BT1297089 | Support Dynamic Parameter Extractions in declarative policy | 17.1.1, 16.1.4 |
1296469-2 | 3-Major | ASM UI hardening | 17.1.1, 16.1.4 | |
1286101-1 | 3-Major | BT1286101 | JSON Schema validation failure with E notation number | 17.1.1, 16.1.4, 15.1.10 |
1216297-1 | 3-Major | BT1216297 | TMM core occurs when using disabling ASM of request_send event | 17.1.1, 16.1.4 |
1196537-1 | 3-Major | BT1196537 | BD process crashes when you use SMTP security profile | 17.1.1, 16.1.4, 15.1.9 |
1195125 | 3-Major | BT1195125 | "Failed to allocate memory for nodes of size 0, no variables found in query" BD log message fix | 16.1.4 |
1194173-2 | 3-Major | BT1194173 | BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value | 17.1.1, 16.1.4, 15.1.9 |
1190365-3 | 3-Major | BT1190365 | OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly | 17.1.1, 16.1.4, 15.1.10 |
1186437-1 | 3-Major | BT1186437 | Link to Server Technologies is not working | 16.1.4 |
1186401-2 | 3-Major | BT1186401 | Using REST API to change policy signature settings changes all the signatures. | 17.1.1, 16.1.4, 15.1.9 |
1186385-1 | 3-Major | BT1186385 | Link to 'Enforced Cookies' and 'SameSite Cookie Attribute Enforcement ' is opening the Policies List page | 16.1.4 |
1184841-2 | 3-Major | BT1184841 | Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API | 17.1.1, 16.1.4, 15.1.10 |
1173493-4 | 3-Major | BT1173493 | Bot signature staging timestamp corrupted after modifying the profile | 17.1.1, 16.1.4, 15.1.10 |
1156889-3 | 3-Major | BT1156889 | TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions | 17.1.1, 16.1.4, 15.1.9 |
1148009-2 | 3-Major | BT1148009 | Cannot sync an ASM logging profile on a local-only VIP | 17.1.1, 16.1.4, 15.1.9 |
1144497-2 | 3-Major | BT1144497 | Base64 encoded metachars are not detected on HTTP headers | 17.1.1, 16.1.4, 15.1.9 |
1141665-2 | 3-Major | BT1141665 | Significant slowness in policy creation following Threat Campaign LU installation | 17.1.0, 16.1.4, 15.1.9 |
1137993-2 | 3-Major | BT1137993 | Violation is not triggered on specific configuration | 17.1.1, 16.1.4, 15.1.9 |
1132981-2 | 3-Major | BT1132981 | Standby not persisting manually added session tracking records | 17.1.1, 16.1.4, 15.1.9 |
1132741-2 | 3-Major | BT1132741 | Tmm core when html parser scans endless html tag of size more then 50MB | 17.1.1, 16.1.4, 15.1.9 |
1128689-2 | 3-Major | BT1128689 | High BD CPU utilization | 16.1.4, 15.1.9 |
1127809-2 | 3-Major | BT1127809 | Due to incorrect URI parsing, the system does not extract the expected domain name | 17.1.0, 16.1.4, 15.1.9 |
1126409-3 | 3-Major | BT1126409 | BD process crash | 17.1.0, 16.1.4, 15.1.9 |
1117245-2 | 3-Major | BT1117245 | Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file | 17.1.1, 16.1.4, 15.1.10 |
1113881-2 | 3-Major | BT1113881 | Headers without a space after the colon, trigger an HTTP RFC violation | 17.1.0, 16.1.4, 15.1.9 |
1112805-4 | 3-Major | BT1112805 | ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4 | 17.1.0, 16.1.4, 15.1.9 |
1110281-2 | 3-Major | BT1110281 | Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable | 17.1.1, 16.1.4, 15.1.9 |
1106937-3 | 3-Major | BT1106937 | ASM may skip signature matching | 17.1.0, 16.1.4, 15.1.9 |
1102301-2 | 3-Major | BT1102301 | Content profiles created for types other than video and image allowing executable | 17.1.0, 16.1.4 |
1100669-3 | 3-Major | BT1100669 | Brute force captcha loop | 17.1.0, 16.1.4, 15.1.9 |
1100393-2 | 3-Major | BT1100393 | Multiple Referer header raise false positive evasion violation | 17.1.0, 16.1.4 |
1099193-2 | 3-Major | BT1099193 | Incorrect configuration for "Auto detect" parameter is shown after switching from other data types | 17.1.0, 16.1.4, 15.1.9 |
1098609-4 | 3-Major | BT1098609 | BD crash on specific scenario | 17.1.1, 16.1.4, 15.1.9 |
1095041-2 | 3-Major | BT1095041 | ASM truncates cookies that contain a space in the name and TS cookie as part of cookie list. | 17.1.0, 16.1.4, 15.1.10 |
1089853-2 | 3-Major | BT1089853 | "Virtual Server" or "Bot Defense Profile" links in Request Details are not working | 17.1.0, 16.1.4 |
1089345-1 | 3-Major | BT1089345 | BD crash when mcp is down, usually on startups | 17.1.0, 16.1.4 |
1085661-1 | 3-Major | BT1085661 | Standby system saves config and changes status after sync from peer | 17.1.1, 16.1.4, 15.1.10 |
1084257-2 | 3-Major | K11342432, BT1084257 | New HTTP RFC Compliance check in headers | 17.1.0, 17.0.0.1, 16.1.4, 15.1.7 |
1080613-1 | 3-Major | BT1080613 | LU configurations revert to default and installations roll back to genesis files★ | 17.1.0, 16.1.4, 15.1.9 |
1078065-2 | 3-Major | BT1078065 | The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA. | 17.1.1, 16.1.4, 15.1.9 |
1072165-2 | 3-Major | BT1072165 | Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format | 17.1.0, 16.1.4, 15.1.9 |
1069729-3 | 3-Major | BT1069729 | TMM might crash after a configuration change. | 17.1.1, 16.1.4, 15.1.9 |
1067589-3 | 3-Major | BT1067589 | Memory leak in nsyncd | 17.1.0, 16.1.4, 15.1.9 |
1067557-2 | 3-Major | BT1067557 | Value masking under XML and JSON content profiles does not follow policy case sensitivity | 17.1.1, 16.1.4, 15.1.9 |
1059513-1 | 3-Major | BT1059513 | Virtual servers may appear as detached from security policy when they are not. | 17.1.1, 16.1.4, 15.1.10 |
1058597-5 | 3-Major | BT1058597 | Bd crash on first request after system recovery. | 17.0.0, 16.1.4, 15.1.9 |
1048949-1 | 3-Major | BT1048949 | TMM xdata leak on websocket connection with asm policy without websocket profile | 17.1.1, 16.1.4, 15.1.9 |
1029989-6 | 3-Major | BT1029989 | CORS : default port of origin header is set 80, even when the protocol in the header is https | 16.1.4, 15.1.10 |
1023889-3 | 3-Major | BT1023889 | HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message | 17.1.1, 16.1.4, 15.1.10 |
1017557-1 | 3-Major | BT1017557 | ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN | 17.1.0, 16.1.4, 15.1.9 |
942617-2 | 4-Minor | BT942617 | Heading or tailing white spaces of variable are not trimmed in configuration utility System Variable | 17.1.1, 16.1.4, 15.1.10 |
810917-1 | 4-Minor | BT810917 | OWASP Compliance score is shown for parent and child policies that are not applicable. | 17.0.0, 16.1.4 |
1213333 | 4-Minor | BT1213333 | Check box to select all attack signatures does not work properly | 16.1.4 |
1189865-2 | 4-Minor | BT1189865 | "Cookie not RFC-compliant" violation missing the "Description" in the event logs | 17.1.1, 16.1.4, 15.1.9 |
1184929-1 | 4-Minor | BT1184929 | GUI link displays mixed values FULFILLED or Requirement Fulfilled and NOT FULFILLED or Requirement Not Fulfilled | 16.1.4 |
1133997-3 | 4-Minor | BT1133997 | Duplicate user-defined Signature Set based on untagged signatures is created upon policy clone or import | 17.1.1, 16.1.4 |
1132925-3 | 4-Minor | BT1132925 | Bot defense does not work with DNS Resolvers configured under non-zero route domains | 17.1.0, 16.1.4, 15.1.9 |
1123153-3 | 4-Minor | BT1123153 | "Such URL does not exist in policy" error in the GUI | 17.1.1, 16.1.4, 15.1.9 |
1113753-2 | 4-Minor | BT1113753 | Signatures might not be detected when using truncated multipart requests | 17.1.1, 16.1.4, 15.1.10 |
1111793-2 | 4-Minor | BT1111793 | New HTTP RFC Compliance check for incorrect newline separators between request line and first header | 17.1.0, 16.1.4, 15.1.7 |
1108657-3 | 4-Minor | BT1108657 | No notification about disabled "Virus detected" violation in case of enabling "Anti-Virus Protection" | 17.1.0, 16.1.4 |
1099765-3 | 4-Minor | BT1099765 | Inconsistent behavior in violation detection with maximum parameter enforcement | 17.1.1, 16.1.4, 15.1.10 |
1092965-2 | 4-Minor | BT1092965 | Disabled "Illegal Base64 value" violation is detect for staged base64 parameter with attack signature in value | 17.1.0, 16.1.4, 15.1.9 |
1084857-2 | 4-Minor | BT1084857 | ASM::support_id iRule command does not display the 20th digit | 17.1.1, 16.1.4, 15.1.10 |
1083513-1 | 4-Minor | BT1083513 | BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd | 17.1.1, 16.1.4, 15.1.10 |
1076825-1 | 4-Minor | BT1076825 | "Live Update" configuration and list of update files reverts to default after upgrade to v16.1.x and v17.1.x from earlier releases.★ | 17.1.1, 16.1.4 |
1026277-6 | 4-Minor | BT1026277 | Apply Policy can get ignored in auto-sync setup, while importing/replacing several existing policies with policies that have Policy Builder enabled | 17.0.0, 16.1.4 |
1003765-2 | 4-Minor | BT1003765 | Authorization header signature triggered even when explicitly disabled | 17.1.0, 16.1.4, 15.1.4.1 |
1113333-3 | 5-Cosmetic | BT1113333 | Change ArcSight Threat Campaign key names to be camelCase | 17.1.0, 16.1.4, 15.1.9 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
932485-5 | 3-Major | BT932485 | Incorrect sum(hits_count) value in aggregate tables | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
1111189-2 | 3-Major | BT1111189 | Listing errors in tmsh and installation failures when the configuration includes an AVR scheduled-report. | 17.1.0, 16.1.4 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
965837-4 | 2-Critical | BT965837 | When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection | 17.0.0, 16.1.4, 15.1.9 |
1283645 | 2-Critical | BT1283645 | Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued | 17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6 |
1111149-2 | 2-Critical | BT1111149 | Nlad core observed due to ERR_func_error_string can return NULL | 17.1.1, 16.1.4, 15.1.9 |
1110489-3 | 2-Critical | BT1110489 | TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event | 17.1.1, 16.1.4, 15.1.9 |
1106757-3 | 2-Critical | BT1106757 | Horizon VDI clients are intermittently disconnected | 17.1.0, 16.1.4, 15.1.9 |
1082581-2 | 2-Critical | BT1082581 | Apmd sees large memory growth due to CRLDP Cache handling | 17.1.0, 16.1.4, 15.1.9, 14.1.5.3 |
1078829-1 | 2-Critical | BT1078829 | Login as current user fails in VMware | 17.0.0, 16.1.4, 15.1.10 |
1065501-2 | 2-Critical | BT1065501 | [API Protection]Per request policy is getting timed out | 17.0.0, 16.1.4, 15.1.9 |
1046633-1 | 2-Critical | BT1046633 | Rare tmm crash when sending packets to apmd fails | 17.0.0, 16.1.4, 15.1.9 |
957453-1 | 3-Major | BT957453 | Javascript parser incompatible with ECMAScript 6/7+ javascript versions | 17.1.0, 16.1.4, 15.1.9 |
956645-4 | 3-Major | BT956645 | Per-request policy execution may timeout. | 17.0.0, 16.1.4, 15.1.9, 14.1.4.5 |
819645-1 | 3-Major | BT819645 | Reset Horizon View application does not work when accessing through F5 APM | 17.1.0, 16.1.4, 15.1.9 |
796065-2 | 3-Major | BT796065 | PingAccess filter can accumulate connections increasing memory use. | 16.1.4 |
752077-4 | 3-Major | BT752077 | Kerberos replay cache leaks file descriptors | 17.0.0, 16.1.4, 15.1.9 |
490138-1 | 3-Major | BT490138 | Kerberos Auth might fail in case BIG-IP is configured with multiple AAA Kerberos Servers | 17.1.0, 16.1.4, 15.1.9 |
1268521 | 3-Major | BT1268521 | SAML authentication with the VCS fails when launching the applications/remote desktops from the APM Webtop when multiple RD resources are assigned to the APM Webtop | 17.1.1, 16.1.4, 15.1.10 |
1232977-3 | 3-Major | BT1232977 | TMM leaking memory in OAuth scope identifiers when parsing scope lists | 17.1.1, 16.1.4 |
1208949-1 | 3-Major | BT1208949 | TMM cored with SIGSEGV at 'vpn_idle_timer_callback' | 17.1.1, 16.1.4, 15.1.10 |
1205029 | 3-Major | BT1205029 | WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application | 17.1.1, 16.1.4 |
1196401-2 | 3-Major | BT1196401 | Restarting TMM does not restart APM Daemon | 17.1.0, 16.1.4, 15.1.9 |
1180365-2 | 3-Major | BT1180365 | APM Integration with Citrix Cloud Connector | 17.1.1, 16.1.4, 15.1.10 |
1173669-1 | 3-Major | BT1173669 | Unable to reach backend server with Per Request policy and Per Session together | 17.1.0, 16.1.4, 15.1.9 |
1167985-2 | 3-Major | BT1167985 | Network Access resource settings validation errors | 17.1.1, 16.1.4 |
1166449-2 | 3-Major | BT1166449 | APM - NTLM authentication will stop working if any of DC FQDN is not resolvable in the configured DC list | 17.1.0, 16.1.4, 15.1.9 |
1145361 | 3-Major | BT1145361 | When JWT is cached the error "JWT Expired and cannot be used" is observed | 17.1.1, 16.1.4 |
1124109-2 | 3-Major | Add "typ":"JWT" to JOSE Header while generating JWT token from OAuth AS | 17.1.0, 16.1.4, 15.1.10 | |
1113661-1 | 3-Major | BT1113661 | When OAuth profile is attached to access policy, iRule event in VPE breaks the evaluation | 17.1.0, 16.1.4 |
1111397-4 | 3-Major | BT1111397 | [APM][UI] Wizard should also allow same patterns as the direct GUI | 17.1.1, 16.1.4, 15.1.9 |
1108109-4 | 3-Major | BT1108109 | APM policy sync fails when access policy contains customization images★ | 17.1.0, 16.1.4, 15.1.9 |
1104409-1 | 3-Major | BT1104409 | Added Rewrite Control Lists builder to Admin UI | 17.1.0, 16.1.4, 15.1.9 |
1101321-3 | 3-Major | BT1101321 | APM log files are flooded after a client connection fails. | 17.1.0, 16.1.4, 15.1.9 |
1100549-3 | 3-Major | BT1100549 | "Resource Administrator" role cannot change ACL order | 17.1.0, 16.1.4, 15.1.9 |
1099305-2 | 3-Major | BT1099305 | Nlad core observed due to ERR_func_error_string can return NULL | 17.1.0, 16.1.4, 15.1.9 |
1089101-2 | 3-Major | BT1089101 | Apply Access Policy notification in UI after auto discovery | 17.1.0, 16.1.4, 15.1.9 |
1075849-5 | 3-Major | APM client hardening | 17.1.0, 16.1.4, 15.1.8.2 | |
1070029-1 | 3-Major | BT1070029 | GSS-SPNEGO SASL mechanism issue with AD Query to Synology Directory Service | 17.1.1, 16.1.4, 15.1.10 |
1067609-2 | 3-Major | Static keys were used while generating UUIDs under OAuth module | 17.1.0, 16.1.4, 15.1.9 | |
1064001-1 | 3-Major | BT1064001 | POST request to a virtual server with stream profile and a access policy is aborted. | 17.0.0, 16.1.4, 15.1.9 |
1060477-1 | 3-Major | BT1060477 | iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]". | 17.1.1, 16.1.4, 15.1.9 |
1050165 | 3-Major | BT1050165 | APM SSO is disabled in the session of users and requires support of administrator for resolving | 17.1.0, 16.1.4, 15.1.9 |
1046401-2 | 3-Major | BT1046401 | APM logs shows truncated OCSP URL path while performing OCSP Authentication. | 17.1.1, 16.1.4, 15.1.10 |
1042505-1 | 3-Major | BT1042505 | Session variable "session.user.agent" does not get populated for edge clients | 17.0.0, 16.1.4, 15.1.9 |
1039941-3 | 3-Major | BT1039941 | The webtop offers to download F5 VPN when it is already installed | 17.1.1, 16.1.4, 15.1.10 |
1038753-4 | 3-Major | K75431121, BT1038753 | OAuth Bearer with SSO does not process headers as expected | 17.1.0, 16.1.4, 15.1.9 |
1037877-3 | 3-Major | BT1037877 | OAuth Claim display order incorrect in VPE | 17.1.0, 16.1.4, 15.1.9 |
1018877-2 | 3-Major | BT1018877 | Subsession variable values mixing between sessions | 17.0.0, 16.1.4, 15.1.9 |
1013729-2 | 3-Major | BT1013729 | Changing User login password using VMware View Horizon client results in “HTTP error 500” | 17.0.0, 16.1.4, 15.1.10 |
1010961-1 | 3-Major | BT1010961 | Redirect fails when accessing SAML Resource more than once in SAML IDP initiated Flow | 17.1.0, 16.1.4 |
1010809-3 | 3-Major | BT1010809 | Connection is reset when sending a HTTP HEAD request to APM Virtual Server | 17.1.0, 16.1.4, 15.1.9 |
1002413-2 | 3-Major | BT1002413 | Websso puts quotation marks around non-string claim type 'custom' values | 17.0.0, 16.1.4 |
1000669-4 | 3-Major | BT1000669 | Tmm memory leak 'string cache' leading to SIGFPE | 17.0.0, 16.1.4, 15.1.9 |
1252005 | 4-Minor | BT1252005 | VMware USB redirection does not work with DaaS | 17.1.1, 16.1.4, 15.1.10 |
1224409 | 4-Minor | BT1224409 | Unable to set session variables of length >4080 using the -secure flag | 17.1.1, 16.1.4, 15.1.10 |
1195385 | 4-Minor | BT1195385 | OAuth Scope Internal Validation fails upon multiple providers with same type | 17.1.1, 16.1.4 |
1088389-2 | 4-Minor | BT1088389 | Admin to define the AD Query/LDAP Query page-size globally | 17.1.0, 16.1.4, 15.1.9 |
1079441-2 | 4-Minor | BT1079441 | APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries | 17.1.0, 16.1.4, 15.1.9 |
1050009-2 | 4-Minor | BT1050009 | Access encountered error:ERR_NOT_FOUND. File: <file name> messages in 'acs_cmp_acp_req_handler' function in APM logs | 17.1.0, 16.1.4, 15.1.9 |
1041985-1 | 4-Minor | BT1041985 | TMM memory utilization increases after upgrade★ | 17.1.1, 16.1.4, 15.1.9 |
1040829-4 | 4-Minor | BT1040829 | Errno=(Invalid cross-device link) after SCF merge | 17.1.1, 16.1.4, 15.1.10 |
1028081-1 | 4-Minor | BT1028081 | [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page | 17.1.1, 16.1.4, 15.1.9 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1269889-3 | 2-Critical | BT1269889 | LTM crashes are observed while running SIP traffic and pool members are offline | 17.1.1, 16.1.4, 15.1.10 |
1239901-2 | 2-Critical | BT1239901 | LTM crashes while running SIP traffic | 17.1.1, 16.1.4, 15.1.9 |
1141853-2 | 2-Critical | BT1141853 | SIP MRF ALG can lead to a TMM core | 17.1.0, 16.1.4, 15.1.9 |
1291149-3 | 3-Major | BT1291149 | Cores with fail over and message routing | 17.1.1, 16.1.4, 15.1.10 |
1287313-2 | 3-Major | BT1287313 | SIP response message with missing Reason-Phrase or with spaces are not accepted | 17.1.1, 16.1.4, 15.1.10 |
1189513-4 | 3-Major | BT1189513 | SIP media flow pinholes are not created if SDP MIME multipart body part miss the content-length header | 17.1.1, 16.1.4, 15.1.9 |
1167941-3 | 3-Major | BT1167941 | CGNAT SIP ALG INVITE loops between BIG-IP and Server | 17.1.0, 16.1.4, 15.1.9 |
1038057-4 | 3-Major | BT1038057 | Unable to add a serverssl profile into a virtual server containing a FIX profile | 17.1.1, 16.1.4, 15.1.9 |
1213469-1 | 4-Minor | BT1213469 | MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP is dropped | 17.1.1, 16.1.4 |
1116941-1 | 4-Minor | BT1116941 | Need larger Content-Length value supported for SIP | 17.1.0, 16.1.4, 15.1.9 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1013353-1 | 1-Blocking | BT1013353 | ICMP flood or ICMP/IP/IPv6 fragment vectors are not hardware mitigated when configured on VS | 16.1.4 |
1292093 | 2-Critical | BT1292093 | Neuron based HW SYN cookie broken due to ZBDDOS feature porting to 16.1.x | 16.1.4 |
1287425 | 2-Critical | BT1287425 | Observed crash while running sweep flood tests | 16.1.4 |
1136917-1 | 2-Critical | BT1136917 | TMM crashed when dos-profile (with BDOS and White-list enabled) disassociated from Virtual Server. | 17.1.0, 16.1.4 |
1106273-3 | 2-Critical | BT1106273 | "duplicate priming" assert in IPSECALG | 17.1.1, 16.1.4, 15.1.9 |
1069809 | 2-Critical | BT1069809 | AFM rules with ipi-category src do not match traffic after failover. | 16.1.4, 15.1.9 |
1048425-4 | 2-Critical | BT1048425 | Packet tester crashes TMM when vlan external source-checking is enabled | 16.1.4 |
1040685-4 | 2-Critical | BT1040685 | Core file on blade slot2 after reboot (TMM SIGSEGV in pktclass_classifier) | 17.0.0, 16.1.4, 15.1.10 |
1038549-1 | 2-Critical | BT1038549 | TMM core when BDoS is enabled for an extended time | 16.1.4 |
997429-1 | 3-Major | BT997429 | When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled | 17.1.0, 16.1.4, 15.1.9 |
993269-3 | 3-Major | BT993269 | DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option | 17.0.0, 16.1.4, 15.1.9 |
952521-1 | 3-Major | BT952521 | Memory allocation error while creating an address list with a large range of IPv6 addresses★ | 17.0.0, 16.1.4, 15.1.9 |
929913-3 | 3-Major | BT929913 | External DNS logging does not differentiate between: all src_IP, Per-SrcIP and Per-DstIP events | 17.0.0, 16.1.4, 15.1.9 |
1287873 | 3-Major | BT1287873 | Hardware mitigation is not working for a few SIP vectors | 16.1.4 |
1216573-1 | 3-Major | BT1216573 | AFM Learning Domain issue when trying with many valid domains | 16.1.4 |
1209409-3 | 3-Major | BT1209409 | Address lists with thousands of addresses can cause MCPD to become unresponsive and use 100% CPU | 16.1.4 |
1127117-1 | 3-Major | BT1127117 | High Memory consumption for NAT translations of NAPT/PBA End Point Independent modes | 17.1.0, 16.1.4, 15.1.9 |
1124149-2 | 3-Major | BT1124149 | Increase the configuration for the PCCD Max Blob size from 4GB to 8GB | 17.1.0, 16.1.4, 15.1.9 |
1121521-2 | 3-Major | BT1121521 | Libssh upgrade from v0.7.7 to v0.9.6 | 17.1.0, 16.1.4, 15.1.8 |
1112781 | 3-Major | BT1112781 | DNS query drops on Virtual Edition platform if the packet size is above 1500 for NAPTR record. | 17.1.1, 16.1.4, 15.1.9 |
1078625 | 3-Major | BT1078625 | TMM crashes during DoS processing | 17.1.1, 16.1.4 |
1070033-2 | 3-Major | BT1070033 | Virtual server may not fully enter hardware SYN Cookie mode. | 17.0.0, 16.1.4, 14.1.4.6 |
1020061-3 | 3-Major | BT1020061 | Nested address lists can increase configuration load time | 17.0.0, 16.1.4, 15.1.9 |
760355-4 | 4-Minor | BT760355 | Firewall rule to block ICMP/DHCP from 'required' to 'default'★ | 16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1 |
1215401-1 | 4-Minor | BT1215401 | Under Shared Objects, some country names are not available to select in the Address List | 16.1.4, 15.1.9 |
1211021-4 | 4-Minor | BT1211021 | Enforcement does not happen for entries in new and modified IPI feed lists due to lock issues | 17.1.0, 16.1.4, 15.1.10 |
1069265-3 | 4-Minor | BT1069265 | New connections or packets from the same source IP and source port can cause unnecessary port block allocations. | 17.1.1, 16.1.4, 15.1.10 |
1003377-3 | 4-Minor | BT1003377 | Disabling DoS TCP SYN-ACK does not clear suspicious event count option | 16.1.4, 15.1.9 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1159397-1 | 1-Blocking | BT1159397 | The high utilization of memory when blade turns offline results in core | 17.1.0, 16.1.4, 15.1.9 |
1186925-4 | 2-Critical | BT1186925 | When FUA in CCA-i, PEM does not send CCR-u for other rating-groups | 17.1.1, 16.1.4, 15.1.9 |
1095989-1 | 2-Critical | BT1095989 | PEM behaviour on receiving CCA with result code: 4012 and FUA on the Gy interface | 17.1.0, 16.1.4 |
829653-1 | 3-Major | BT829653 | Memory leak due to session context not freed | 17.0.0, 16.1.4 |
1259489-3 | 3-Major | BT1259489 | PEM subsystem memory leak is observed when using PEM::subscriber information | 17.1.1, 16.1.4, 15.1.10 |
1238249-1 | 3-Major | BT1238249 | PEM Report Usage Flow log is inaccurate | 17.1.1, 16.1.4, 15.1.10 |
1226121-2 | 3-Major | BT1226121 | TMM crashes when using PEM logging enabled on session | 17.1.1, 16.1.4, 15.1.9 |
1207381-3 | 3-Major | BT1207381 | PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored | 17.1.1, 16.1.4, 15.1.9 |
1190353-3 | 3-Major | BT1190353 | The wr_urldbd BrightCloud database downloading from a proxy server is not working | 17.1.1, 16.1.4, 15.1.10 |
1174085-1 | 3-Major | BT1174085 | Spmdb_session_hash_entry_delete releases the hash's reference | 17.1.1, 16.1.4, 15.1.9 |
1174033-2 | 3-Major | BT1174033 | The UPDATE EVENT is triggered with faulty session_info and resulting in core | 17.1.0, 16.1.4, 15.1.9 |
1108681-4 | 3-Major | BT1108681 | PEM queries with filters return error message when a blade is offline | 17.1.0, 16.1.4, 15.1.9 |
1093357-4 | 3-Major | BT1093357 | PEM intra-session mirroring can lead to a crash | 17.1.1, 16.1.4, 15.1.10 |
1089829-3 | 3-Major | BT1089829 | PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers | 17.1.0, 16.1.4, 15.1.9 |
1020041-3 | 3-Major | BT1020041 | "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs | 17.1.1, 16.1.4, 15.1.10 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1016045-4 | 4-Minor | BT1016045 | OOPS logging may appear while active ftp if the port command forces a cmp_redirection and a quit follows. | 16.1.4, 15.1.9 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1211297-3 | 2-Critical | BT1211297 | Handling DoS profiles created dynamically using iRule and L7Policy | 17.1.1, 16.1.4, 15.1.9 |
1060057-2 | 3-Major | BT1060057 | Enable or Disable APM dynamically with Bados generates APM error | 17.1.0, 16.1.4, 15.1.9 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1161965-3 | 3-Major | BT1161965 | File descriptor(fd) and shared memory leak in wr_urldbd | 17.1.0, 16.1.4, 15.1.9 |
974205-5 | 4-Minor | BT974205 | Unconstrained wr_urldbd size causing box to OOM | 17.1.0, 16.1.4, 15.1.4, 14.1.4.4, 12.1.6 |
1168137-3 | 4-Minor | BT1168137 | PEM Classification Auto-Update for month is working as hourly | 17.1.0, 16.1.4, 15.1.9 |
1167889 | 4-Minor | BT1167889 | PEM classification signature scheduled updates do not complete | 17.1.0, 16.1.4, 15.1.9 |
1117297-1 | 4-Minor | BT1117297 | Wr_urldbd continuously crashes and restarts★ | 17.1.0, 16.1.4, 15.1.9 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
954001-7 | 3-Major | REST File Upload hardening | 17.1.1, 16.1.4, 15.1.10 | |
1196477-3 | 3-Major | BT1196477 | Request timeout in restnoded | 17.1.1, 16.1.4, 15.1.9 |
1049237-1 | 4-Minor | BT1049237 | Restjavad may fail to cleanup ucs file handles even with ID767613 fix | 17.1.1, 16.1.4, 15.1.10 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
889605-2 | 3-Major | BT889605 | iApp with Bot profile is unavailable if application folder includes a subpath | 17.1.0, 16.1.4, 15.1.9 |
1004697-3 | 3-Major | BT1004697 | Saving UCS files can fail if /var runs out of space | 16.1.4, 15.1.10 |
1093933-3 | 4-Minor | CVE-2020-7774 nodejs-y18n prototype pollution vulnerability | 17.1.1, 16.1.4, 15.1.9 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1122205-1 | 3-Major | BT1122205 | The 'action' value changes when loading protocol-inspection profile config | 17.1.1, 16.1.4, 15.1.10 |
1098837-1 | 4-Minor | BT1098837 | Configuration failure due to the DB validation exception happening in the ips_inspection_sig and ips_inspection_compl tables | 17.1.0, 16.1.4, 15.1.9 |
1135073-3 | 5-Cosmetic | BT1135073 | IPS signature update webUI warning message "An active subscription is required to access certain inspections" is always enabled | 17.1.0, 16.1.4, 15.1.9 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1107549-2 | 2-Critical | BT1107549 | In-TMM TCP monitor memory leak | 17.1.0, 16.1.4, 15.1.8 |
1110241-2 | 3-Major | BT1110241 | in-tmm http(s) monitor accumulates unchecked memory | 17.1.0, 16.1.4, 15.1.9 |
1046917-4 | 3-Major | BT1046917 | In-TMM monitors do not work after TMM crashes | 17.1.0, 16.1.4, 15.1.8 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
922737-1 | 2-Critical | BT922737 | TMM crashes with a sigsegv while passing traffic | 17.1.0, 16.1.4, 15.1.10 |
1104037-2 | 2-Critical | BT1104037 | Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire | 17.1.0, 16.1.4, 15.1.10 |
1289365-1 | 3-Major | BT1289365 | The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode★ | 17.1.1, 16.1.4, 15.1.10 |
1095145-3 | 4-Minor | BT1095145 | Virtual server responding with ICMP unreachable after using /Common/service | 17.1.0, 16.1.4 |
Cumulative fixes from BIG-IP v16.1.3.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1285173-3 | CVE-2023-38138 | K000133474, BT1285173 | Improper query string handling on undisclosed pages | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
1265425-2 | CVE-2023-38423 | K000134535, BT1265425 | Improper query string handling on undisclosed pages | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
1185421-4 | CVE-2023-38419 | K000133472, BT1185421 | iControl SOAP uncaught exception when handling certain payloads | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v16.1.3.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1223369-3 | CVE-2024-23982 | K000135946, BT1223369 | Classification of certain UDP traffic may cause crash | 17.1.1, 16.1.3.4, 15.1.10 |
1213305-3 | CVE-2023-27378 | K000132726, BT1213305 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1208989-3 | CVE-2023-27378 | K000132726, BT1208989 | Improper value handling in DOS Profile properties page | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1208001-1 | CVE-2023-22374 | K000130415, BT1208001 | iControl SOAP vulnerability CVE-2023-22374 | 17.1.1, 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1204961-4 | CVE-2023-27378 | K000132726, BT1204961 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1204793-4 | CVE-2023-27378 | K000132726, BT1204793 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1196033-2 | CVE-2023-27378 | K000132726, BT1196033 | Improper value handling in DataSafe UI | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1106989-3 | CVE-2023-29163 | K20145107, BT1106989 | Certain configuration settings may lead to memory accumulation | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1086293-4 | CVE-2023-22358 | K76964818, BT1086293 | Untrusted search path vulnerability in APM Windows Client installer processes | 17.1.0, 17.0.0.2, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1086289-4 | CVE-2023-22358 | K76964818, BT1086289 | BIG-IP Edge Client for Windows vulnerability CVE-2023-22358 | 17.1.0, 17.0.0.2, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1207661-4 | CVE-2023-28406 | K000132768, BT1207661 | Datasafe UI hardening | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1096373-2 | CVE-2023-28742 | K000132972, BT1096373 | Unexpected parameter handling in BIG3d | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v16.1.3.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
982785-2 | CVE-2022-25946 | K52322100 | Guided Configuration hardening | 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3 |
890917-8 | CVE-2023-22323 | K56412001, BT890917 | Performance may be reduced while processing SSL traffic | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1143073-4 | CVE-2022-41622 | K94221585, BT1143073 | iControl SOAP vulnerability CVE-2022-41622 | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1107437-3 | CVE-2023-22839 | K37708118, BT1107437 | TMM may crash when enable-rapid-response is enabled on a DNS profile | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1106161-2 | CVE-2022-41800 | K13325942, BT1106161 | Securing iControlRest API for appliance mode | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1105389-4 | CVE-2023-23552 | K17542533, BT1105389 | Incorrect HTTP request handling may lead to resource leak | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3 |
1093821-4 | CVE-2023-22422 | K43881487, BT1093821 | TMM may behave unexpectedly while processing HTTP traffic | 17.1.0, 17.0.0.2, 16.1.3.3 |
1085077-4 | CVE-2023-22340 | K34525368, BT1085077 | TMM may crash while processing SIP-ALG traffic | 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3 |
1083225-2 | CVE-2023-22842 | K08182564, BT1083225 | TMM may crash while processing SIP traffic | 17.0.0, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1062569-1 | CVE-2023-22664 | K56676554, BT1062569 | HTTP/2 stream bottom filter leaks memory at teardown under certain conditions | 17.1.0, 17.0.0.2, 16.1.3.3 |
1032553-5 | CVE-2023-22281 | K46048342, BT1032553 | Core when virtual server with destination NATing receives multicast | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3 |
1112445-2 | CVE-2023-22302 | K58550078, BT1112445 | Fix to avoid zombie node on the chain | 17.1.0, 17.0.0.2, 16.1.3.3 |
1073005-2 | CVE-2023-22326 | K83284425, BT1073005 | iControl REST use of the dig command does not follow security best practices | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1065917-2 | CVE-2023-22418 | K95503300, BT1065917 | BIG-IP APM Virtual Server does not follow security best practices | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.7, 14.1.5.3 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1113385-4 | 3-Major | BT1113385 | Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1103369-2 | 3-Major | BT1103369 | DELETE of REST Auth token does not result in deletion of the pamcache token file on a multi-slot VIPRION chassis, vCMP guest, or VELOS tenant | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1134085-2 | 2-Critical | BT1134085 | Intermittent TMM core when iRule is configured with SSL persistence | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1122473-4 | 2-Critical | BT1122473 | TMM panic while initializing URL DB | 17.1.0, 16.1.3.3, 15.1.9 |
1174873-3 | 3-Major | BT1174873 | Query string separators ? or / in MutiDomain or SAML use cases are incorrectly converted to "%3F" or "%2F" | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
Cumulative fixes from BIG-IP v16.1.3.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
982777-9 | CVE-2022-27230 | K21317311, BT982777 | APM hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
982769-12 | CVE-2022-27806 | K68647001, BT982769 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
982753-2 | CVE-2022-27806 | K68647001, BT982753 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
982745-5 | CVE-2022-27806 | K68647001, BT982745 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
963625-3 | CVE-2022-27806 | K68647001, BT963625 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
959153-3 | CVE-2022-27806 | K68647001, BT959153 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
1106289-2 | CVE-2022-41624 | K43024307, BT1106289 | TMM may leak memory when processing sideband connections. | 17.1.0, 17.0.0.1, 16.1.3.2, 15.1.7, 14.1.5.2, 13.1.5.1 |
1068821 | CVE-2022-41806 | K00721320, BT1068821 | TMM may crash when processing AFM NAT64 policy | 16.1.3.2 |
1004881-5 | CVE-2015-9251,CVE-2016-7103,CVE-2017-18214,CVE-2018-16487,CVE-2018-3721,CVE-2019-1010266,CVE-2019-10744,CVE-2019-10768,CVE-2019-10768,CVE-2019-11358,CVE-2020-11022,CVE-2020-11023,CVE-2020-28168,CVE-2020-28500,CVE-2020-7676,CVE-2020-7676,CVE-2020-8203,CVE-2021-23337 | K12492858, BT1004881 | Update angular, jquery, moment, axios, and lodash libraries in AGC | 17.0.0, 16.1.3.2, 15.1.8 |
Functional Change Fixes
None
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1137037 | 2-Critical | BT1137037 | System boots into an inoperative state after installing engineering hotfix with FIPS 140-2/140-3 license in version 16.1.x★ | 16.1.3.2 |
Cumulative fixes from BIG-IP v16.1.3.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
972517-7 | CVE-2023-43746 | K41072952, BT972517 | Appliance mode hardening | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1104493-1 | CVE-2022-35272 | K90024104, BT1104493 | Client-side abort during server-side establishment may cause tmm to behave abnormally in HTTP MRF proxy | 17.1.0, 17.0.0.1, 16.1.3.1 |
1093621-2 | CVE-2022-41832 | K10347453 | Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1, 13.1.5.1 |
1085729-2 | CVE-2022-41836 | K47204506, BT1085729 | bd may crash while processing specific request | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1076397-1 | CVE-2022-35735 | K13213418, BT1076397 | TMSH hardening | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1073841-1 | CVE-2022-34862 | K66510514, BT1073841 | URI normalization does not function as expected | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1073357-2 | CVE-2022-34862 | K66510514, BT1073357 | TMM may crash while processing HTTP traffic | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1067505-4 | CVE-2022-34651 | K59197053, BT1067505 | TMM may crash while processing TLS traffic with HTTP::respond | 17.0.0, 16.1.3.1, 15.1.6.1 |
1066673-1 | CVE-2022-35728 | K55580033, BT1066673 | BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1024029-2 | CVE-2022-35245 | K58235223, BT1024029 | TMM may crash when processing traffic with per-session APM Access Policy | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
919357-8 | CVE-2022-41770 | K22505850, BT919357 | iControl REST hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
881809-8 | CVE-2022-41983 | K31523465, BT881809 | Client SSL and Server SSL profile hardening | 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1 |
740321-1 | CVE-2022-34851 | K50310001, BT740321 | iControl SOAP API does not follow current best practices | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1084013-4 | CVE-2022-36795 | K52494562, BT1084013 | TMM does not follow TCP best practices | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1081153-2 | CVE-2022-41813 | K93723284, BT1081153 | TMM may crash while processing administrative requests | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1073549-1 | CVE-2022-35735 | K13213418, BT1073549 | TMSH hardening | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1055925-1 | CVE-2022-34844 | K34511555, BT1055925 | TMM may crash while processing traffic on AWS | 17.0.0, 16.1.3.1, 15.1.6.1 |
1043281-6 | CVE-2021-3712 | K19559038, BT1043281 | OpenSSL vulnerability CVE-2021-3712 | 17.0.0, 16.1.3.1, 15.1.6.1 |
1006921-1 | CVE-2022-33962 | K80970653, BT1006921 | iRules Hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1063641-4 | CVE-2022-33968 | K23465404, BT1063641 | NTLM library hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1063637-4 | CVE-2022-33968 | K23465404, BT1063637 | NTLM library hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1036057-1 | 3-Major | BT1036057 | Add support for line folding in multipart parser. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1025261-3 | 3-Major | BT1025261 | Restjavad uses more resident memory in control plane after software upgrade | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1071621-1 | 4-Minor | BT1071621 | Increase the number of supported traffic selectors | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1120433-2 | 1-Blocking | BT1120433 | Removed gtmd and big3d daemon from the FIPS-compliant list | 17.1.0, 16.1.3.1 |
989517-3 | 2-Critical | BT989517 | Acceleration section of virtual server page not available in DHD | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
957637-1 | 2-Critical | BT957637 | The pfmand daemon can crash when it starts. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
936501-1 | 2-Critical | BT936501 | Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled | 17.1.0, 16.1.3.1, 15.1.9 |
759928-6 | 2-Critical | BT759928 | Engineering Hotfixes might not contain all required packages | 17.0.0, 16.1.3.1, 15.1.7 |
1097193-2 | 2-Critical | K000134769, BT1097193 | Unable to SCP files using WinSCP or relative path name | 17.1.0, 16.1.3.1, 15.1.9 |
1076921-1 | 2-Critical | BT1076921 | The Hostname in BootMarker logs and /var/log/ltm logs that sourced from TMM were getting truncated. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1048853-1 | 2-Critical | BT1048853 | TMM memory leak of "IKE VBUF" | 17.0.0, 16.1.3.1, 15.1.7 |
1041865-4 | 2-Critical | K16392416, BT1041865 | Correctable machine check errors [mce] should be suppressed | 17.0.0, 16.1.3.1, 15.1.7 |
992121-4 | 3-Major | BT992121 | REST "/mgmt/tm/services" endpoint is not accessible | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
720610-4 | 3-Major | BT720610 | Automatic Update Check logs false 'Update Server unavailable' message on every run | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.2.7, 13.1.3 |
1123149 | 3-Major | BT1123149 | Sys-icheck fail for /etc/security/opasswd | 17.1.0, 16.1.3.1 |
1120685 | 3-Major | BT1120685 | Unable to update the password in the CLI when password-memory is set to > 0 | 17.1.0, 16.1.3.1 |
1091345-2 | 3-Major | BT1091345 | The /root/.bash_history file is not carried forward by default during installations. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1087621-1 | 3-Major | BT1087621 | IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
1048137-2 | 3-Major | BT1048137 | IPsec IKEv1 intermittent but consistent tunnel setup failures | 17.0.0, 16.1.3.1, 15.1.9 |
1042737-4 | 3-Major | BT1042737 | BGP sending malformed update missing Tot-attr-len of '0. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1024661-3 | 3-Major | BT1024661 | SCTP forwarding flows based on VTAG for bigproto | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
756918-4 | 4-Minor | BT756918 | Engineering Hotfix ISOs may be nearly as large as full Release ISOs | 17.0.0, 16.1.3.1, 15.1.7 |
1090569-1 | 4-Minor | BT1090569 | After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
1080317-3 | 4-Minor | BT1080317 | Hostname is getting truncated on some logs that are sourced from TMM | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1067105-2 | 4-Minor | BT1067105 | Racoon logging shows incorrect SA length. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
944381-2 | 2-Critical | BT944381 | Dynamic CRL checking for client certificate is not working when TLS1.3 is used. | 17.0.0, 16.1.3.1, 15.1.6.1 |
780857-4 | 2-Critical | BT780857 | HA failover network disruption when cluster management IP is not in the list of unicast addresses | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1113549-3 | 2-Critical | BT1113549 | System boots into an inoperative state after installing engineering hotfix with FIPS140-2/140-3 License★ | 17.1.0, 16.1.3.1 |
1110205-2 | 2-Critical | BT1110205 | SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown | 17.1.0, 16.1.3.1, 15.1.9 |
1087469-2 | 2-Critical | BT1087469 | iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate. | 17.1.0, 16.1.3.1, 15.1.6.1 |
1087217-2 | 2-Critical | BT1087217 | TMM crash as part of the fix made for ID912209 | 17.1.0, 16.1.3.1 |
1086677-4 | 2-Critical | BT1086677 | TMM Crashes in xvprintf() because of NULL Flow Key | 17.0.0, 16.1.3.1, 15.1.7 |
1080581-1 | 2-Critical | BT1080581 | Virtual server creation is not allowed to have TCP, UDP and HTTP together with Client or Server SSL Profiles.★ | 17.0.0, 16.1.3.1, 15.1.5.1 |
1074517-1 | 2-Critical | BT1074517 | Tmm may core while adding/modifying traffic-class attached to a virtual server | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1073609-4 | 2-Critical | BT1073609 | Tmm may core while using reject iRule command in LB_SELECTED event. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1020645 | 2-Critical | BT1020645 | When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered | 17.1.0, 16.1.3.1, 15.1.4.1 |
999881-6 | 3-Major | BT999881 | Tcl command 'string first' not working if payload contains Unicode characters. | 17.0.0, 16.1.3.1, 15.1.7 |
948985-3 | 3-Major | BT948985 | Workaround to address Nitrox 3 compression engine hang | 17.0.0, 16.1.3.1, 15.1.6.1 |
922413-8 | 3-Major | BT922413 | Excessive memory consumption with ntlmconnpool configured | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
748886-4 | 3-Major | BT748886 | Virtual server stops passing traffic after modification | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1109833-1 | 3-Major | BT1109833 | HTTP2 monitors not sending request | 17.1.0, 16.1.3.1 |
1091761-1 | 3-Major | BT1091761 | Mqtt_message memory leaks when iRules are used | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1082225-4 | 3-Major | BT1082225 | Tmm may core while Adding/modifying traffic-class attached to a virtual server. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1070789 | 3-Major | BT1070789 | SSL fwd proxy invalidating certificate even through bundle has valid CA | 17.1.0, 16.1.3.1 |
1068445-1 | 3-Major | BT1068445 | TCP duplicate acks are observed in speed tests for larger requests | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1060989 | 3-Major | BT1060989 | Improper handling of HTTP::collect | 17.1.0, 16.1.3.1 |
1053149-1 | 3-Major | BT1053149 | A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1043805-3 | 3-Major | BT1043805 | ICMP traffic over NAT does not work properly. | 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1 |
1036169-4 | 3-Major | BT1036169 | VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500". | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1022453-4 | 3-Major | BT1022453 | IPv6 fragments are dropped when packet filtering is enabled. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1006157-3 | 3-Major | BT1006157 | FQDN nodes not repopulated immediately after 'load sys config' | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
987885-6 | 4-Minor | BT987885 | Half-open unclean SSL termination might not close the connection properly | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1104073-2 | 4-Minor | BT1104073 | Use of iRules command whereis with "isp" or "org" options may cause TCL object leak. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1077701-1 | 2-Critical | BT1077701 | GTM "require M from N" monitor rules do not report when the number of "up" responses change | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
984749-1 | 3-Major | BT984749 | Discrepancy between DNS cache statistics "Client Summary" and "Client Cache." | 17.0.0, 16.1.3.1, 15.1.7 |
1091249-2 | 3-Major | BT1091249 | BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1078669-2 | 3-Major | BT1078669 | iRule command “RESOLVER::name_lookup” returns null for TCP resolver with TC (truncated) flag set. | 17.0.0, 16.1.3.1, 15.1.7 |
1071301-1 | 3-Major | BT1071301 | GTM server does not get updated even when the virtual server status changes. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1071233-1 | 3-Major | BT1071233 | GTM Pool Members may not be updated accurately when multiple identical database monitors are configured | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
950069-1 | 4-Minor | BT950069 | Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record" | 17.0.0, 16.1.3.1, 15.1.6.1 |
1084673-2 | 4-Minor | BT1084673 | GTM Monitor "require M from N" status change log message does not print pool name | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1048685-4 | 2-Critical | BT1048685 | Rare TMM crash when using Bot Defense Challenge | 17.0.0, 16.1.3.1, 15.1.7 |
1015881-4 | 2-Critical | BT1015881 | TMM might crash after configuration failure | 17.1.0, 16.1.3.1, 15.1.7 |
886533-5 | 3-Major | BT886533 | Icap server connection adjustments | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1083913-2 | 3-Major | BT1083913 | Missing error check in ICAP handling | 17.1.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1082461-2 | 3-Major | BT1082461 | The enforcer cores during a call to 'ASM::raise' from an active iRule | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
1078765-1 | 3-Major | BT1078765 | Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1062493-1 | 3-Major | BT1062493 | BD crash close to it's startup | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1056957-1 | 3-Major | BT1056957 | An attack signature can be bypassed under some scenarios. | 17.1.0, 17.0.0.1, 16.1.3.1 |
1036305-5 | 3-Major | BT1036305 | "Mandatory request body is missing" violation in staging but request is unexpectedly blocked | 17.0.0, 16.1.3.1, 15.1.6.1 |
1030133-2 | 3-Major | BT1030133 | BD core on XML out of memory | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1014973-5 | 3-Major | BT1014973 | ASM changed cookie value. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
948241-4 | 4-Minor | BT948241 | Count Stateful anomalies based only on Device ID | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
947333-2 | 4-Minor | BT947333 | Irrelevant content profile diffs in Policy Diff | 17.1.0, 17.0.0.1, 16.1.3.1 |
1079721 | 4-Minor | BT1079721 | OWASP 2017 A2 Category - Login enforcement link is broken | 16.1.3.1 |
1073625-2 | 4-Minor | BT1073625 | Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1058297-2 | 4-Minor | BT1058297 | Policy history values for 'max Size Of Saved Versions' and for 'min Retained Files In Dir' is reset during upgrade★ | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1046317-2 | 4-Minor | BT1046317 | Violation details are not populated with staged URLs for some violation types | 17.0.0, 16.1.3.1, 15.1.6.1 |
1040513-5 | 4-Minor | BT1040513 | The counter for "FTP commands" is always 0. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1014573-1 | 4-Minor | BT1014573 | Several large arrays/objects in JSON payload may core the enforcer | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1029689-2 | 5-Cosmetic | BT1029689 | Incosnsitent username "SYSTEM" in Audit Log | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
926341-5 | 3-Major | BT926341 | RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade★ | 17.0.0, 16.1.3.1, 15.1.4, 14.1.4.4, 13.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
987341-1 | 2-Critical | BT987341 | BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1071485-3 | 3-Major | BT1071485 | For IP based bypass, Response Analytics sends RST. | 17.0.0, 16.1.3.1, 15.1.10 |
1063345-5 | 3-Major | BT1063345 | Urldbmgrd may crash while downloading the database. | 17.0.0, 16.1.3.1, 15.1.9 |
1043217-1 | 3-Major | BT1043217 | NTLM frontend auth fails with the latest Microsoft RDP client on MacOS 14.0.1 platform | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1039725-1 | 3-Major | BT1039725 | Reverse proxy traffic fails when a per-request policy is attached to a virtual server. | 17.0.0, 16.1.3.1, 15.1.9 |
1024437-6 | 3-Major | BT1024437 | Urldb index building fails to open index temp file | 17.0.0, 16.1.3.1, 15.1.9 |
1022493-4 | 3-Major | BT1022493 | Slow file descriptor leak in urldbmgrd (sockets open over time) | 17.0.0, 16.1.3.1, 15.1.10 |
1010597-1 | 3-Major | BT1010597 | Traffic disruption when virtual server is assigned to a non-default route domain★ | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
921441-4 | 3-Major | BT921441 | MR_INGRESS iRules that change diameter messages corrupt diam_msg | 17.0.0, 16.1.3.1, 15.1.7 |
1103233-2 | 4-Minor | BT1103233 | Diameter in-tmm monitor is logging disconnect events unnecessarily | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
977153-3 | 3-Major | BT977153 | Packet with routing header IPv6 as next header in IP layer fails to be forwarded | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1091565-1 | 2-Critical | BT1091565 | Gy CCR AVP:Requested-Service-Unit is misformatted/NULL | 17.1.0, 16.1.3.1, 15.1.9 |
1090649-3 | 3-Major | BT1090649 | PEM errors when configuring IPv6 flow filter via GUI | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1084993 | 3-Major | BT1084993 | [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
911585-5 | 4-Minor | BT911585 | PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
815901-2 | 4-Minor | BT815901 | Add rule to the disabled pem policy is not allowed | 17.0.0, 16.1.3.1, 15.1.7 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
832133-7 | 3-Major | BT832133 | In-TMM monitors fail to match certain binary data in the response from the server | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1050273-1 | 3-Major | BT1050273 | ERR_BOUNDS errors observed with HTTP service in SSL Orchestrator. | 17.0.0, 16.1.3.1, 15.1.5 |
Cumulative fixes from BIG-IP v16.1.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
996233-1 | CVE-2022-33947 | K38893457, BT996233 | Tomcat may crash while processing TMUI requests | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
972489-7 | CVE-2022-35243 | K11010341, BT972489 | BIG-IP Appliance Mode iControl hardening | 17.0.0, 16.1.3, 15.1.5.1, 14.1.5 |
1079505-4 | CVE-2022-33203 | K52534925, BT1079505 | TMM may consume excessive resources while processing SSL Orchestrator traffic | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1081201-1 | CVE-2022-41694 | K64829234, BT1081201 | MCPD certification import hardening | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1078821-1 | 2-Critical | BT1078821 | Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1036285-1 | 3-Major | BT1036285 | Enforce password expiry after local user creation | 17.0.0, 16.1.3 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
947905-4 | 1-Blocking | BT947905 | Upgrade from 13.1.4, 14.1.4, or 15.1.1 to 14.0.x, 15.0.x, 16.0.0 or 16.0.0.1 fails★ | 16.1.3, 16.0.1 |
1101705-2 | 1-Blocking | BT1101705 | RSA-KEX ciphers list are removed from httpd configuration in FIPS mode since these are non-approved ciphers for FIPS 140-3 certification | 17.1.0, 17.0.0.1, 16.1.3 |
1083977-1 | 1-Blocking | BT1083977 | MCPD crashes when changing HTTPD configuration, all secondary blades of clustered system remain offline★ | 17.0.0, 16.1.3 |
943109-4 | 2-Critical | BT943109 | Mcpd crash when bulk deleting Bot Defense profiles | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
940225-4 | 2-Critical | BT940225 | Not able to add more than 6 NICs on VE running in Azure | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
1108181-2 | 2-Critical | BT1108181 | iControl REST call with token fails with 401 Unauthorized | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
1079817-1 | 2-Critical | BT1079817 | Java null pointer exception when saving UCS with iAppsLX installed★ | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1 |
950149 | 3-Major | BT950149 | Add configuration to ccmode for compliance with the Common Criteria STIP PPM. | 17.0.0, 16.1.3 |
896941 | 3-Major | BT896941 | Common Criteria ccmode script updated | 17.0.0, 16.1.3 |
886649-5 | 3-Major | BT886649 | Connections stall when dynamic BWC policy is changed via GUI and TMSH | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
724653-5 | 3-Major | BT724653 | In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync. | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1106325 | 3-Major | BT1106325 | Upgrade from BIG-IP 16.1.3 to BIG-IP 17.0 does not work when FIPS mode is enabled★ | 16.1.3 |
1089849 | 3-Major | BT1089849 | NIST SP800-90B compliance | 17.1.0, 17.0.0.1, 16.1.3 |
1064357-1 | 3-Major | BT1064357 | execute_post_install: EPSEC: Installation of EPSEC package failed | 17.0.0, 16.1.3, 15.1.7 |
1061481-1 | 3-Major | BT1061481 | Denied strings were found in the /var/log/ folder after an update or reboot | 17.1.0, 17.0.0.1, 16.1.3 |
1004833 | 3-Major | BT1004833 | NIST SP800-90B compliance | 17.0.0, 16.1.3, 15.1.4, 14.1.4.2 |
1100609 | 4-Minor | BT1100609 | Length Mismatch in DNS/DHCP IPv6 address in logs and pcap | 17.1.0, 16.1.3 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1071689-1 | 2-Critical | BT1071689 | SSL connection not immediately closed with HTTP2 connection and lingers until idle timeout | 17.0.0, 16.1.3 |
987077-3 | 3-Major | BT987077 | TLS1.3 with client authentication handshake failure | 17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6 |
945357 | 3-Major | BT945357 | BIG-IP must be able to set CA=True when creating Certificate Signing Requests from TMSH. | 17.0.0, 16.1.3 |
934697-5 | 3-Major | BT934697 | Route domain is not reachable (strict mode) | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1082505 | 3-Major | BT1082505 | TLS ciphersuites including RSA-KEX are non-approved ciphers for FIPS 140-3 certification | 17.1.0, 17.0.0.1, 16.1.3 |
1063977-3 | 3-Major | BT1063977 | Tmsh load sys config merge fails with "basic_string::substr" for non-existing key. | 17.1.0, 16.1.3 |
1071269 | 4-Minor | BT1071269 | SSL C3D enhancements introduced in BIG-IP version 16.1.3 will not be available in 17.0.0.★ | 16.1.3 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1084173-1 | 3-Major | BT1084173 | Unable to specify "no caching desired" for ephemeral DNS resolvers (i.e. RESOLV::lookup). | 17.0.0, 16.1.3, 15.1.6.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1070833-2 | 3-Major | BT1070833 | False positives on FileUpload parameters due to default signature scanning | 17.1.0, 16.1.3, 15.1.6.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
849029-7 | 3-Major | BT849029 | No configurable setting for maximum entries in CRLDP cache | 17.0.0, 16.1.3, 15.1.6.1, 14.1.4.4 |
1097821-2 | 3-Major | BT1097821 | Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5 |
1053309-1 | 3-Major | BT1053309 | Localdbmgr leaks memory while syncing data to sessiondb and mysql. | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
945853-4 | 2-Critical | BT945853 | Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession | 16.1.3, 15.1.3 |
990461-5 | 3-Major | BT990461 | Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★ | 17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4 |
1079637-1 | 3-Major | BT1079637 | Incorrect Neuron rule order | 17.0.0, 16.1.3, 15.1.5.1 |
1012581-1 | 3-Major | BT1012581 | Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1094177-4 | 1-Blocking | BT1094177 | Analytics iApp installation fails | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1 |
1023721 | 3-Major | BT1023721 | iapp_restricted_key not available on fresh installation and overwrites the peer device's master key during config sync | 17.0.0, 16.1.3 |
1004665 | 3-Major | BT1004665 | Secure iAppsLX Restricted Storage issues. | 17.0.0, 16.1.3 |
Cumulative fixes from BIG-IP v16.1.2.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
965853-6 | CVE-2022-28695 | K08510472, BT965853 | IM package file hardening★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
964489-7 | CVE-2022-28695 | K08510472, BT964489 | Protocol Inspection IM package hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1051561-7 | CVE-2022-1388 | K23605346, BT1051561 | BIG-IP iControl REST vulnerability CVE-2022-1388 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
993981-3 | CVE-2022-28705 | K52340447, BT993981 | TMM may crash when ePVA is enabled | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
982697-7 | CVE-2022-26071 | K41440465, BT982697 | ICMP hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
951257-5 | CVE-2022-26130 | K82034427, BT951257 | FTP active data channels are not established | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
946325-7 | CVE-2022-28716 | K25451853, BT946325 | PEM subscriber GUI hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
830361-9 | CVE-2012-6711 | K05122252, BT830361 | CVE-2012-6711 Bash Vulnerability | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1087201-6 | CVE-2022-0778 | K31323265, BT1087201 | OpenSSL Vulnerability: CVE-2022-0778 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1078721-1 | CVE-2022-27189 | K16187341, BT1078721 | TMM may consume excessive resources while processing ICAP traffic | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1078053-1 | CVE-2022-28701 | K99123750, BT1078053 | TMM may consume excessive resources while processing STREAM traffic | 17.0.0, 16.1.2.2 |
1071593-4 | CVE-2022-32455 | K16852653, BT1071593 | TMM may crash while processing TLS traffic | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1069629-4 | CVE-2022-32455 | K16852653, BT1069629 | TMM may crash while processing TLS traffic | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1067993-4 | CVE-2022-28714 | K54460845, BT1067993 | APM Windows Client installer hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1059185-1 | CVE-2022-26415 | K81952114, BT1059185 | iControl REST Hardening | 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1057801-6 | CVE-2022-28707 | K70300233, BT1057801 | TMUI does not follow current best practices | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1056933-3 | CVE-2022-26370 | K51539421, BT1056933 | TMM may crash while processing SIP traffic | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
1055737-1 | CVE-2022-35236 | K79933541, BT1055737 | TMM may consume excessive resources while processing HTTP/2 traffic | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1051797 | CVE-2018-18281 | K36462841, BT1051797 | Linux kernel vulnerability: CVE-2018-18281 | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1047053-3 | CVE-2022-28691 | K37155600, BT1047053 | TMM may consume excessive resources while processing RTSP traffic | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
1032513-3 | CVE-2022-35240 | K28405643, BT1032513 | TMM may consume excessive resources while processing MRF traffic | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1002565-1 | CVE-2021-23840 | K24624116, BT1002565 | OpenSSL vulnerability CVE-2021-23840 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
992073-2 | CVE-2022-27181 | K93543114, BT992073 | APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
982757-3 | CVE-2022-26835 | K53197140 | APM Access Guided Configuration hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
982341-7 | CVE-2022-26835 | K53197140, BT982341 | iControl REST endpoint hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
915981-4 | CVE-2022-26340 | K38271531, BT915981 | BIG-IP SCP hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
823877-7 | CVE-2019-10098 CVE-2020-1927 |
K25126370, BT823877 | CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
1071365-5 | CVE-2022-29474 | K59904248, BT1071365 | iControl SOAP WSDL hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1066729-1 | CVE-2022-28708 | K85054496, BT1066729 | TMM may crash while processing DNS traffic | 17.0.0, 16.1.2.2, 15.1.5.1 |
1057809-6 | CVE-2022-27659 | K41877405, BT1057809 | Saved dashboard hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1047089-2 | CVE-2022-29491 | K14229426, BT1047089 | TMM may terminate while processing TLS/DTLS traffic | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
1001937-1 | CVE-2022-27634 | K57555833, BT1001937 | APM configuration hardening | 17.0.0, 16.1.2.2, 15.1.5.1 |
1000021-7 | CVE-2022-27182 | K31856317, BT1000021 | TMM may consume excessive resources while processing packet filters | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
1020609-7 | CVE-2022-23032 | K30525503, BT1020609 | BIG-IP APM Edge Client proxy vulnerability CVE-2022-23032 | 16.1.2.2 |
713754-3 | CVE-2017-15715 | K27757011 | Apache vulnerability: CVE-2017-15715 | 16.1.2.2, 15.1.5.1, 14.1.4.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
435231 | 2-Critical | K79342815, BT435231 | Support RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral parameters | 17.0.0, 16.1.2.2 |
1050537-1 | 2-Critical | BT1050537 | GTM pool member with none monitor will be part of load balancing decisions. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
882709-6 | 3-Major | BT882709 | Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors★ | 17.0.0, 16.1.2.2, 15.1.6.1 |
874941-4 | 3-Major | BT874941 | HTTP authentication in the access policy times out after 60 seconds | 16.1.2.2, 15.1.6.1, 14.1.5 |
669046-7 | 3-Major | BT669046 | Handling large replies to MCP audit_request messages | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1046669-1 | 3-Major | BT1046669 | The audit forwarders may prematurely time out waiting for TACACS responses | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1033837-1 | 4-Minor | K23605346, BT1033837 | REST authentication tokens persist on reboot★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1070009 | 1-Blocking | BT1070009 | iprepd, icr_eventd and tmipsecd restarts continuously after installing FIPS 140-3 license in BIG-IP cloud platform | 17.0.0, 16.1.2.2 |
976669-5 | 2-Critical | BT976669 | FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade | 17.0.0, 16.1.2.2, 16.1.0, 15.1.5.1, 14.1.4.6 |
935177-3 | 2-Critical | BT935177 | IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm | 17.0.0, 16.1.2.2, 15.1.6.1 |
1059165-1 | 2-Critical | BT1059165 | Multiple virtual server pages fail to load. | 17.0.0, 16.1.2.2 |
1048141-3 | 2-Critical | BT1048141 | Sorting pool members by 'Member' causes 'General database error' | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1047213-1 | 2-Critical | BT1047213 | VPN Client to Client communication fails when clients are connected to different TMMs. | 17.0.0, 16.1.2.2 |
1007901-1 | 2-Critical | BT1007901 | Support for FIPS 140-3 Module identifier service. | 17.0.0, 16.1.2.2 |
999125-1 | 3-Major | BT999125 | After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
992865-3 | 3-Major | BT992865 | Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances | 17.1.0, 16.1.2.2, 15.1.4 |
988165-3 | 3-Major | BT988165 | VMware CPU reservation is now enforced. | 17.0.0, 16.1.2.2, 15.1.5.1 |
984585-3 | 3-Major | BT984585 | IP Reputation option not shown in GUI. | 17.0.0, 16.1.2.2, 15.1.5.1 |
963541-1 | 3-Major | BT963541 | Net-snmp5.8 crash | 17.0.0, 16.1.2.2, 15.1.5.1 |
959985-3 | 3-Major | BT959985 | Update VMware hardware version templates for BIG-IP Virtual Edition (VE) from v10 to v13 in order to support VMs deployed in more versions of vSphere ESXi. | 17.0.0, 16.1.2.2, 15.1.6.1 |
943669-4 | 3-Major | BT943669 | B4450 blade reboot | 16.1.2.2, 15.1.2 |
943577-1 | 3-Major | BT943577 | Full sync failure for traffic-matching-criteria with port list under certain conditions | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
912253-2 | 3-Major | BT912253 | Non-admin users cannot run show running-config or list sys | 17.0.0, 16.1.2.2, 15.1.5.1 |
907549-6 | 3-Major | BT907549 | Memory leak in BWC::Measure | 17.0.0, 16.1.2.2, 15.1.0.5, 14.1.5 |
901669-6 | 3-Major | BT901669 | Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
755976-9 | 3-Major | BT755976 | ZebOS might miss kernel routes after mcpd deamon restart | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1083537 | 3-Major | BT1083537 | FIPS 140-3 Certification | 17.1.0, 17.0.0.1, 16.1.2.2 |
1076377-3 | 3-Major | BT1076377 | OSPF path calculation for IA and E routes is incorrect. | 17.0.0, 16.1.2.2, 15.1.9 |
1074113-1 | 3-Major | BT1074113 | IPsec IKEv2: Selectors incorrectly marked up after disable ike-peer | 17.0.0, 16.1.2.2 |
1071609-2 | 3-Major | BT1071609 | IPsec IKEv1: Log Key Exchange payload in racoon.log. | 17.0.0, 16.1.2.2, 15.1.6.1 |
1066285-4 | 3-Major | BT1066285 | Master Key decrypt failure - decrypt failure. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1065585-1 | 3-Major | BT1065585 | System does not halt on on FIPS/entropy error threshold for BIG-IP Virtual Edition | 17.0.0, 16.1.2.2 |
1064461-4 | 3-Major | BT1064461 | PIM-SM will not complete RP registration over tunnel interface when floating IP address is used. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1060625-1 | 3-Major | BT1060625 | Wrong INTERNAL_IP6_DNS length. | 17.1.0, 17.0.0, 16.1.2.2 |
1060149-2 | 3-Major | BT1060149 | BIG-IP vCMP guest data-plane failure with turboflex-adc selected on the host. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1059853 | 3-Major | BT1059853 | Long loading configuration time after upgrade from 15.1.3.1 to 16.1.2.★ | 17.0.0, 16.1.2.2 |
1056993-2 | 3-Major | BT1056993 | 404 error is raised on GUI when clicking "App IQ." | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1056741-2 | 3-Major | BT1056741 | ECDSA certificates signed by RSA CA are not selected based by SNI. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1052893-4 | 3-Major | BT1052893 | Configuration option to delay reboot if dataplane becomes inoperable | 17.1.1, 16.1.2.2 |
1048541-1 | 3-Major | BT1048541 | Certificate Order Manager: renew requests to the Comodo (now Sectigo) CA are unsuccessful. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1047169-1 | 3-Major | BT1047169 | GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1022637-1 | 3-Major | BT1022637 | A partition other than /Common may fail to save the configuration to disk | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
1020789-4 | 3-Major | BT1020789 | Cannot deploy a four-core vCMP guest if the remaining cores are in use. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5 |
1019357-2 | 3-Major | BT1019357 | Active fails to resend ipsec ikev2_message_id_sync if no response received | 17.0.0, 16.1.2.2, 15.1.6.1 |
1008837-1 | 3-Major | BT1008837 | Control plane is sluggish when mcpd processes a query for virtual server and address statistics | 17.0.0, 16.1.2.2, 15.1.4, 14.1.4.4 |
1008269-1 | 3-Major | BT1008269 | Error: out of stack space | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
976337-2 | 4-Minor | BT976337 | i40evf Requested 4 queues, but PF only gave us 16. | 16.1.2.2, 15.1.5.1 |
742753-8 | 4-Minor | BT742753 | Accessing the BIG-IP system's WebUI via special proxy solutions may fail | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
528894-5 | 4-Minor | BT528894 | Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
1072237-1 | 4-Minor | BT1072237 | Retrieval of policy action stats causes memory leak | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1067617-4 | 4-Minor | BT1067617 | BGP default route not advertised after mid-session OPEN. | 17.0.0, 16.1.2.2, 15.1.6.1 |
1062333-6 | 4-Minor | Linux kernel vulnerability: CVE-2019-19523 | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 | |
1061797-1 | 4-Minor | BT1061797 | Upgraded AWS CloudFormation Helper Scripts which now support IMDSv2 | 17.0.0, 16.1.2.2, 15.1.5.1 |
1058677-2 | 4-Minor | BT1058677 | Not all SCTP connections are mirrored on the standby device when auto-init is enabled. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1046693-4 | 4-Minor | BT1046693 | TMM with BFD confgured might crash under significant memory pressure | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1045549-4 | 4-Minor | BT1045549 | BFD sessions remain DOWN after graceful TMM restart | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1040821-4 | 4-Minor | BT1040821 | Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1034589-1 | 4-Minor | BT1034589 | No warning is given when a pool or trunk that was in use by an high availability (HA) Group is deleted from the configuration. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1034329-1 | 4-Minor | BT1034329 | SHA-512 checksums for BIG-IP Virtual Edition (VE) images available on downloads.f5.com | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1031425-3 | 4-Minor | BT1031425 | Provide a configuration flag to disable BGP peer-id check. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1030645-4 | 4-Minor | BT1030645 | BGP session resets during traffic-group failover | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1024621-4 | 4-Minor | BT1024621 | Re-establishing BFD session might take longer than expected. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1011217-5 | 4-Minor | BT1011217 | TurboFlex Profile setting reverts to turboflex-base after upgrade★ | 17.0.0, 16.1.2.2, 15.1.6.1 |
1002809-4 | 4-Minor | BT1002809 | OSPF vertex-threshold should be at least 100 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
968929-2 | 2-Critical | BT968929 | TMM may crash when resetting a connection on an APM virtual server | 17.0.0, 16.1.2.2 |
910213-7 | 2-Critical | BT910213 | LB::down iRule command is ineffective, and can lead to inconsistent pool member status | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1071449-4 | 2-Critical | BT1071449 | The statsd memory leak on platforms with license disabled processors. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1064617-1 | 2-Critical | BT1064617 | DBDaemon process may write to monitor log file indefinitely | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1059053-2 | 2-Critical | BT1059053 | Tmm crash when passing traffic over some configurations with L2 virtual wire | 17.0.0, 16.1.2.2, 15.1.5.1 |
1047581-3 | 2-Critical | BT1047581 | Ramcache can crash when serving files from the hot cache | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
999901-1 | 3-Major | K68816502, BT999901 | Certain LTM policies may not execute correctly after a system reboot or TMM restart. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
993517-1 | 3-Major | BT993517 | Loading an upgraded config can result in a file object error in some cases | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
977761 | 3-Major | BT977761 | Connections are dropped if a certificate is revoked. | 17.1.0, 16.1.2.2 |
967101-1 | 3-Major | BT967101 | When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
955617-8 | 3-Major | BT955617 | Cannot modify properties of a monitor that is already in use by a pool | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
953601-4 | 3-Major | BT953601 | HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
936441-7 | 3-Major | BT936441 | Nitrox5 SDK driver logging messages | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
912517-7 | 3-Major | BT912517 | Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
902377-4 | 3-Major | BT902377 | HTML profile forces re-chunk even though HTML::disable | 17.0.0, 16.1.2.2, 15.1.5.1 |
883049-9 | 3-Major | BT883049 | Statsd can deadlock with rrdshim if an rrd file is invalid | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
803109-4 | 3-Major | BT803109 | Certain configuration may result in zombie forwarding flows | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
794385-6 | 3-Major | BT794385 | BGP sessions may be reset after CMP state change | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
672963-1 | 3-Major | BT672963 | MSSQL monitor fails against databases using non-native charset | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1083989-1 | 3-Major | BT1083989 | TMM may restart if abort arrives during MBLB iRule execution | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1073973-1 | 3-Major | BT1073973 | Gateway HTTP/2, response payload intermittently not forwarded to client. | 17.0.0, 16.1.2.2 |
1072953-2 | 3-Major | BT1072953 | Memory leak in traffic management interface. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1071585-1 | 3-Major | BT1071585 | BIG-IP system does not respond to an arp from a SelfIP configured in virtual wire mode | 17.0.0, 16.1.2.2 |
1068561-1 | 3-Major | BT1068561 | Can't create key on the second netHSM partition. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1068353-1 | 3-Major | BT1068353 | Unexpected event sequence may cause HTTP/2 flow stall during shutdown | 16.1.2.2 |
1064157-1 | 3-Major | BT1064157 | Http_proxy_opaque_get should constrain search to local/spawn flows, not looped flows | 17.0.0, 16.1.2.2, 15.1.6.1 |
1063453-1 | 3-Major | BT1063453 | FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1058469-1 | 3-Major | BT1058469 | Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1056401-4 | 3-Major | BT1056401 | Valid clients connecting under active syncookie mode might experience latency. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1055097-1 | 3-Major | BT1055097 | TCP proxy with ramcache and OneConnect can result in out-of-order events, which stalls the flow. | 17.0.0, 16.1.2.2 |
1052929-4 | 3-Major | BT1052929 | MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1043357-4 | 3-Major | BT1043357 | SSL handshake may fail when using remote crypto client | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1043017-4 | 3-Major | BT1043017 | Virtual-wire with standard-virtual fragmentation | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6 |
1042913-2 | 3-Major | BT1042913 | Pkcs11d CPU utilization jumps to 100% | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1042509-1 | 3-Major | BT1042509 | On an HTTP2 gateway virtual server, TMM does not ever update the stream's window for a large POST request | 17.0.0, 16.1.2.2 |
1029897-1 | 3-Major | K63312282, BT1029897 | Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1024841-2 | 3-Major | BT1024841 | SSL connection mirroring with ocsp connection failure on standby | 17.0.0, 16.1.2.2, 15.1.5.1 |
1024225-3 | 3-Major | BT1024225 | BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1020549-1 | 3-Major | BT1020549 | Server-side connections stall with zero window with OneConnect profile | 17.0.0, 16.1.2.2 |
1017721-5 | 3-Major | BT1017721 | WebSocket does not close cleanly when SSL enabled. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5.1 |
1017533-3 | 3-Major | BT1017533 | Using TMC might cause virtual server vlans-enabled configuration to be ignored | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6 |
1016449-3 | 3-Major | BT1016449 | After certain configuration tasks are performed, TMM may run with stale Self IP parameters. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1008501-1 | 3-Major | BT1008501 | TMM core | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1008009-3 | 3-Major | BT1008009 | SSL mirroring null hs during session sync state | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
1006781-2 | 3-Major | BT1006781 | Server SYN is sent on VLAN 0 when destination MAC is multicast | 17.0.0, 16.1.2.2, 15.1.4.1 |
1004897-5 | 3-Major | BT1004897 | 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.4 |
1004689-4 | 3-Major | BT1004689 | TMM might crash when pool routes with recursive nexthops and reselect option are used. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
838305-9 | 4-Minor | BT838305 | BIG-IP may create multiple connections for packets that should belong to a single flow. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
717806-8 | 4-Minor | BT717806 | In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1080341-4 | 4-Minor | BT1080341 | Changing an L2-forward virtual to any other virtual type might not update the configuration. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1075205-1 | 4-Minor | BT1075205 | Using TCP::close after HTTP::redirect/HTTP::respond causes HTTP response not to be delivered to the client. | 17.0.0, 16.1.2.2 |
1064669-1 | 4-Minor | BT1064669 | Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1026605-6 | 4-Minor | BT1026605 | When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1026005-1 | 4-Minor | BT1026005 | BIG-IP Virtual Edition (VE) does NOT preserve the order of NICs 5-10 defined in the VMware ESXi hypervisor and NSXT platforms. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1016441-4 | 4-Minor | K11342432, BT1016441 | RFC Enforcement Hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1016049-6 | 4-Minor | BT1016049 | EDNS query with CSUBNET dropped by protocol inspection | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
968581-4 | 5-Cosmetic | BT968581 | TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1062513-4 | 2-Critical | BT1062513 | GUI returns 'no access' error message when modifying a GTM pool property. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1030881-1 | 2-Critical | BT1030881 | [GTM] Upgrade failure - 01070022:3: The monitor template min was not found.★ | 17.0.0, 16.1.2.2 |
1027657-4 | 2-Critical | BT1027657 | Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1011433-1 | 2-Critical | BT1011433 | TMM may crash under memory pressure when performing DNS resolution | 17.0.0, 16.1.2.2, 15.1.6.1 |
1010617-1 | 2-Critical | BT1010617 | String operation against DNS resource records cause tmm memory corruption | 17.0.0, 16.1.2.2, 15.1.5.1 |
876677-2 | 3-Major | BT876677 | When running the debug version of TMM, an assertion may be triggered due to an expired DNS lookup. | 17.0.0, 16.1.2.2, 15.1.6.1 |
1076401-5 | 3-Major | BT1076401 | Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1064189-1 | 3-Major | BT1064189 | DoH proxy and server listeners from GUI with client-ssl profile and server-ssl profile set to None produces undefined warning | 17.0.0, 16.1.2.2 |
1046785-1 | 3-Major | BT1046785 | Missing GTM probes when max synchronous probes are exceeded. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5, 13.1.5 |
1044425-1 | 3-Major | K85021277, BT1044425 | NSEC3 record improvements for NXDOMAIN | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1020337-2 | 3-Major | BT1020337 | DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator | 17.0.0, 16.1.2.2, 15.1.5.1 |
1018613-1 | 3-Major | BT1018613 | Modify wideip pools with replace-all-with results pools with same order 0 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1079909-1 | 2-Critical | K82724554, BT1079909 | The bd generates a core file | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5 |
1069501-1 | 2-Critical | K22251611, BT1069501 | ASM may not match certain signatures | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1069449-1 | 2-Critical | K39002226, BT1069449 | ASM attack signatures may not match cookies as expected | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1068237-1 | 2-Critical | BT1068237 | Some attack signatures added to policies are not used. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1000789-1 | 2-Critical | BT1000789 | ASM-related iRule keywords may not work as expected | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
965785-4 | 3-Major | BT965785 | Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
961509-5 | 3-Major | BT961509 | ASM blocks WebSocket frames with signature matched but Transparent policy | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
926845-7 | 3-Major | BT926845 | Inactive ASM policies are deleted upon upgrade | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
923221-8 | 3-Major | BT923221 | BD does not use all the CPU cores | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
818889-1 | 3-Major | BT818889 | False positive malformed json or xml violation. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1077281-2 | 3-Major | BT1077281 | Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages | 17.1.0, 16.1.2.2, 15.1.6.1 |
1072197-1 | 3-Major | K94142349, BT1072197 | Issue with input normalization in WebSocket. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1070273-1 | 3-Major | BT1070273 | OWASP Dashboard does not calculate Disallow DTDs in XML content profile protection properly. | 17.0.0, 16.1.2.2, 15.1.6.1 |
1069133-4 | 3-Major | BT1069133 | ASMConfig memory leak | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1067285-1 | 3-Major | BT1067285 | Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.' | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1066829-1 | 3-Major | BT1066829 | Memory leak for xml/json auto-detected parameter with signature patterns. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1061617-4 | 3-Major | BT1061617 | Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters". | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1060933-1 | 3-Major | K49237345 | Issue with input normalization. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1059621-2 | 3-Major | BT1059621 | IP Exceptions feature and SSRF feature do not work as expected if both the entries are configured with the same IP/IPs. | 17.0.0, 16.1.2.2 |
1056365-1 | 3-Major | BT1056365 | Bot Defense injection does not follow best SOP practice. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1052173-1 | 3-Major | BT1052173 | For wildcard SSRF hosts "Matched Disallowed Address" field is wrong in the SSRF violation. | 17.0.0, 16.1.2.2 |
1052169 | 3-Major | BT1052169 | Traffic is blocked on detection of an SSRF violation even though the URI parameter is in staging mode | 16.1.2.2 |
1051213-1 | 3-Major | BT1051213 | Increase default value for violation 'Check maximum number of headers'. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1051209-1 | 3-Major | K53593534, BT1051209 | BD may not process certain HTTP payloads as expected | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1047389-4 | 3-Major | BT1047389 | Bot Defense challenge hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1043533-3 | 3-Major | BT1043533 | Unable to pick up the properties of the parameters from audit reports. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1043385-4 | 3-Major | BT1043385 | No Signature detected If Authorization header is missing padding. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1042605-1 | 3-Major | BT1042605 | ASM Critical Warnings during UCS load after upgrade to v15.1.0 or above★ | 17.0.0, 16.1.2.2, 15.1.5.1 |
1041149-1 | 3-Major | BT1041149 | Staging of URL does not affect apply value signatures | 17.0.0, 16.1.2.2, 15.1.5.1 |
1038733-4 | 3-Major | BT1038733 | Attack signature not detected for unsupported authorization types. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1037457-1 | 3-Major | BT1037457 | High CPU during specific dos mitigation | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1033017-1 | 3-Major | BT1033017 | Policy changes learning mode to automatic after upload and sync | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1030853-1 | 3-Major | BT1030853 | Route domain IP exception is being treated as trusted (for learning) after being deleted | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1028473-1 | 3-Major | BT1028473 | URL sent with trailing slash might not be matched in ASM policy | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1023993-4 | 3-Major | BT1023993 | Brute Force is not blocking requests, even when auth failure happens multiple times | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1021521-1 | 3-Major | BT1021521 | JSON Schema is not enforced if OpenAPI media-type is wild card. | 17.0.0, 16.1.2.2 |
1019721-1 | 3-Major | BT1019721 | Wrong representation of JSON/XML validation files in template based (minimal) JSON policy export | 17.0.0, 16.1.2.2 |
1012221-1 | 3-Major | BT1012221 | The childInheritanceStatus is not compatible with parentInheritanceStatus★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1011069-1 | 3-Major | BT1011069 | Group/User R/W permissions should be changed for .pid and .cfg files. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1008849-4 | 3-Major | BT1008849 | OWASP "A4 XML External Entities (XXE)" is not reflecting the XXE signatures configuration. | 17.0.0, 16.1.2.2, 15.1.5.1 |
844045-4 | 4-Minor | BT844045 | ASM Response event logging for "Illegal response" violations. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1066377-1 | 4-Minor | BT1066377 | OpenAPI - Content profile is not consistent with wildcard configuration | 17.0.0, 16.1.2.2 |
1050697-4 | 4-Minor | BT1050697 | Traffic learning page counts Disabled signatures when they are ready to be enforced | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1048445-1 | 4-Minor | BT1048445 | Accept Request button is clickable for unlearnable violation illegal host name | 17.1.0, 16.1.2.2, 15.1.6.1 |
1039245-2 | 4-Minor | BT1039245 | Policy Properties screen does not load and display | 17.0.0, 16.1.2.2 |
1038741-4 | 4-Minor | BT1038741 | NTLM type-1 message triggers "Unparsable request content" violation. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1036521-1 | 4-Minor | BT1036521 | TMM crash in certain cases | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1035361-4 | 4-Minor | BT1035361 | Illegal cross-origin after successful CAPTCHA | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1034941-1 | 4-Minor | BT1034941 | Exporting and then re-importing "some" XML policy does not load the XML content-profile properly | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1021637-4 | 4-Minor | BT1021637 | In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs | 17.1.0, 16.1.2.2, 15.1.6.1 |
1020717-4 | 4-Minor | BT1020717 | Policy versions cleanup process sometimes removes newer versions | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1038913-4 | 3-Major | BT1038913 | The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category | 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
858005-1 | 3-Major | BT858005 | When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:" | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
423519-5 | 3-Major | K74302282, BT423519 | Bypass disabling the redirection controls configuration of APM RDP Resource. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1045229-1 | 3-Major | BT1045229 | APMD leaks Tcl_Objs as part of the fix made for ID 1002557 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
1044121-3 | 3-Major | BT1044121 | APM logon page is not rendered if db variable "ipv6.enabled" is set to false | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1029397-4 | 2-Critical | BT1029397 | Tmm may crash with SIP-ALG deployment in a particular race condition | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
957905-1 | 3-Major | BT957905 | SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1082885-1 | 3-Major | BT1082885 | MR::message route virtual asserts when configuration changes during ongoing traffic | 17.0.0, 16.1.2.2, 15.1.6, 14.1.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
964625-5 | 3-Major | BT964625 | Improper processing of firewall-rule metadata | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
959609-4 | 3-Major | BT959609 | Autodiscd daemon keeps crashing | 17.0.0, 16.1.2.2, 15.1.6.1 |
929909-3 | 3-Major | BT929909 | TCP Packets are not dropped in IP Intelligence | 17.0.0, 16.1.2.2, 15.1.5.1 |
1008265-1 | 3-Major | K92306170, BT1008265 | DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1072057-1 | 4-Minor | BT1072057 | "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1086897-1 | 2-Critical | BT1086897 | PEM subcriber lookup can fail for internet side/subscriber side new connections | 17.0.0, 16.1.2.2 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1028269-2 | 2-Critical | BT1028269 | Device using CGNAT + subscriber discovery license shows unknown for pem_subscriber-id. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1019613-5 | 2-Critical | BT1019613 | Unknown subscriber in PBA deployment may cause CPU spike | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1064217-1 | 3-Major | BT1064217 | Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1038445-1 | 2-Critical | BT1038445 | During upgrade to 16.1, the previous FPS Engine live update remains active★ | 17.0.0, 16.1.2.2 |
873617-1 | 3-Major | BT873617 | DataSafe is not available with AWAF license after BIG-IP startup or MCP restart. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1071181-2 | 3-Major | BT1071181 | Improving Signature Detection Accuracy | 16.1.2.2, 15.1.6.1, 14.1.5 |
1060409-2 | 4-Minor | BT1060409 | Behavioral DoS enable checkbox is wrong. | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1033829-3 | 2-Critical | BT1033829 | Unable to load Traffic Classification package | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
1052153-2 | 3-Major | BT1052153 | Signature downloads for traffic classification updates via proxy fail | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1072733-4 | 2-Critical | Protocol Inspection IM package hardening | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 | |
1070677-1 | 3-Major | BT1070677 | Learning phase does not take traffic into account - dropping all. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
940261-1 | 4-Minor | BT940261 | Support IPS package downloads via HTTP proxy. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
944121-4 | 3-Major | BT944121 | Missing SNI information when using non-default domain https monitor running in TMM mode. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
854129-6 | 3-Major | BT854129 | SSL monitor continues to send previously configured server SSL configuration after removal | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1050969-1 | 1-Blocking | BT1050969 | After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
969297 | 3-Major | BT969297 | Virtual IP configured on a system with SelfIP on vwire becomes unresponsive | 16.1.2.2 |
1058401-1 | 3-Major | BT1058401 | SSL Bypass does not work for inbound traffic | 17.0.0, 16.1.2.2 |
1048033-1 | 3-Major | BT1048033 | Server-speaks-first traffic might not work with SSL Orchestrator | 17.0.0, 16.1.2.2 |
1047377-1 | 3-Major | BT1047377 | "Server-speak-first" traffic might not work with SSL Orchestrator | 17.0.0, 16.1.2.2 |
1029869-1 | 3-Major | BT1029869 | Use of ha-sync script may cause gossip communications to fail | 17.0.0, 16.1.2.2, 15.1.6.1 |
1029585-1 | 3-Major | BT1029585 | Use of ha-sync script may cause platforms in a sync-failover device group to fall out of sync | 17.0.0, 16.1.2.2, 15.1.6.1 |
Cumulative fixes from BIG-IP v16.1.2.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1045101-4 | CVE-2022-26890 | K03442392, BT1045101 | Bd may crash while processing ASM traffic | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6, 13.1.5 |
940185-7 | CVE-2022-23023 | K11742742, BT940185 | icrd_child may consume excessive resources while processing REST requests | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
1065789-1 | CVE-2023-24594 | K000133132, BT1065789 | TMM may send duplicated alerts while processing SSL connections | 17.0.0, 16.1.2.1, 15.1.5 |
1063389-6 | CVE-2015-5191 | K84583382, BT1063389 | open-vm-tools vulnerability: CVE-2015-5191 | 17.0.0, 16.1.2.1, 14.1.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1015133-5 | 3-Major | BT1015133 | Tail loss can cause TCP TLP to retransmit slowly. | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
749332-1 | 2-Critical | BT749332 | Client-SSL Object's description can be updated using CLI and with REST PATCH operation | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.4 |
996001-5 | 3-Major | BT996001 | AVR Inspection Dashboard 'Last Month' does not show all data points | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
994305-3 | 3-Major | BT994305 | The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5 | 17.0.0, 16.1.2.1, 15.1.5.1 |
968657-1 | 3-Major | BT968657 | Added support for IMDSv2 on AWS | 17.0.0, 16.1.2.1, 15.1.5.1 |
1032949-1 | 3-Major | BT1032949 | Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate. | 17.0.0, 16.1.2.1, 15.1.5 |
1041765-2 | 4-Minor | BT1041765 | Racoon may crash in rare cases | 17.0.0, 16.1.2.1, 15.1.10 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
999097-1 | 3-Major | BT999097 | SSL::profile may select profile with outdated configuration | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
910673-6 | 3-Major | BT910673 | Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM' | 17.0.0, 16.1.2.1, 15.1.5.1 |
898929-6 | 3-Major | BT898929 | Tmm might crash when ASM, AVR, and pool connection queuing are in use | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
1038629-4 | 3-Major | BT1038629 | DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
1031609-1 | 3-Major | BT1031609 | Improve nethsm-thales-install.sh and nethsm-thales-rfs-install.sh to be compatible with Entrust Client v12.60.10 package.★ | 17.0.0, 16.1.2.1, 15.1.5.1 |
1019609-1 | 3-Major | BT1019609 | No Error logging when BIG-IP device's IP address is not added in client list on netHSM.★ | 17.0.0, 16.1.2.1, 15.1.5.1 |
1017513-5 | 3-Major | BT1017513 | Config sync fails with error Invalid monitor rule instance identifier or monitors are in a bad state such as checking | 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5 |
1007749-2 | 3-Major | BT1007749 | URI TCL parse functions fail when there are interior segments with periods and semi-colons | 17.0.0, 16.1.2.1, 15.1.5 |
1048433-1 | 4-Minor | BT1048433 | Improve Extract logic of thales-sync.sh to support VIPRION cluster to support 12.6.10 client installation.★ | 16.1.2.1, 15.1.5.1 |
1024761-1 | 4-Minor | BT1024761 | HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body | 17.0.0, 16.1.2.1, 15.1.5 |
1005109-4 | 4-Minor | BT1005109 | TMM crashes when changing traffic-group on IPv6 link-local address | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
935249-3 | 3-Major | BT935249 | GTM virtual servers have the wrong status | 17.0.0, 16.1.2.1, 15.1.5 |
1039553-1 | 3-Major | BT1039553 | Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitors | 17.0.0, 16.1.2.1, 15.1.5 |
1021061-4 | 3-Major | BT1021061 | Config fails to load for large config on platform with Platform FIPS license enabled | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993613-7 | 2-Critical | BT993613 | Device fails to request full sync | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
984593-1 | 3-Major | BT984593 | BD crash | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
921697-1 | 3-Major | BT921697 | Attack signature updates fail to install with Installation Error.★ | 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.6 |
907025-5 | 3-Major | BT907025 | Live update error" 'Try to reload page' | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
885765-1 | 3-Major | BT885765 | ASMConfig Handler undergoes frequent restarts | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
830341-5 | 3-Major | BT830341 | False positives Mismatched message key on ASM TS cookie | 17.0.0, 16.1.2.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
1043205-1 | 3-Major | BT1043205 | SSRF Violation should be shown as a Parameter Entity Reference. | 16.1.2.1 |
1042069-1 | 3-Major | Some signatures are not matched under specific conditions. | 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5, 13.1.5 | |
1002385-1 | 4-Minor | K67397230, BT1002385 | Fixing issue with input normalization | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1009093-2 | 2-Critical | BT1009093 | GUI widgets pages are not functioning correctly | 17.0.0, 16.1.2.1, 15.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
969317-4 | 3-Major | BT969317 | "Restrict to Single Client IP" option is ignored for vmware VDI | 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5 |
828761-5 | 3-Major | BT828761 | APM OAuth - Auth Server attached iRule works inconsistently | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
827393-5 | 3-Major | BT827393 | In rare cases tmm crash is observed when using APM as RDG proxy. | 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5 |
738593-3 | 3-Major | BT738593 | Vmware Horizon session collaboration (shadow session) feature does not work through APM. | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
1007677-2 | 3-Major | BT1007677 | Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector' | 17.0.0, 16.1.2.1, 15.1.4.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1039329-2 | 3-Major | BT1039329 | MRF per peer mode is not working in vCMP guest. | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
1025529-2 | 3-Major | BT1025529 | TMM generates core when iRule executes a nexthop command and SIP traffic is sent | 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
956013-4 | 3-Major | BT956013 | System reports{{validation_errors}} | 16.1.2.1, 15.1.5, 14.1.4.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1023437-1 | 3-Major | Buffer overflow during attack with large HTTP Headers | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1055361-1 | 2-Critical | BT1055361 | Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash. | 17.0.0, 16.1.2.1, 15.1.5.1 |
Cumulative fixes from BIG-IP v16.1.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
991421-2 | CVE-2022-23016 | K91013510, BT991421 | TMM may crash while processing TLS traffic | 17.0.0, 16.1.2, 15.1.4.1 |
989701-8 | CVE-2020-25212 | K42355373, BT989701 | CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
988549-10 | CVE-2020-29573 | K27238230, BT988549 | CVE-2020-29573: glibc vulnerability | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
968893-3 | CVE-2022-23014 | K93526903, BT968893 | TMM crash when processing APM traffic | 17.0.0, 16.1.2, 15.1.4.1 |
940317-9 | CVE-2020-13692 | K23157312, BT940317 | CVE-2020-13692: PostgreSQL JDBC Driver vulnerability | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
1037181-1 | CVE-2022-23022 | K96924184, BT1037181 | TMM may crash while processing HTTP traffic | 17.0.0, 16.1.2 |
1032405-1 | CVE-2021-23037 | K21435974, BT1032405 | TMUI XSS vulnerability CVE-2021-23037 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1031269 | CVE-2022-23020 | K17514331, BT1031269 | TMM may consume excessive resources when processing logging profiles | 17.0.0, 16.1.2 |
1030689-1 | CVE-2022-23019 | K82793463, BT1030689 | TMM may consume excessive resources while processing Diameter traffic | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
1029629-1 | CVE-2022-28706 | K03755971, BT1029629 | TMM may crash while processing DNS lookups | 17.0.0, 16.1.2, 15.1.5.1 |
1028669-7 | CVE-2019-9948 | K28622040, BT1028669 | Python vulnerability: CVE-2019-9948 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1028573-6 | CVE-2020-10878 | K40508224, BT1028573 | Perl vulnerability: CVE-2020-10878 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1028497-7 | CVE-2019-15903 | K05295469, BT1028497 | libexpat vulnerability: CVE-2019-15903 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1021713-1 | CVE-2022-41806 | K00721320, BT1021713 | TMM may crash when processing AFM NAT64 policy | 17.0.0, 16.1.2, 15.1.5.1 |
1012365-4 | CVE-2021-20305 | K33101555, BT1012365 | Nettle cryptography library vulnerability CVE-2021-20305 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1007489-7 | CVE-2022-23018 | K24358905, BT1007489 | TMM may crash while handling specific HTTP requests★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
974341-6 | CVE-2022-23026 | K08402414, BT974341 | REST API: File upload | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
973409-6 | CVE-2020-1971 | K42910051, BT973409 | CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
941649-8 | CVE-2021-23043 | K63163637, BT941649 | Local File Inclusion Vulnerability | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
803965-10 | CVE-2018-20843 | K51011533, BT803965 | Expat Vulnerability: CVE-2018-20843 | 17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5 |
1035729-1 | CVE-2022-23021 | K57111075, BT1035729 | TMM may crash while processing traffic http traffic | 17.0.0, 16.1.2 |
1009725-1 | CVE-2022-23030 | K53442005, BT1009725 | Excessive resource usage when ixlv drivers are enabled | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
985953-6 | 4-Minor | BT985953 | GRE Transparent Ethernet Bridging inner MAC overwrite | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1039049-2 | 1-Blocking | BT1039049 | Installing EHF on particular platforms fails with error "RPM transaction failure" | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
997313-2 | 2-Critical | BT997313 | Unable to create APM policies in a sync-only folder★ | 17.0.0, 16.1.2, 15.1.4.1 |
1031357-2 | 2-Critical | BT1031357 | After reboot of standby and terminating peer, some IPsec traffic-selectors are still online | 17.0.0, 16.1.2 |
1029949-2 | 2-Critical | BT1029949 | IPsec traffic selector state may show incorrect state on high availability (HA) standby device | 17.0.0, 16.1.2 |
998221-1 | 3-Major | BT998221 | Accessing pool members from configuration utility is slow with large config | 17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.3 |
946185-3 | 3-Major | BT946185 | Unable to view iApp component due to error 'An error has occurred while trying to process your request.'★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
922185-3 | 3-Major | BT922185 | LDAP referrals not supported for 'cert-ldap system-auth'★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
881085-4 | 3-Major | BT881085 | Intermittent auth failures with remote LDAP auth for BIG-IP managment | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1045421-1 | 3-Major | K16107301, BT1045421 | No Access error when performing various actions in the TMOS GUI | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1032737-2 | 3-Major | BT1032737 | IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate | 17.0.0, 16.1.2, 15.1.4.1 |
1032077-1 | 3-Major | BT1032077 | TACACS authentication fails with tac_author_read: short author body | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1028969-1 | 3-Major | BT1028969 | An unused traffic-selector can prevent an IKEv2 IPsec tunnel from working | 17.0.0, 16.1.2 |
1026549-1 | 3-Major | BT1026549 | Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1022757-2 | 3-Major | BT1022757 | Tmm core due to corrupt list of ike-sa instances for a connection | 17.0.0, 16.1.2, 15.1.9 |
1021773-1 | 3-Major | BT1021773 | Mcpd core. | 17.0.0, 16.1.2, 15.1.7 |
1020377-1 | 3-Major | BT1020377 | Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon | 17.0.0, 16.1.2 |
1015645-2 | 3-Major | BT1015645 | IPSec SA's missing after reboot | 17.0.0, 16.1.2 |
1009949-4 | 3-Major | BT1009949 | High CPU usage when upgrading from previous version★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
1003257-6 | 3-Major | BT1003257 | ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
921365-2 | 4-Minor | BT921365 | IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby | 17.0.0, 16.1.2, 15.1.4 |
1034617-1 | 4-Minor | BT1034617 | Login/Security Banner text not showing in console login. | 17.0.0, 16.1.2 |
1030845-1 | 4-Minor | BT1030845 | Time change from TMSH not logged in /var/log/audit. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1022417-1 | 4-Minor | BT1022417 | Ike stops with error ikev2_send_request: [WINDOW] full window | 17.0.0, 16.1.2, 15.1.9 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1039041 | 1-Blocking | BT1039041 | Log Message: Clock advanced by <number> ticks | 17.0.0, 16.1.2 |
1040361-1 | 2-Critical | BT1040361 | TMM crashes during its startup when TMC destination port list attached/deleted to virtual server. | 17.0.0, 16.1.2, 15.1.5, 14.1.4.5 |
915773-7 | 3-Major | BT915773 | Restart of TMM after stale interface reference | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
1023365-2 | 3-Major | BT1023365 | SSL server response could be dropped on immediate client shutdown. | 17.0.0, 16.1.2, 15.1.4.1 |
1021481-1 | 3-Major | BT1021481 | 'http-tunnel' and 'socks-tunnel' (which are internal interfaces) should be hidden. | 17.0.0, 16.1.2 |
1020957-1 | 3-Major | BT1020957 | HTTP response may be truncated by the BIG-IP system | 17.0.0, 16.1.2 |
1018577-4 | 3-Major | BT1018577 | SASP monitor does not mark pool member with same IP Address but different Port from another pool member | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1016113-1 | 3-Major | BT1016113 | HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile. | 17.0.0, 16.1.2, 15.1.4 |
1008017-2 | 3-Major | BT1008017 | Validation failure on Enforce TLS Requirements and TLS Renegotiation | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
895557-5 | 4-Minor | BT895557 | NTLM profile logs error when used with profiles that do redirect | 17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.2 |
1031901-2 | 4-Minor | BT1031901 | In HTTP2 deployment, RST_STREAM sent to client if server in CLOSING state is picked | 17.0.0, 16.1.2, 15.1.4.1 |
1018493-1 | 4-Minor | BT1018493 | Response code 304 from TMM Cache always closes TCP connection. | 17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5 |
1002945-4 | 4-Minor | BT1002945 | Some connections are dropped on chained IPv6 to IPv4 virtual servers. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1035853-1 | 2-Critical | K41415626, BT1035853 | Transparent DNS Cache can consume excessive resources. | 17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5 |
1028773-1 | 2-Critical | BT1028773 | Support for DNS Over TLS | 17.0.0, 16.1.2 |
1009037-1 | 2-Critical | BT1009037 | Tcl resume on invalid connection flow can cause tmm crash | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1021417-1 | 3-Major | BT1021417 | Modifying GTM pool members with replace-all-with results in pool members with order 0 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
912149-7 | 2-Critical | BT912149 | ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1019853-1 | 2-Critical | K30911244, BT1019853 | Some signatures are not matched under specific conditions | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1017153-4 | 2-Critical | BT1017153 | Asmlogd suddenly deletes all request log protobuf files and records from the database. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1011065-1 | 2-Critical | K39002226, BT1011065 | Certain attack signatures may not match in multipart content | 17.0.0, 16.1.2, 15.1.4.1 |
1011061-4 | 2-Critical | K39002226, BT1011061 | Certain attack signatures may not match in multipart content | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
947341-4 | 3-Major | BT947341 | MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files. | 17.0.0, 16.1.2, 16.0.1.2, 15.1.3, 14.1.4.1 |
932133-1 | 3-Major | BT932133 | Payloads with large number of elements in XML take a lot of time to process | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
842013-1 | 3-Major | BT842013 | ASM Configuration is Lost on License Reactivation★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1042917-1 | 3-Major | BT1042917 | Using 'Full Export' of security policy should result with no diffs after importing it back to device. | 17.0.0, 16.1.2 |
1028109-1 | 3-Major | BT1028109 | Detected attack signature is reported with the wrong context. | 17.0.0, 16.1.2 |
1022269-1 | 3-Major | BT1022269 | False positive RFC compliant violation | 17.0.0, 16.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
1004069-4 | 3-Major | BT1004069 | Brute force attack is detected too soon | 17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5 |
1004537-2 | 4-Minor | BT1004537 | Traffic Learning: Accept actions for multiple suggestions not localized | 17.0.0, 16.1.2, 15.1.4 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
932137-7 | 3-Major | BT932137 | AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
922105-1 | 3-Major | BT922105 | Avrd core when connection to BIG-IQ data collection device is not available | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
1035133-4 | 3-Major | BT1035133 | Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
948113-1 | 4-Minor | BT948113 | User-defined report scheduling fails | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1020705-2 | 4-Minor | BT1020705 | tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name | 17.0.0, 16.1.2, 15.1.3.1, 14.1.4.4 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1027217-1 | 1-Blocking | BT1027217 | Script errors in Network Access window using browser. | 17.0.0, 16.1.2, 15.1.4.1 |
1006893-4 | 2-Critical | BT1006893 | Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
993457-1 | 3-Major | BT993457 | TMM core with ACCESS::policy evaluate iRule | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1021485-3 | 3-Major | BT1021485 | VDI desktops and apps freeze with Vmware and Citrix intermittently | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1017233-2 | 3-Major | BT1017233 | APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption | 17.0.0, 16.1.2, 15.1.4.1 |
939877-3 | 4-Minor | BT939877 | OAuth refresh token not found | 17.0.0, 16.1.2, 15.1.4, 14.1.4.4 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1007113-3 | 2-Critical | BT1007113 | Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1018285-2 | 4-Minor | BT1018285 | MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction | 17.0.0, 16.1.2, 15.1.4.1 |
1003633-1 | 4-Minor | BT1003633 | There might be wrong memory handling when message routing feature is used | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1049229-1 | 2-Critical | BT1049229 | When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1013629-4 | 3-Major | BT1013629 | URLCAT: Scan finds many Group/User Read/Write (666/664/662) files | 17.0.0, 16.1.2, 15.1.9 |
686783-1 | 4-Minor | BT686783 | UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1032689 | 4-Minor | BT1032689 | UlrCat Custom db feedlist does not work for some URLs | 16.1.2, 15.1.4.1, 14.1.4.5 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
929213-2 | 3-Major | BT929213 | iAppLX packages not rolled forward after BIG-IP upgrade★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1038669-1 | 3-Major | BT1038669 | Antserver keeps restarting. | 17.0.0, 16.1.2, 15.1.5 |
1032797-1 | 3-Major | BT1032797 | Tmm continuously cores when parsing custom category URLs | 17.0.0, 16.1.2, 15.1.5 |
Cumulative fixes from BIG-IP v16.1.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
979877-9 | CVE-2020-1971 | K42910051, BT979877 | CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information | 16.1.1, 15.1.4, 14.1.5.1 |
954425-4 | CVE-2022-23031 | K61112120, BT954425 | Hardening of Live-Update | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
797797-7 | CVE-2019-11811 | K01512680, BT797797 | CVE-2019-11811 kernel: use-after-free in drivers | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.3 |
1013569-1 | CVE-2022-31473 | K34893234, BT1013569 | Hardening of iApps processing | 17.0.0, 16.1.1, 15.1.4 |
1008561-4 | CVE-2022-23025 | K44110411, BT1008561 | In very rare condition, BIG-IP may crash when SIP ALG is deployed | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
911141-1 | 3-Major | BT911141 | GTP v1 APN is not decoded/encoded properly | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
974241-3 | 2-Critical | BT974241 | Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades | 17.0.0, 16.1.1, 15.1.4 |
887117-4 | 3-Major | BT887117 | Invalid SessionDB messages are sent to Standby | 17.0.0, 16.1.1, 15.1.4.1 |
1019829-2 | 3-Major | BT1019829 | Configsync.copyonswitch variable is not functioning on reboot | 16.1.1 |
1018309-5 | 3-Major | BT1018309 | Loading config file with imish removes the last character | 17.0.0, 16.1.1, 15.1.4.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1023341-1 | 1-Blocking | HSM hardening | 17.0.0, 16.1.1, 15.1.5.1, 14.1.4.6, 13.1.5 | |
995405-1 | 2-Critical | BT995405 | After upgrade, the copied SSL vhf/vht profile prevents traffic from passing★ | 17.0.0, 16.1.3, 16.1.1 |
1040677 | 2-Critical | BT1040677 | BIG-IP D120 platform reports page allocation failures in N3FIPS driver | 17.0.0, 16.1.1 |
980617-1 | 3-Major | BT980617 | SNAT iRule is not working with HTTP/2 and HTTP Router profiles | 17.0.0, 16.1.1, 15.1.10 |
912945-3 | 4-Minor | BT912945 | A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1039069-1 | 1-Blocking | BT1039069 | Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049.★ | 17.0.0, 16.1.1, 15.1.4 |
993489-1 | 3-Major | BT993489 | GTM daemon leaks memory when reading GTM link objects | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
996381-1 | 2-Critical | K41503304, BT996381 | ASM attack signature may not match as expected | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1 |
970329-1 | 2-Critical | K70134152, BT970329 | ASM hardening | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
965229-5 | 2-Critical | BT965229 | ASM Load hangs after upgrade★ | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
986937-3 | 3-Major | BT986937 | Cannot create child policy when the signature staging setting is not equal in template and parent policy | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4 |
981069-3 | 3-Major | BT981069 | Reset cause: "Internal error ( requested abort (payload release error))" | 17.0.0, 16.1.1, 15.1.4 |
962589-4 | 3-Major | BT962589 | Full Sync Requests Caused By Failed Relayed Call to delete_suggestion | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
951133-4 | 3-Major | BT951133 | Live Update does not work properly after upgrade★ | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4 |
920149-3 | 3-Major | BT920149 | Live Update default factory file for Server Technologies cannot be reinstalled | 17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4 |
888289-8 | 3-Major | BT888289 | Add option to skip percent characters during normalization | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
1005105-3 | 3-Major | BT1005105 | Requests are missing on traffic event logging | 17.0.0, 16.1.1, 15.1.4, 14.1.4.5 |
1000741-1 | 3-Major | K67397230, BT1000741 | Fixing issue with input normalization | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
941625-3 | 4-Minor | BT941625 | BD sometimes encounters errors related to TS cookie building | 17.0.0, 16.1.1, 15.1.4 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
924945-5 | 3-Major | BT924945 | Fail to detach HTTP profile from virtual server | 17.0.0, 16.1.1, 16.0.1.2, 15.1.3 |
913085-6 | 3-Major | BT913085 | Avrd core when avrd process is stopped or restarted | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
909161-1 | 3-Major | BT909161 | A core file is generated upon avrd process restart or stop | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1024101-1 | 3-Major | BT1024101 | SWG as a Service license improvements | 17.0.0, 16.1.3, 16.1.1 |
1022625-2 | 3-Major | BT1022625 | Profile type 'swg-transparent' should be selected on create page when 'create-new' is selected for SwgAsService in SSL Orchestrator | 17.0.0, 16.1.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993913-4 | 2-Critical | BT993913 | TMM SIGSEGV core in Message Routing Framework | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
1012721-4 | 2-Critical | BT1012721 | Tmm may crash with SIP-ALG deployment in a particular race condition | 17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4, 13.1.5 |
1007821-3 | 2-Critical | BT1007821 | SIP message routing may cause tmm crash | 17.0.0, 16.1.1, 15.1.4 |
996113-2 | 3-Major | BT996113 | SIP messages with unbalanced escaped quotes in headers are dropped | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
805821-1 | 3-Major | BT805821 | GTP log message contains no useful information | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
919301-1 | 4-Minor | BT919301 | GTP::ie count does not work with -message option | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
913413-1 | 4-Minor | BT913413 | 'GTP::header extension count' iRule command returns 0 | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
913409-1 | 4-Minor | BT913409 | GTP::header extension command may abort connection due to unreasonable TCL error | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
913393-1 | 5-Cosmetic | BT913393 | Tmsh help page for GTP iRule contains incorrect and missing information | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
992213-3 | 3-Major | BT992213 | Protocol Any displayed as HOPTOPT in AFM policy view | 17.0.0, 16.1.1, 15.1.4, 14.1.4.2 |
1000405-1 | 3-Major | BT1000405 | VLAN/Tunnels not listed when creating a new rule via GUI | 17.0.0, 16.1.1, 15.1.4 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1018145 | 3-Major | BT1018145 | Firewall Manager user role is not allowed to configure/view protocol inspection profiles | 16.1.1, 15.1.4 |
Cumulative fix details for BIG-IP v16.1.5.1 that are included in this release
999901-1 : Certain LTM policies may not execute correctly after a system reboot or TMM restart.
Links to More Info: K68816502, BT999901
Component: Local Traffic Manager
Symptoms:
After a system reboot or TMM restart, LTM policies referencing an external data-group may not execute correctly, regardless of a successful matching condition.
This can cause a wide range of issues, including misrouted traffic, unshaped traffic, the bypassing of ASM, or complete traffic failure (based on the policy actions).
Note that if a virtual server references multiple LTM policies, and only some of those policies reference an external data-group, all LTM policies attached to the virtual server will be affected.
Conditions:
-- LTM policy with an external data-group configured on a virtual server.
-- System reboot or TMM restart.
Impact:
LTM policies may be unable to execute the appropriate action on a successful matching condition, leading to a wide range of traffic-impacting consequences.
Workaround:
Remove and re-add the affected policy to the desired virtual-server. Alternatively, to fix a wider number of affected virtual servers in one go, reload the system configuration by executing 'tmsh load sys config'.
Fix:
TMM now loads LTM policies with external data-groups as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
999881-6 : Tcl command 'string first' not working if payload contains Unicode characters.
Links to More Info: BT999881
Component: Local Traffic Manager
Symptoms:
Tcl command 'string first' returns an incorrect value when Unicode characters are present in the payload.
Conditions:
-- Tcl command 'string first' is used in iRules.
-- Payload contains Unicode characters.
Impact:
Traffic processing with iRules that contains the 'string first' command might not work as expected.
Workaround:
You can use any of the following workarounds:
-- Use iRuleLX.
-- Do not use Unicode characters in the payload.
-- Use a custom Tcl proc to iterate through the string using lindex
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
999125-1 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.
Links to More Info: BT999125
Component: TMOS
Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.
Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.
Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).
Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur.
Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:
tmsh restart sys service sod
Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.
Fix:
Redundant devices remain in the correct failover state following a management IP address change.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
999097-1 : SSL::profile may select profile with outdated configuration
Links to More Info: BT999097
Component: Local Traffic Manager
Symptoms:
Under some circumstances, an iRule-selected SSL profile may a send previously configured certificate to the peer.
Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.
Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.
Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.
Fix:
The system now makes sure that SSL profiles are properly reloaded after changes are made.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
998957-1 : MCPD consumes excessive CPU while collecting statistics
Links to More Info: BT998957
Component: TMOS
Symptoms:
MCPD CPU utilization is 100%.
Conditions:
This condition can occur when the BIG-IP system has a large number of virtual servers, pools, and pool members for which statistics are being collected. The CPU impact is proportional to the number of objects configured. It appears unlikely to see a significant impact when under 1000 objects.
Impact:
CPU utilization by MCPD is excessive.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.1.0, 16.1.5
998225-6 : TMM crash when disabling/re-enabling a blade that triggers a primary blade transition.
Links to More Info: BT998225
Component: TMOS
Symptoms:
TMM crashes during the primary blade transition.
Conditions:
-- Using bidirectional forwarding detection.
-- Primary blade transition occurs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM no longer crashes on primary blade transition.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
998221-1 : Accessing pool members from configuration utility is slow with large config
Links to More Info: BT998221
Component: TMOS
Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.
Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.
Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second,
Managing pool members from configuration utility is very slow causing performance impact.
Workaround:
None
Fix:
Optimized the GUI query used for retrieving pool members data.
Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.3
997793-3 : Error log: Failed to reset strict operations; disconnecting from mcpd★
Links to More Info: K34172543, BT997793
Component: TMOS
Symptoms:
After rebooting the device you are unable to access the GUI. When checking the LTM logs in the SSH/console, it repeatedly prompts an error: tmm crash.
Failed to reset strict operations; disconnecting from mcpd.
Conditions:
-- APM provisioned.
-- Previous EPSEC packages that are still residing on the system from earlier BIG-IP versions are installed upon boot.
Impact:
Mcpd fails to fully load and the device fails to come up fully, and it cannot pass traffic.
An internal timer might cause the installation to be aborted and all daemons to be restarted through bigstart restart. Traffic is disrupted while tmm restarts.
Workaround:
You can recover by restarting the services. Traffic will be disrupted while tmm restarts:
1. Stop the overdog daemon first by issuing the command:
systemctl stop overdog.
2. Restart all services by issuing the command:
bigstart restart.
3. Wait for 10 to 20 mins until EPSEC packages are successfully installed and mcpd successfully starts.
4. Start the overdog daemon after the system is online
systemctl start overdog.
Impact of workaround: it is possible that the EPSEC rpm database is or could be corrupted. If you find that you cannot access the GUI after appying this workaround, see https://cdn.f5.com/product/bugtracker/ID1188857.html
Fix:
After rebooting the device, you can now access the GUI without a 'Failed to reset' error.
Fixed Versions:
16.1.5
997561-5 : TMM CPU imbalance with GRE/TB and GRE/MPLS traffic
Links to More Info: BT997561
Component: TMOS
Symptoms:
When handling unidirectional GRE traffic, a lack of inner payload entropy can lead to CPU pinning.
In some circumstances, handling this traffic should not require maintaining state across TMMs.
Conditions:
This occurs with GRE/TB (transparent ethernet bridging) and GRE/MPLS traffic.
Impact:
TMM utilization across CPUs is imbalanced, which can impact overall device performance.
Workaround:
None
Fix:
The BIG-IP now has a 'iptunnel.ether_nodag' DB key, which defaults to 'disable'. When this DB key is enabled, the BIG-IP system always processes tunnel-encapsulated traffic on the TMM that handles the tunnel packet, rather than re-disaggregating it.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
997429-1 : When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled
Links to More Info: BT997429
Component: Advanced Firewall Manager
Symptoms:
Some DoS-related log messages may be missing
Conditions:
-- Static DDoS vector is configured with the same mitigation threshold and detection threshold setpoint.
-- The platform supports Hardware DDoS mitigation and hardware mitigation and hardware mitigation is not disabled.
Impact:
Applications dependent on log frequency may be impacted.
Workaround:
Configure the mitigation limit about 10% over the attack limit.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
997313-2 : Unable to create APM policies in a sync-only folder★
Links to More Info: BT997313
Component: TMOS
Symptoms:
Unable to configure an APM policy in a sync-only folder, or the configuration fails to load after an upgrade, with an error message similar to:
-- err mcpd[mcpd_pid]: 01070734:3: Configuration error: Invalid Devicegroup Reference. The customization_group (/Common/sync-only/example_apm_customization) requires customization_source (/Common/standard) to be syncd to the same devices
Conditions:
-- Multiple BIG-IP devices configured in a sync-only device group, but different/non-overlapping failover device groups
-- APM policy being created in a folder or partition associated with sync-only device group.
Impact:
-- Unable to create the access policy.
-- The configuration fails to load and the device remains inoperative.
Workaround:
You can use either of the following strategies to prevent the issue:
--Do not create APM policies in a sync-only folder.
--Disable MCPD device-group reference validation for the sync-only folder, e.g.:
tmsh modify sys folder /Common/sync-only no-ref-check true
tmsh save sys config
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
997269-1 : The management-dhcp contextual help for supersede-options is not available
Links to More Info: BT997269
Component: TMOS
Symptoms:
In TMSH, unable to view the contextual help for supersede-options of management-dhcp.
Conditions:
In TMSH, configuring DHCP settings for the management interface.
Impact:
The help text is not available on usage of supersede-options.
Workaround:
None
Fix:
Added missing contextual help for supersede-options.
Fixed Versions:
17.0.0, 16.1.5
996649-6 : Improper handling of DHCP flows leading to orphaned server-side connections
Links to More Info: BT996649
Component: Local Traffic Manager
Symptoms:
When there are multiple client-side flows tied to a single server-side DHCP flow, timeout handling on the client-side flows is incorrect and might lead to a server-side flow getting orphaned. This results in traffic from the server not making its way back to the client.
Conditions:
Regular DHCP virtual server in use.
Impact:
Traffic is not passed to the client.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
996381-1 : ASM attack signature may not match as expected
Links to More Info: K41503304, BT996381
Component: Application Security Manager
Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.
Conditions:
- Attack signature 200000128 enabled.
Impact:
Processed traffic may not match all expected attack signatures
Workaround:
N/A
Fix:
Attack signature 200000128 now matches as expected.
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1
996113-2 : SIP messages with unbalanced escaped quotes in headers are dropped
Links to More Info: BT996113
Component: Service Provider
Symptoms:
Dropped SIP messages.
Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote
Impact:
Certain SIP messages are not being passed via MRF.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
996001-5 : AVR Inspection Dashboard 'Last Month' does not show all data points
Links to More Info: BT996001
Component: TMOS
Symptoms:
A daily-based report (report with resolution of one day in each data-point) can be provided to only request with up-to 30 days. A request with 31 days shows only 2 entries.
Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.
Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.
Workaround:
None
Fix:
Viewing a 'Last Month' graph now reports ~30 days worth of data, rather than a variable amount of data based on actual calendar periods.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
995849-1 : Tmm crash SIGSEGV - rcs_getsalen() in lib/rc_net.c
Links to More Info: BT995849
Component: TMOS
Symptoms:
Tmm crashes while processing a large number of tunnels.
Conditions:
-- A large number of ipsec tunnels
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Memory allocation failures are handled.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
995405-1 : After upgrade, the copied SSL vhf/vht profile prevents traffic from passing★
Links to More Info: BT995405
Component: Local Traffic Manager
Symptoms:
After an RPM upgrade, SSL Orchestrator traffic does not pass
Conditions:
Upgrading SSL Orchestrator via RPM
Impact:
Traffic will not pass.
Workaround:
Bigstart restart tmm
Fix:
Fixed an issue that was preventing from passing after an RPM upgrade.
Fixed Versions:
17.0.0, 16.1.3, 16.1.1
995097-1 : Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file.
Links to More Info: BT995097
Component: TMOS
Symptoms:
After reloading the configuration from a file, management-dhcp supersede options whose values contained a double quote character (") no longer contain the character.
For instance, after reloading the configuration, the following section:
# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
supersede-options {
domain-name {
value { "example.com" }
}
domain-name-servers {
value { 8.8.8.8 }
}
domain-search {
value { "example.com" }
}
}
}
Becomes:
# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
supersede-options {
domain-name {
value { example.com }
}
domain-name-servers {
value { 8.8.8.8 }
}
domain-search {
value { example.com }
}
}
}
This also affects the configuration file for the dhclient/dhclient6 daemons that the system automatically generates from the aforementioned config stanza.
Conditions:
This issue occurs when the following statements apply:
--- The values of management-dhcp supersede options contain double quote characters.
--- The configuration is reloaded from file.
The BIG-IP system reloads the configuration from file in the following cases:
-- When you issue the 'tmsh load sys config' command.
-- After an upgrade, as the mcpd binary database does not exist yet.
-- When troubleshooting requires removing the mcpd binary database and reloading the config from file.
-- When the system is relicensed.
-- When system provisioning changes.
-- When a UCS/SCF archive is restored.
-- When someone merges in config from file or terminal (but this is limited to the actual contents being merged in, not the entire configuration).
Impact:
The in-memory mcpd configuration relating to management-dhcp supersede options is incorrect.
The /etc/dhclient.conf file that is automatically generated contains incorrect syntax.
As a result of this, the dhclient/dhclient6 daemons fail to parse the file and run with an incomplete configuration.
Ultimately, the system does not behave as configured in regard to its management-dhcp configuration.
Workaround:
Reapply the desired management-dhcp supersede-options configuration using the tmsh utility.
For example, to restore the intended in-memory configuration shown under Symptoms, you would run within tmsh:
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options none
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name-servers { value add { 8.8.8.8 } } }
# save sys config
On versions earlier than 15.0.0, you must also restart the dhclient/dhclient6 daemons by running:
bigstart restart dhclient dhclient6
Note that the workaround is not permanent and will be invalidated the next time the config is loaded from file again.
Fix:
The BIG-IP system user is no longer responsible for knowing which dhcp-options require quoting and which do not. This determination is now done internally by mcpd, which uses the correct syntax for each supersede-option when writing the /etc/dhclient.conf file. This means that, as the BIG-IP system user, you are not required to quote anything when manipulating management-dhcp supersede-options in tmsh.
For instance, you can enter the following command:
tmsh modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { one.example.com two.example.com } } }
And the system inserts the following instruction in the /etc/dhclient.conf file:
supersede domain-search "one.example.com", "two.example.com" ;
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
994973-1 : TMM crash with do_drivers_probe()
Links to More Info: BT994973
Component: Local Traffic Manager
Symptoms:
During the TMM shutdown time, TMM crashes. And the TMM core is created by SIGABRT using the xnet drivers. SIGABRT source is located within the do_drivers_probe()function.
Conditions:
Occurs while,
-- using the xnet drivers
-- rebooting TMM
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM does not crash.
Fixed Versions:
16.1.5
994305-3 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5
Links to More Info: BT994305
Component: TMOS
Symptoms:
Features supported in newer versions of open-vm-tools are not available.
Conditions:
This issue may be seen when running in VMware environments.
Impact:
Features that require a later version of open-vm-tools are not available.
Workaround:
None.
Fix:
The version of open-vm-tools has been updated to 11.1.5.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
994033-3 : The daemon httpd_sam does not recover automatically when terminated
Links to More Info: BT994033
Component: TMOS
Symptoms:
APM policy redirecting users to incorrect domain, the httpd_sam daemon not running.
Conditions:
Daemon httpd_sam stopped with the terminate command.
Impact:
APM policy performing incorrect redirects.
Workaround:
Restart the daemons httpd_apm and httpd_sam.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
993913-4 : TMM SIGSEGV core in Message Routing Framework
Links to More Info: BT993913
Component: Service Provider
Symptoms:
TMM crashes on SIGSEGV.
Conditions:
This can occur while passing traffic through the message routing framework.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4
993613-7 : Device fails to request full sync
Links to More Info: BT993613
Component: Application Security Manager
Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs
Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.
Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- Large number of asm_config_server processes increases host memory usage
Workaround:
Halting asm_config_server on the stuck device restores the working state and request a new sync.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
993517-1 : Loading an upgraded config can result in a file object error in some cases
Links to More Info: BT993517
Component: Local Traffic Manager
Symptoms:
After an upgrade from a version prior to 13.1.0, when loading a configuration that has had an HTTPS monitor in it, if that configuration has not yet been saved, you may see errors like this in the LTM log:
-- 0107134a:3: File object by name (DEFAULT) is missing.
If you run 'tmsh load sys config verify' on this configuration, the system also posts the error on the screen.
Conditions:
-- Upgrading from a version prior to 13.1.0.
-- At least one HTTPS monitor that has the kEDH cipher in its cipherlist.
-- Upgrading to version 13.1.1.4 or later.
-- Loading the configuration (either automatically on startup, or manually).
Impact:
Other than the error message, there is no impact.
Workaround:
After the initial reboot, save the configuration.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
993489-1 : GTM daemon leaks memory when reading GTM link objects
Links to More Info: BT993489
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process memory consumption is higher than expected.
Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.
Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
993481-1 : Jumbo frame issue with DPDK eNIC
Links to More Info: BT993481
Component: TMOS
Symptoms:
TMM crashes
Conditions:
-- TMM is using DPDK driver with Cisco eNIC
-- TMM receives jumbo sized packet
Impact:
Traffic disrupted while TMM restarts.
Workaround:
- Use a different driver such as sock.
- Do not use or accept jumbo frames, use the following TMSH command to set the MTU to less than or equal to 1500:
tmsh modify net vlan external mtu 1500
Fix:
Skipped initialization of structures.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
993457-1 : TMM core with ACCESS::policy evaluate iRule
Links to More Info: BT993457
Component: Access Policy Manager
Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.
Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.
Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
993269-3 : DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option
Links to More Info: BT993269
Component: Advanced Firewall Manager
Symptoms:
Using DoS timestamp cookies together with a FastL4 profile with the timestamp rewrite option enabled might lead to traffic failures.
DoS timestamp cookies might also lead to problems with traffic generated by the Linux host.
Conditions:
-- DoS timestamp cookies are enabled, and either of the following:
-- FastL4 profile with the timestamp rewrite option enabled.
-- Traffic originating from Linux host.
Impact:
Traffic is dropped due to incorrect timestamps.
Workaround:
Disable timestamp cookies on the affected VLAN.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
992865-3 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances
Links to More Info: BT992865
Component: TMOS
Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.
Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms
+ BIG-IP i11000 series (C123)
+ BIG-IP i15000 series (D116)
Impact:
Software SYN cookies are enabled, this has a performance impact compared to the hardware mode.
Workaround:
None
Fix:
Virtual servers correctly enter hardware SYN cookie mode on all platforms.
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.4
992813-7 : The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations.
Links to More Info: BT992813
Component: TMOS
Symptoms:
The mcpd daemon performs validation of the request-options and supersede-options a BIG-IP administrator specifies via the tmos.sys.management-dhcp endpoint in tmsh.
As the list of dhcp-options known to mcpd is outdated, it is possible you may be returned an error when attempting to configure valid request-options or supersede-options.
For example, you may be returned the following error when attempting to supersede the domain-search option:
01071627:3: Management Dhcp resource supersede-option - Invalid dhcp option: domain-search
Conditions:
You attempt to configure a dhcp-option unknown to mcpd as part of the request-options or supersede-options properties.
Note: A common dhcp-option of which mcpd has no knowledge is domain-search. You are unlikely to experience this issue unless you are requesting or superseding this particular dhcp-option.
Impact:
You are unable to instantiate the desired management-dhcp configuration.
Workaround:
None
Fix:
The list of dhcp-options known to mcpd has been updated.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
992213-3 : Protocol Any displayed as HOPTOPT in AFM policy view
Links to More Info: BT992213
Component: Advanced Firewall Manager
Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.
Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.
Impact:
GUI shows an incorrect value.
Workaround:
None
Fix:
GUI Shows correct value for rule protocol option.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.2
992121-4 : REST "/mgmt/tm/services" endpoint is not accessible
Links to More Info: BT992121
Component: TMOS
Symptoms:
Accessing "/mgmt/tm/services" failed with a null exception and returned 400 response.
Conditions:
When accessing /mgmt/tm/services through REST API
Impact:
Unable to get services through REST API, BIG-IQ needs that call for monitoring.
Workaround:
None
Fix:
/mgmt/tm/services through REST API is accessible and return the services successfully.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
991457-1 : The mpidump should show sequence number and higher precision date/time
Links to More Info: BT991457
Component: Local Traffic Manager
Symptoms:
The mpidump command does not some data that would be useful in a troubleshooting situation.
Conditions:
Running mpidump to gather data.
Impact:
Comparing tcpdumps with mpidumps is almost impossible due to the lack of timestamp precision in the mpidump tool's verbose text output. When doing analysis, it makes it extremely difficult, if not impossible without this precision
Workaround:
None
Fix:
None
Fixed Versions:
16.1.5
990461-5 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★
Links to More Info: BT990461
Component: Advanced Firewall Manager
Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.
Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.
Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.
Workaround:
Manually update the SYN cookie threshold values after an upgrade.
Fixed Versions:
17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4
989701-8 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response
989529-1 : AFM IPS engine takes action on unspecified services
Links to More Info: BT989529
Component: Protocol Inspection
Symptoms:
Specific ports configured in the IPS profile are not taken into account during the matching action exercised by the IPS subsystem. As a result, all ports are matched.
Conditions:
Service ports specified under Security :: Protocol Security : Inspection Profiles :: service type (e.g., HTTP).
Impact:
Increased resource usage and excessive logging.
Workaround:
None.
Fixed Versions:
16.1.5
989517-3 : Acceleration section of virtual server page not available in DHD
Links to More Info: BT989517
Component: TMOS
Symptoms:
Cannot use Advanced Menu to create a virtual server for HTTP/2 on systems with DHD licenses. This occurs because the Acceleration section is not available.
You can via TMSH then it works, but at as soon as you use the GUI to modify the virtual server, it loses the HTTP/2 configuration.
Conditions:
The Acceleration section is not visible in case 'DoS' is provisioned (available with the DHD license).
Impact:
1) You are unable to use the GUI to modify any parameters of the Acceleration table in the virtual server page.
2) Loss of configuration items if making changes via the GUI.
Workaround:
A virtual server with parameters present in the Acceleration table can still be created using TMSH. However, do not edit that virtual server in the GUI, or the Acceleration parameters will be lost.
Fix:
The Acceleration table is now visible, and there is no loss of configuration items if making changes via the GUI.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
989501-2 : A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus
Links to More Info: BT989501
Component: TMOS
Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might fall or drop off of PCI bus, resulting in the BIG-IP system not being able to process traffic. If this happens, a daemon_heartbeat failsafe gets triggered instead of dataplane_inoperable_t action.
Conditions:
The conditions that lead to HSB to fall off of PCI bus are unknown at this time.
Impact:
The BIG-IP system unable to pass traffic and a failover is triggered.
Workaround:
Reboot the device or the blade to recover from the situation and monitor for re-occurrence. If it happens again, it could indicate potential underlying hardware issue.
Fix:
The dataplane_inoperable_t High Availability (HA) event should be triggered by overdog process (which monitors high availability (HA) table for failover action types of restart, restart-all, or reboot) and allow for system to be rebooted to recover.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
988165-3 : VMware CPU reservation is now enforced.
Links to More Info: BT988165
Component: TMOS
Symptoms:
CPU reservation is not enabled which can result in insufficient CPU resource for virtual edition guest.
Conditions:
BIG-IP Virtual Edition running in VMware.
Impact:
Performance may be lower than expected particularly if ESXi is over subscribed and traffic volume is high.
Workaround:
Manually enforce the 2GHz per core rule when provisioning VMware instances to ensure that your VMware hosts are not oversubscribed.
Fix:
The VMware CPU reservation of 2GHz per core is now automatically enabled in the OVF file. The CPU reservation can be up to 100 percent of the defined virtual machine hardware. For example, if the hypervisor has 2.0 GHz cores, and the VE is set to 4 cores, you will see 4 x 2.0 GHz reserved for 8GHz (or 8000 MHz).
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
987977-3 : VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation
Links to More Info: BT987977
Component: Application Security Manager
Symptoms:
Remote logging message, violation_details field, includes XML document for VIOL_HTTP_RESPONSE_STATUS even though it is configured not to do so (Learn/Alarm/Block are all disabled) with VIOL_HTTP_RESPONSE_STATUS violation.
Conditions:
When all the following conditions are met
-- Response status code is not one of 'Allowed Response Status Codes'.
-- Learn/Alarm/Block flags are disabled with 'Illegal HTTP status in response'.
-- Logging profile is configured for remote storage.
-- Storage format is comma-separated.
-- Both violation_details and violations fields are set.
Impact:
Remote logging server receives inaccurate message.
Workaround:
None
Fix:
No longer includes 'violation_details' field in remote logging message in the scenario, but includes it only when it is appropriate.
Fixed Versions:
17.1.1, 16.1.5
987885-6 : Half-open unclean SSL termination might not close the connection properly
Links to More Info: BT987885
Component: Local Traffic Manager
Symptoms:
Upon receiving TCP FIN from the client in the middle of the SSL Application Data, the BIG-IP system does not close the connection on either client- or server-side (i.e., it does not 'forward' the FIN on the server-side as it normally does) causing the connection to go stale until the timeout is reached.
Conditions:
-- TCP and SSL profiles configured on a virtual server.
-- Client terminates the connection in the middle of an SSL record.
Impact:
Connection termination does not happen. Connection remains in the connection table until idle timeout is reached.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
987341-1 : BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers.
Links to More Info: BT987341
Component: Access Policy Manager
Symptoms:
BIG-IP discovers and updates JSON Web Keys (JWK) in OpenID Connect (OIDC) deployments using a Java Runtime Environment (JRE). The JRE in BIG-IP does not support strong TLS ciphers, so the discovery/update process can fail against OIDC providers that enforce strong encryption requirements.
Conditions:
Using an OpenID Connect provider that allows only strong TLS ciphers. and using an APM configuration that validates incoming JWTs against a dynamic JWK list in Internal Validation Mode.
Impact:
This might cause discovery to fail against certain OpenID Connect auth providers that enforce strong cipher requirements. It could lead to JWT validation failure as the JWK expire and cannot be updated by BIG-IP.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
987301-3 : Software install on vCMP guest via block-device may fail with error 'reason unknown'
Links to More Info: BT987301
Component: TMOS
Symptoms:
When installing an engineering hotfix (EHF) on a vCMP guest via block-device, sometimes it fails with 'reason unknown'.
-- /var/log/liveinstall may contain an error similar to:
I/O error : Input/output error
/tmp/lind_util.voCQOs/BIGIP1610/install/fsinfo.xml:1: parser error : Document is empty
-- /var/log/kern.log may contain an error similar to:
Aug 14 14:15:54 bigip1 info kernel: attempt to access beyond end of device
Aug 14 14:15:54 bigip1 info kernel: sr0: rw=0, want=3560560, limit=312712
Conditions:
This might occur after multiple attempts to install an EHF on a vCMP guest via block-device:
tmsh install sys software block-device-hotfix Hotfix-BIGIP-14.1.2.6.0.77.2-ENG.iso volume HD1.3
Impact:
Sometimes the EHF installation fails on the guest.
Workaround:
-- Retry the software installation.
-- If the software installation continues to fail, copy the ISO images into the vCMP guest, and use those to perform the installation.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
987077-3 : TLS1.3 with client authentication handshake failure
Links to More Info: BT987077
Component: Local Traffic Manager
Symptoms:
SSL handshakes fail, and TLS clients send 'Bad Record MAC' errors.
Conditions:
-- LTM authentication profile using OCSP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.
Impact:
-- A handshake failure occurs.
-- Client certificate authentication may pass without checking its validity via OCSP.
Workaround:
Use TLS1.2 or use TLS1.3 without the LTM authentication profile.
Fix:
Handshake completes if using TLS1.3 with client authentication and LTM auth profile.
Fixed Versions:
17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6
986937-3 : Cannot create child policy when the signature staging setting is not equal in template and parent policy
Links to More Info: BT986937
Component: Application Security Manager
Symptoms:
When trying to create a child policy, you get an error:
FAILURE: "Could not update the Policy policy1. Inherited values may not be changed."
Conditions:
-- Parent policy created with signature staging disabled.
-- Creating a new child policy with that policy as a parent.
Impact:
You are unable to create the child policy and the system presents an error.
Workaround:
Create the policy without assigning it to the parent, and then assign it to the parent policy on the Inheritance Settings page.
Fix:
The error no longer occurs on child policy creation.
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4
985953-6 : GRE Transparent Ethernet Bridging inner MAC overwrite
Links to More Info: BT985953
Component: TMOS
Symptoms:
Traffic not being collected by virtual server and therefore not being forwarded to the nodes.
Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.
Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.
Workaround:
None
Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
985925-3 : Ipv6 Routing Header processing not compatible as per Segments Left value.
Links to More Info: BT985925
Component: Local Traffic Manager
Symptoms:
Packet should forward the packet with the route header unmodified when Segments Left is 0 (zero). It performs as expected when Segments Left is non-zero by dropping the packet and sending an ICMP error.
Conditions:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.
Impact:
With Next Header field in IP header being Routing Header for IPv6, BIG-IP system fails to forward the ICMPv6 Echo Request packet to server, rather, it drops the packet.
Workaround:
None
Fix:
Now the ICMP packet is forwarded with both IPv6 extension headers present.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
985329-2 : Saving UCS takes longer when iControl LX extension is installed
Links to More Info: BT985329
Component: Device Management
Symptoms:
The tmsh command 'save sys ucs' takes longer when iControl LX extensions is installed.
You may also see errors logged in /var/log/restjavad.0.log:
[WARNING][211][date and time UTC][8100/shared/iapp/build-package BuildRpmTaskCollectionWorker] Failed to execute the build command 'rpmbuild -bb --define '_tmppath /shared/tmp' --define 'main /var/config/rest/iapps/f5-service-discovery' --define '_topdir /var/config/rest/node/tmp' '/var/config/rest/node/tmp/ac891731-acb1-4832-b9f0-325e73ed1fd1.spec'', Threw:com.f5.rest.common.CommandExecuteException: Command execution process killed
at com.f5.rest.common.ShellExecutor.finishExecution(ShellExecutor.java:281)
at com.f5.rest.common.ShellExecutor.access$000(ShellExecutor.java:33)
at com.f5.rest.common.ShellExecutor$1.onProcessFailed(ShellExecutor.java:320)
at org.apache.commons.exec.DefaultExecutor$1.run(DefaultExecutor.java:203)
at java.lang.Thread.run(Thread.java:748)
Errors logged in /var/log/ltm:
err iAppsLX_save_pre: Failed to get task response within timeout for: /shared/iapp/build-package/a1724a94-fb6b-4b3e-af46-bc982567df8f
err iAppsLX_save_pre: Failed to get getRPM build response within timeout for f5-service-discovery
Conditions:
iControl LX extensions (e.g., AS3, Telemetry) are installed on the BIG-IP system.
Impact:
Saving the UCS file takes a longer time (e.g., ~1-to-2 minutes) than it does if iControl LX extensions are not installed (e.g., ~40 seconds).
Workaround:
None
Fixed Versions:
16.1.5
984965-4 : While intentionally exiting, sshplugin may invoke functions out of sequence and crash
Links to More Info: BT984965
Component: Advanced Firewall Manager
Symptoms:
The sshplugin process used by the AFM module may continually restart and deposit a large number of core-dump files, displaying a SIGSEGV Segmentation fault.
In the file /var/log/sshplugin.start, errors may be logged including these lines:
shmget name:/var/run/tmm.mp.sshplugin18, key:0xeb172db6, size:7, total:789184 : Invalid argument
tm_register failed: Bad file descriptor
Conditions:
-- AFM provisioned and in use.
-- Heavy system load makes problem more likely.
Impact:
-- Extra processing load from relaunching sshplugin processes.
-- The large number of core files might fill up /var/core.
Workaround:
First, attempt a clean process restart:
# bigstart restart sshplugin
If that is not effective, rebooting the entire system may clear the condition.
Fixed Versions:
16.1.5
984749-1 : Discrepancy between DNS cache statistics "Client Summary" and "Client Cache."
Links to More Info: BT984749
Component: Global Traffic Manager (DNS)
Symptoms:
"show ltm dns cache", shows difference between "Client Summary" and "Client Cache".
Conditions:
Create a resolver type DNS cache, attach to a DNS profile, and attach to a virtual server. Send queries to virtual server. Compare/review result of "show ltm dns cache."
Impact:
Client Cache Hit/Miss Statistics ratio affected.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
984657 : Sysdb variable not working from tmsh
Links to More Info: BT984657
Component: Traffic Classification Engine
Symptoms:
When cloud_only system db variable is enabled, urlcat_query returns categorization from webroot from tmsh
Conditions:
The following sys db variable is enabled: cloud_only
You attempt to run the following command:
tmsh list sys db urlcat_query
Impact:
Sysdb variables does not work from tmsh
Fix:
After the fix able to verify sysdb variables from tmsh
Fixed Versions:
16.1.5, 16.0.1.2, 15.1.4.1
984593-1 : BD crash
Links to More Info: BT984593
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
984585-3 : IP Reputation option not shown in GUI.
Links to More Info: BT984585
Component: TMOS
Symptoms:
Cannot configure IP Reputation option from the GUI.
Conditions:
Configuring the LTM policy type 'IP Reputation' using the GUI, when the 'IP Intelligence' module is licensed in time-limited modules.
Impact:
The IP Reputation option is not shown in GUI configuration list. Cannot create LTM policies with IP Reputation.
Workaround:
Use tmsh to configure IP Reputation.
Fix:
The IP Reputation option is now shown in the GUI.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
983073-3 : Certain traffic to ixlv & iavf can cause memory leak.
Links to More Info: K000138833
982785-2 : Guided Configuration hardening
Links to More Info: K52322100
982757-3 : APM Access Guided Configuration hardening
Links to More Info: K53197140
981917-4 : CVE-2020-8286 - cUrl Vulnerability
Links to More Info: K15402727
981069-3 : Reset cause: "Internal error ( requested abort (payload release error))"
Links to More Info: BT981069
Component: Application Security Manager
Symptoms:
An unexpected RST occurs on inbound traffic. The RST cause shows "Internal error ( requested abort (payload release error))"
Conditions:
When all the following conditions are met:
- The system was upgraded to a version where ID910253 is fixed
- TS cookie coming from a previous version
- data guard in non blocking (masking)
- response that is not zipped and has a textual content type
Impact:
Traffic is affected.
Workaround:
Any of the following actions can resolve the issue:
1. Turn off data guard or change it to blocking.
2. Make the server reply with zipped responses (perhaps by adding the accept-encoding: gzip using an iRule).
3. Add an additional response related feature.
4. Use the following iRule in case there aren't cookie related enforcement:
when HTTP_REQUEST {
set cookies [HTTP::cookie names]
foreach aCookie $cookies {
if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
HTTP::cookie remove $aCookie
}
}
}
Fix:
Fixed an issue that was triggering resets on traffic.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4
980617-1 : SNAT iRule is not working with HTTP/2 and HTTP Router profiles
Links to More Info: BT980617
Component: Local Traffic Manager
Symptoms:
On HTTP/2 full-proxy virtual servers, the snatpool command in an iRule is accepted but the source address server-side is not changed.
Conditions:
1.) Basic HTTP profile and HTTP/2 profile is configured on BIG-IP systems
2.) iRule with snatpool <pool_name>, snat <IP> is configured
Impact:
Unable to use snatpool (and possibly snat) in iRule to control the server-side source address.
Workaround:
Configure SNAT under the virtual server configuration, rather than in an iRule.
Fixed Versions:
17.0.0, 16.1.1, 15.1.10
979877-9 : CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information
979213-1 : Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.
Links to More Info: BT979213
Component: Local Traffic Manager
Symptoms:
Upon reviewing the performance graphs in the GUI, you may notice significant spikes in the Throughput(bits) and Throughput(packets) graphs.
The spikes may report unrealistically high levels of traffic.
Note: Detailed throughput graphs are not affected by this issue.
Conditions:
This issue occurs when the following conditions are met:
-- The BIG-IP device is a physical system.
-- TMM was restarted on the system.
-- At some point, at least one interface was up on the system and recorded some traffic.
Impact:
This issue is purely cosmetic but might cause concern when reviewing the performance graphs.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
977761 : Connections are dropped if a certificate is revoked.
Links to More Info: BT977761
Component: Local Traffic Manager
Symptoms:
SSL handshake failures occur with the backend server revoked certificate in case of reverse proxy.
Conditions:
1. BIG-IP LTM configured as SSL reverse proxy.
2. revoked-cert-status-response-control set to ignore in the server ssl profile.
3. server certificate authentication set to "require" in the server ssl profile.
Impact:
Ssl handshake failures due to revoked server certificate
Workaround:
1. Set the server certificate authentication to ignore in the server ssl profile.
Fix:
Added checks to validate the certificate as well as the flags set (ignore/drop) for the revoked certificate.
Fixed Versions:
17.1.0, 16.1.2.2
977153-3 : Packet with routing header IPv6 as next header in IP layer fails to be forwarded
Links to More Info: BT977153
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems fail to follow RFC 5095, which specifies the traffic should be forwarded.
Conditions:
This symptom is found when the following conditions are met:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.
Impact:
This failure in forwarding ICMP error message prevents the BIG-IP AFM product from completing certification.
Workaround:
None.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
976669-5 : FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade
Links to More Info: BT976669
Component: TMOS
Symptoms:
After rebooting or replacing a secondary blade, the FIPS integrity check fails for other secondary blades and they fail to fully boot.
Conditions:
This can occur after rebooting or replacing a secondary blade.
Impact:
When the FIPS integrity checks fail the blades won't fully boot.
Workaround:
On the secondary blade reboot, the following critical files are deleted from other secondary blades which leads to FIPS integrity check failure:
/root/.ssh/authorized_keys
/root/.ssh/known_hosts
To mitigate, copy the missing files from the primary blade to the secondary blade.
From the primary blade, issue the following command towards the secondary blade(s).
rsync -avz -e ssh /root/.ssh/* root@<Secondary Blade>:/root/.ssh/
Fix:
Critical files are not deleted during secondary blade reboot.
Fixed Versions:
17.0.0, 16.1.2.2, 16.1.0, 15.1.5.1, 14.1.4.6
976525-5 : Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled
Links to More Info: BT976525
Component: Local Traffic Manager
Symptoms:
In BIG-IP v13.1.3.2 and later, there is new functionality to SNAT the traffic coming from the host system. When there are multiple routes to a destination address and transparent monitors are in use, tmm occasionally picks the wrong source IP for these connections.
Conditions:
-- The db variable snat.hosttraffic is enabled.
-- Gateway pool with multiple members.
-- Transparent monitors.
Impact:
The system chooses the wrong source IP address for the egress interface. That incorrect source IP address might cause traffic to return on the wrong VLAN.
Workaround:
Use either of the following workarounds:
-- Disable VLAN keyed connections: modify sys db connection.vlankeyed value disable
-- Upgrade to a version with a fix for ID 826905 (https://cdn.f5.com/product/bugtracker/ID826905.html) and disable snat.hosttraffic.
Fix:
Transparent monitors now have the correct source IP addresses when gateway pools are in use and snat.hosttraffic is enabled.
Fixed Versions:
17.0.0, 16.1.4, 15.1.6.1, 14.1.5
976337-2 : i40evf Requested 4 queues, but PF only gave us 16.
Links to More Info: BT976337
Component: TMOS
Symptoms:
During BIG-IP system boot, a message is logged:
i40evf 0000:05:00.0: Requested 4 queues, but PF only gave us 16.
Conditions:
-- BIG-IP Virtual Edition configured for SR-IOV
-- E810 virtual functions (VFs)
Impact:
A message is logged but it is benign and can be ignored.
Fixed Versions:
16.1.2.2, 15.1.5.1
974985-6 : Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable
Links to More Info: BT974985
Component: Application Security Manager
Symptoms:
Non http traffic isn't forwarded to the backend server
Conditions:
- ASM provisioned
- DoS Application or Bot Defense profile assigned to a virtual server
- DOSL7::disable applied at when CLIENT_ACCEPTED {}
Impact:
Broken webapps with non-http traffic
Workaround:
Instead of using DOSL7::disable, redirect non-http traffic to non-http aware virtual server using the iRule command virtual <virtual_server_name>
Fix:
Fix DOSL7::disable command handler in the tmm code
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
974241-3 : Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades
Links to More Info: BT974241
Component: TMOS
Symptoms:
Mcpd exists with error similar to:
01070734:3: Configuration error: Configuration from primary failed validation: 010713cf:3: Configuration group '/Common/test1_end_deny_ag' has invalid source '/Common/standard'
Conditions:
1. VIPRION or vCMP guest with multiple blades in a cluster
2. Create a access policy with modern customization enabled
Impact:
Mcpd restarts leading to failover.
Workaround:
Use standard customization and not modern customization.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4
974205-5 : Unconstrained wr_urldbd size causing box to OOM
Links to More Info: BT974205
Component: Traffic Classification Engine
Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.
Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.
Impact:
The device eventually runs out of memory (OOM condition).
Workaround:
Restart the wr_urldbd process:
restart sys service wr_urldbd
Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.
Added two sys DB variables:
-- wr_urldbd.cloud_cache.log.level
Value Range:
sys db wr_urldbd.cloud_cache.log.level {
value "debug"
default-value "none"
value-range "debug none"
}
-- wr_urldbd.cloud_cache.limit
Value Range:
sys db wr_urldbd.cloud_cache.limit {
value "5500000"
default-value "5500000"
value-range "integer min:5000000 max:10000000"
}
Note: Both these variables are introduced for debugging purpose.
Fixed Versions:
17.1.0, 16.1.4, 15.1.4, 14.1.4.4, 12.1.6
970329-1 : ASM hardening
Links to More Info: K70134152, BT970329
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM does not follow current best practices.
Conditions:
- ASM provisioned
Impact:
Attack detection is not triggered as expected
Workaround:
N/A
Fix:
Attack detection is now triggered as expected
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
969345-1 : Temporary TMSH files not always removed after session termination
Links to More Info: BT969345
Component: TMOS
Symptoms:
Temporary TMSH-related subdirectories and files located in /var/system/tmp/tmsh may not be properly cleaned up after a TMSH session is terminated. These files can accumulate and eventually cause disk-space issues.
Conditions:
A TMSH session is terminated abruptly rather than ended gracefully.
Impact:
The /var filesystem may fill up, causing any of a variety of problems as file-I/O operations fail for various software subsystems.
Workaround:
The BIG-IP software includes a shell script (/usr/local/bin/clean_tmsh_tmp_dirs) which can be run by the system administrator to clean up excess temporary files in the directories /var/tmp/tmsh and /var/system/tmp/tmsh.
Fixed Versions:
16.1.5
969317-4 : "Restrict to Single Client IP" option is ignored for vmware VDI
Links to More Info: BT969317
Component: Access Policy Manager
Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.
Conditions:
- Configure APM Webtop with vmware VDI.
- Set "Restrict to Single Client IP" option in Access Profile.
- Try to launch vmware desktop on one client. Copy the launch URI
- Try to launch vmware desktop from other client using the copied URI.
Impact:
A connection from the second client is allowed, but it should not be allowed.
Fix:
Restrict to Single Client IP is honored for VMware VDI for both PCOIP and Blast protocols.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5
969297 : Virtual IP configured on a system with SelfIP on vwire becomes unresponsive
Links to More Info: BT969297
Component: SSL Orchestrator
Symptoms:
Virtual IP ARP does not get resolved when a SelfIP is configured on a virtual-wire.
Conditions:
Issue happens when a SelfIP address is configured and a Virtual IP address is configured for a Virtual Server.
Impact:
The virtual server is unreachable.
Workaround:
None
Fix:
ARP forwarding to peer is decided based on whether Virtual IP and self-IP is configured or not.
Fixed Versions:
16.1.2.2
968929-2 : TMM may crash when resetting a connection on an APM virtual server
Links to More Info: BT968929
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
- HTTP profile without fallback host.
- iRules.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure fallback host to an HTTP profile that redirects the request to a specified location.
Fixed Versions:
17.0.0, 16.1.2.2
968657-1 : Added support for IMDSv2 on AWS
Links to More Info: BT968657
Component: TMOS
Symptoms:
AWS added a token-based Instance MetaData Service API (IMDSv2). Prior versions of BIG-IP Virtual Edition supported only a request/response method (IMDSv1). When the AWS API is starting with IMDSv2, you will receive the following error message:
get_dossier call on the command line fails with:
01170003:3: halGetDossier returned error (1): Dossier generation failed.
This latest version of BIG-IP Virtual Edition now supports instances started with IMDSv2.
Conditions:
AWS instances started with IMDSv2.
Impact:
BIG-IP Virtual Edition cannot license or re-license AWS instances started with IMDSv2 and other metadata-based functionality will not function.
Fix:
With the latest version of BIG-IP VE, you can now initialize "IMDSv2 only" instances in AWS and migrate your existing instances to "IMDSv2 only" using aws-cli commands. For details, consult documentation: https://clouddocs.f5.com/cloud/public/v1/shared/aws-ha-IAM.html#check-the-metadata-service-for-iam-role
IMDSv2 documentation from AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
968581-4 : TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description
Links to More Info: BT968581
Component: Local Traffic Manager
Symptoms:
The TMSH command "show /ltm profile ramcache" has a max-response option to output a number of records designated in this parameter. Due to calculation algorithm, the command may output less records than RAMCACHE stores or more records than the limit prescribes.
Conditions:
-- A virtual server is configured on BIG-IP.
-- A webacceleration profile with no web application is attached to the virtual server.
-- Traffic is sent over the virtual server with a number of unique cacheable documents that exceed a designated limit.
Impact:
Output of the command may not match to actual list of stored documents in RAMCACHE.
Fix:
Command "show /ltm /profile ramcache" respects a limit defined as "max-response" parameter.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
967905-5 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash
Links to More Info: BT967905
Component: TMOS
Symptoms:
Tmm crashes.
Conditions:
-- static bwc
-- virtual to virtual chain
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the static bwc on a virtual chain.
Fix:
Fixed a tmm crash.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1
967101-1 : When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out.
Links to More Info: BT967101
Component: Local Traffic Manager
Symptoms:
Gratuitous ARP (GARP) messages are dropped at the time of sending GARP because the number of links up in the trunk is 0 (which returns "error 18" ... ERR_NOT_FOUND)
Conditions:
-- Two BIG-IP systems with switchless configuration, such as i2xxx and i4xxx.
-- Bring down and up the interfaces at the same time in the trunk.
Impact:
Neighboring device arp table is not updated about the BIG-IP interface status, because no gratuitous ARP message is sent out.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
966949-6 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node
Links to More Info: BT966949
Component: TMOS
Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.
Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230
This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.
Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since is it not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, it is not possible for any FQDN ephemeral pool members to remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.
Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
966461-7 : Tmm memory leak
Links to More Info: BT966461
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm leaks memory for DNSSEC requests.
Conditions:
NetHSM is configured but disconnected.
or
Internal FIPS card is configured and tmm receives more DNSSEC requests than the FIPS card is capable of handling.
Impact:
Tmm memory utilization increases over time.
Workaround:
None
Fix:
A new DB variable dnssec.fipswaitingqueuecap is introduced to configure the capacity of the FIPS card.
You can throttle the incoming DNSSEC requests based on the count of outstanding DNSSEC requests in netHSM/Internal FIPS queue.
tmsh modify sys db dnssec.fipswaitingqueuecap value <value>
this value sets the capacity per tmm process.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
965897-4 : Disruption of mcpd with a segmentation fault during config sync
Links to More Info: BT965897
Component: Local Traffic Manager
Symptoms:
The mcpd process on the peer device fails with a segfault, restarts and then segfaults again in a loop
Numerous messages may be logged in the "daemon" logfile of the following type:
emerg logger[2020]: Re-starting mcpd
Conditions:
-- High availability (HA) configuration
-- A port-and-address list configuration is changed to be only an address list
-- A config sync occurs
Impact:
Continuous restarts of mcpd process on the peer device.
Workaround:
One possible measure for getting the peer-machine "mcpd" out of its failure mode is to command the still-functioning system to push a "full" config sync to the appropriate device group. Doing this twice consecutively may be necessary.
# tmsh run /cm config-sync force-full-load-push to-group APPROPRIATE-DEVICE-GROUP
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
965837-4 : When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection
Links to More Info: BT965837
Component: Access Policy Manager
Symptoms:
When BIG-IP is configured with a PingAccess profile and an SSL profile is associated with both the BIG-IP virtual server and a ping access configuration, an active connection to the virtual server may lead to a TMM crash.
Conditions:
-- SSL is configured on both the BIG-IP virtual server that contains the ping access profile and ping access configuration.
-- Active connection to the BIG-IP virtual server
-- Config sync is triggered or "tmsh load sys config" is triggered
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
Fixed a TMM crash related to ping access.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
965785-4 : Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine
Links to More Info: BT965785
Component: Application Security Manager
Symptoms:
DCC.HSL_DATA_PROFILES table on standby machine stay empty after sync process. Error for DB insert failure into table DCC.HSL_DATA_PROFILES thrown in asm_config_server.log.
Conditions:
There is no specific condition, the problem occurs rarely.
Impact:
Sync process requires an additional ASM restart
Workaround:
Restart ASM after sync process finished
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
965229-5 : ASM Load hangs after upgrade★
Links to More Info: BT965229
Component: Application Security Manager
Symptoms:
ASM upgrade hangs, and you see the following in
var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------
In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
info tsconfig.pl[24675]: ASM initial configration script launched
info tsconfig.pl[24675]: ASM initial configration script finished
info asm_start[25365]: ASM config loaded
err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------
Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade
Impact:
ASM post upgrade config load hangs and there are no logs or errors
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
964625-5 : Improper processing of firewall-rule metadata
Links to More Info: BT964625
Component: Advanced Firewall Manager
Symptoms:
The 'mcpd' process may suffer a failure and be restarted.
Conditions:
Adding very large firewall-policy rules, whether manually, or from config-sync, or from BIG-IQ.
Impact:
-- MCPD crashes, which disrupts both control-plane and data-plane processing while services restart.
-- Inability to configure firewall policy.
Workaround:
Reduce the number of firewall policy rules.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
964533-2 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.
Links to More Info: BT964533
Component: TMOS
Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.
Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.
Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.
There is no impact other than additional log entries.
Workaround:
None.
Fix:
Log level has been changed so this issue no longer occurs.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
964125-6 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.
Links to More Info: BT964125
Component: TMOS
Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.
There is more then one avenue where node statistics would be queried.
The BIG-IP Dashboard for LTM from the GUI is one example.
Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.
Impact:
Mcpd restarted which will cause services to failover. Traffic and configuration disrupted while mcpd restarts.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
963541-1 : Net-snmp5.8 crash
Links to More Info: BT963541
Component: TMOS
Symptoms:
Snmpd crashes.
Conditions:
This does not always occur, but it may occur after a subagent (bgpd) is disconnected.
Impact:
Snmpd crashes.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
962589-4 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestion
Links to More Info: BT962589
Component: Application Security Manager
Symptoms:
When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur.
This can cause unexpected delays in configuration being synchronized between peers, and in the event of repeated instances in quick succession could fill the /var partition
Conditions:
1) Device Group with ASM and auto-sync enabled
2) Parent Policies with learning are in use.
3) Ignored Suggestions are deleted on the parent policy after they have 0 suggesting children left.
Impact:
ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession.
A full /var partition can lead to bd cores.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4
962177-6 : Results of POLICY::names and POLICY::rules commands may be incorrect
Links to More Info: BT962177
Component: Local Traffic Manager
Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules returns incorrect results.
Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.
Impact:
Traffic processing may not provide expected results.
Fix:
POLICY::names and POLICY::rules provide atomic results per transaction going over a same connection.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4, 13.1.4.1
961509-5 : ASM blocks WebSocket frames with signature matched but Transparent policy
Links to More Info: BT961509
Component: Application Security Manager
Symptoms:
WebSocket frames receive a close frame
Conditions:
-- ASM provisioned
-- ASM policy attached to a virtual server
-- WebSocket profile attached to a virtual server
-- ASM policy transparent mode enabled
Impact:
WebSocket frame blocked in transparent mode
Workaround:
Change signatures blocking settings to Learn = Yes, Alarm = Yes, Block = No
Fix:
WebSocket frame blocking condition now takes into account global transparent mode setting.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
960677-1 : Improvement in handling accelerated TLS traffic
Links to More Info: BT960677
Component: Local Traffic Manager
Symptoms:
Rare aborted TLS connections.
Conditions:
None
Impact:
Certain rare traffic patterns may cause TMM to abort some accelerated TLS connections.
Workaround:
None
Fix:
The aborted connections will no longer be aborted and will complete normally.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
959985-3 : Update VMware hardware version templates for BIG-IP Virtual Edition (VE) from v10 to v13 in order to support VMs deployed in more versions of vSphere ESXi.
Links to More Info: BT959985
Component: TMOS
Symptoms:
Virtual hardware version setting for BIG-IP VE VMware templates (virtualHW.version) are set to version 10 and must change to version 13, so more versions of vSphere ESXi (for example, ESXi v6.0 and later) can support deploying BIG-IP Virtual Edition.
Conditions:
Using BIG-IP Virtual Edition VMware hardware templates set to v10 running in most, later versions of VMware ESXi.
Impact:
BIG-IP Virtual Edition VMware hardware templates result in performance issues and deployment errors/failures.
Workaround:
None
Fix:
Changed the BIG-IP Virtual Edition VMware hardware template version setting (virtualHW.version) to 13 and deployed them successfully using later versions of VMware ESXi.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
959609-4 : Autodiscd daemon keeps crashing
Links to More Info: BT959609
Component: Advanced Firewall Manager
Symptoms:
Autodiscd daemon keeps crashing.
Conditions:
Issue is happening when high speed logging and auto discovery configuration are configured and send the traffic.
Impact:
Auto discovery feature is not working as expected
Workaround:
None.
Fix:
Auto discovery feature now works as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
957905-1 : SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP.
Links to More Info: BT957905
Component: Service Provider
Symptoms:
SIP Requests that don't contain a content_length header are accepted and forwarded by the BIG-IP to the server.
SIP Responses that don't contain a content_length header are accepted and forwarded to the client.
The sipmsg parser does not treats the content_length header as a required header as part of the SIP Request / Response.
Conditions:
SIP request / response without content_length header.
Impact:
RFC 6731 non compliance.
Workaround:
N/A
Fix:
BIG-IP now aborts the connection of any TCP SIP request / response that does not contain a content_length header.
content_length header is treated as optional for UDP and SCTP.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
957637-1 : The pfmand daemon can crash when it starts.
Links to More Info: BT957637
Component: TMOS
Symptoms:
The pfmand process crashes and writes out a core file during bootup (or if the process is manually restarted by an Administrator for any reason) on certain platforms.
The crash may happen more than once, until the process finally settles and is able to start correctly.
Conditions:
-- Platforms i4000/i2000/i4800/i2800/i4600/i2600/i850.
Impact:
Network connection lost while pfmand restarts.
Workaround:
None
Fix:
The issue causing the pfmand daemon to occasionally crash has been resolved.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
957453-1 : Javascript parser incompatible with ECMAScript 6/7+ javascript versions
Links to More Info: BT957453
Component: Access Policy Manager
Symptoms:
A web application failed to function on the client side.
Conditions:
-- APM proxying a web application.
-- Web application uses ES6/7 or higher javascript.
Impact:
The web application failed to function.
Workaround:
None
Fix:
The fix is implemented in two steps:
STEP 1:
Initial implementation with bug ID 592353, added support for Javascript ECMA6/7+. Optional internal wrapping is added into client-side includes.
With this fix, a custom iRule workaround can be applied to fix a limited set of possible cases.
STEP 2:
With bug ID 957453, the implementation of the light rewriter on the server side is also completed.
No iRule workaround is required to support ES6/7+ javascript versions after the implementation of bug ID 957453.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
956645-4 : Per-request policy execution may timeout.
Links to More Info: BT956645
Component: Access Policy Manager
Symptoms:
When attempting to access a resource that requires subsession validation, the client may receive an HTTP 503 "Service Unavailable" response, and the logs indicate that per-request policy execution time has expired.
Conditions:
Multiple connections are accessing the same subsession, triggering subsession lock contention.
Impact:
Some clients will fail to connect to their destination.
Workaround:
Add criteria to the gating criteria to enable more fine-grained subroutines to reduce subsession contention. For example, add category, or application name, to the gating criteria. In the case of API protection, consider concatenating credentials with the resource hostname (plus port).
Increase the per-request policy execution timeout value, controlled by the variable tmm.access.prp_global_timeout, to a higher value.
Fix:
Subesssion lock contention wait time is reduced. Clients will not fail to connect due to subsession lock contention.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9, 14.1.4.5
956373-4 : ASM sync files not cleaned up immediately after processing
Links to More Info: BT956373
Component: Application Security Manager
Symptoms:
Some ASM sync files remain on disk after config sync finishes. They remain until periodic clean-up tasks activate
Conditions:
-- ASM provisioned
-- BIG-IP devices are in a sync group
-- Relatively small "/var" partition
Impact:
If the files are large it may lead to "lack of disk space" problem.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.3, 14.1.4.1
956133-2 : MAC address might be displayed as 'none' after upgrading.★
Links to More Info: BT956133
Component: Local Traffic Manager
Symptoms:
The MAC Address of a BIG-IP Virtual Edition network interface is displayed as 'none' after upgrading.
Conditions:
1. The VLAN MTU is set to less than 1280 bytes on a BIG-IP network interface.
2. Upgrade BIG-IP to 14.1.0 or above from BIG-IP versions below 14.1.0.
Impact:
Traffic disrupted when the MAC address is set to 'none'.
Workaround:
N/A
Fix:
IPv6 link-local addresses are now created with MTU greater than 1280, so this issue is resolved.
Fixed Versions:
17.0.0, 16.1.4, 15.1.4, 14.1.4.4
956013-4 : System reports{{validation_errors}}
Links to More Info: BT956013
Component: Policy Enforcement Manager
Symptoms:
A {{validation_errors}} at Subscriber Management :: Control Plane Listeners and Data Plane Listeners with ipv6 addresses
Conditions:
Specifying an IPv6 address in the expression in Subscriber Management :: Control Plane Listeners and Policy Enforcement :: Data Plane Listeners.
Impact:
Cannot access the BIG-IP GUI through IPv6 address from any web browser. Admin/User cannot enter input through GUI.
Workaround:
None.
Fixed Versions:
16.1.2.1, 15.1.5, 14.1.4.5
955953-5 : iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg'
Links to More Info: BT955953
Component: TMOS
Symptoms:
'table' command fails to resume causing processing of traffic to halt due to 'irule_scope_msg' causing iRule processing to proceed in a way that 'table' does not expect.
Conditions:
- iRule using 'table' command
- Diameter 'irule_scope_msg' enabled
Impact:
Traffic processing halts (no crash)
Fixed Versions:
17.0.0, 16.1.5, 15.1.10
955617-8 : Cannot modify properties of a monitor that is already in use by a pool
Links to More Info: BT955617
Component: Local Traffic Manager
Symptoms:
If the monitor is associated with a node or pool, then modifying monitor properties other than the destination address is displaying incorrect error. For example, modifying the receive string results in following error:
0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor
This error should only be generated if the destination address of an associated monitor is being modified, but this error message is generated when other parameters are modified.
Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.
Impact:
Monitor properties cannot be modified if they are in use by a pool.
Workaround:
Remove the monitor, modify it, and then add it again.
Fix:
Monitor properties can be modified even when the monitor is attached to the node or pool, updated values reflect in the node or pool.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
954001-7 : REST File Upload hardening
Component: Device Management
Symptoms:
REST file upload does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
Only upload trusted files to the BIG-IP.
Fix:
REST file uploads now follow best security practices.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
953601-4 : HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions
Links to More Info: BT953601
Component: Local Traffic Manager
Symptoms:
HTTPS monitor marks pool member/nodes as down and they remain down until bigd is restarted or the monitor instance is removed and created again.
Conditions:
BIG-IP is configured with restrictive ciphers that are only compatible with TLS 1.2 (ECDH+AESGCM) but all of the TLS protocol versions are allowed. When HTTPS monitor TLS 1.0 handshake fails, due to incompatible ciphers with the server being monitored. It does not try TLS 1.2 version and marks pool members or nodes as down.
Impact:
HTTPS monitor shows pool members or nodes down when they are up.
Workaround:
Restart bigd or remove and add monitors.
Fix:
In case of handshake failure, BIG-IP will try TLS 1.2 version.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
952521-1 : Memory allocation error while creating an address list with a large range of IPv6 addresses★
Links to More Info: BT952521
Component: Advanced Firewall Manager
Symptoms:
When trying to create a large IPv6 address-list IP range either via the GUI, tmsh, or from loading a previously saved config, MCPd will temporarily experience memory exhaustion and report an error "01070711:3: Caught runtime exception, std::bad_alloc"
Conditions:
When adding an IPv6 address range that contains a very large number of IPs. This does not affect IPv4.
Impact:
The IP address range cannot be entered. If upgrading from a non-affected version of TMOS where an IP range of this type has been saved to the config, a std::bad_alloc error will be printed when loading the config after upgrading.
Workaround:
Use CIDR notation or multiple, smaller IP ranges.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
951133-4 : Live Update does not work properly after upgrade★
Links to More Info: BT951133
Component: Application Security Manager
Symptoms:
After upgrading BIG-IP version the Live Update "Check for Update" button does not respond.
Conditions:
Upgrading from a version that did not have Live Update to a new version which includes Live Update
Impact:
Live Update can't query for new updates.
Workaround:
Restart tomcat process:
> bigstart restart tomcat
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4
950917-4 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034
Links to More Info: BT950917
Component: Application Security Manager
Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:
01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )
Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.
Impact:
Apply policy fails.
Workaround:
You can use any of the following workarounds:
-- Install an older signature update -SignatureFile_20200917_175034
-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.
-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs INNER JOIN (select previous_enforced_rule_md5, policy_id, count(*) as mycount from PL_POLICY_NEGSIG_SIGNATURES where previous_enforced_rule_md5 != '' group by previous_enforced_rule_md5, policy_id having mycount > 1) as multi_sigs on policy_sigs.policy_id = multi_sigs.policy_id and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5 SET policy_sigs.previous_enforced_rule_md5 = '', policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------
Fixed Versions:
17.0.0, 16.1.4, 15.1.4, 14.1.4.2, 13.1.4.1
950201-3 : Tmm core on GCP
Links to More Info: BT950201
Component: TMOS
Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.
TMM panic with this message in a tmm log file:
panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.
Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141
-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.
Note: Using either workaround has a performance impact.
Fix:
- Added error handling to prevent crashing when a bad packet gets received
- Added a new column 'invalid_header' into tmm/virtio_rx_stats table to track incidents
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
950153-3 : LDAP remote authentication fails when empty attribute is returned
Links to More Info: BT950153
Component: TMOS
Symptoms:
LDAP/AD Remote authentication fails and the authenticating service may crash.
The failure might be intermittent.
Conditions:
LDAP/AD server SearchResEntry includes attribute with empty or NULL value.
This can be seen in tcpdump of the LDAP communication in following ways
1. No Value for attribute . Example in tcpdump taken on affected user :
vals: 1 item
AttributeValue:
2. 1. NULL Value for attribute . Example in tcpdump taken on affected user :
vals: 1 item
AttributeValue: 00
Impact:
Logging in via the GUI will fail silently
Logging in via ssh will cause the sshd service on LTM to crash and logs will be seen under /var/log/kern.log
The logs will be similar to :
info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000]
info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0
Workaround:
There is no Workaround on the LTM side.
For LDAP, you change/add the value from none/NULL on the affected attribute to ANY dummy value which will prevent the issue
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
950149 : Add configuration to ccmode for compliance with the Common Criteria STIP PPM.
Links to More Info: BT950149
Component: TMOS
Symptoms:
To comply with configuration requirements for the Common Criteria STIP PPM, the ccmode script must be updated.
Conditions:
Required compliance with Common Criteria STIP PPM configuration.
Impact:
Without these updates, the BIG-IP will not be compliant with the Common Criteria STIP requirements.
Workaround:
Follow the instructions in the Common Criteria Guidance document.
Fix:
This fix added configuration elements for compliance to Common Criteria STIP PPM requirements.
Fixed Versions:
17.0.0, 16.1.3
950069-1 : Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record"
Links to More Info: BT950069
Component: Global Traffic Manager (DNS)
Symptoms:
When attempting to use zonerunner to edit a TXT record that contains a plus character, BIG-IP DNS presents the error message 'Resolver returned no such record'.
Conditions:
A TXT record exists with RDATA (the value of the TXT record) containing one or more + symbols
Impact:
Unable to edit the record.
Workaround:
Two workarounds available:
1. Use zonerunner to delete the record and then recreate it with the desired RDATA value
2. Manually edit the bind zone file (see K7032)
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1
949857-7 : Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync
948985-3 : Workaround to address Nitrox 3 compression engine hang
Links to More Info: BT948985
Component: Local Traffic Manager
Symptoms:
Occasionally the Nitrox3 compression engine hangs.
In /var/log/ltm:
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.
Conditions:
The BIG-IP system uses Nitrox 3 hardware compression chips: 5xxx, 7xxx, 12250, and B2250.
You can check if your platform has nitrox3 by running the following command:
tmctl -w 200 compress -s provider
provider
--------
bzip2
lzo
nitrox3 <--------
zlib
Impact:
The Nitrox3 hardware compression system becomes unavailable, and the compression mode switches to software compression. This can lead to high CPU usage.
Workaround:
Disable HTTP compression or use software compression.
Fix:
Added db key compression.nitrox3.dispatchsize to control the request size.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1
948725-7 : An undisclosed iControl REST endpoint may provide a list of usernames to unauthorized users
948241-4 : Count Stateful anomalies based only on Device ID
Links to More Info: BT948241
Component: Application Security Manager
Symptoms:
Currently when Device ID is enabled, the BIG-IP system counts stateful anomalies on both IP and Device ID. When a client has a proxy (without XFF), and many requests arrive with the same IP, this can cause false positives
Conditions:
- Bot Defense profile is attached to a virtual server.
- Bot Defense profile has "Browser Verification" set to "Verify After Access" or "Device ID Mode" set to "Generate After Access".
Impact:
False positives may occur in case of a proxy without XFF
Workaround:
None
Fix:
Stateful anomalies are no longer counted on IP when Device ID is enabled
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
948113-1 : User-defined report scheduling fails
Links to More Info: BT948113
Component: Application Visibility and Reporting
Symptoms:
A scheduled report fails to be sent.
An error message with the following format may appear on /var/log/avr/monpd.log file (some parts of the error message were replaced with '.....' in here to leave only the common parts):
DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
Because : Unknown column ....... in 'order clause'
Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report
Impact:
Internal error for AVR report for ASM pre-defined.
Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr
Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});
The above can be achieved with the following script-line (please first backup the Client.pm file and then verify it changed it correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
Lastly, remount /usr back to read-only:
mount -o remount,ro /usr
Fix:
Using 'sort-by' measure when building PDF (instead of the first value on measure-list)
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
948065-1 : DNS Responses egress with an incorrect source IP address.
Links to More Info: BT948065
Component: Local Traffic Manager
Symptoms:
DNS responses over a certain size egress the BIG-IP with an incorrect source IP address set.
Conditions:
Large responses of ~2460 bytes from local BIND
Impact:
The response to the client appears to be coming from the wrong source IP address, and the request fails.
Workaround:
Change 'max-udp-size' in BIND to a smaller value reduces the size of response, which stops the fragmentation.
Note: This workaround has limitations, as some records in 'Additional Section' are truncated.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
947905-4 : Upgrade from 13.1.4, 14.1.4, or 15.1.1 to 14.0.x, 15.0.x, 16.0.0 or 16.0.0.1 fails★
Links to More Info: BT947905
Component: TMOS
Symptoms:
Loading configuration process fails after an upgrade from 13.1.4, 14.1.4, or 15.1.1 to release 14.0.0, 15.0.0, 16.0.0 or 16.0.0.1.
The system posts errors similar to the following:
-- info tmsh[xxxx]: cli schema (15.1.1) has been loaded from schema data files.
-- crit tmsh[xxxx]: 01420001:2: Can't load keyword definition (user-account.session_limit) : framework/SchemaCmd.cpp, line 825.
-- crit tmsh[xxxx]: 01420001:2: Can't load keyword definition (system-settings.ssh_max_session_limit) : framework/SchemaCmd.cpp, line 825
-- emerg load_config_files[xxxx]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Loading schema version: 15.1.1.
-- err mcpd[xxxx]: 01070422:3: Base configuration load failed.
-- Unexpected Error: "Can't load keyword definition (user-account.session_limit)".
-- Unexpected Error: "Can't load keyword definition (system-settings.ssh_max_session_limit)"
-- Syntax Error:(/config/bigip_user.conf at line: 10) "session-limit" unknown property
Conditions:
Upgrade from one of the following release:
-- v13.1.4 or later within the v13.1.x branch
-- v14.1.4 or later within the v14.1.x branch
-- v15.1.1 or later within the v15.1.x branch
to one of the following releases:
-- v14.0 through v14.1.3.1
-- v15.0 through v15.1.0.5
-- v16.0.0 and v16.0.0.1
Impact:
After upgrade, config does not load. The system hangs at the base configuration load failure status.
Workaround:
Although there is no workaround, you can avoid this issue by upgrading to the most recent maintenance or point release in v14.1.x, v15.1.x, or v16.x.
You can find a list of most current software releases in K5903: BIG-IP software support policy :: https://support.f5.com/csp/article/K5903
Fixed Versions:
16.1.3, 16.0.1
947341-4 : MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files.
Links to More Info: BT947341
Component: Application Security Manager
Symptoms:
1) var/lib/mysql/mysqld.err is filled with log entries that contain:
------------
200824 11:04:43 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
200824 11:18:46 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
200824 11:35:58 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
------------
2) There are a lot of PRX.REQUEST_LOG partitions, in some cases up to 1024, many of which are empty.
Conditions:
ASM/AVR provisioned
Impact:
MySQL runs out of resources when opening the file
PRX.REQUEST_LOG and an error message states the file is corrupt.
Workaround:
1. If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
https://support.f5.com/csp/article/K14956
https://support.f5.com/csp/article/K42497314
2. To identify the empty partitions, look into:
mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G"
3. For every partition that is empty, manually (or via shell script) execute this sql:
mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION <empty_partition_name>;"
Note: <empty_partition_name> must be substituted with the partition name, for example p100001.
4. Increase 'open_files_limit' to '10000'.
--------------------------------
In the /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter to 10000.
2. Restart MySQL:
bigstart restart mysql
--------------------------------
5. pkill asmlogd
Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.
Fix:
This release increases the default 'open_files_limit' to '10000'.
Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.3, 14.1.4.1
947333-2 : Irrelevant content profile diffs in Policy Diff
Links to More Info: BT947333
Component: Application Security Manager
Symptoms:
Defense attributes' grayed out values are shown in the policy diff even if "any" is selected
Conditions:
-- Import a policy
-- Perform a policy diff
Impact:
Policy diff showing irrelevant diffs
Workaround:
None
Fix:
Removed grayed out diffs from policy diff content profile section
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1
946185-3 : Unable to view iApp component due to error 'An error has occurred while trying to process your request.'★
Links to More Info: BT946185
Component: TMOS
Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:
An error has occurred while trying to process your request.
Conditions:
-- With or without Partitions configured.
-- Navigate to GUI iApps :: Application Services : Applications, to view a custom iApp.
-- More likely to occur after upgrade.
Impact:
Unable to view/modify iApps via GUI iApps :: Application Services : Applications screen.
Workaround:
To reconfigure the iApp, do the following:
1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List
2. Click the Application Link :: Reconfigure.
Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.
Fix:
Viewing Application Service components now reports no errors in the GUI under these conditions.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
945853-4 : Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession
Links to More Info: BT945853
Component: Advanced Firewall Manager
Symptoms:
TMM crashes during a configuration change.
Conditions:
This occurs under the following conditions:
-- Create/modify/delete multiple virtual servers in quick succession.
-- Perform back-to-back config loads / UCS loads containing a large number of virtual server configurations.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes during a configuration change.
Fixed Versions:
16.1.3, 15.1.3
945357 : BIG-IP must be able to set CA=True when creating Certificate Signing Requests from TMSH.
Links to More Info: BT945357
Component: Local Traffic Manager
Symptoms:
A Certificate Signing Request (CSR) is generated on the BIG-IP device to be used to create a certificate. It is possible for the entity owning the just-created certificate to serve as a Certificate Authority (CA) and be able to issue certificates and private keys to other parties. However, that ability does not exist unless the certificate has the CA field set to True (by default it is set to False).
Conditions:
In the TMSH prompt on the Command Line Interface (CLI), an attempt is made to generate a Certificate Signing Request (CSR) to be used to eventually create a certificate and corresponding private key.
Impact:
Without this change, certificates and private keys generated on the BIG-IP device cannot be directly provided to certification authorities so they can be used to sign certificates they would issue to other parties.
Workaround:
This is a new facility, not provided before, and overcomes a limitation. Without this facility, existing users of the BIG-IP are not impacted at all. As such, there is no workaround applicable.
Fix:
This fix enables certificates and private keys generated on the BIG-IP device via CSR's to be directly provided to certification authorities for their use. Because the CA field is set to now True, this fix adds convenience for certification authorities.
Fixed Versions:
17.0.0, 16.1.3
944381-2 : Dynamic CRL checking for client certificate is not working when TLS1.3 is used.
Links to More Info: BT944381
Component: Local Traffic Manager
Symptoms:
In SSL reverse proxy, dynamic CRL checking for client certificate is not working when TLS 1.3 handshake is used.
The SSL handshake successfully completed even though the client certificate is revoked.
Conditions:
-- Dynamic CRL checking enabled on a client-ssl profile
-- The client-side SSL handshake uses TLS1.3.
Impact:
The handshake should fail but complete successfully
Fix:
The issue was due to Dynamic CRL revocation check has not been integrated to TLS 1.3.
After the Dynamic CRL checking is integrated to TLS 1.3, the TLS handshake will work as expected.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1
944121-4 : Missing SNI information when using non-default domain https monitor running in TMM mode.
Links to More Info: BT944121
Component: In-tmm monitors
Symptoms:
In-TMM https monitors do not send the SNI (Server Name Indication) information for non-default route domain pool members.
In-TMM monitors do not send any packet when TLS1.3 monitor is used.
Conditions:
-- SNI is configured in serverssl profile
-- serverssl profile is assigned to in-tmm https monitors
-- https monitors are monitoring pool members that are in a non-default route domain.
- Another Condition :
TLS1.3 Monitor is used
Impact:
The TLS connection might fail in case of SNI
No SYN packet is sent in case of TLS1.3 monitor
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
943669-4 : B4450 blade reboot
Links to More Info: BT943669
Component: TMOS
Symptoms:
In a rare scenario, a B4450 blade suddenly reboots.
Conditions:
This occurs when there is heavy traffic load on VIPRION B4450 blades. The root cause is unknown. It happens extremely rarely.
Impact:
Traffic disrupted while the blade reboots.
Workaround:
None.
Fix:
The system now monitors the pause frames and reboots when needed.
Fixed Versions:
16.1.2.2, 15.1.2
943577-1 : Full sync failure for traffic-matching-criteria with port list under certain conditions
Links to More Info: BT943577
Component: TMOS
Symptoms:
Performing a full configuration sync with traffic-matching-criteria (TMC) under specific conditions fails with errors similar to:
err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 245 6869100131892804717 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..
Conditions:
This may occur on a full-load config sync (not an incremental sync)
On the device receiving the ConfigSync:
- a traffic-matching-criteria is attached to a virtual server
- the traffic-matching-criteria is using a port-list
On the device sourcing the ConfigSync:
- the same traffic-matching-criteria is attached to the same virtual server
- the original port-list is modified (e.g. a description is changed)
- the TMC is changed to reference a _different_ port-list
Impact:
Unable to sync configurations.
Workaround:
Copy the "net port-list" and "ltm traffic-matching-criteria" objects from the source to target system, merge them with "tmsh load sys config merge", and then perform a force-full-load-push sync from source to target.
If the BIG-IP systems are using device groups with auto-sync enabled, disable auto-sync temporarily while performing this workaround.
1. On the source system (the system whose configuration you want to sync to peer), save the configuration and extract the ltm traffic-matching-criteria and port-lists:
tmsh save sys config
(shopt -s nullglob; echo "#"; echo "# $HOSTNAME"; echo "# generated $(date +"%F %T %z")"
cat /config{/partitions/*,}/bigip{_base,}.conf |
awk '
BEGIN { p=0 }
/^(ltm traffic-matching-criteria|net port-list) / { p=1 }
/^}/ { if (p) { p=0; print } }
{ if (p) print; }
' ) > /var/tmp/portlists-and-tmcs.txt
2. Copy /var/tmp/portlists-and-tmcs.txt to the target system
3. On the target system, load that file:
tmsh load sys config replace file /var/tmp/portlists-and-tmcs.txt
3a. If loading the config file on the target system fails with the same error message seen during a ConfigSync, follow the procedure in
K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
tmsh save sys config
clsh touch /service/mcpd/forceload
clsh reboot
4. On the source system, force a full-load sync to the device-group:
tmsh run cm config-sync force-full-load-push to-group <name of sync-group>
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
943257-3 : REST framework support for IPv6 ConfigSync addresses
Links to More Info: BT943257
Component: Device Management
Symptoms:
In an HA sync environment, the REST framework reads the ConfigSync IP address retrieved through the tm/cm/device iCRD API. For an IPv6 address, the REST framework discards the related device certificate, which leads to the REST/gossip/sync failure.
Conditions:
Add support for IPv6 ConfigSync IP addresses in the REST framework in an HA sync environment.
Impact:
For an IPv6 address, the REST framework discards the related device certificate, which leads to the REST/gossip/sync failure.
Workaround:
None
Fix:
Valid device trust certificates are created with their name set to uniquely generated IPv4 address from the given IPv6 address. This helps in establishing the trust between the hosts thereby eliminating the REST/Gossip-sync failures.
Fixed Versions:
17.1.1, 16.1.5
943109-4 : Mcpd crash when bulk deleting Bot Defense profiles
Links to More Info: BT943109
Component: TMOS
Symptoms:
When bulk deleting a large number of Bot Defense profiles (around 450 profiles) using TMSH, mcpd could crash.
Conditions:
This can be encountered during bulk delete of Bot Defenese profiles via tmsh.
Impact:
Crash of mcpd causing failover.
Workaround:
Delete the Bot Defense profiles in smaller batches to avoid the possible crash.
Fix:
There is no longer a crash of mcpd when deleting a large number of Bot Defense in a bulk using TMSH.
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5
942617-2 : Heading or tailing white spaces of variable are not trimmed in configuration utility System Variable
Links to More Info: BT942617
Component: Application Security Manager
Symptoms:
Bot Defense does not accept the system variables with heading or tailing white space.
Conditions:
Create a system variable with heading or tailing white space in,
Security ›› Options : Application Security : Advanced Configuration : System Variables
Impact:
The HttpOnly cookie attribute is configured, but does not appear in TSCookie.
Workaround:
Create the system variables even with whitspaces through CLI, it omits the blank space from system variable name.
Fix:
Trim() to delete the whitspaces.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
942217-6 : Virtual server rejects connections even though the virtual status is 'available'
Links to More Info: BT942217
Component: TMOS
Symptoms:
With certain configurations, a virtual server keeps rejecting connections with reset cause 'VIP down' after 'trigger' events occur.
Conditions:
Required Configuration:
-- On the virtual server, the service-down-immediate-action is set to 'reset' or 'drop' and 'connection-limit' to be any (not 0).
-- The pool member has rate-limit enabled.
Required Conditions:
-- Monitor flap, or adding/removing monitor or set the connection limit to be zero or configuration change made with service-down-immediate-action.
-- At that time, one of the above events occur, the pool member's rate-limit is active.
Impact:
Virtual server keeps rejecting connections.
Workaround:
Delete one of the conditions.
Note: The affected virtual server may automatically recover upon the subsequent monitor flap, etc., if no rate-limit is activated at that time.
Fixed Versions:
16.1.5
941625-3 : BD sometimes encounters errors related to TS cookie building
Links to More Info: BT941625
Component: Application Security Manager
Symptoms:
BD sometimes print errors related to TS cookie building when receiving ASM cookies with account_id:
-- BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040.
-- IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.
Conditions:
-- Cookie protection is enabled.
-- The BIG-IP software is upgraded from a version that was earlier than 15.1.x.
Impact:
The cookie is not built and an error is logged.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4
940261-1 : Support IPS package downloads via HTTP proxy.
Links to More Info: BT940261
Component: Protocol Inspection
Symptoms:
IPS package download via HTTP proxy does not work.
2021-08-31 16:59:59,793 WARNING Download file failed. Retrying.
--
The error repeats continuously.
Conditions:
-- The global db key 'sys management-proxy-config' is configured
-- An IPS download is triggered
Impact:
The IPS IM package fails to download.
Workaround:
No workaround.
Fix:
IPS package downloads can now be successfully performed through an HTTP proxy.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
940225-4 : Not able to add more than 6 NICs on VE running in Azure
Links to More Info: BT940225
Component: TMOS
Symptoms:
Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot.
Conditions:
-- Standard_DS4_v2 Azure instance type.
-- Mellanox ConnectX-3 ethernet controller.
-- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set.
-- Accelerated networking is enabled on two or more NICs.
Impact:
Not able to boot BIG-IP VM with 8 NICs, which should be supported for Standard_DS4_v2 instance type:
8 vCPU
28 GiB
8 Max NICs
Adding more NICs to the instance makes the device fail to boot.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
939877-3 : OAuth refresh token not found
Links to More Info: BT939877
Component: Access Policy Manager
Symptoms:
When an OAuth client sends a refresh token to renew the access token, BIG-IP reports an error:
err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)
Conditions:
-- The refresh token expiration interval is longer than authcode and accesstoken.
-- The Authorization code table entry does not exist because of an internal clearing/purging operation.
-- tmm restarts or failover to standby thus losing refresh-token value from primarydb
Impact:
OAuth APM client end user fails to renew the access token even with a valid refresh token.
Workaround:
Clear/reset the Authorization code column value manually:
As a root user run below BIG-IP shell
(tmos)# list apm oauth db-instance
apm oauth db-instance oauthdb { db-name <db_name> description "Default OAuth DB." }
Copy the value corresponding to <db_name>.
Log into mysql from the bash prompt:
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw)
mysql> use <db_name>;
mysql> update master set auth_code = NULL where refresh_token='affected_refresh_token_id';
(Substitute the affected refresh token ID with affected_refresh_token_id in the previous command.)
Fix:
Do not report error if the Authorization code does not exist when a valid refresh-token/access-token exists.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4, 14.1.4.4
939757-8 : Deleting a virtual server might not trigger route injection update.
Links to More Info: BT939757
Component: TMOS
Symptoms:
When multiple virtual servers share the same virtual address, deleting a single virtual server might not trigger a route injection update.
Conditions:
-- Multiple virtual servers sharing the same destination address
-- One of the virtual servers is deleted
Impact:
The route remains in the routing table.
Workaround:
Disable and re-enable the virtual address after deleting a virtual server.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
939097-5 : Error messages related to long request allocation appear in the bd.log incase of big chunked requests
Links to More Info: BT939097
Component: Application Security Manager
Symptoms:
bd.log shows error messages
Conditions:
Big chunked requests are sent
Impact:
Unexpected error messages seen in the bd.log
Workaround:
None
Fix:
The error messages related to long request allocation are no longer appearing.
Fixed Versions:
17.1.1, 16.1.5
937649-4 : Flow fwd broken with statemirror.verify enabled and source-port preserve strict
Links to More Info: BT937649
Component: Local Traffic Manager
Symptoms:
Flow forwarding does not work with statemirror.verify enabled and source-port is preserve strict. Depending on the number of tmms and the IP addresses/ports on the network, this causes return traffic to get dropped.
Traffic captures show packets leaving the BIG-IP system on one tmm and being returned on another. The return traffic that encounters the second tmm is dropped.
Conditions:
-- Mirroring is enabled.
-- High availability (HA) peer is connected.
-- The source-port setting is preserve-strict.
-- The statemirror.verify option is enabled.
-- There is more than one tmm.
Impact:
Server-side return traffic to the BIG-IP is dropped. This causes connection timeouts and resets.
Workaround:
-- Disable statemirror.verify, disable source-port preserve-strict, disable mirroring.
-- On BIG-IP Virtual Edition (VE), add the following to tmm_init.tcl on both units and restart tmm:
ndal ignore_hw_dag yes
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
936501-1 : Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled
Links to More Info: BT936501
Component: TMOS
Symptoms:
When attempting to Export/Import a file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf via SCP, you receive an error dialog:
"file not allowed"
Conditions:
-- fips140 or common criteria mode enabled
-- Export/Import file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf
Impact:
Import/Export file using scp tool from/to the BIG-IP file path(s) /var/local/ucs or /var/local/scf not allowed when fips140 or cc mode enabled even if the file is encrypted.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.9
936441-7 : Nitrox5 SDK driver logging messages
Links to More Info: BT936441
Component: Local Traffic Manager
Symptoms:
The system kernel started spontaneously logging messages at an extremely high rate (~3000 per second):
Warning kernel: EMU(3)_INT: 0x0000000000000020
warning kernel: sum_sbe: 0
warning kernel: sum_dbe: 0
warning kernel: sum_wd: 0
warning kernel: sum_gi: 0
warning kernel: sum_ge: 0
warning kernel: sum_uc: 1
The above set of messages seems to be logged at about 2900-3000 times a second.
These messages continue after TMM fails its heartbeat and is killed. The system is rebooted by the host watchdog.
Conditions:
These messages are triggered by Nitrox5 driver when EMU microcode cache errors corrected by hardware.
Impact:
High rate of logging messages. The tmm heartbeat eventually fails, and tmm is restarted. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
936093-5 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline
Links to More Info: BT936093
Component: TMOS
Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.
Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.
Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.
Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:
/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr
This can be accomplished using a command such as:
truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
935945-2 : GTM HTTP/HTTPS monitors cannot be modified via GUI
Links to More Info: BT935945
Component: Global Traffic Manager (DNS)
Symptoms:
GUI reports an error when modifying DNS/GTM HTTP/HTTPS monitors:
01020036:3: The requested monitor parameter (/Common/http-default 2 RECV_STATUS_CODE=) was not found.
Conditions:
RECV_STATUS_CODE has never been set for the DNS/GTM HTTP/HTTPS monitors.
Impact:
Not able to make changes to DNS/GTM HTTP/HTTPS monitors through GUI.
Workaround:
If 'recv-status-code' has never been set, use tmsh instead.
Note: You can set 'recv-status-code' using tmsh, for example:
tmsh modify gtm monitor http http-default recv-status-code 200
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
935249-3 : GTM virtual servers have the wrong status
Links to More Info: BT935249
Component: Global Traffic Manager (DNS)
Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up).
Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.
-- The status code (for example, 200) being searched for in the response appears elsewhere than in the first line (for example, in a following header).
Impact:
The system incorrectly matches the status code in a response line which is not the Status-Line. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.
Workaround:
You can work around this issue by not performing HTTP status matching in your HTTP/HTTPS GTM monitors.
Fix:
The HTTP status code is now correctly searched only in the first line of the response.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5
935193-4 : With APM and AFM provisioned, single logout ( SLO ) fails
Links to More Info: BT935193
Component: Local Traffic Manager
Symptoms:
SAML Single log out (SLO) fails on BIG-IP platforms. The SAML module on the BIG-IP system reports following error messages:
-- SAML SSO: Error (12) Inflating SAML Single Logout Request
-- SAML SSO: Error (12) decoding SLO message
-- SAML SSO: Error (12) extracting SAML SLO message
Conditions:
Failures occur with Redirect SLO.
Impact:
SAML single logout does not work.
Workaround:
Use POST binding SLO requests.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
935177-3 : IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm
Links to More Info: BT935177
Component: TMOS
Symptoms:
TMM crashes when the maximum transmission unit (MTU) or 'Use PMTU' setting is changed while passing IPsec traffic.
Conditions:
-- IPsec tunnel configured and passing traffic.
-- The MTU or 'Use PMTU' setting for the IPsec tunnel (in interface mode) is changed.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not change MTU or PMTU settings for the tunnel while it is passing traffic.
The settings can be changed while passing traffic, but TMM may crash very soon after the change. If the settings are changed and TMM does not crash soon after, then it will not spontaneously crash at some later point.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
934697-5 : Route domain is not reachable (strict mode)
Links to More Info: BT934697
Component: Local Traffic Manager
Symptoms:
Network flows are reset and following errors are found in /var/log/ltm:
Route domain not reachable (strict mode).
Conditions:
This might occur in either one of the following scenarios:
Scenario 1
==========
-- LTM with iRules configured.
-- The iRule directs traffic to a node that is in a route domain.
or
Scenario 2
==========
-- LTM with an LTM policy configured.
-- The policy directs traffic to a node that is in a route domain.
Other
=====
Tunnel scenario's such as IPSec where client and encrypted traffic are in different route domains.
Impact:
Traffic is not sent to the node that is in a route domain.
The iRule 'node' method and/or LTM policy 'node' specification require a route_domain to be specified in order for the traffic to be sent to a node that is assigned to a route domain.
Workaround:
Specify the node along with Route Domain ID.
-- For iRules, change from this:
when HTTP_REQUEST {
node 10.10.10.10 80
}
To this (assuming route domain 1):
when HTTP_REQUEST {
node 10.10.10.10%1 80
}
-- For LTM policies, change from this:
actions {
0 {
forward
select
node 10.2.35.20
}
}
To this (assuming route domain 1):
actions {
0 {
forward
select
node 10.2.35.20%1
}
}
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5
932485-5 : Incorrect sum(hits_count) value in aggregate tables
Links to More Info: BT932485
Component: Application Visibility and Reporting
Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.
Conditions:
-- Insert a very large amount of data (approximately 4.5 milliard or more) to one of AVR tables.
-- Review the value of the sum(hits_count) column.
Impact:
The system reports incorrect values in AVR tables when dealing with large numbers
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
932137-7 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade
Links to More Info: BT932137
Component: Application Visibility and Reporting
Symptoms:
After upgrade, AFM statistics show non-relevant data.
Conditions:
BIG-IP system upgrade
-- Leftovers files remain in /shared/avr_afm partition from other versions.
Impact:
Non-relevant data are shown in AFM statistics.
Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
932133-1 : Payloads with large number of elements in XML take a lot of time to process
Links to More Info: BT932133
Component: Application Security Manager
Symptoms:
ASM experiences high CPU and latency usage while processing a large XML request.
Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.
Impact:
High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request.
Workaround:
None
Fix:
This fix includes performance improvements for large XML payloads.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
930393-2 : IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration
Links to More Info: BT930393
Component: TMOS
Symptoms:
-- IPsec tunnel does not start.
-- Remote IPsec networks unavailable.
Conditions:
-- Using IKEv1 and one of the following:
+ Performing an upgrade.
+ IPsec tunnel reconfiguration generally involving a change to, or addition of, a traffic-selector.
Impact:
IPsec tunnel is down permanently.
Workaround:
-- Reconfigure or delete and re-create the traffic selectors associated with the IPsec tunnel that does not start.
Special Notes:
-- This occurs rarely and does not happen spontaneously, without intentional changes (reconfiguration or upgrade).
-- A BIG-IP reboot or a restart of tmipsecd does not resolve this condition.
-- This symptom might also occur due to a genuine misconfiguration.
-- After major version upgrades, default ciphers can change, double-check the encryption and authentication ciphers for the tunnel.
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
929913-3 : External DNS logging does not differentiate between: all src_IP, Per-SrcIP and Per-DstIP events
Links to More Info: BT929913
Component: Advanced Firewall Manager
Symptoms:
DNS logs on LTM side do not print the all src_IP, per-srcIP, etc.
Conditions:
-- DNS logging is enabled
-- A DNS flood is detected
Impact:
Some information related to DNS attack event is missing such as src_IP, Per-SrcIP and Per-DstIP events.
Fix:
DNS now logs all src_IP, Per-SrcIP and Per-DstIP events.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
929909-3 : TCP Packets are not dropped in IP Intelligence
Links to More Info: BT929909
Component: Advanced Firewall Manager
Symptoms:
When an IP address is added to IP Intelligence under Denial-Of_service Category at a global level, and a TCP flood with that IP address occurs, IP Intelligence does not drop those packets
Conditions:
TCP traffic on BIG-IP with IP Intelligence enabled and provisioned
Impact:
When adding an IP address to an IP Intelligence category, UDP traffic from that IP address is dropped, but TCP traffic is not dropped.
Fix:
When adding an IP address to an IP Intelligence category, both TCP and UDP traffic from that IP address is dropped.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
929429-8 : Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed
Links to More Info: BT929429
Component: Local Traffic Manager
Symptoms:
Whenever you create Oracle or SQL (mssql, mysql or postgresql) database monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs.
Conditions:
-- Create an Oracle or SQL database LTM monitor.
-- Add a pool member to the Oracle or SQL database monitor created.
-- Platform FIPS is licensed.
Impact:
High CPU Usage due to the loading of libraries whenever new connection is created.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
929213-2 : iAppLX packages not rolled forward after BIG-IP upgrade★
Links to More Info: BT929213
Component: Device Management
Symptoms:
Certain iAppLX packages are not rolled forward after a BIG-IP upgrade or restoring a UCS file generated from an affected system, and will be unavailable for use.
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm
Conditions:
-> Installing any of the below iAppLX packages
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm
-> Performing an upgrade
-> Trying to access the LX packages from GUI by navigating to iApps -> Package Management LX
Impact:
After upgrading or restoring a UCS file generated from an affected system, the cloud-failover, service discovery, and telemetry iAppLX apps are not available for use, and will result in 404 error, while accessing them from GUI
Workaround:
The package needs to be uninstalled and installed again for use.
Steps:
-> From GUI, Navigate to iApps -> Package Management LX
-> select the package to uninstall and click on Uninstall
-> click on Import and provide the path of package to install again
Fix:
A new database key has been added, 'sys db iapplxrpm.timeout', which allows the RPM build timeout value to be increased.
sys db iapplxrpm.timeout {
default-value "60"
scf-config "true"
value "60"
value-range "integer min:30 max:600"
}
For example:
tmsh modify sys db iapplxrpm.timeout value 300
tmsh restart sys service restjavad
Increasing the db key and restarting restjavad should not be traffic impacting.
After increasing the timeout, the RPM build process that runs during a UCS save should be successful, and the resulting UCS should include the iAppsLX packages as expected.
Note: The maximum db key value of 600 may be needed in some cases.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
929077-4 : Bot Defense allow list does not apply when using default Route Domain and XFF header
Links to More Info: BT929077
Component: Application Security Manager
Symptoms:
When configuring an IP address allow list in Bot Defense Profile, using a default Route Domain, and a request with an X-Forwarded-For header the request might not be added to the allow list.
Conditions:
-- Bot Defense Profile is attached to virtual server.
-- Bot Defense Profile has an IP address allow list configured.
-- Using default Route Domain.
-- Sending a request with X-Forwarded-For header.
-- Might require heavy traffic.
Impact:
Request from an IP address that is on the allow list is blocked.
Workaround:
Allow the IP address using an iRule.
Fix:
The system now sets the correct route domain, and IP addresses on the allow list are allowed.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.1, 15.1.3, 14.1.4
928997-3 : Less XML memory allocated during ASM startup
Links to More Info: BT928997
Component: Application Security Manager
Symptoms:
Smaller total_xml_memory is selected during ASM startup.
For example, platforms with 32GiB or more RAM should give ASM 1GiB of XML memory, but it gives 450MiB only. Platform with 16MiB should give ASM 450MiB but it gives 300MiB.
Conditions:
Platforms with 16GiB, 32GiB, or more RAM
Impact:
Less XML memory allocated
Workaround:
Use this ASM internal parameter to increase XML memory size.
additional_xml_memory_in_mb
For more details, refer to the https://support.f5.com/csp/article/K10803 article.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
928653-1 : [tmsh]:list security nat policy rules showing automap though the value set is None
Links to More Info: BT928653
Component: Advanced Firewall Manager
Symptoms:
The tmsh command 'tmsh list security nat policy rules' shows automap even though the value is set to None
Conditions:
1. AFM provisioned
2. NAT rules configured
Impact:
The tmsh commands 'tmsh save sys config; and 'tmsh load sys config' modify the None value to automap on the NAT policy rules.
Workaround:
None
Fixed Versions:
16.1.5
927633-4 : Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic
Links to More Info: BT927633
Component: Local Traffic Manager
Symptoms:
Log messages written to /var/log/ltm:
-- notice tmm2[30394]: 01010259:5: External Datagroup (/Common/dg1) queued for update.
and to /var/log/tmmX:
-- notice panic: ../kern/sys.c:1081: Assertion "entry != NULL" failed.
Conditions:
-- Create datagroups.
-- Some condition causes a datagroup to not be present (e.g., delete, rename operations, or another, internal operation).
-- Load the config.
Impact:
Internal mapping of external datagroup fails. Datagroup creation fails.
Workaround:
None.
Fixed Versions:
16.1.5
926845-7 : Inactive ASM policies are deleted upon upgrade
Links to More Info: BT926845
Component: Application Security Manager
Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.
Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy
Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
926341-5 : RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade★
Links to More Info: BT926341
Component: Application Visibility and Reporting
Symptoms:
Unusually high AVR CPU utilization occurs following an upgrade.
Conditions:
-- BIG-IP software upgrade to v13.0.x or later.
-- Running AVR.
Impact:
AVR CPU utilization can be unusually high for an unusually long period of time.
Workaround:
After upgrade manually edit /etc/avr/avrd.cfg to decrease AVR CPU usage is high by increasing the time period of real-time statistics collection. In order to do so:
1. Change value of RtIntervalSecs in /etc/avr/avrd.cfg file to 30 or 60 seconds.
2. Restart the system by running the following command at the command prompt:
bigstart restart.
When changing RtIntervalSecs please take into consideration two important limitations:
-- Value of RtIntervalSecs cannot be less than 10.
-- Value of RtIntervalSecs must be 10 on BIG-IP devices that are registered on BIG-IQ DCD nodes.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.4, 14.1.4.4, 13.1.5
925469-2 : SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo
Links to More Info: BT925469
Component: TMOS
Symptoms:
When using the Certificate Order Manager to request new Multi-Domain certificate from the Sectigo Certificate Authority (CA), the request the BIG-IP sends is missing the field 'subjectAltName'.
Conditions:
-- Certificate Order Manager is configured to send requests to the Comodo/Sectigo CA.
-- Configure a new key with Subject Alternative Name (SAN).
Impact:
The BIG-IP system sends a request to the Sectigo CA that is missing the 'subjectAltName' field. That makes Certificate Order Manager not suitable for requesting Multi-Domain certificates.
Workaround:
There is no workaround other than not using Certificate Order Manager for Multi-Domain certificates.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
924945-5 : Fail to detach HTTP profile from virtual server
Links to More Info: BT924945
Component: Application Visibility and Reporting
Symptoms:
The virtual server might stay attached to the initial HTTP profile.
Conditions:
Attaching new HTTP profiles or just detaching an existing one.
Impact:
The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF.
Workaround:
Create new similar virtual server and attach it to the correct HTTP profile.
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.3
923821-1 : Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack
Links to More Info: BT923821
Component: Application Security Manager
Symptoms:
When mitigated action is set to CSI followed by captcha for credential stuffing attack, captcha is not triggered even after successful CSI challenge.
Conditions:
1) Mitigated action is set to CSI followed by captcha for credential stuffing attack.
2) Credential stuffing attack occurs.
3) CSI challenge is success.
Impact:
Captcha is not triggered leading to less than configured mitigation action for credential stuffing attack.
Workaround:
None
Fix:
Captcha will now be triggered after successful CSI challenge.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
923221-8 : BD does not use all the CPU cores
Links to More Info: BT923221
Component: Application Security Manager
Symptoms:
Not all CPUs are utilized. The CPUs that are not loaded are those with ID greater than 31.
Conditions:
BIG-IP software is installed on a device with more than 32 cores.
Impact:
ASM does not use all of the available CPU cores.
Workaround:
Run the following commands from bash shell.
1. # mount -o remount,rw /usr
2. Modify the following file on the BIG-IP system:
/usr/local/share/perl5/F5/ProcessHandler.pm
Important: Make a backup of the file before editing.
3. Change this:
ALL_CPUS_AFFINITY => '0xFFFFFFFF',
To this:
ALL_CPUS_AFFINITY => '0xFFFFFFFFFFFF',
4. # mount -o remount,ro /usr
5. Restart the asm process:
# bigstart restart asm.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
922737-1 : TMM crashes with a sigsegv while passing traffic
Links to More Info: BT922737
Component: SSL Orchestrator
Symptoms:
TMM crashes with a sigsegv while passing traffic.
Conditions:
Virtual server with a Connector profile that redirects to an internal virtual server with service profile applied on the same BIG-IP system.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
922413-8 : Excessive memory consumption with ntlmconnpool configured
Links to More Info: BT922413
Component: Local Traffic Manager
Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client side connections. It holds HTTP authentication headers which is no longer necessary once a client is authenticated.
Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.
Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.
Workaround:
None.
Fix:
When an NTLM Conn Pool profile is attached to a virtual server, it no longer causes memory pressure on a large number connections with NTLM authentication.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
922185-3 : LDAP referrals not supported for 'cert-ldap system-auth'★
Links to More Info: BT922185
Component: TMOS
Symptoms:
Admin users are unable to log in.
Conditions:
-- Remote LDAP auth enabled.
-- Administrative users are authenticated with the 'cert-ldap' source.
-- The admin user tries to log in.
Impact:
The cert-ldap authentication does not work, so login fails.
Workaround:
Manually edit the /etc/nslcd.conf and set the referrals to no.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
922105-1 : Avrd core when connection to BIG-IQ data collection device is not available
Links to More Info: BT922105
Component: Application Visibility and Reporting
Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.
Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.
Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.
Workaround:
Attempts to connect to BIG-IQ can be disabled manually by the following command:
tmsh modify analytics global-settings use-offbox disabled
Fix:
Avrd no longer cores when the connection to the BIG-IQ data collection device is not available.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
921697-1 : Attack signature updates fail to install with Installation Error.★
Links to More Info: BT921697
Component: Application Security Manager
Symptoms:
Installing a new Attack Signature Update (ASU) file on ASM/AWAF device that has large number of active policies can result in a failure due to memory exceptions. The following errors can be observed:
/var/log/ts/asm_config_server.log:
F5::ASMConfig::Handler::handle_error,,Code: 406 , Error message = Process size (232341504) has exceeded max size (200000000)
/var/log/asm
crit perl[19751]: 01310027:2: ASM subsystem error (apply_asm_attack_signatures ,F5::LiveUpdate::PayloadHandler::clean_fail): Fail load update files: TSocket: timed out reading 1024 bytes from n.n.n.n:9781
Conditions:
1. Adding and activating a large number of policies on a BIG-IP system configured with ASM/AWAF. It is not known exactly how many policies are required to encounter this, but it appears to be between 50 and 90 where this becomes a risk.
2. Installing a new ASU file
Impact:
The attack signature update fails.
Workaround:
Impact of workaround:
Performing this workaround requires restarting ASM, so it affects traffic processing briefly; therefore, it is recommended that you perform this during a maintenance window.
Increase 'max memory size' from the default ~200 MB (200000000) to 300 MB:
1. Take a backup of the original file.
# cp /etc/ts/tools/asm_config_server.cfg /var/tmp/asm_config_server.original.cfg
2. Add the following to the end of file /etc/ts/tools/asm_config_server.cfg:
# AsyncMaxMemorySize=314572800
3. Restart ASM.
# bigstart restart asm
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.6
921541-6 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.
Links to More Info: BT921541
Component: Local Traffic Manager
Symptoms:
The HTTP session initiated by curl hangs.
Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
+ B4450N (A114)
+ i4000 (C115)
+ i10000 (C116/C127)
+ i7000 (C118)
+ i5000 (C119)
+ i11000 (C123)
+ i11000 (C124)
+ i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096.
Impact:
Connection hangs, times out, and resets.
Workaround:
Use software compression.
Fix:
The HTTP session hang no longer occurs.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
921441-4 : MR_INGRESS iRules that change diameter messages corrupt diam_msg
Links to More Info: BT921441
Component: Service Provider
Symptoms:
-- 'DIAMETER::host origin' command may not be set correctly.
There are errors in ltm/log:
err tmm[18562]: 014c0001:3: DIAMETER: hud_diam_handle error: Not found
Conditions:
-- Virtual server is configured with a diameter profile enabled with an ingress iRule, for example:
ltm rule Diameter - iRule {
when MR_INGRESS {
DIAMETER:: host origin "hostname.realm.example"
}
}
-- Traffic arrives containing CER and ULR messages.
Impact:
Using the iRule to change the host origin corrupts the diameter message.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
921365-2 : IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby
Links to More Info: BT921365
Component: TMOS
Symptoms:
IKE-SAs are deleted on standby BIG-IP systems after a failover.
Conditions:
-- High availability (HA) environment
-- Dead-peer detection (DPD) / liveness checks are enabled
-- An HA failover occurs
This is a timing issue and can occur intermittently during a normal failover.
Impact:
Some of the IKE-SAs are missing on the standby device. When a failover happens, IPsec traffic will be dropped for those missing SAs.
Workaround:
Set IKE DPD interval time to ZERO (i.e., disable).
Fix:
When the BIG-IP system is in standby mode, the system no longer retries sending IKE/IPSEC control messages, which prevents this issue from occurring.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4
921149-6 : After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy
Links to More Info: BT921149
Component: TMOS
Symptoms:
All Bandwidth Controller (BWC) stats are 0 (zero) even though traffic is passing.
Conditions:
-- A BWC policy is attached to a virtual server.
-- The virtual server with the attached BWC policy is modified.
Impact:
The system disassociates the BWC policy from the virtual server. Traffic is no longer throttled according to the policy rules.
Workaround:
To reattach the policy, detach the Bandwidth Controller policy from the virtual server, and then reapply it.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
920149-3 : Live Update default factory file for Server Technologies cannot be reinstalled
Links to More Info: BT920149
Component: Application Security Manager
Symptoms:
Live Update default factory file for Server Technologies cannot be reinstalled once it is no longer the currently installed update file.
Conditions:
This occurs:
-- Once another update file for Server Technologies has been installed (most likely, a newer file).
-- If the device has been upgraded from a prior release such that the currently installed Server Technologies file is from the previous release, and is not the default factory file for the current release.
Impact:
Live Update default factory file for Server Technologies cannot be reinstalled.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4
919301-1 : GTP::ie count does not work with -message option
Links to More Info: BT919301
Component: Service Provider
Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:
wrong # args: should be "-type <ie-path>"
Conditions:
Issue the 'GTP::ie count' command with -message command, for example:
GTP::ie count -message $m -type apn
Impact:
iRules fails and it could cause connection abort.
Workaround:
Swap order of argument by moving -message to the end, for example:
GTP::ie count -type apn -message $m
There is a warning message due to iRules validation, but the command works in runtime.
Fix:
'GTP::ie' count is now working with -message option.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
915773-7 : Restart of TMM after stale interface reference
Links to More Info: BT915773
Component: Local Traffic Manager
Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
915221-6 : DoS unconditionally logs MCP messages to /var/tmp/mcpd.out
Links to More Info: BT915221
Component: Advanced Firewall Manager
Symptoms:
Excessive and large DoS debug messages associated with tmsh commands and stat queries are logged to /var/tmp/mcpd.out which is not log-rotated.
Conditions:
-- AFM is provisioned.
-- DoS queries executed via tmsh.
-- Access to DoS dashboard.
Impact:
Disk space is consumed on the filesystem for /var/tmp, which can eventually lead to follow-on failures when the disk fills up.
Workaround:
Delete or purge /var/tmp/mcpd.out.
Fixed Versions:
16.1.5
915005-3 : AVR core files have unclear names
Links to More Info: BT915005
Component: Application Visibility and Reporting
Symptoms:
If avrd fails a core file created in this case is named according to the thread name and has no indication that it belongs to avr, for example: SENDER_HTTPS.bld0.0.9.core.gz
Conditions:
Avrd fails with a core
Impact:
It is inconvenient for identifying the process that caused the core.
Fix:
Improved the avrd core file name.
Fixed Versions:
16.1.5
913413-1 : 'GTP::header extension count' iRule command returns 0
Links to More Info: BT913413
Component: Service Provider
Symptoms:
The 'GTP::header extension count' iRule command always returns 0 (zero).
Conditions:
This is encountered when using 'GTP::header extension count' in an iRule.
Impact:
The command returns false information.
Workaround:
None
Fix:
'GTP::header extension count' command now returns number of header extension correctly.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913409-1 : GTP::header extension command may abort connection due to unreasonable TCL error
Links to More Info: BT913409
Component: Service Provider
Symptoms:
When running "GTP::header extension" iRule command with some conditions, it may cause a TCL error and abort the connection.
Conditions:
Running "GTP::header extension" iRule command is used with some specific arguments and/or specific condition of GTP message
Impact:
TCL error log is shown and connection is aborted
Workaround:
None
Fix:
GTP::header extension command no longer abort connection due to unreasonable TCL error
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913393-1 : Tmsh help page for GTP iRule contains incorrect and missing information
Links to More Info: BT913393
Component: Service Provider
Symptoms:
In the tmsh help page for the GTP iRule command, it contains incorrect and missing information for GTP::header and GTP::respond command.
Conditions:
When running "tmsh help ltm rule command GTP::header", information regarding GTP::header and GTP::respond iRule command may be incorrect or missing.
Impact:
User may not be able to use related iRule command properly.
Workaround:
None
Fix:
Tmsh help page for GTP iRule is updated
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913085-6 : Avrd core when avrd process is stopped or restarted
Links to More Info: BT913085
Component: Application Visibility and Reporting
Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.
Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.
Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.
Workaround:
None.
Fix:
Avrd no longer cores when avrd process is stopped or restarted.
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
912945-3 : A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed
Links to More Info: BT912945
Component: Local Traffic Manager
Symptoms:
In a virtual configured with multiple client SSL profiles, the profile with ECDSA-signed cert is not selected even though its CN/SAN matching the SNI extension of ClientHello.
Conditions:
-- A virtual server with multiple client SSL profiles.
-- The SNI of,,lientHello does not match the 'server name' of any profile.
-- The cert in the profile is ECDSA-signed and its CN/SAN matches SNI extension of ClientHello.
-- That profile in is not selected.
Impact:
The incorrect client SSL profile is selected.
Workaround:
Configure the 'Server Name' option in the client SSL profile.
Fix:
Fixed an issue with client SSL profile selection.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4
912517-7 : Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
Links to More Info: BT912517
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- An LTM pool or pool members is configured to use an LTM database (MySQL, MSSQL, Oracle, or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.
Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
Fix:
For BIG-IP versions prior to 17.0.0, a database monitor no longer marks pool member down if 'send' is configured but no 'receive' strings are configured.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
912253-2 : Non-admin users cannot run show running-config or list sys
Links to More Info: BT912253
Component: TMOS
Symptoms:
Lower-privileged users, for instance guests or operators, are unable to list the configuration in tmsh, and get an error:
Unexpected Error: Can't display all items, can't get object count from mcpd.
The list /sys or list /sys telemd commands trigger the following error:
01070823:3: Read Access Denied: user (oper) type (Telemd configuration).
Conditions:
User account with a role of guest, operator, or any role other than admin.
Impact:
You are unable to show the running config, or use list or list sys commands.
Workaround:
Logon with an account with admin access.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
912149-7 : ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476'
Links to More Info: BT912149
Component: Application Security Manager
Symptoms:
The system exhibits various symptoms related to sync and control plane, and reports errors similar to the following:
/var/log/:
asm:
-- (asm_config_server.pl,F5::Cgc::Channel::send): Failed to send a message, error:15638476.
ts_debug.log:
-- |ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|(zmq_assert) Assertion failed: load.get () == 0
Conditions:
-- Two devices in a sync-failover/sync-only device group.
-- Other conditions required to reproduce this issue are under investigation.
Note: The occurrences of the Cgc::Channel message in the /var/log/ and /var/log/ts/asm_config_server logs are the most reliable indicator of this issue.
Impact:
-- Config-sync does not work, resulting in a different configuration among the devices in a sync group.
-- Security log profile changes are not propagated to other devices.
-- Portions of the GUI hang, e.g.: Security module tab, and 'security' menu under virtual server.
-- Policies with learning enabled do not generate learning suggestions.
Workaround:
Restart asm_config_server on the units in the device group.
# pkill -f asm_config_server
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
911729-4 : Redundant learning suggestion to set a Maximum Length when parameter is already at that value
Links to More Info: BT911729
Component: Application Security Manager
Symptoms:
Policy Builder is issuing a learning suggestion to set a specific maximum length for a parameter when that parameter already has that exact maximum length already configured.
Conditions:
-- Response learning is turned on
-- Response parameter length is less than, but close to, the currently configured maximum length limit.
Impact:
Redundant learning suggestion is issued.
Workaround:
You can either:
-- Ignore the learning suggestion (Click the Ignore button).
-- Turn off Learn from response.
Fix:
Learning suggestion is no longer issued with already configured maximum parameter length value.
Fixed Versions:
17.0.0, 16.1.5, 16.0.1.2, 15.1.4, 14.1.4.2
911585-5 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval
Links to More Info: BT911585
Component: Policy Enforcement Manager
Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.
Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)
Impact:
Session is not established.
Workaround:
None.
Fix:
Enhanced application to accept new sessions under problem conditions.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
911141-1 : GTP v1 APN is not decoded/encoded properly
Links to More Info: BT911141
Component: Service Provider
Symptoms:
GTP v1 APN element was decoded/encoded as octetstring and Only GTP v2 APN element is decoded/encoded as DNS encoding.
Conditions:
- GTP version 1.
- APN element.
Impact:
iRules become more complex when dealing with GTP v1 APN element, as it may need to convert between octetstring and dotted style domain name value after decoding or before encoding the data.
Workaround:
Use iRules to convert between octetstring and dotted style domain name values.
Fix:
GTP version 1 APN information element is now decoded/encoded as DNS encoding.
Behavior Change:
GTP v1 apn element is now decoded/encoded using DNS-like encoding. Previously, it was decoded/encoded as octetstring.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
910673-6 : Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'
Links to More Info: BT910673
Component: Local Traffic Manager
Symptoms:
Thales installation script fails with error message.
ERROR: Could not reach Thales HSM "<ip>". Make sure the HSM IP address is correct and that the HSM is accessible to the BIG-IP.
Conditions:
This occurs when the ICMP ping is blocked between the BIG-IP system and netHSM.
Impact:
Thales/nCipher NetHSM client software installation fails.
Workaround:
Unblock ICMP ping between the BIG-IP system and netHSM.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
910213-7 : LB::down iRule command is ineffective, and can lead to inconsistent pool member status
Links to More Info: BT910213
Component: Local Traffic Manager
Symptoms:
Use of the LB::down command in an iRule may not have the desired effect, or may result in pool members that are down for load balancing, but indicate up/available in the GUI and CLI.
Specifically, the pool member is marked down within the tmm instance executing the iRule, but the status change is not updated to mcpd, or to other tmm instances.
As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'.
Note: If [event info] is logged in the LB_FAILED event, it will indicate that the load balancing decision failed due to "connection limit"
Conditions:
Using the LB::down command in an iRule.
Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs.
If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members.
Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'.
Workaround:
- Delete and recreate affected pool members
(or) Restart tmm
(or) Restart the BIG-IP.
There is no direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
909161-1 : A core file is generated upon avrd process restart or stop
Links to More Info: BT909161
Component: Application Visibility and Reporting
Symptoms:
Sometime when avrd process is stopped or restarted, a core is generated.
Conditions:
Avrd process is stopped or restarted.
Impact:
Avrd creates a core file but there is no other negative impact to the system.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
907549-6 : Memory leak in BWC::Measure
Links to More Info: BT907549
Component: TMOS
Symptoms:
Memory leak in BWC calculator.
Conditions:
When the HSL log publisher is attached to the BWC::Measure instance in the Bandwidth policy.
Impact:
A memory leak occurs.
Workaround:
None.
Fix:
Memory is not leaked.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.0.5, 14.1.5
907025-5 : Live update error" 'Try to reload page'
Links to More Info: BT907025
Component: Application Security Manager
Symptoms:
When trying to update Attack Signatures. the following error message is shown:
Could not communicate with system. Try to reload page.
Conditions:
Insufficient disk space to update the Attack Signature.
Impact:
Live Update unable to restore the database during startup. Device runs out of disk space, which leads to failure in writing live update hsqldb log file. The liveupdatedb.script file, which is based on the .log file, is truncated and missing necessary settings in order to initialize the live update database.
Workaround:
This following procedure restores the database to its default, initial state:
1. Remove the sigfile.tmp.* directories under /var/ts/var/tmp.
2. Delete the script:
delete /var/lib/hsqldb/live-update/liveupdatedb.script
3. Create a new script:
create new /var/lib/hsqldb/live-update/liveupdatedb.script.
4. Add the following lines to create the live update database schema and set the SA user as expected:
CREATE SCHEMA PUBLIC AUTHORIZATION DBA
CREATE MEMORY TABLE AVAILABILITY(ID VARCHAR(255) NOT NULL,ERRORMESSAGE VARCHAR(255),LASTCHECKDATETIME BIGINT,LASTCHECKUPDATEFILE VARCHAR(255),STATUS VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT AVAILABILITY_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLSCHEDULE(ID VARCHAR(255) NOT NULL,APPLYATALLTIMES BOOLEAN,APPLYONALLDAYS BOOLEAN,APPLYONFRIDAYS BOOLEAN,APPLYONMONDAYS BOOLEAN,APPLYONSATURDAYS BOOLEAN,APPLYONSUNDAYS BOOLEAN,APPLYONTHURSDAYS BOOLEAN,APPLYONTUESDAYS BOOLEAN,APPLYONWEDNESDAYS BOOLEAN,ENDTIME VARCHAR(255),FREQUENCY VARCHAR(255),STARTTIME VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT INSTALLSCHEDULE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE UPDATEFILE(ID VARCHAR(255) NOT NULL,CREATEDATETIME BIGINT,FILELOCATION VARCHAR(255),FILENAME VARCHAR(255),ISFILEAVAILABLE BOOLEAN,ISFILEMANUALLYUPLOADED BOOLEAN,ISGENESIS BOOLEAN,MD5 VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT UPDATEFILE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLATION(ID VARCHAR(255) NOT NULL,ADDEDENTITIESCOUNT INTEGER,DELETEDENTITIESCOUNT INTEGER,ERRORMESSAGE VARCHAR(255),LASTREADMEFILENAME VARCHAR(255),LASTUPDATEMICROS BIGINT,LOADDATETIME BIGINT,MODIFIEDENTITIESCOUNT INTEGER,README VARCHAR(500000),STATUS VARCHAR(255),"TYPE" VARCHAR(255),UPDATEFILE_ID_OID VARCHAR(255),CONSTRAINT INSTALLATION_PK PRIMARY KEY(ID),CONSTRAINT INSTALLATION_FK1 FOREIGN KEY(UPDATEFILE_ID_OID) REFERENCES UPDATEFILE(ID))
CREATE INDEX INSTALLATION_N49 ON INSTALLATION(UPDATEFILE_ID_OID)
CREATE MEMORY TABLE INSTALLATION_DELETEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_DELETEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_DELETEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_DELETEDENTITYLIST_N49 ON INSTALLATION_DELETEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_MODIFIEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_MODIFIEDENTITYLIST_N49 ON INSTALLATION_MODIFIEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_ADDEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_ADDEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_ADDEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_ADDEDENTITYLIST_N49 ON INSTALLATION_ADDEDENTITYLIST(ID_OID)
CREATE USER SA PASSWORD ""
GRANT DBA TO SA
SET WRITE_DELAY 20
SET SCHEMA PUBLIC
5. Restart the tomcat process:
bigstart restart tomcat
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
906273-1 : MCPD crashes receiving a message from bcm56xxd
Links to More Info: BT906273
Component: TMOS
Symptoms:
Under rare circumstances, the Broadcom switch daemon bcm56xxd, can send more then one message at a time to MCPD.
This can cause MCPD to either fail immediately or have it hang and be terminated by sod 5 minutes later.
One of the messages being sent is in response to a link status change. The second message is a reply to a query, for instance a query for l2 forward statistics.
Conditions:
- BIG-IP with a Broadcom switch.
- Link status change is available.
- MCPD sends a query to bcm56xxd, that is, for l2 forward statistics.
Impact:
MCPD failure and restarts causing a failover.
Workaround:
None
Fix:
The Broadcom switch daemon bcm56xxd will not send more then one message to MCPD at a time.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
904661-4 : Mellanox NIC speeds may be reported incorrectly on Virtual Edition
Links to More Info: BT904661
Component: TMOS
Symptoms:
Speeds for Mellanox NICs on BIG-IP Virtual Edition may be reported incorrectly. The behavior varies depending on what driver is in use:
- Speeds are always reported as 10G when the mlxvf5 driver is used, regardless of the actual speed of the interface.
- Speeds are reported as either 10G or 40G when the xnet driver is used. This is accurate unless the actual NIC speed is greater than 40G, in which is it will still be reported as 40G.
Conditions:
-- BIG-IP Virtual Edition
-- Using a Mellanox NIC with the mlxvf5 or xnet driver
Impact:
Possibly incorrect media speed reported. (Actual speed is correct, regardless of what is displayed.)
Fixed Versions:
17.1.0, 16.1.4
903313-4 : OWASP page: File Types score in Broken Access Control category is always 0.
Links to More Info: BT903313
Component: Application Security Manager
Symptoms:
Under Broken Access Control category, the contribution of Disallowed File Types seems to be 0 no matter what is the number of Disallowed File Types in policy. As a result, it is not possible to reach full compliance.
Conditions:
Security Policy is configured. Not Applicable for parent or child policy.
Impact:
For any OWASP configurable policy (i.e. not parent or child policy), the policy cannot reach the maximum score for Broken Access Control category
Fixed Versions:
17.0.0, 16.1.4
902377-4 : HTML profile forces re-chunk even though HTML::disable
Links to More Info: BT902377
Component: Local Traffic Manager
Symptoms:
HTML profile performs a re-chunk even though HTML::disable has been executed in the HTTP_RESPONSE event.
Conditions:
Using HTML::disable in an HTTP_RESPONSE event.
Impact:
The HTML profile still performs a re-chunk.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
901669-6 : Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change.
Links to More Info: BT901669
Component: TMOS
Symptoms:
-- The 'tmsh show cm failover-status' command shows a status of 'Error' when the command is run on a peer of a device that underwent a management IP address change.
-- Should the sod_tg_conn_stat or sod_tg_msg_stat tmstat tables be inspected using the tmctl command, the tables show stale information in the entry_key column.
Note: Additionally, in certain cases, it is possible for failover functionality to be broken after the management IP address change, meaning devices remain stuck in an improper Active/Active or Standby/Standby state. This further aspect of the issue is tracked under ID999125. This ID tracks only the cosmetic defect.
Conditions:
-- Two or more devices in a sync-failover device-group.
-- The management IP address is changed on one of the devices.
The error appears under either of these conditions:
-- The 'tmsh show cm failover-status' is run on a peer of the device that underwent the management IP address change.
-- The sod_tg_conn_stat or sod_tg_msg_stat tmstat tables are inspected using the tmctl command.
Impact:
The 'tmsh show cm failover-status' command indicates an error.
Workaround:
You can work around this issue by running the following command on the peers of the device which underwent a management IP address change:
tmsh restart sys service sod
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
898929-6 : Tmm might crash when ASM, AVR, and pool connection queuing are in use
Links to More Info: BT898929
Component: Local Traffic Manager
Symptoms:
TMM crashes and generates a core file.
Conditions:
-- System is provisioned for at least ASM, AVR, and LTM.
-- An LTM pool is configured to use connection queuing.
-- The LTM pool is used on a virtual server with an analytics profile.
Impact:
Tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
Disable connection queuing on the pool.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
896941 : Common Criteria ccmode script updated
Links to More Info: BT896941
Component: TMOS
Symptoms:
Configuration of SSH must be done to support Common Criteria compliance. This is currently done by following instructions in the Common Criteria Guidance Document.
Conditions:
Common Criteria compliance configuration.
Impact:
This update automates the SSH configuration.
Workaround:
Continue to follow Common Criteria Guidance document instructions for SSH configuration.
Fix:
Added SSH configuration to meet Common Criteria requirements.
Fixed Versions:
17.0.0, 16.1.3
895557-5 : NTLM profile logs error when used with profiles that do redirect
Links to More Info: BT895557
Component: Local Traffic Manager
Symptoms:
As of BIG-IP version 14.1, HTTP iRule commands that inspect HTTP state after the commands HTTP::respond, HTTP::redirect, and HTTP::retry returns errors instead of returning corrupt data (https://support.f5.com/csp/article/K23237429).
When the NTLM profile is configured, it does the same through a built-in TCL rule where among several things, it tries to check if HTTP::cookie exists. If a profile like HTTP exists wherein a redirect/respond/retry is configured, it results in a TCL error informing the admin that they are accessing an invalid HTTP state.
Conditions:
-- NTLM profile is configured alongside HTTP profile
-- One of the redirect/respond/retry commands has been executed before the NTLM profile accesses the state of HTTP (for ex. HTTP::collect, HTTP::close, HTTP::cookie, etc.).
Impact:
Tcl error is seen in /var/log/ltm informing the admin that the iRule operation executed after HTTP::redirect/retry/respond is not supported.
For example -
TCL error: _plugin_rule_/Common/ntlm_default_iis <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::cookie exists [PROFILE::ntlm insert_cookie_name]"
Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.2
890169-4 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
Links to More Info: BT890169
Component: Application Security Manager
Symptoms:
When a URL starts with double slashes (i.e. "http://HOST//path"), and Bot Defense Profile decides to perform simple redirect, the request results with loading failure.
Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.
Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
890037-3 : Rare BD process core
Links to More Info: BT890037
Component: Application Security Manager
Symptoms:
The BD process crashes leaving a core dump. ASM restarts happening failover.
Conditions:
Traffic load to some extent, but beside that we do not know the conditions leading to this.
Impact:
Failover, traffic disturbance.
Workaround:
None
Fixed Versions:
16.1.5
889813-3 : Show net bwc policy prints bytes-per-second instead of bits-per-second
Links to More Info: BT889813
Component: TMOS
Symptoms:
The 'tmsh show net bwc policy' is printing out bits-per-second in the value field, but the name field says 'bytesPerSec'.
Conditions:
Running the tmsh command:
tmsh show net bwc policy
Impact:
The stats are in bits-per-second, but the label says bytesPerSec. Although there is no functional impact, the incorrect label could cause confusion.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10, 14.1.4.5
889605-2 : iApp with Bot profile is unavailable if application folder includes a subpath
Links to More Info: BT889605
Component: iApp Technology
Symptoms:
iApp with Bot profile is unavailable if the application folder includes a subpath. If the subpath is not present then iApp with bot profile is available.
Conditions:
1) Create default "Bot Protection" or "Web Application Comprehensive Protection" with an enabled "Bot Defense" use case in WGC without a virtual server.
2) Go to "iApps >> Application Services: Applications" and refer to the created iApp.
Impact:
iApp cannot be loaded when tried to open through iApps >> Applications view in TMUI.
Workaround:
View the configuration created from Guided configuration as mentioned: iApps >> Application Services >> Applications LX menu
Fix:
Open the iApps >> Applications view in TMUI and load the iApp.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
888765-2 : After upgrading from 13.1.0 to 15.1.0.1 CGNAT is deprovisioned and tmm is restarted by reloaded config from text files★
Links to More Info: BT888765
Component: TMOS
Symptoms:
After upgrading, CGNAT is de-provisioned and tmm is restarted after config load.
Conditions:
- CGNAT provisioned prior to upgrade
- Upgrade from 13.1.0 to 15.1.0.1 and reboot
Impact:
-- CGNAT is de-provisioned
-- Tmm restarts
Workaround:
After upgrading, re-provision CGNAT:
tmsh modify sys provision cgnat level <level>
tmsh save sys config
Fixed Versions:
16.1.4
888289-8 : Add option to skip percent characters during normalization
Links to More Info: BT888289
Component: Application Security Manager
Symptoms:
An attack signature is not detected.
Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.
Impact:
An attack goes undetected.
Workaround:
Turn on the bad unescape violation or the metacharacter violation.
Fix:
Added an internal parameter, normalization_remove_percents. Its default is 0 (zero), meaning that the previous behavior is maintained. When enabled, the normalization of the data before running the signature removes the percent characters (as it does to high ASCII and space characters).
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
887117-4 : Invalid SessionDB messages are sent to Standby
Links to More Info: BT887117
Component: TMOS
Symptoms:
SessionDB messages sent from Active to Standby are dropped due to inconsistencies detected in the message. You see logs in /var/log/ltm:
SessionDB ERROR: received invalid or corrupt HA message; dropped message.
Conditions:
-- High availability (HA) pair configuration.
-- SessionDB messages sent from Active to Standby.
Impact:
Standby drops these messages
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4.1
886649-5 : Connections stall when dynamic BWC policy is changed via GUI and TMSH
Links to More Info: BT886649
Component: TMOS
Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.
Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.
Impact:
Connection does not transfer data.
Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
886533-5 : Icap server connection adjustments
Links to More Info: BT886533
Component: Application Security Manager
Symptoms:
Request getting to the ICAP server takes a long time to process (several seconds), which makes the whole transaction slower than expected. When testing the connection to the ICAP server itself, you determine that it is fast.
Conditions:
This happens especially with large file uploads that are mixed with smaller file uploads. The smaller uploads are waiting for the bigger upload.
Impact:
Slow responses to specific requests.
Workaround:
None.
Fix:
This release provides greater responsiveness of the internal queue to the ICAP thread.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
885765-1 : ASMConfig Handler undergoes frequent restarts
Links to More Info: BT885765
Component: Application Security Manager
Symptoms:
Under some settings and load the RPC handler for the tsconfd process restarts frequently.
Conditions:
When processing a large number of configuration updates.
Impact:
The RPC handler for the tsconfd process restarts frequently, causing unnecessary churn and noisy logs
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
884945-1 : Latency reduce in case of empty parameters.
Links to More Info: BT884945
Component: Application Security Manager
Symptoms:
Traffic load with many empty parameters may lead to increased latency.
Conditions:
Sending requests with many empty parameters
Impact:
Traffic load with many empty parameters may cause increased latency through the BIG-IP system.
Workaround:
None
Fix:
Ignore empty parameters
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
883049-9 : Statsd can deadlock with rrdshim if an rrd file is invalid
Links to More Info: BT883049
Component: Local Traffic Manager
Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'.
You may see errors:
-- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'.
Conditions:
Truncation of a binary file in /var/rrd.
Impact:
Stats are no longer collected. Statsd and rrdshim deadlock.
Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd
Fix:
Now detecting and rectifying truncation of RRD files.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
882709-6 : Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors★
Links to More Info: BT882709
Component: TMOS
Symptoms:
Traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.
This may manifest as traffic failing after an upgrade from earlier (unaffected) software versions.
Note: This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.
This is due to an interoperability issue between RedHat Enterprise Linux (RHEL) and Microsoft Hyper-V, which seems to affect RHEL v7.3 and RHEL v7.5.
Hyper-V on Windows Server 2016 and Windows Server 2012 do not seem to identify the version of the built-in LIS correctly on Centos 7.3 or Centos 7.5 (which are built on RHEL 7.3 and RHEL 7.5 respectively).
Although there is a statement of support by Microsoft for VLAN tagging on RHEL 7.3 and 7.5 when running on Hyper-V, that functionality does not appear to work at present: Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V :: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/Supported-CentOS-and-Red-Hat-Enterprise-Linux-virtual-machines-on-Hyper-V.
Conditions:
-- BIG-IP VE is deployed on a Hyper-V hypervisor.
-- VLAN configured in BIG-IP VE with tagged interfaces, e.g.:
net vlan external {
interfaces {
1.1 {
tagged
}
}
tag 4000
}
-- At present, VLAN tagging on the v14.x and v15.x releases does not work because those releases are running on CentOS 7.3 and 7.5 respectively, which both are affected by the MS/RHEL interoperability issue.
-- BIG-IP v12.x and v13.x use a different (older) CentOS version, so VLAN tagging works without issue on those releases.
Impact:
-- The system does not prevent you from configuring tagged VLANs, even though they do not pass traffic.
-- Although upgrades complete and you can reboot into the new boot location (or you can set up on Hyper-V from scratch), traffic does not pass (into the guest) across VLANs that are tagged.
Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.
Workaround:
Essentially, there is no workaround in this release; you must reconfigure the virtual machine to use separate, untagged interfaces for each VLAN.
Note: Although this is technically a problem between Hyper-V and the built-in LIS on RHEL 7.3/7.5, this issue is being tracked internally in this bug.
Behavior Change:
In this release, traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.
This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.
Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
881085-4 : Intermittent auth failures with remote LDAP auth for BIG-IP managment
Links to More Info: BT881085
Component: TMOS
Symptoms:
There are intermittent auth failures when accessing the BIG-IP administration interfaces via SSH or the GUI.
Conditions:
-- Remote LDAP auth is configured.
-- An idle timeout RST is received on the LDAP connection before the configured auth LDAP idle-timeout expires. This RST might be generated by tmm (if the connection to the LDAP server is via a defined VLAN), some other intervening device on the network, or from the LDAP server itself (depending on its connection time limit).
Impact:
There might be intermittent remote-auth failures.
Workaround:
Set the auth ldap idle-timeout to a smaller value, for example, via tmsh:
modify auth ldap system-auth idle-timeout 299
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
878641-3 : TLS1.3 certificate request message does not contain CAs
Links to More Info: BT878641
Component: Local Traffic Manager
Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4
Conditions:
TLS1.3 and client authentication
Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected
Fix:
Certificate request message now may contain CAs
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
876677-2 : When running the debug version of TMM, an assertion may be triggered due to an expired DNS lookup.
Links to More Info: BT876677
Component: Global Traffic Manager (DNS)
Symptoms:
When running the debug version of TMM, if a particular DNS lookup takes more than 30 seconds, TMM may assert with a message in the /var/log/tmm file similar to the following example:
notice panic: ../modules/hudfilter/3dns/cache_resolver.c:2343: Assertion "standalone refcnt must be one" failed.
Conditions:
-- Using the debug TMM
-- Using the RESOLV::lookup iRule command
-- The DNS server targeted by the aforementioned command is running slowly or malfunctioning
Impact:
TMM crashes and, in redundant configurations, the unit fails over.
Workaround:
Do not use the debug TMM.
Fix:
The debug assert was removed and replaced by a debug log.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
876569-2 : QAT compression codec produces gzip stream with CRC error
Links to More Info: BT876569
Component: Local Traffic Manager
Symptoms:
When an HTTP compression profile is enabled on BIG-IP platforms with Intel QuickAssist Technology (Intel QAT) compression accelerators, gzip errors are produced.
Conditions:
This occurs when the following conditions are met:
-- The following platforms with Intel QAT are affected:
+ 4450 blades
+ i4600/i4800
+ i10600/i10800
+ i7600/i7800
+ i5600/i5800
+ i11600/i11800
+ i11400/i11600/i11800
+ i15600/i15800
-- The compression.qat.dispatchsize variable is set to any of the following values:
+ 65535
+ 32768
+ 16384
+ 8192
-- The size of the file being compressed is a multiple of the compression.qat.dispatchsize value, for exampld:
+ 65355*32768
+ 8192*32768
Impact:
Clients cannot decompress the compressed file because there is an invalid gzip footer.
Workaround:
Disable hardware compression and use software compression.
Fix:
The system now handles gzip errors seen with QAT compression.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
874941-4 : HTTP authentication in the access policy times out after 60 seconds
Links to More Info: BT874941
Component: Access Policy Manager
Symptoms:
HTTP authentication in the access policy times out after 60 seconds, where previously, the timeout was 90 seconds.
Conditions:
Encountering the timeout of HTTP authentication in the access policy in this version of the software.
Impact:
HTTP authentication times out 30 seconds earlier than it did in previous versions. There is no way to configure this timeout value, so authentication fails for operations that require greater than 60 seconds to complete.
Workaround:
None.
Fix:
Added options to configure the HTTP connection and request timeouts in HTTP authentication.
1. A db key to configure Connection Timeout for HTTP Server configuration:
+[APM.HTTP.ConnectionTimeout]
+default=10
+type=integer
+min=0
+max=300
+realm=common
+scf_config=true
+display_name=APM.HTTP.ConnectionTimeout
2. A db key to configure Request Timeout for HTTP Server configuration:
+[APM.HTTP.RequestTimeout]
+default=60
+type=integer
+min=0
+max=600
+realm=common
+scf_config=true
+display_name=APM.HTTP.RequestTimeout
Behavior Change:
Added db variables APM.HTTP.ConnectionTimeout and APM.HTTP.RequestTimeout as options to configure the HTTP connection and request timeouts in HTTP authentication.
The APM.HTTP.ConnectionTimeout defaults to 10 seconds, and the APM.HTTP.RequestTimeout defaults to 60 seconds.
Note: These defaults are the same as the values in earlier releases, so there is no effective functional change in behavior.
Fixed Versions:
16.1.2.2, 15.1.6.1, 14.1.5
874877-4 : The bigd monitor reports misleading error messages
Links to More Info: BT874877
Component: Local Traffic Manager
Symptoms:
When a recv string is used with an HTTP/HTTP2/HTTPS/TCP monitor, the HTTP status code is collected and in the event of failure, the most recent value (from before the failure) is retrieved and used as part of the log output. This can result in a message that is misleading.
Conditions:
- The BIG-IP system configured to monitor an HTTP/HTTP2 server.
- The BIG-IP system configured to monitor an HTTPS/TCP monitor.
Impact:
Generates a misleading log messages, difficulty in identifying the actual cause of the monitor failure.
This occurs because the system stores the 'last error' string for these monitors. This can be misleading, especially when a receive string is used. Following is an example:
-- A BIG-IP system is monitoring an HTTP server that is returning proper data (i.e., matching the receive string).
-- The HTTP server goes down. Now the BIG-IP system will have a last error string of 'No successful responses received before deadline' or 'Unable to connect'.
-- The HTTP server goes back up and works for a while.
-- For some reason, the HTTP server's responses no longer match the receive string.
In this case, a message is logged on the BIG-IP system:
notice mcpd[6060]: 01070638:5: Pool /Common/http member /Common/n.n.n.n:n monitor status down. [ /Common/my_http_monitor: down; last error: /Common/my_http_monitor: Unable to connect @2020/01/09 04:18:20. ] [ was up for 4hr:18mins:46sec ]
The 'Unable to connect' last error reason is not correct: the BIG-IP system can connect to the HTTP server and gets responses back, but they do not match the received string.
Workaround:
None
Fix:
None
Fixed Versions:
16.1.5
873617-1 : DataSafe is not available with AWAF license after BIG-IP startup or MCP restart.
Links to More Info: BT873617
Component: Fraud Protection Services
Symptoms:
DataSafe is not available with an AWAF license.
Conditions:
-- AWAF license
-- BIG-IP startup or MCP restart
Impact:
DataSafe is not available.
Workaround:
Reset to default license.antifraud.id variable.
tmsh modify sys db license.antifraud.id reset-to-default.
Fix:
Additional DataSafe license validation during MCP startup after license information is loaded.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
858005-1 : When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:"
Links to More Info: BT858005
Component: Access Policy Manager
Symptoms:
APM Access Policy evaluation failed.
Conditions:
When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces there is no configuration error but runtime evaluation results in failure with error message in /var/log/apm:
"Rule evaluation failed with error:"
Impact:
APM end user’s session cannot be established.
Workaround:
Using APM VPE remove all leading/trailing spaces from config of “IP Subnet Match” agent
Fix:
This issue is fixed by trimming spaces from IP Subnet Match agent config in VPE
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
857045-4 : LDAP system authentication may stop working
Links to More Info: BT857045
Component: TMOS
Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.
In /var/log/daemon.log, you may see the following:
warning systemd[1]: nslcd.service failed
Conditions:
Nslcd daemon crashed, and it fails to restart.
Impact:
System authentication stops working until nslcd is restarted.
Workaround:
Manually restart nslcd daemon:
systemctl start nslcd
nslcd can be reconfigured to restart automatically and create core files when it crashes, though these changes will be lost across software installs (and is not backed up as part of a UCS archive):
1. Run "systemctl edit nslcd", which will open a text editor (by default, nano).
2. In the text editor, add these contents:
[Service]
# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always
3. Exit the text editor and save the file
4. Check the output of "systemctl status nslcd" for any warnings/errors from systemd as a result of editing the file; there should not be any.
5. Restart nslcd:
systemctl restart nslcd
Fixed Versions:
16.1.5
854129-6 : SSL monitor continues to send previously configured server SSL configuration after removal
Links to More Info: BT854129
Component: In-tmm monitors
Symptoms:
After an SSL profile has been removed from a monitor, a monitor instance continues to use settings from the previously-configured server SSL profile, such as client certificate or ciphers or supported TLS versions.
Conditions:
-- In-TMM monitors enabled.
-- SSL monitor configured with a server SSL profile.
-- Setting the monitor's 'SSL Profile' parameter to 'none'.
Impact:
The previously configured settings, such as certificate or cipher, continue to be used for monitoring pool members, which may result in unexpected health check behavior/pool member status.
Workaround:
An administrator can avoid this issue by ensuring the monitor's 'SSL Profile' parameter specifies a profile (i.e., is not 'none').
Note: In some software versions, changing a monitor's SSL profile from one profile to a different profile may not take effect. For information about this behavior, see https://cdn.f5.com/product/bugtracker/ID912425.html
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
852613-4 : Connection Mirroring and ASM Policy not supported on the same virtual server
Links to More Info: BT852613
Component: Application Security Manager
Symptoms:
Connection Mirroring used together with ASM is not supported by the BIG-IP system, and a config validation prevents associating an ASM Policy with a virtual server that is configured with Connection Mirroring.
Conditions:
Virtual Server is attempted to be configured with Connection Mirroring and ASM Policy together.
Impact:
Connection Mirroring and ASM Policy cannot be configured on the same virtual server.
Workaround:
None.
Fix:
Connection Mirroring and ASM Policy can now be configured on the same virtual server. Only a subset of ASM features are supported. Please refer to the documentation for support and limitations when using Connection Mirroring with ASM.
Fixed Versions:
16.1.5, 14.1.2.7
851121-6 : Database monitor DBDaemon debug logging not enabled consistently
Links to More Info: BT851121
Component: Local Traffic Manager
Symptoms:
Debug logging in the database monitor daemon (DBDaemon) for database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle) is enabled on a per-monitor basis.
When a ping is initiated for a particular monitor with debug logging enabled in the monitor configuration, debug logging in DBDaemon is enabled.
When a ping is initiated for a particular monitor with debug logging disabled in the monitor configuration, debug logging in DBDaemon is disabled.
When monitoring database pool members with a mix of monitors with debug logging enabled versus disabled, the result can be that debug logging in DBDaemon is enabled and disabled at times which do not correspond to all actions related to a specific database monitor, or pool members monitored by that monitor.
In addition, debug messages logging internal DBDaemon state related to the management of the full collection of monitored objects, active threads, and other may not be logged consistently.
Conditions:
-- Using multiple database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle).
-- Enabling debug logging on one or more database health monitors, but not all.
Debug logging for database health monitors is enabled by configuring the "debug" property of the monitor with a value of "yes".
Debug logging is disabled by configuring the "debug" property with a value of "no" (default).
# tmsh list ltm monitor mysql mysql_example debug
ltm monitor mysql mysql_example {
debug yes
}
Impact:
Logging of database monitor activities by DBDaemon may be inconsistent and incomplete, impeding efforts to diagnose issues related to database health monitors.
Workaround:
When attempting to diagnose database health monitor issues with DBDaemon debug logging, enable debug logging for ALL database monitors currently in use.
Once diagnostic data collection is completed, disable debug logging for all database monitors currently configured/in use.
Fix:
DBDaemon debug logging can now be enabled globally to facilitate diagnosing database health monitor issues.
DBDaemon debug logging can be enabled globally by creating the following touch file:
-- /var/run/DBDaemon.debug
DBDaemon global debug logging can be disabled by removing or unlinking the above touch file.
Creating or removing the above touch file has immediate effect.
This mechanism enables/disables DBDaemon debug logging globally for all instances of DBDaemon which may be running under different route domains.
In addition, when debug logging is enabled for a specific database monitor (Microsoft SQL, MySQL, PostgreSQL, Oracle), DBDaemon accurately logs all events for that monitor. The per-monitor debug logging is enabled independent of the global DBDaemon debug logging status.
The timestamps in DBDaemon logs (/var/log/DBDaemon-*.log*) are now written using the local timezone configured for the BIG-IP system.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
850141-2 : Possible tmm core when using Dosl7/Bot Defense profile
Links to More Info: BT850141
Component: Application Security Manager
Symptoms:
Tmm crashes.
Conditions:
-- Dosl7/Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature and requires a rDNS.
-- An asynchronous iRule is attached to the virtual server
OR:
-- Device ID feature is enabled, and the current request requires a complex Device ID generation.
-- The connection is closed before the response arrives.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
849029-7 : No configurable setting for maximum entries in CRLDP cache
Links to More Info: BT849029
Component: Access Policy Manager
Symptoms:
There is no setting provided to configure maximum entries the in CRLDP cache.
Conditions:
In a configuration with tens of thousands of CRLDP and hundreds of thousands or millions of certificates, certain operations might encounter an internal limit, resulting in a number of revoked certificates.
Impact:
No settings exist. Cannot set maximum entries in CRLDP cache.
Workaround:
None.
Fix:
There is now a setting for configuring maximum entries in CRLDP cache.
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.4.4
844597-6 : AVR analytics is reporting null domain name for a dns query
Links to More Info: BT844597
Component: Advanced Firewall Manager
Symptoms:
AVR analytics is reporting null domain name for a DNS query if DNS DoS profile is attached to a virtual server, but the profile does not have the matching type vector enabled to the query type.
Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.
Impact:
DNS domain name is reported as NULL
Workaround:
Enable the matching type vector on the DNS DoS profile.
Fix:
The domain name is now reported correctly under these conditions.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
844045-4 : ASM Response event logging for "Illegal response" violations.
Links to More Info: BT844045
Component: Application Security Manager
Symptoms:
Response log is not available when the request is legal but returns an illegal response status code.
In ASM, logging profiles allow the logging of all blocked responses. The existing response logging allows either all requests or illegal requests only which does not contain response logging data.
Conditions:
-- Response logging is enabled
-- An illegal response occurs
Impact:
Response logging does not occur.
Workaround:
N/A
Fix:
When a response has ASM response violations and response logging is enabled only for when there was a violation, ASM includes the response in the log.
Added an internal variable:
disable_illegal_response_logging -- default value 0.
If the response logging is enabled in the GUI, only the response logs are captured.
If the variable disable_illegal_response_logging is set to 1, then response logging is disabled(even if enabled in GUI).
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
842425-6 : Mirrored connections on standby are never removed in certain configurations
Links to More Info: BT842425
Component: Local Traffic Manager
Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.
Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.
Impact:
Leaking connections on the standby system.
Workaround:
You can use either of the following workarounds:
-- Use auto-lasthop with mirrored connections.
-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
842013-1 : ASM Configuration is Lost on License Reactivation★
Links to More Info: BT842013
Component: Application Security Manager
Symptoms:
After re-activating a BIG-IP license, if the configuration fails to load and reverts to a base config load, the ASM policy config contains 'default' or 'stub' policies, even after fixing the error that caused the configuration to fail to load.
Conditions:
1) A parsing error exists in the BIG-IP config such that 'tmsh load sys config verify' would fail
2) There is a license reactivation or the configuration is reloaded
Impact:
ASM policy configuration is lost and all policies are reverted to empty 'stubs'
Workaround:
In the case of license re-activation/before upgrade:
Run the command "tmsh load sys config verify" prior to license activation on ASM units to be sure that the config will pass parsing and avoid the fallback to base configuration load.
In a case of booting the system into the new version:
Option 1:
1. Using the steps in either K4423 or K8465, fix the issue that was preventing the config to load.
2. Reload the config from the fixed UCS file using the command in K13132.
Option 2:
1. Roll back to the old version.
2. Fix the issue that was preventing the config to load.
3. Before activating the Boot Location of the new version at System >> Software Management : Boot Locations, make sure to set the option Install Configuration to Yes. see: K64400324
Option 3: If one of the high availability (HA) units successfully upgraded, then use config-sync to push the working config to the failing unit.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
838405-4 : Listener traffic-group may not be updated when spanning is in use
Links to More Info: BT838405
Component: TMOS
Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.
Conditions:
Spanning is disabled or enabled on a virtual address.
Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.
Depending on the configuration, virtual server may or may not forward the traffic when expected.
Workaround:
Enable/Disable spanning together with changing a traffic-group (both options have to be changed simultaneously):
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-2 spanning disabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
838305-9 : BIG-IP may create multiple connections for packets that should belong to a single flow.
Links to More Info: BT838305
Component: Local Traffic Manager
Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.
Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.
Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
832133-7 : In-TMM monitors fail to match certain binary data in the response from the server
Links to More Info: BT832133
Component: In-tmm monitors
Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system marks them DOWN.
Conditions:
This issue occurs when all of the following conditions are met:
- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).
- One or more TCP or HTTP monitors specify a receive string using HEX encoding, in order to match binary data in the server's response.
- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.
Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.
Workaround:
Either one of the following workarounds can be used:
- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.
- Do not monitor the application through a binary response (if the application allows it).
Fix:
The monitor finds the recv string and shows the pool or member as available.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
831737-3 : Memory Leak when using Ping Access profile
Links to More Info: BT831737
Component: Access Policy Manager
Symptoms:
The memory usage by pingaccess keeps going up when sending request with expired session cookie to a virtual server with PingAccess Profile.
Conditions:
1. BIG-IP virtual server that contains PingAccess Profile.
2. Request sent with expired session cookie.
Impact:
Memory leak occurs in which ping access memory usage increases.
Fix:
Fixed a memory link with the Ping Access profile.
Fixed Versions:
17.1.1, 16.1.5, 15.1.6.1
830341-5 : False positives Mismatched message key on ASM TS cookie
Links to More Info: BT830341
Component: Application Security Manager
Symptoms:
ASM system triggers false positives for ASM Cookie Hijacking violation with reason "Mismatched message key"
Conditions:
-- An HTTP request containing an old frame cookie with a different message key from the main ts cookie is rejected
-- The cookie is left intact
Impact:
All subsequent requests are rejected on ASM Cookie Hijacking violation
Workaround:
1. Disable "Learn Host Names" flag all policies. If the policy builder is on manual mode, they need to change it back to Auto mode, disable "Learn Host Names", then change to manual mode.
OR
2. Delete the mismatched cookie. This will cause the violations to stop occurring if the request comes from a legit endpoint
Fix:
In order to activate the changed functionality, set internal parameter ignore_cookies_msg_key to 1 and restart asm by executing following commands in CLI:
/usr/share/ts/bin/add_del_internal add ignore_cookies_msg_key 1
bigstart restart asm
Once enabled, ASM system does not trigger false positives.
Fixed Versions:
17.0.0, 16.1.2.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
829653-1 : Memory leak due to session context not freed
Links to More Info: BT829653
Component: Policy Enforcement Manager
Symptoms:
Memory increases slowly
Conditions:
A PEM iRule times out
Impact:
Memory could be exhausted depending on the frequency of the command timeouts
Fixed Versions:
17.0.0, 16.1.4
828761-5 : APM OAuth - Auth Server attached iRule works inconsistently
Links to More Info: BT828761
Component: Access Policy Manager
Symptoms:
The iRule attached to the OAuth Resource Server (RS) is not triggered when the traffic hits the virtual server.
Conditions:
The issue occurs during a reboot of the BIG-IP device containing an OAuth server config and an attached iRule, or when the iRule is initially assigned to the OAuth Server.
Impact:
OAuth scope check agent fails with 'HTTP error 503': as the iRule attached to the RS virtual server is not triggered.
Workaround:
For existing OAuth servers with the iRule attached, modify the iRule, for example, adding a log. This makes the iRule trigger when it is initially attached or loaded.
Fix:
The iRule is triggered when a request comes to the OAuth RS virtual server.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
827393-5 : In rare cases tmm crash is observed when using APM as RDG proxy.
Links to More Info: BT827393
Component: Access Policy Manager
Symptoms:
Tmm may crash when APM is configured as an RDG proxy to access Microsoft remote desktops and applications.
Conditions:
APM is used as RDG proxy
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Tmm does not crash when APM is configured as RDG proxy.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5
819645-1 : Reset Horizon View application does not work when accessing through F5 APM
Links to More Info: BT819645
Component: Access Policy Manager
Symptoms:
You are unable to reset VMware applications from a Windows VM client, Android VM client or HTML5 client.
Conditions:
-- VMware Horizon Proxy configured via an iApp on APM
-- Access the VM applications via APM webtop through native client /HTML5 client for windows or access applications via native client on android
Impact:
Impaired reset option functionality
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
818889-1 : False positive malformed json or xml violation.
Links to More Info: BT818889
Component: Application Security Manager
Symptoms:
A false positive malformed XML or JSON violation occurs.
Conditions:
-- A stream profile is attached (or the http profile is set to rechunk on the request side).
-- A json/XML profile attached to the virtual.
Impact:
A false positive violation.
Workaround:
Modify the http profile to work in preserve mode for request chunking (this workaround is not possible in 16.1).
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
815901-2 : Add rule to the disabled pem policy is not allowed
Links to More Info: BT815901
Component: Policy Enforcement Manager
Symptoms:
Adding rule to PEM policy is not allowed
Conditions:
A PEM policy is disabled
Impact:
You are unable to add rules to a PEM policy if it is disabled.
Fix:
Allow adding rules to disabled PEM policy
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
810917-1 : OWASP Compliance score is shown for parent and child policies that are not applicable.
Links to More Info: BT810917
Component: Application Security Manager
Symptoms:
OWASP score for a parent policy or child policy is shown as 0.
The more accurate value should be 'N/A' since these policies are not configurable for OWASP.
Conditions:
Create either child policy or parent policy. On Security ›› Application Security : Security Policies : Policies List page you will see in the OWASP Compliance score the value 0, and when going to OWASP page configuration (Security ›› Overview : OWASP Compliance) the user will see a note that the policy is not configurable for OWASP.
Impact:
When looking on the policies list, the user may get the impression that the parent or child policies can be configured to comply with OWASP.
Workaround:
Ignore OWASP Compliance score for child and parent policies.
Fixed Versions:
17.0.0, 16.1.4
808913-1 : Big3d cannot log the full XML buffer data
Links to More Info: BT808913
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d cannot log the full XML buffer data:
-- notice big3d[12212]: 012b600d:5: Probe from ::ffff:11.11.1.21:45011: len 883/buffer = <vip>.
Conditions:
The gtm.debugprobelogging variable is enabled.
Impact:
Not able to debug big3d monitoring issues efficiently.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
805821-1 : GTP log message contains no useful information
Links to More Info: BT805821
Component: Service Provider
Symptoms:
GTP profile and GTP iRules provide no useful information in order to proceed with troubleshooting.
Conditions:
GTP profile or iRules fails to process message
Impact:
User lacks of information for troubleshooting
Workaround:
N/A
Fix:
GTP error log has been replaced with a more useful message. The new log message provides more intuitive information including the reason and, in some messages, location of data that causes the failure.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
804529-1 : REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools
Links to More Info: BT804529
Component: TMOS
Symptoms:
The GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats for a specific pool may fail with Error 404.
Conditions:
Pools that start with the letter 'm'. This is because those endpoints contain objects with incorrect selflinks.
For example:
- Query to the below pool that starts with the letter 'm' will work as it contains the right selflink.
- Pool: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats"
- selfLink: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats?ver=x.x.x.x"
- Query to the below pool that does not start with the letter 'm' may not work as it contains the wrong selflink.
- Pool: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats"
- selfLink: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats?ver=x.x.x.x"
In the above example, the word 'members' is displayed in selflink.
Impact:
Errors are observed with GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats.
Workaround:
The following workarounds are available:
1. Use /mgmt/tm/ltm/pool/members/stats without a specific pool, which does return the pool member stats for every pool.
2. For each pool member in /mgmt/tm/ltm/pool, issue a GET for:
/mgmt/tm/ltm/pool/<pool>/members/<member>/stats
Fix:
The REST endpoint /mgmt/tm/ltm/pool/members/stats/<specific pool> will have the working endpoints returned.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
803109-4 : Certain configuration may result in zombie forwarding flows
Links to More Info: BT803109
Component: Local Traffic Manager
Symptoms:
OneConnect profile in conjunction with 'Source-port preserve-strict' or cmp-hash setting of 'dst-ip' or 'src-ip' on the server-side VLAN may result in zombie forwarding flows.
On the server-side the incoming traffic hits a different TMM from the one that handles the outgoing traffic.
Unexpected 'Inet port exhaustion' messages may be logged in the LTM log file.
Conditions:
-- OneConnect configured.
And one of the following:
-- Source-port is set to preserve-strict.
-- The cmp-hash setting on the server-side VLAN is set to 'dst-ip' or 'src-ip'.
Impact:
Zombie forwarding flows. Over time, the current allocation count grows and does not return to its prior level when traffic stops.
The current allocation can be checked with this command:
# tmctl memory_usage_stat name=connflow -s name,cur_allocs
Workaround:
You can use any of the following workarounds:
-- Remove the OneConnect profile from the Virtual Server.
-- Do not use 'source-port preserve-strict' setting on the Virtual Server.
-- Set the 'cmp-hash default' on the server-side VLAN if it is set to 'cmp-hash src-ip' or 'cmp-hash dst-ip'.
Note: After making this change, it may be necessary to run the command 'tmsh restart sys service tmm', which will clear the old flows but also impact traffic. Traffic interrupted while tmm restarts.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
796065-2 : PingAccess filter can accumulate connections increasing memory use.
Links to More Info: BT796065
Component: Access Policy Manager
Symptoms:
Currently the maximum http header count value for ping access is 64. The connection to the backend is aborted if there are more than 64 headers.
Conditions:
1. Ping access is configured.
2. The HTTP header count is more than 64.
Impact:
Connection is aborted by the BIG-IP system users are unable to access the backend.
Workaround:
None
Fix:
Fixed an issue with the ping access filter.
Fixed Versions:
16.1.4
794385-6 : BGP sessions may be reset after CMP state change
Links to More Info: BT794385
Component: Local Traffic Manager
Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.
This happens in the following instances:
- Blade reset.
- Booting up or shutting down.
- Running 'bigstart restart'.
- Setting a blade state from/to primary/secondary.
During these events, there is a small chance that ingress ACK packet of previously established BGP connection is going to be disaggregated to the new processing group(TMMs) and selected TMM is ready to process traffic, but is not ready yet to process traffic for existing connection. In this case, connection isn't processed and reset instead.
Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BGP peering is configured.
-- CMP state change is occurred on one of the blades.
-- BGP ingress ACK packet is disaggregated to TMM, which either wrong TMM or not ready to process the packet of already established connection
Impact:
Affected BGP peering is reset and dynamic routes learnt by the configured protocol are withdrawn, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decisions are from networks learnt by affected routing protocols when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.
Workaround:
There is no workaround, but the issue was never seen with a configuration where CMP hash of affected VLAN is changed back to Default value.
Fix:
BGP session is no longer reset during CMP state change.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
791669-5 : TMM might crash when Bot Defense is configured for multiple domains
Links to More Info: BT791669
Component: Application Security Manager
Symptoms:
TMM might crash and generate a core file when using a Bot Defense profile that is configured for multiple domains.
Conditions:
Bot Defense is configured with multiple 'Related Site Domains' and attached to a virtual server.
Impact:
TMM crash with core. Traffic disrupted while tmm restarts.
Workaround:
None,
Fix:
TMM no longer crashes when Bot Defense is configured for multiple domains.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.2.3
780857-4 : HA failover network disruption when cluster management IP is not in the list of unicast addresses
Links to More Info: BT780857
Component: Local Traffic Manager
Symptoms:
If the cluster management IP address is not in the list of failover network unicast addresses, the blade management IP addresses in the unicast mesh will not be able to receive failover messages from peer devices.
Conditions:
-- VIPRION chassis or vCMP guest on a VIPRION chassis.
-- Per-blade management IP addresses listed in the failover network unicast mesh.
-- No cluster management IP address listed.
Impact:
The blade management IP addresses in the failover network unicast mesh stop functioning:
[root@VIP2200-R75-S5:/S1-green-P::Standby:In Sync] config # tmctl -w 200 -S sod_tg_conn_stat
entry_key local_failover_addr remote_device_name pkts_received transitions last_msg status
----------------------------- ------------------- ------------------------------ ------------- ----------- ---------- ------
10.200.75.8->10.10.10.1:1026 10.10.10.1:1026 VIP2200-R75-S8.sin.pslab.local 3249 3 1555399271 1
10.200.75.8->10.200.75.3:1026 10.200.75.3:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
10.200.75.8->10.200.75.4:1026 10.200.75.4:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
Workaround:
You can add an explicit management IP firewall rule to allow this traffic:
tmsh modify security firewall management-ip-rules rules add { accept_udp_1026 { place-before first ip-protocol udp destination { ports add { 1026 } } action accept } }
This will add a firewall policy so port 1026 is no longer locked down, and the blade management IP addresses in the unicast mesh should begin to function properly.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
776117-1 : BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type
Links to More Info: BT776117
Component: TMOS
Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type.
Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor.
Impact:
The BIG-IP will not use the virtio driver, using the sock (or unic, in versions prior to 14.1.0) driver instead.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
760496-4 : Traffic processing interrupted by PF reset
Links to More Info: BT760496
Component: TMOS
Symptoms:
CPU usage increases after PF reset. Traffic between client and server is interrupted.
Conditions:
-- E710 NICs are used.
-- Reset PF.
Impact:
The BIG-IP instance requires a restart after PF reset to resume traffic processing.
Workaround:
Restart the BIG-IP device.
Fix:
A TMSH db variable ve.ndal.exit_on_ue, is introduced to enable/disable device restart on PF reset. On restart, a new error message within /var/log/tmm is written. Error message: "Restarting TMM on unrecoverable error."
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
760355-4 : Firewall rule to block ICMP/DHCP from 'required' to 'default'★
Links to More Info: BT760355
Component: Advanced Firewall Manager
Symptoms:
If a firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.
Conditions:
- Firewall is configured on the management port.
- Firewall is configured with an ICMP rule to block.
- Firewall is configured with an ICMP rule to allow.
Impact:
ICMP packets cannot be blocked with a firewall rule to drop on the management port. ICMP packets are allowed from the management port and will not increase the counter even if explicitly allowed by a rule.
Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.
# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP
Fix:
ICMP firewall rule has been moved from the f5-required to f5-default.
Fixed Versions:
16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1
759928-6 : Engineering Hotfixes might not contain all required packages
Links to More Info: BT759928
Component: TMOS
Symptoms:
An Engineering Hotfix might be missing certain required packages.
Conditions:
This can occur with certain Engineering Hotfixes.
Impact:
Some of the required packages may be missing.
Workaround:
None
Fix:
Engineering Hotfix ISOs now automatically include packages for targets that may be affected by code change in a specific target.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
756918-4 : Engineering Hotfix ISOs may be nearly as large as full Release ISOs
Links to More Info: BT756918
Component: TMOS
Symptoms:
Engineering Hotfix ISO images might be unexpectedly large.
Conditions:
This might occur with certain Engineering Hotfix builds.
Impact:
Engineering Hotfixes are unnecessarily large.
Workaround:
None
Fix:
Engineering Hotfix ISO images are no longer created with a size that may occasionally exceed 2 GB, and no longer contain a complete set of packages replacing all packages installed by the original BIG-IP release upon which the Engineering Hotfix is based.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
755976-9 : ZebOS might miss kernel routes after mcpd deamon restart
Links to More Info: BT755976
Component: TMOS
Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some of kernel routes (virtual addresses).
One of the most common scenario is a device reboot.
Conditions:
-- Dynamic routing is configured.
-- Virtual address is created and Route Advertisement is configured:
imish -e 'sh ip route kernel'
-- mcpd daemon is restarted or device is rebooted.
Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.
Workaround:
There are several workarounds; here are two:
-- Restart the tmrouted daemon:
bigstart restart tmrouted
-- Recreate the affected virtual address.
Fix:
The kernel route is now present in the ZebOS routing table after mcpd daemon restart.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
752077-4 : Kerberos replay cache leaks file descriptors
Links to More Info: BT752077
Component: Access Policy Manager
Symptoms:
APMD reports 'too many open files' error when reading HTTP requests:
-- err apmd[15293]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 113 Msg: epoll_create() failed [Too many open files].
-- err apmd[15293]: 01490000:3: ApmD.cpp func: "process_apd_request()" line: 1801 Msg: Error 3 reading/parsing response from socket 1498. strerror: Too many open files, queue size 0, time since accept
There are file descriptor dumps in /var/log/apm showing many deleted files with name krb5_RCXXXXXX:
-- err apmd[15293]: 01490264:3: 1492 (/shared/tmp/krb5_RCx8EN5y (deleted)) : cloexec, Fflags[0x8002], read-write
-- err apmd[15293]: 01490264:3: 1493 (/shared/tmp/krb5_RCnHclFz (deleted)) : cloexec, Fflags[0x8002], read-write
-- err apmd[15293]: 01490264:3: 1494 (/shared/tmp/krb5_RCKGW8ia (deleted)) : cloexec, Fflags[0x8002], read-write
Conditions:
This failure may happen if the access policy uses Kerberos authentication, Active Directory authentication, or Active Directory query. The conditions under which the Kerberos replay cache leaks is unknown.
Impact:
APM end users experience intermittent log on issues.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
749332-1 : Client-SSL Object's description can be updated using CLI and with REST PATCH operation
Links to More Info: BT749332
Component: TMOS
Symptoms:
REST PUT fails to update the object description when proxy-ca-cert and proxy-ca-key are not configured, and triggers an error:
SSL forward proxy RSA CA key is missing.
Conditions:
Issue is seen only with REST PUT operation, and when proxy-ca-cert and proxy-ca-key are not configured.
Impact:
REST PUT operation cannot be used to update/modify the description.
Workaround:
You can use either of the following:
-- You can use TMSH to update/modify the description, even if proxy-ca-cert and proxy-ca-key are not configured.
-- You can also use PATCH operation and send only the required field which need modification.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.4
748886-4 : Virtual server stops passing traffic after modification
Links to More Info: BT748886
Component: Local Traffic Manager
Symptoms:
A virtual server stops passing traffic after changes are made to it.
Conditions:
-- Virtual server is using a port-list or address-list
-- High availability (HA) environment with multiple traffic groups
-- A change is made to the virtual server
Impact:
Every time you make changes to the virtual server, the traffic-group for the virtual address is changed, and traffic goes down.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
742753-8 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail
Links to More Info: BT742753
Component: TMOS
Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.
Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:
- Remove the Referer header.
- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.
Impact:
Users cannot log on to the BIG-IP system's WebUI.
Workaround:
As a workaround, you can do any of the following things:
- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).
- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).
- Modify the proxy solution so that it inserts compatible Referer and Host headers.
Fix:
CSRF checks based on HTTP headers pre-logon have been improved.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
738716-1 : Add support for "Restart Desktop" setting in View clients, native as well as HTML5 clients
Links to More Info: BT738716
Component: Access Policy Manager
Symptoms:
When VMware resources are accessed through APM VMware VDI, the "Restart Desktop" setting is not seen on enumerated for Desktop resource. The same issue is observed with HTML5 clients.
Conditions:
- VMware Native or HTML5 client is used
- APM VMware VDI is used
- Desktop resources should be enumerated
- Right click on resource
Impact:
Unable to restart desktop from native and HTML5 clients.
Workaround:
None
Fix:
Restart desktop is successful and it works as expected.
Fixed Versions:
17.1.1, 16.1.5
738593-3 : Vmware Horizon session collaboration (shadow session) feature does not work through APM.
Links to More Info: BT738593
Component: Access Policy Manager
Symptoms:
When the VMware virtual desktop interface (VDI) is configured, session collaboration or shadow session does not work.
Conditions:
-- VMware VDI configured and Desktop resource is accessed with native client only.
-- Launch resources and VMware Horizon Client will use Blast protocol to display VMware sessions.
-- Shadow session is enabled in desktop.
Impact:
Desktop's Shadow session resource icon is not showed on webtop of native client.
Workaround:
None
Fix:
Users should see Desktop's shadow session icon when resources are loaded on to webtop of native client.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
737692-5 : Handle x520 PF DOWN/UP sequence automatically by VE
Links to More Info: BT737692
Component: TMOS
Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, i.e. the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that the BIG-IP VE can use). If an x520 device's PF is marked down and then up, tmm does not recover traffic on that interface.
Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.
Impact:
VE does not process any traffic on that VF.
Workaround:
Reboot VE.
Fix:
Tmm now restarts automatically when the PF comes back up after going down.
Behavior Change:
Tmm now restarts automatically when the PF comes back up after going down.
Fixed Versions:
17.1.1, 16.1.5, 15.1.3.1
724653-5 : In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync.
Links to More Info: BT724653
Component: TMOS
Symptoms:
In a device-group configuration, a BIG-IP administrator can add a non-synced object to a partition on one device, then delete that partition on a peer device, syncing the delete (this is assuming the partition is empty on the peer).
Although the config-sync operation will report as having completed successfully on both devices, and no errors will be visible in the /var/log/ltm file of either device, a number of issues can manifest at a later time.
For instance, assuming the non-synced object was a VLAN, listing all VLANs across all partitions will return the following error:
root@(bigip-ntr-d)(cfg-sync In Sync)(Active)(/)(tmos)# list net vlan recursive
01070712:3: Internal error, can't load folder or nested folder for: /test/my_vlan
And reloading the config will return the following error (as the partition has been deleted, including its flat config files):
root@(bigip-ntr-d)(cfg-sync In Sync)(Active)(/Common)(tmos)# load sys config
Loading system configuration...
/defaults/asm_base.conf
/defaults/config_base.conf
/defaults/ipfix_ie_base.conf
/defaults/ipfix_ie_f5base.conf
/defaults/low_profile_base.conf
/defaults/low_security_base.conf
/defaults/policy_base.conf
/defaults/wam_base.conf
/defaults/analytics_base.conf
/defaults/apm_base.conf
/defaults/apm_saml_base.conf
/defaults/app_template_base.conf
/defaults/classification_base.conf
/var/libdata/dpi/conf/classification_update.conf
/defaults/urlcat_base.conf
/defaults/daemon.conf
/defaults/pem_base.conf
/defaults/profile_base.conf
/defaults/sandbox_base.conf
/defaults/security_base.conf
/defaults/urldb_base.conf
/usr/share/monitors/base_monitors.conf
Loading configuration...
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
01070523:3: No Vlan association for STP Interface Member 1.2.
Unexpected Error: Loading configuration process failed.
These are just examples, and the exact failures will depend on the type of non-synced object and its use within your configuration.
Conditions:
-- Two or more devices in a device-group configuration.
-- Using partitions that contain non-synced objects.
-- Deleting the partition on a device and syncing the changes to the other devices.
Impact:
The partition is deleted on the peer device, even though it still contains non-synced objects. A number of config issues can arise at a later time as a result of this.
Workaround:
In some cases, if you need to define non-synced objects, you can do so in partitions or folders that are associated with 'device-group none' and 'traffic-group none'. This would prevent the partition or folder from synchronizing to other devices in the first place.
Fix:
Validation has been added that will make a config-sync receiver reject the operation if this includes the deletion of a non-empty partition. In this case, the config-sync will fail and report an error message similar to the following example:
0107082a:3: All objects from local device and all HA peer devices must be removed from a partition (test) before the partition may be removed, type ID (467), text ID (60706)
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5
723109-2 : FIPS HSM: SO login failing when trying to update firmware
Links to More Info: BT723109
Component: TMOS
Symptoms:
After FIPS device initialization when trying to update the FIPS firmware. It may fail on SO login.
Conditions:
When trying to update FIPS firmware.
Impact:
This will not be able to upgrade the FIPS firmware.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
720610-4 : Automatic Update Check logs false 'Update Server unavailable' message on every run
Links to More Info: BT720610
Component: TMOS
Symptoms:
The Automatic Update Check operation erroneously logs a message indicating that the Update Server is unavailable on every run, successful or not.
Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.
Impact:
Misleading 'PHONEHOME: Update Server unavailable' messages in the log file, implying that the update server is not available.
Workaround:
None.
Fix:
The Automatic Update Check operation no longer logs false messages.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.2.7, 13.1.3
717806-8 : In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured
Links to More Info: BT717806
Component: Local Traffic Manager
Symptoms:
Load average peaks are observed when a high number of monitors (>= 200) are configured across 'n' bigd instances.
Conditions:
When a high number of monitors are configured across 'n' bigd instances. CPU load peaks appear and disappear periodically.
Impact:
No performance impact
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
715748-7 : BWC: Flow fairness not in acceptable limits
Links to More Info: BT715748
Component: TMOS
Symptoms:
Flow fairness for BWC dynamic policy instance has reduced.
Conditions:
The flow fairness is up to 50%. It is expected to be within 25%.
Impact:
Flow fairness of BWC dynamic policy across sessions is not as expected.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
713754-3 : Apache vulnerability: CVE-2017-15715
Links to More Info: K27757011
693473-8 : The iRulesLX RPC completion can cause invalid or premature TCL rule resumption
Links to More Info: BT693473
Component: Local Traffic Manager
Symptoms:
RPC completion will attempt to resume the RPC iRule execution when there is subsequent iRule activity on the flow - CLIENT/SERVER_CLOSED, for instance, which keeps the flow alive and blocks in an iRule event.
Conditions:
Blocking the iRule event When an RPC call is outstanding and the flow is aborted.
Impact:
It will cause the iRule event blocking when RPC call is outstanding and the flow is aborted
Workaround:
None
Fix:
Cancel ILX RPC TCL resumption if iRule event is aborted before resumption (reply or timeout) occurs.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
686783-1 : UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters.
Links to More Info: BT686783
Component: Traffic Classification Engine
Symptoms:
If a UrlCat custom database feed list has URLs containing a www prefix or capital letters, the URLs are not categorized when queried.
Conditions:
The UrlCat custom database feed list with URL containing www prefix or capital letters,
Impact:
Improper classification
Workaround:
Using an iRule can help classify the URL.
Fix:
Normalized the URL before putting in the custom database.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
674026-6 : iSeries AOM web UI update fails to complete.★
Links to More Info: BT674026
Component: TMOS
Symptoms:
Upon upgrading a BIG-IP version, AOM web UI updates can sometimes fail.
Conditions:
This occurs when upgrading a BIG-IP system's software version on iSeries platforms.
Impact:
After booting to a new version, the AOM web UI update fails with an error message in /var/log/ltm similar to the following:
err bmcuiupdate[20824]: Failed updated AOM web UI with return code 2
Workaround:
At the bash prompt run:
/etc/lcdui/bmcuiupdate
This triggers another upgrade attempt, and the result is logged in /var/log/ltm. This should not be service-affecting.
Fix:
AOM web UI update failures are now automatically corrected.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
673952-6 : 1NIC VE in high availability (HA) device-group shows 'Changes Pending' after reboot
Links to More Info: BT673952
Component: TMOS
Symptoms:
When Virtual Edition (VE) is configured for 1NIC, you will see the following logs on reboot indicating that configuration has been loaded from file:
notice tmsh[12232]: 01420002:5: AUDIT - pid=12232 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all base
notice tmsh[12392]: 01420002:5: AUDIT - pid=12392 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all
Conditions:
- VE configured in 1NIC mode.
- Unit booted either through reboot or power on.
Impact:
This is unlikely to have any impact if the VE is in standalone mode but could result in an unexpected config if the configuration files differ.
If the VE is part of a device-group, then this will result in a commit id update and the units will show 'Changes pending'.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.5
672963-1 : MSSQL monitor fails against databases using non-native charset
Links to More Info: BT672963
Component: Local Traffic Manager
Symptoms:
MSSQL monitor is fails against databases using non-native charset.
Conditions:
MSSQL monitor configured to monitor a database that is using non-native charset (ISO-8859-1).
Impact:
MSSQL monitoring always marks node / member down.
Workaround:
On BIG-IP v13.x and v14.0.x, you can work around this issue using the following steps:
1. Log in to the BIG-IP console into a bash prompt.
2. Run the following command:
mount -o remount,rw /usr; ln -s /usr/java-64/openjdk/lib/charsets.jar /usr/java/openjdk/lib/charsets.jar; mount -o remount,ro /usr
3. Restart bigd:
bigstart restart bigd
Fix:
MSSQL monitor can be used effectively against a database using a non-native charset.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
669046-7 : Handling large replies to MCP audit_request messages
Links to More Info: BT669046
Component: TMOS
Symptoms:
When receiving very large replies to MCP messages (e.g., when viewing audit logs from the GUI), MCP can run out of memory and produce a core file. This is due in part to the amount of data returned, and also due in part to memory handling.
In a production environment, fragmentation naturally occurs over the lifetime of MCP, thus increasing the odds of this happening. In addition, larger configurations cause more space to be consumed in MCPD and might more easily lead to the fragmentation, resulting in this issue.
Conditions:
Receiving very large replies to MCP messages (e.g., from audit_request messages, which occurs when you view audit logs from the GUI).
Memory usage is already high.
Impact:
Allocation of memory for viewing the audit logs fails. MCP can run out of memory and produce a core file.
Workaround:
Use tmsh/bash to view the audit logs instead of the GUI when audit logs are extremely large and memory usage is already high.
Fix:
Viewing audit logs in the GUI is now limited to 10,000 lines, so this issue no longer occurs.
Behavior Change:
The GUI is limited to viewing no more than 10,000 lines of the audit log.
You can use tmsh/bash to view audit logs larger than 10,000 lines.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
662301-8 : 'Unlicensed objects' error message appears despite there being no unlicensed config
Links to More Info: BT662301
Component: TMOS
Symptoms:
An error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.
Examination of the configuration and license shows that there are no configuration errors or unlicensed configuration objects. The device is operational.
Conditions:
The BIG-IP system is licensed and the configuration loaded.
Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.
Workaround:
On an appliance, restart mcpd by running the following command:
bigstart restart mcpd
On a VIPRION or vCMP guest running on a VIPRION, restart MCPD on all blades by running the following command:
clsh bigstart restart mcpd
Note: This causes a system to go offline while services restart. Traffic disrupted while services restart.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
634576-3 : TMM core in per-request policy
Links to More Info: K48181045, BT634576
Component: Access Policy Manager
Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.
Conditions:
APM or SWG per-request policy with reject ending.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores when per-request policy encounters reject ending.
Fixed Versions:
16.1.5, 13.1.0
605966-9 : BGP route-map changes may not immediately trigger route updates
Links to More Info: BT605966
Component: TMOS
Symptoms:
When a route-map is used to filter BGP advertisements, changes to the route-map that affect the filtered routes may not trigger an update to the affected routes.
Conditions:
BGP in use with a route-map filtering advertisements.
Impact:
BGP table may not reflect route-map changes until "clear ip bgp" is executed.
Workaround:
Run "clear ip bgp <neighbor>".
Fix:
Changing a route-map used with BGP updates affected routes without clearing the session.
Fixed Versions:
16.1.5
586948-2 : Dynamic toggling for HSB hardware checksum validation
Links to More Info: BT586948
Component: TMOS
Symptoms:
Disabling hardware checksum validation on BIG-IP requires manually editing a config tcl file and restarting TMM.
Conditions:
- Configuring HSB hardware checksum validation.
Impact:
None
Workaround:
None
Fix:
HSB hardware checksum validation can now be configured by using the new DB variable "tmm.hsb.hwchecksumvalidation".
When the value of this DB variable is changed, the HSB will be updated immediately without requiring a TMM restart.
Fixed Versions:
17.1.0, 16.1.5
574762-4 : Forwarding flows leak when a routing update changes the egress vlan
Links to More Info: BT574762
Component: Local Traffic Manager
Symptoms:
Forwarding flow doesn’t expire and leaks a connflow object.
Conditions:
Conditions to hit this are a route change on forwarded flows.
Impact:
Memory leak.
Workaround:
None
Fix:
Fixed a memory leak with forwarding flows.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
528894-5 : Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition
Links to More Info: BT528894
Component: TMOS
Symptoms:
Configuration stanzas that do not belong in the files of a non-Common partition appear there. These stanzas could include, for example, 'net trunk' or 'sys ha-group' objects.
Conditions:
-- The system includes partitions other than Common.
-- Configuration in a partition other than Common is modified.
-- A Config-Sync operation not involving an overwrite takes place (it is also possible to reproduce this issue on a standalone BIG-IP system by doing a save operation like the following: "tmsh save sys config partitions { Common other }").
Impact:
/config/partitions/<partition_name>/bigip_base.conf will contain extraneous config stanzas (such as the ones mentioned in Symptoms).
/config/bigip_base.conf will no longer contain config stanzas that belong there.
Note that the impact is mostly cosmetic. An affected device will still be able to correctly load its configuration even if some config stanzas appear in the wrong flat config file.
However, Administrators performing audits of the flat config files will be perplexed as to why some stanzas are moving back and forth between partitions.
Workaround:
If you wish to restore your flat config files to their proper state after the issue has already occurred, simply run "tmsh save sys config" on the affected device.
Alternatively, to prevent the issue in the first place, you can Config-Sync using the following command "tmsh run cm config-sync force-full-load-push to-group <device-group>".
Note that neither workaround is permanent and the issue will reoccur.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5
504374-1 : Cannot search Citrix Applications inside folders
Links to More Info: BT504374
Component: Access Policy Manager
Symptoms:
Search in webtop will not consider Citrix applications inside folders while searching.
Conditions:
Citrix applications available inside folder
Impact:
Unable to search Citrix applications inside folders.
Workaround:
None
Fixed Versions:
16.1.5
490138-1 : Kerberos Auth might fail in case BIG-IP is configured with multiple AAA Kerberos Servers
Links to More Info: BT490138
Component: Access Policy Manager
Symptoms:
In case BIG-IP is configured with multiple AAA Kerberos Server objects and those Kerberos Server uses different keytabs for different service account but for the same realm,
authentication may fail intermittently
Conditions:
- multiple AAA Kerberos Servers created
- AAA Kerberos servers are configured with different keytabs
- the keytabs are for different service accounts but for the same realm
Impact:
Kerberos authentication fails, user cannot log in
Workaround:
As a workaround, it is suggested to merge keytab files and use cumulative keytab file for all AAA Kerberos Servers
Administrator can merge keytab files with "ktutil" kerberos utility that is installed at BIG-IP.
1. run ktutil
2. load all the keytab files to merge using:
rkt <file>
3. you cal list currently loaded entries with "l"
4. after you load all required keytabs, save new keytab with
wkt <newfile>
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
435231 : Support RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral parameters
Links to More Info: K79342815, BT435231
Component: Local Traffic Manager
Symptoms:
RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) parameters are not supported.
Conditions:
This affects ciphersuites that use Diffie–Hellman Ephemeral (DHE) key exchange.
Impact:
Support for larger FFDHE groups will be chosen if offered by the client.
Note: You might notice an impact to performance as compared with the previously chosen DHE 1024.
Workaround:
None
Fix:
With the support for the FFDHE groups defined in RFC7919, the system now supports DHE2048, DHE3072, DHE4096 keys. The default DHE key size is 2048 bits. (In previous BIG-IP versions, the default was 1024 bits.)
You can configure this default value by enabling or disabling the DB variable tmm.ssl.dh1024. To do so, use the following TMSH command syntax:
modify sys db tmm.ssl.dh1024 value enable/disable
To use FFDHE2048, FFDHE3072, FFDHE4096 keys, you define them in a cipher rule, and then use this rule in a cipher group before associating it with an SSL profile.
Note: If you use a cipher rule that does not define any of the FFDHE2048, FFDHE3072, or FFDHE4096 groups (e.g., f5-default), this feature is not enabled.
For more information, and for steps to define these rules, see K79342815: BIG-IP support for RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) :: https://support.f5.com/csp/article/K79342815.
Behavior Change:
RFC7919 Negotiated FFDHE parameters are now supported.
The FFDHE2048, FFDHE3072, FFDHE4096 keys are supported in this release. The default is DHE 2048 bits.
In previous versions, the default DHE key size was 1024 bits. If you want to continue to use DHE 1024 you can enable db var tmm.ssl.dh1024, by default it is disabled.
For more information, and for steps to use this feature, see K79342815: BIG-IP support for RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) :: https://support.f5.com/csp/article/K79342815.
Fixed Versions:
17.0.0, 16.1.2.2
427094-1 : Accept-language is not respected if there is no session context for page requested.
Links to More Info: BT427094
Component: Access Policy Manager
Symptoms:
Localization settings are determined when the session is created.
As a result, when the user logs out, there is user context left for APM to determine what language to present to the user.
So, when user is using the localized logon page, after the refresh it turns to the default language.
Conditions:
After configuring the preferred language, When refreshing login page twice, language is changed to default Eng.
Impact:
APM page doesn't load the preferred language after refreshing twice.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
423519-5 : Bypass disabling the redirection controls configuration of APM RDP Resource.
Links to More Info: K74302282, BT423519
Component: Access Policy Manager
Symptoms:
User can bypass RDP resource redirection restrictions between RDP remote machine and local machine.
Conditions:
1. Create RDP resource. Disable redirection parameter.
2. Launch the resource.
3. Launch RDP Client, enable redirection parameter.
Impact:
User can bypass RDP resource restrictions.
Workaround:
NA
Fix:
User is not allowed to perform any redirection controls of the RDP resource.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1615861-2 : TMUI hardening
Component: TMOS
Symptoms:
In certain scenarios, TMUI does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
No work around
Fix:
Best security practices are now applied
Fixed Versions:
16.1.5.1, 15.1.10.5
1593681-2 : Monitor validation improvements
Component: TMOS
Symptoms:
Monitor validation did not follow expected behavior.
Conditions:
N/A
Impact:
N/A
Workaround:
No mitigation
Fix:
Only allow trusted admins to create and upload custom monitors. Do not upload untrusted monitors.
Fixed Versions:
16.1.5, 15.1.10.5
1560497 : Host is unreachable, vector is not mitigated by HW at profile level.
Links to More Info: BT1560497
Component: Advanced Firewall Manager
Symptoms:
HW drops are not getting incremented when traffic was sent to Host. Unreachable vector at profile level.
Conditions:
Configure the Host unreachable vector detection and mitigation limits at profile level.
Impact:
Hardware mitigation does not happen at profile level.
Workaround:
None
Fix:
Handled, neuron support checks for host with unreachable vector as the support was not there, such that, the packets were routed directly to flow table to effect the hardware stats.
Fixed Versions:
16.1.5
1552685-5 : Issues are observed with APM Portal Access on Chrome browser version 122 or later
Links to More Info: K000138771, BT1552685
Component: Access Policy Manager
Symptoms:
Web application using APM Portal Access stops working after upgrading to Chrome browser version 122 or later or a similar MS Edge browser version.
Conditions:
-- Chrome browser version 122 or later or a similar MS Edge browser version
-- APM Portal Access
Impact:
Applications will not work through Portal Access.
Workaround:
An iRule/iFile workaround is available. Refer to K000138771: APM Portal Access stops working after upgrading Chrome to version 122 (https://my.f5.com/manage/s/article/K000138771)
Fix:
APM portal access will work with Chrome browser version 122 or later or a similar MS Edge browser version.
Fixed Versions:
16.1.5
1538173-3 : Bados TLS fingerprints works incorrectly with chrome's new versions
Links to More Info: BT1538173
Component: Anomaly Detection Services
Symptoms:
The requests from the same Chrome browser but from different connections can have different TLS fingerprints
Conditions:
Behavioral L7 DOS is configured, BAD actors behavior detection configured with "Use TLS patterns as part of host identification" option.
Some good clients or attackers use new versions of Chrome
Impact:
The same user will be identified and examined as a different users
Workaround:
Don't use "TLS patterns as part of host identification" option"
Fix:
The requests from the same Chrome browser have different TLS fingerprints
Fixed Versions:
16.1.5
1507913-2 : CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources
Links to More Info: K000139084, BT1507913
1507569-2 : KeyTrap: Extreme CPU consumption in DNSSEC validator
Links to More Info: K000139092, BT1507569
1506049-2 : Parsing large DNS messages may cause excessive CPU load
Links to More Info: K000138990, BT1506049
1506009-1 : Oauth core
Links to More Info: BT1506009
Component: Access Policy Manager
Symptoms:
TMM crashes during a configuration sync while passing OAuth traffic.
Conditions:
-- OAuth configured with opaque token generation
-- A configuration sync occurs
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Identified and addressed the db proxy connection pointer validation in case of rollback when db query fails.
Fixed Versions:
16.1.5
1506005-2 : TMM core occurs due to OAuth invalid number of keys or credential block size
Links to More Info: BT1506005
Component: Access Policy Manager
Symptoms:
TMM crashes during a configuration sync while passing OAuth traffic.
Conditions:
-- OAuth is configured.
-- A configuration sync occurs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Modified the terminating condition based on the credential block length with the number of keys.
Fixed Versions:
16.1.5
1505789-2 : VPN connection fails with Edge client 7.2.4.6 with error "Network is vulnerable"★
Links to More Info: K000138683, BT1505789
Component: Access Policy Manager
Symptoms:
When the user is upgraded to edge client version 7.2.4.6, they may fail to connect to the VPN server.
Conditions:
1. If LTM VS/NATed device is present before APM VPN enabled virtual server or any cases where client receives the VPN server IP different in the IP header and pre/config message.
2. BIG-IP versions v17.1.1.1 or v16.1.4.2 or v15.1.10.3 used along with edge client version 7.2.4.6.
Impact:
The user fails to connect to the VPN.
Workaround:
See the Recommended Actions at K000138683: Users cannot connect to BIG-IP APM virtual servers with BIG-IP Edge Client 7246, available at https://my.f5.com/manage/s/article/K000138683
Fix:
The user should be able to connect to the VPN even after the upgrade.
Fixed Versions:
16.1.5
1505753-1 : Maximum Fragment Length extension is not visible in ServerHello even though it is present in ClientHello
Links to More Info: BT1505753
Component: Local Traffic Manager
Symptoms:
When the request from the client contains the Maximum Fragment Length header, BIG-IP is able to process it and honors the functionality, but this parameter is not added to the ServerHello.
Conditions:
Send a request from a client that contains the maximum fragment length extension.
Impact:
The ClientHello succeeds but the TLS Handshake fails when the Server Hello is received.
Workaround:
None
Fixed Versions:
16.1.5
1505413 : Error in Wrapper for Array.slice Method When F5_window_link is Undefined
Links to More Info: BT1505413
Component: Access Policy Manager
Symptoms:
When Modern Rewrite Mode is used, an error occurs while processing traffic:
cache-fm-Modern.js:481 Uncaught TypeError: Cannot read properties of undefined (reading 'Array')
Conditions:
Modern Rewrite Mode is used
Impact:
Application does not function properly
Workaround:
Use the below iFile iRule:
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
if {
[HTTP::path] ends_with "cache-fm-Modern.js"
} {
HTTP::respond 200 content [ifile get ModernCachefm]
}
}
iFile - Contact F5 support for iFile
Fix:
Application is working fine now
Fixed Versions:
16.1.5
1496701-1 : PEM CPPE reporting buffer overflow resulting in core
Links to More Info: BT1496701
Component: Policy Enforcement Manager
Symptoms:
PEM writes into buffer without checking size hence resulting unknown behavior or core.
TMM starts coring and rebooting.
Conditions:
1) PEM policy with action reporting is configured.
2) Reporting ->hsl-> session-reporting-fields has large number of fields.
Impact:
TMM core, hence service disruption.
Fix:
Check the bounds before each write
Fixed Versions:
16.1.5
1496457-2 : TMM crash under certain traffic patterns when an HTTP/2 profile is applied.
Component: Local Traffic Manager
Symptoms:
A TMM crash.
Conditions:
An LTM virtual server with an HTTP/2 profile attached.
Impact:
A TMM crash.
Workaround:
Set up HA pairs when configuring your BIG-IP device.
Fix:
The issue no longer occurs.
Fixed Versions:
16.1.5
1496269-2 : VCMP guest on version 16.1.4 or above might experience constant TMM crashes.★
Links to More Info: BT1496269
Component: TMOS
Symptoms:
VCMP guest on version 16.1.4 or above might experience constant TMM crashes.
Conditions:
VCMP guest running version from 16.1.x software train, 16.1.4 or above.
vCMP host running any other software version.
Impact:
Post upgrade TMM enters crash/core loop on vCMP guest. Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
16.1.5
1495217-3 : TMUI hardening
Links to More Info: K000138636, BT1495217
1494833-3 : A single signature does not match when exceeding 65535 states
Links to More Info: K000138898, BT1494833
Component: Application Security Manager
Symptoms:
One of the attack signatures is not matched.
Conditions:
When all signatures are enabled and custom ones are created.
Impact:
The attack signature is passed instead of getting blocked.
Workaround:
NA
Fix:
All the signatures will be detected and respective violations will be raised.
Fixed Versions:
17.1.1.3, 16.1.4.3, 15.1.10.4
1494293-4 : BIG-IP might fail to forward server-side traffic after a routing disruption occurs.
Links to More Info: BT1494293
Component: Local Traffic Manager
Symptoms:
BIG-IP might fail to forward server-side traffic after a routing disruption occurs.
Conditions:
- CMP forwarding occurs (traffic on ingress is handled by a different TMM on egress).
- Routing disruption happens.
- Flow collision with existing connection happens.
- connection.vlankeyed is enabled (default)
Impact:
Server-side traffic is silently dropped.
Workaround:
Clear the existing connection from the connection table according to K53851362
Fixed Versions:
16.1.5
1494137-1 : Translucent mode vlan-group uses wrong MAC when sending ICMP to client
Links to More Info: BT1494137
Component: Local Traffic Manager
Symptoms:
Translucent mode vlan-group uses source MAC as the vlan-group's MAC address instead of the server's MAC address while responding to an ICMP unreachable request.
Conditions:
1. Configure Vlangroup in Translucent mode on BIG-IP
2. Send an ICMP unreachable request from client to server.
3. Capture the tcpdump on the BIG-IP, observe the response packet has source MAC as the vlan-group's MAC address instead of the server's MAC address while responding to an ICMP unreachable request.
Impact:
The wrong MAC address is used which can cause traffic disruption.
Workaround:
Disable vlangroup.flow.allocate :
tmsh modify sys db vlangroup.flow.allocate value disable
Fix:
Translucent mode vlan-group uses source MAC as the server's MAC address instead of vlan-group's MAC address while responding to an ICMP unreachable request.
Fixed Versions:
16.1.5
1492361-2 : TMUI Security Hardening
Links to More Info: K000138894, BT1492361
1491481-2 : Server changes to support QT upgrade of Mac Clients
Links to More Info: BT1491481
Component: Access Policy Manager
Symptoms:
The old client build was failing due to a pending QT upgrade, the client requires server changes to support.
Conditions:
QTv5.5 and MAC OS(11.1)
Impact:
Cannot establish VPN connection with new clients.
Workaround:
None
Fix:
Server changes to support QT upgrade of clients.
Fixed Versions:
16.1.5
1491165-1 : TMM crashes when saving DAG setting and there are 7 or more blades
Links to More Info: BT1491165
Component: TMOS
Symptoms:
TMM crashes and generates a core file and continues to crash during startup.
Conditions:
A chassis has 7 or more blades installed.
The settings introduced by ID1282181 have been saved.
Impact:
Traffic interruption while TMM restarts.
Workaround:
The issue could be avoided by clearing the variables for ID1282181. However, this takes away the feature.
Fix:
The fix is adjusting the size of the buffers.
Fixed Versions:
16.1.5
1490833-1 : OAuth agent gets misconfigured when adding a new Scope/Claim in VPE
Links to More Info: BT1490833
Component: Access Policy Manager
Symptoms:
OAuth agents gets misconfigured when adding a new scope/claim in the visual policy editor (VPE)
Conditions:
- There are at least 10 scopes/claims attached to the OAuth agent.
- Adding a new scope/claim to the OAuth agent
Impact:
OAuth agent gets misconfigured
Workaround:
None
Fixed Versions:
16.1.5
1490765-2 : Request body can be unordered by bot-defense
Links to More Info: BT1490765
Component: Application Security Manager
Symptoms:
Certain request body, such as request body from a trusted bot, can be unordered after bot-defense applied its enforcement.
Conditions:
- bot-defense profile is in use
- bot-defense performs rDNS lookup for the request
- this manifests once in every five minutes
Impact:
Service or application that receives the unordered request body might not understand the request content and can fail.
Workaround:
Use iRule that disables bot-defense for the specific request, for example
- Check UA, URI, and other
- Disable bot-defense
Fixed Versions:
16.1.5
1489657-3 : HTTP/2 MRF incorrectly end stream for 100 Continue
Links to More Info: BT1489657
Component: Local Traffic Manager
Symptoms:
HTTP2 client resets the stream by PROTOCOL ERROR on seeing END_STREAM flag set in 100 CONTINUE header frame.
Conditions:
HTTP/2 MRF enabled
HTTP/2 on the server side.
HTTP POST with body length > 0
The HTTP request has the "Expect: 100-continue" header
The server responds 100 Continue
And versions that have BugID-1220629 fixed
Impact:
The request would not be processed due to PROTOCOL_ERROR.
Fix:
Special handling for 1xx headers
Fixed Versions:
16.1.5
1473701 : Oauth Discovery task is struck at "SAVE_AND_APPLY" state
Links to More Info: BT1473701
Component: Access Policy Manager
Symptoms:
Initial symptoms could be one of the following:
- Auto JWT discovery task stops or stalls and no reason is provided
- OIDC discovery task stops discovering
- Auto update of JWK fails
- OAuth token does not renew
- Oauth Discovery stuck at "SAVE_AND_APPLY"
- OAuth Provider Discovery Task does not work anymore
Other indications:
-> Stale JWK keys will be present in the config and Authentication fails with the following error in /var/log/apm:"OAuth Scope: failed for jwt-provider-list '/Common/VPN_JWT', error: None of the configured JWK keys match the received JWT token, JWT Header:
"
->restcurl -X GET tm/access/oidc/discover/ outputs the OIDC discovery task status and status will be in "SAVEANDAPPLY"
Conditions:
- jwk keys discovered from the openid well known url should be different from the existing JWK keys in the config
- And mcp should fail while applying the config. We can identify that if the /var/log/restjavad does not show the " Applying access policies" log after the "Updating mcp jwt and jwk objects for provide" log
Impact:
- Config will contain stale JWK keys
Workaround:
- Restart restjavad so that the discovery task starts again
Fix:
- Moved the apply access policy operation into a child thread so that the parent thread does not block itself until it receives a response from the mcp.
- Earlier the OIDC thread would be blocked until it got a successful response from the mcp for "apply access policy" and if it did receive a response, it would be blocked and would stop permanently without rescheduling itself.
- Now, even if the apply access policy fails in the current discovery cycle, the OIDC discovery worker will not be blocked and will be rescheduled for the next interval and the apply access policy will be reattempted as part of the next discovery cycle.
Fixed Versions:
16.1.5
1472853-2 : PVA may not fully come up on large platforms with many tmms
Links to More Info: BT1472853
Component: TMOS
Symptoms:
The PVA may not be fully initialized when tmm starts. This can lead to versions issues such as
* flows not being accelerated
* flows getting reset with idle timeout or "No flow found for ACK" reset cause messages.
Log message similar to the following is seen in /var/log/tmm2:
notice ePVA had not been globally enabled by HSBE2 LBB
Conditions:
-- BIG-IP iSeries i15800 platform.
-- PVA enabled
-- Tmm that has not been restarted since boot.
Impact:
-- flows may not be accelerated
-- flows may get reset with idle timeout or "No flow found for ACK" reset cause messages.
Workaround:
Restart tmm
Fixed Versions:
16.1.5
1472685-2 : Add support for 4 new Webroot Categories
Links to More Info: BT1472685
Component: Traffic Classification Engine
Symptoms:
URL's getting categorised as Uncategorized.
Conditions:
Query any of the URL that fall under new category
Impact:
URL does not get categorised as expected and gets classified as "Uncategorized"
Fix:
Added support for 4 new categories.
Fixed Versions:
16.1.5
1472609 : [APM]Some user roles unable view Access config GUI, getting 403 error
Links to More Info: BT1472609
Component: Access Policy Manager
Symptoms:
Some user roles (except admin, manager, resource manager, and App Editor users) get 403 forbidden when opening Access config in GUI.
Conditions:
- BIGIP versions 16.1.4.1 (or later), 15.1.10.2 (or later), and 17.1.0.3 (or later).
- User roles except for admin, manager, resource manager, and App Editor users.
Impact:
Unable to view APM UI.
Fixed Versions:
16.1.5
1470329-2 : PEM: Multiple layers of callback cookies need input validation in order to prevent crashes.
Links to More Info: BT1470329
Component: Policy Enforcement Manager
Symptoms:
TMM core and restart because of PEM.
Conditions:
1)PEM session attribute lookup via spmdb_session_attr_session_lookup_cb
2) The callback function in the cookie is null.
Impact:
TMM restarts. Service disruption.
Fix:
Fix: adding null check for callback function.
Fixed Versions:
16.1.5
1468809-2 : Attack signature "Staged Since" timestamp is not accurate
Links to More Info: BT1468809
Component: Application Security Manager
Symptoms:
Attack signature "Staged Since" timestamp is not accurate
Conditions:
Signature is set to staging
Impact:
The "Staging: Since" timestamp is inaccurate.
Workaround:
None
Fixed Versions:
16.1.5
1468589 : TypeError: Cannot convert a Symbol value to a string in CSSStyleDeclaration Object Getter and Setter Functions
Links to More Info: BT1468589
Component: Access Policy Manager
Symptoms:
APM is unable to read or modify the CSS properties to dynamically change the style of the element
Conditions:
Modern Rewrite Mode is enabled
Impact:
Unable to read or modify the CSS properties to dynamically change the style of the element
Workaround:
Use the below iRule:
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
if {
[HTTP::path] ends_with "cache-fm-Modern.js"
} {
HTTP::respond 200 content [ifile get ModernCachefm]
}
}
Request the iFile with the fix via an escalation
Fixed Versions:
16.1.5
1466293-2 : SIP MRF over TCP might cause excessive memory buffering
Component: Service Provider
Symptoms:
SIP MRF over TCP might cause excessive memory buffering.
Conditions:
Certain traffic patterns might flood the BIG-IP over TCP from the server side and cause excessive memory buffering.
Impact:
The system can undergo core
Fix:
Excessive memory buffering is eliminated when certain traffic pattern occurs.
Fixed Versions:
16.1.5
1466289-3 : SIP MRF might leave orphaned connections
Component: Service Provider
Symptoms:
Under certain traffic patterns, SIP MRF may leave orphaned connections.
Conditions:
A system with SIP MRF enabled.
Impact:
It leads to excessive memory buffering.
Fix:
Connections are no longer orphaned.
Fixed Versions:
16.1.5
1462885-2 : LTM should send ICMP port unreachable upon unsuccessful port selection.
Links to More Info: BT1462885
Component: Local Traffic Manager
Symptoms:
In some cases ICMP port unreachable is not sent back to the client when the BIG-IP system is unable to obtain an available port for a connection.
Conditions:
Flow collision happens, BIG-IP is unable to obtain an available port for connection.
Impact:
LTM drops traffic and does not send an ICMP error to the client.
Workaround:
None
Fixed Versions:
16.1.5
1462797-2 : TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection when an HTTP/2 request is sent
Links to More Info: BT1462797
Component: Application Security Manager
Symptoms:
TMM crashes, when HTTP/2 and DoSL7 profiles are enabled on virtual server, and DoS protection is disabled using an iRule. This occurs while sending an HTTP/2 request to the virtual server.
Conditions:
- HTTP/2 and DoSL7 profiles are enabled on virtual server
- DoSL7 disabled using iRule
- HTTP/2 request is sent to virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
16.1.5
1462393 : Quota is not getting updated from the PEM side
Links to More Info: BT1462393
Component: Policy Enforcement Manager
Symptoms:
The quota is not updated when PEM receives the CCR-U message from the OCS.
Conditions:
Once the quota is exhausted,
1. OCS initiates a Re-Auth Request (RAR) to PEM
2. PEM responds with RAA
3. PEM then sends CCRu to OCS to request more quota
4. OCS responds with a CCA for additional quota for the rating group
5. Subscriber Session record did not change with new Granted Units.
Impact:
The quota is not updating from the PEM side.
Fix:
Quota is updating from the PEM side
Fixed Versions:
16.1.5
1461597-2 : IPS IM upgrade is taking more time
Links to More Info: BT1461597
Component: Protocol Inspection
Symptoms:
It takes more time than usual for the upgrade of the protocol inspection updates IM Package.
Conditions:
During IM Upgrade:
1) Go to security -> Protocol Inspection -> Inspection Updates -> Download Package -> From file -> choose file -> Download.
2) select the IM and click on install
3) select the IM and click on deploy
Impact:
It takes more time to upgrade to the latest IM package. This is due to a larger than normal number of signature updates.
Workaround:
None
Fix:
Setting the default action to don't inspect for new signatures in the default profiles.
Fixed Versions:
16.1.5
1455677-2 : ACCESS Policy hardening
Component: Access Policy Manager
Symptoms:
Under certain traffic patterns, ACCESS policy may crash
Conditions:
ACCESS policy evaluation is enabled
Impact:
A TMM core.
Workaround:
None
Fix:
The core is resolved.
Fixed Versions:
16.1.5
1449709-2 : Possible TMM core under certain Client-SSL profile configurations
Links to More Info: K000138912, BT1449709
1429897 : NShield netHSM : Creating new nShield key does not commit this key to an external RFS with nShield 12.60
Links to More Info: BT1429897
Component: Local Traffic Manager
Symptoms:
With nShield software v12.60 when creating a new nShield key on BIG-IP which is a client of an external RFS the new key is not automatically uploaded to RFS.
It works fine with nShield software v12.40 and new keys are committed to RFS without 'rfs-sync -c'.
If we generate a new HSM key with fipskey.nethsm (a wrapper for /opt/nfast/bin/generatekey) the key is committed to RFS.
Conditions:
--> Configure BIG-IP with an external HSM. Use nShield software v12.60.x.
--> Create a new nethsm key using TMSH or WebUI.
Impact:
Upgrading to higher versions of BIG-IP software will cause issues due to the usage of nshield v12.60 in them.
Workaround:
Use 'rfs-sync -c' after creating a new key.
Fix:
None
Fixed Versions:
16.1.5
1410989-3 : DNSX returns a malformed UDP DNS response when the answer count is nonzero but there is no answer section.
Links to More Info: BT1410989
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system returns a malformed UDP DNS response.
Conditions:
When provided buf_size is able to fit the answer section but not able to fit authority and additional sections.
Impact:
Malformed UDP DNS response.
Workaround:
Use TCP DNS query.
Fix:
None
Fixed Versions:
16.1.5
1410953-2 : Keymgmtd coring or restarting in loop when we have an empty crl file inside crl_file_cache_d path.
Links to More Info: BT1410953
Component: TMOS
Symptoms:
Keymgmtd is coring and restarting in a loop.
Conditions:
Create an empty file in the crl_file_cache_d path and try restarting the keymgmtd.
Impact:
Key management-related operations will fail.
Workaround:
None
Fix:
None
Fixed Versions:
16.1.5
1409453 : [APM][NA]Read Access Denied for 'Manger role' when accessing Network Settings in Network Access config
Links to More Info: BT1409453
Component: Access Policy Manager
Symptoms:
On GUI: 'General database error retrieving information.'
In /var/log/ltm: Read Access Denied: user (es-manager) type (network acces address space include)
Conditions:
-- Non-admin user
-- Network Access configured on APM
Impact:
Non-admin users cannot access Network Access settings.
Workaround:
None
Fixed Versions:
16.1.5
1408381 : BADOS signals might no sync on HA setups
Links to More Info: BT1408381
Component: Anomaly Detection Services
Symptoms:
BADOS signals might no sync on HA setups.
Conditions:
When using High Availability setups with BADOS enabled.
Impact:
Standby machine is not synched in some scenarios.
Workaround:
Manual sync with the script that calls rsync.
Fix:
The state file always stays in sync.
Fixed Versions:
16.1.5
1402421 : Virtual Servers haviing adfs proxy configuration might have all traffic blocked
Links to More Info: BT1402421
Component: Access Policy Manager
Symptoms:
All requests for ADFS proxy will be blocked and will not be allowed.
Conditions:
/var/log/apm should show a line similar to below in a normal scenario
Nov 30 09:10:38 guest1.pslab.local debug adfs_proxy[9282]: 01aeffff:7: (null)::00000000: C: TMEVT_TIMER
TMEVT_TIMER should occur once every minute
These lines will be missing in the non-working case.
Impact:
Traffic to virtual servers having ADFS Proxy configuration will be disrupted.
Workaround:
- Restart adfs_proxy
- bigstart restart adfs_proxy
Fix:
None
Fixed Versions:
16.1.5
1400317-2 : TMM crash when using internal datagroup
Links to More Info: BT1400317
Component: Local Traffic Manager
Symptoms:
When an internal data group matches a local traffic policy, tmm crashes.
Conditions:
Local data group involved. External data groups are fine.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use an external data group if possible
Fix:
Both internal and external data group works
Fixed Versions:
16.1.5
1399809-3 : DNS Resolution for IPv6 clients is not working when dns64 is enabled with secondary in DNS Profile.
Links to More Info: BT1399809
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Resolution for IPv6 clients is not working when dns64 is enabled with secondary in DNS Profile.
Conditions:
--- DNS64 is enabled and set to secondary in DNS Profile.
--- qname-minimisation is enabled by default in code in the latest unbound.
--- That Profile is configured with dns cache.
--- A DNS listener is configured with the above profile.
--- DNS clients requesting ipv6 resolution requests towards the listener.
Impact:
IPv6 resolution is failing.
Workaround:
None
Fixed Versions:
16.1.5
1399645-2 : iRule event BOTDEFENSE_ACTION validation failing a subroutine call
Links to More Info: BT1399645
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system tries to save an iRule that calls a procedure from the BOTDEFENSE_ACTION event, an error occurs.
Conditions:
-- Configure an iRule with event BOTDEFENSE_ACTION.
-- The event calls a procedure.
Impact:
A TCL error is thrown: Rule checker ::tclCheck::checkScript did not complete: can't read "BIGIP::ltmEventCategoryHierarchy(BOTDEFENSE)": no such element in array.
Workaround:
None
Fix:
None
Fixed Versions:
16.1.5
1399289-1 : "XML data does not comply with schema or WSDL document" violations after upgrade to 16.1.4.1
Links to More Info: BT1399289
Component: Application Security Manager
Symptoms:
If the "Attribute" in a schema file has an upper case letter, then schema validation fails.
This does not apply to "Element", which tries to match exact case.
Conditions:
Create a Case insensitive ASM policy. Create an XML Schema profile which has an "Attribute" Tag with at least one upper-case letter in the Attribute name.
Impact:
Requests fail with Violation, even though the Schema file has a specific attribute.
Workaround:
Have the "Attribute" tag name with all lower case letters, then the request does not gets blocked.
Fixed Versions:
16.1.5
1399241-2 : QUIC occasionally erroneously sends connection close with QPACK decoder stream error
Links to More Info: BT1399241
Component: Local Traffic Manager
Symptoms:
QUIC connections are occasionally closed with "QPACK decoder stream error" (error code 514).
Conditions:
The QPACK decoder stream of a QUIC connection receives part of a request in a packet or receives an ack or cancel for a stream that has already been closed.
Impact:
A connection close with "QPACK decoder stream error" is sent and the QUIC connection is closed. Web browsers might also conclude that the BIG-IP's QUIC implementation is not interoperable and stop initiating HTTP/3 connections.
Fix:
Fixed QPACK handling when receiving part of a request in a packet or receiving an ack or cancel for a stream that has already been closed.
Fixed Versions:
16.1.5
1398401-1 : Configuration error: In url-filter <filter name> allowed-category <cat name> does not exist.★
Links to More Info: K000135607, BT1398401
Component: Access Policy Manager
Symptoms:
After an upgrade, the configuration fails to load with one or more errors:
Configuration error: In url-filter <filter name> allowed-category <cat name> does not exist.
Conditions:
Upgrading SWG from a BIG-IP version that uses category names that no longer exist.
Impact:
BIG-IP upgrade fails.
Workaround:
Remove the affected category names before attempting the BIG-IP upgrade.
Fix:
Code exists to map old categories with the new.
Existing mapping code works till BIG-IP 13.x.x, the same code support extended for BIG-IP 15.x.x and later versions.
Fixed Versions:
16.1.5
1398229-1 : Enabling support for SSH-RSA in Non FIPS mode
Links to More Info: BT1398229
Component: TMOS
Symptoms:
Ssh-rsa is disabled in FIPS and non-FIPS mode, as SSH-RSA is a less secure algorithm.
Conditions:
Attempt to use SSH-RSA algorithm
Impact:
Unable to use SSH-RSA algorithm
Fix:
Added support for SSH-RSA in Non-FIPS mode.
It is still disabled in FIPS mode.
Fixed Versions:
16.1.5
1395281-2 : UDP payloads not ending with CRLF are being treated as BAD messages.
Links to More Info: BT1395281
Component: Service Provider
Symptoms:
The UDP SIP payloads that did not end with CRLF are being treated as BAD messages.
Conditions:
The UDP SIP payload did not end with CRLF.
Impact:
The UDP SIP message will be treated as a BAD message if the payload does not end with CRLF.
Workaround:
None
Fix:
Made SIPP parser changes to accept and process UDP SIP messages that do not end with CRLF.
Fixed Versions:
16.1.5
1395081-2 : Remote users are unable to generate authentication tokens
Links to More Info: K000137514, BT1395081
Component: TMOS
Symptoms:
On a BIG-IP version with the fix for ID1147633, remote users are unable to generate authentication tokens. This also results in following pages in the GUI being broken for users:
- Device Management >> Overview
- Local Traffic >> Network Map
Conditions:
-- BIG-IP version with the fix for ID1147633
-- Remote user authentication (such as TACACS, RADIUS, Active Directory, and other)
Impact:
Some parts of the GUI may not load for remote users.
Generating an authentication token for a remote user would result in an error message similar to the following:
{
"code": 400,
"message": "token creation failed; target user [<id>] does not exist in the system",
"referer": "https://<IP>/tmui/tmui/devmgmt/overview/app/index.html?ver=0.0.6.17.1.1",
"restOperationId": <ID>,
"kind": ":resterrorresponse"
}
Workaround:
None
Fix:
The GUI pages are loading successfully for remote users.
Fixed Versions:
17.1.1.1, 16.1.5
1394601-1 : PEM AVR onbox reporting stall
Links to More Info: BT1394601
Component: Policy Enforcement Manager
Symptoms:
When using PEM AVR onbox reporting, the per-subscriber reporting will stop working after a set of time.
Conditions:
- PEM AVR reporting.
Impact:
No per-subscriber reporting is available.
Workaround:
Restart tmm to get it working again.
Fix:
PEM AVR reporting continues to function.
Fixed Versions:
16.1.5
1394445-2 : Password-memory is not remembering passwords to prevent them from being used again
Links to More Info: BT1394445
Component: TMOS
Symptoms:
Password-memory is not remembering passwords to prevent users from using the same password again.
Conditions:
-- Policy-enforcement is enabled.
-- password-memory is configured.
Impact:
System should support "password memory" for each user and can't use previous password.
Workaround:
None
Fixed Versions:
16.1.5
1391357-1 : Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address
Links to More Info: K000136909, BT1391357
1391161-2 : sipmsg_parse_sdp crashes when SIP receives certain traffic pattern.
Component: Service Provider
Symptoms:
When the SIP message body has a certain traffic pattern, the sipmsg_parse_sdp crashes.
Conditions:
A pattern that can cause sipmsg_parse_sdp to crash.
Impact:
The system may core.
Fix:
Sipmsg_parse_sdp does not crash when SIP receives the traffic pattern that caused the core previously.
Fixed Versions:
16.1.5
1391081-2 : TMM crash when running HTTP/3 and persist record
Links to More Info: BT1391081
Component: Local Traffic Manager
Symptoms:
TMM crashes when handling an HTTP/3 request.
Conditions:
HTTP/3 traffic on a BIG-IP system with multiple TMMs and the use of persistence.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
16.1.5
1389225-2 : For certain iRules, TCP::close does not close the TCP connection
Links to More Info: BT1389225
Component: Local Traffic Manager
Symptoms:
When an iRule generates a TCP::close before a server-side connection is established, the BIG-IP system does not close the connection.
Conditions:
Example 1
With this iRule, if there are 2 pipelined http requests, the close will not happen after the first request
Sample iRule:
proc redirect {loc} {
HTTP::redirect $loc
TCP::close
}
when HTTP_REQUEST priority 1 {
call redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
Example 2:
In this second example of iRule where there are no pools involved (say redirects or error message return 404 not found...) when no servers are connected to. In such case, the close will not happen.
ltm rule tcp_it {
when CLIENT_ACCEPTED {
TCP::collect 1
}
when CLIENT_DATA {
table or other commands for example
TCP::respond "reply" (or 404 not found...)
TCP::release
TCP::close
}
when CLIENT_CLOSED {
log local0. "Client closed"
}
when SERVER_CONNECTED {
log local0. "Server here"
}
}
When such rule involves no servers to be connected - hence "Server here" not displayed - the close will never happen.
Impact:
TCP connection lingers in TMM until expiration.
Workaround:
None
Fixed Versions:
16.1.5
1389049-1 : Frequent instances of provisioning-pending count spiking on various PEM devices
Links to More Info: BT1389049
Component: Policy Enforcement Manager
Symptoms:
PEM intermittently fails to provision subscribers and a large number of subscriber sessions go into the provisioning-pending state.
Conditions:
-- PEM is enabled
-- BIG-IP is configured to create subscriber dynamically and receive subscriber policy from PCRF
-- BIG-IP receives a large number of subscriber login/logout requests in a short period.
Impact:
New subscribers provisioning fails. Subscribers remain in the provision-pending state.
Workaround:
None
Fix:
With fix, new subscriber provisioning and old subscriber deletion is successful.
Fixed Versions:
16.1.5
1389033-2 : In an iRule SSL::sessionid returns an empty value★
Links to More Info: K000137430, BT1389033
Component: Local Traffic Manager
Symptoms:
The irule SSL::sessionid command used returns an empty value after an upgrade to v15.1.9.1, when used with a TLS1.3 session.
While SSL::sessionid in v15.1.8.2 returns the value specified in the ClientHello for a TLSv1.3 session, upgrading to v15.1.9.1 results in empty values returned when calling SSL::sessionid.
Conditions:
1. Use SSL::sessionid in an iRule
2. Use an affected BIG-IP version
3. Client establishes a TLS1.3 connection
Impact:
SSL::sessionid returns an empty value, which could result in unintended behavior for applications that use that iRule command.
Workaround:
None
Fixed Versions:
16.1.5
1388985-2 : The daemon dwbld uses 100% CPU when max port value configured in TMC port list
Links to More Info: BT1388985
Component: Advanced Firewall Manager
Symptoms:
When Traffic Matching Criteria (TMC) port list range is configured that includes maximum port value of 65535, counter is incremented till 65535 and wraps back to 0, as the variable used to store the counter is uint16_t.
Conditions:
- AFM license enabled.
- Daemon dwbld enabled
- Any TMC port list configured with maximum port value of 65535
Impact:
The daemon dwbld consumes 100% CPU impacting system performance.
Workaround:
Avoid configuring maximum port value of 65535 in TMC port list range.
Fix:
The counter is changed to uint32_t to avoid rollover when maximum port value is included in port list range.
Fixed Versions:
16.1.5
1388621-2 : Database monitor with no password marks pool member down
Links to More Info: BT1388621
Component: Local Traffic Manager
Symptoms:
If an LTM or GTM database monitor is configured with a username to log in to the database, but without a password, pool members monitored by that monitor will be marked Down.
When this issue occurs, an error message similar to the following (for a postgresql monitor in this example) will appear in the DBDaemon log file (/var/log/DBDaemon-*.log):
[MonitorWorker-###] - incomplete parameters: m_connectStr:'jdbc:postgresql://###.###.###.###:##/postgres' m_user:'*********' m_password:'null' max_use:'#' m_inst_id:'******'
The "incomplete parameters" and "m_password:'null'" items are the relevant parts of this error message.
Conditions:
This may occur under the following conditions:
-- LTM or GTM pool members are configured to use a database monitor, such as:
-- mssql
-- mysql
-- oracle
-- postgresql
-- The monitor is configured with a username, but no password
-- And this configuration is otherwise valid: The username is a configured in the target database with no password, and no password is required by the database for authentication of that user.
-- The version of BIG-IP, or BIG-IP Engineering Hotfix,
which includes a fix for Bug ID1025089.
Impact:
Pool members monitored by a database monitor, the configured will be marked Down.
Workaround:
Following is workaround for this issue:
-- Configure the database user with a password, and require password authentication for the user
-- Configure the database monitor with the correct password for the configured username
Fix:
Database monitors with usernames configured without a password (which matches the configuration of that user in the database itself) will report correct health status of monitored pool members.
Fixed Versions:
16.1.5
1388341-2 : tmm crash upon context reference that was already released (HUDEVT_SHUTDOWN)
Links to More Info: BT1388341
Component: Anomaly Detection Services
Symptoms:
While requests are delayed in TMM due to various reasons, their virtual server and BADOS profile might be deleted.
This may lead to a TMM crash.
Conditions:
-- BIG-IP System, passing traffic.
-- The virtual server has objects attached, such as complex iRules or BADOS, which cause the requests to take more time to get through the tmm.
-- A connection is dropped while the request is still being handled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
If possible, avoid using objects that cause requests to be delayed, such as iRules and behavioral DoS.
Fix:
TMM does not crash when a connection is dropped while a request is still in the progress.
Fixed Versions:
16.1.5
1382329 : Handling 'active' attribute in introspection response
Links to More Info: BT1382329
Component: Access Policy Manager
Symptoms:
When Google is configured as an authorization server it does not include an 'active' attribute in response to the token validation endpoint. OAuth Scope fails without any error message.
Conditions:
BIG-IP configured as OAuth Client + Resource Server and Google as Authorisation server.
Impact:
BIG-IP Administrator will not be able to figure out why OAuth Scope fails by looking at the debug logs.
Workaround:
None
Fix:
Log an error message describing the absence of an 'active' attribute.
Fixed Versions:
16.1.5
1381565-2 : ADMD stability improvements when configured with TLS signatures
Component: Anomaly Detection Services
Symptoms:
- ADMD restart
- High CPU utilization of ADMD
- TMM restart
Conditions:
BADOS configured with TLS signatures
Impact:
- High CPU utilization
- Traffic loss
Workaround:
None
Fix:
- No ADMD restarts.
- ADMD consumes reasonable CPU resources
- No TMM restarts
Fixed Versions:
16.1.5
1381357-2 : CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability
Links to More Info: K000137365, BT1381357
1381065-1 : Custom Request implementation modifies the Request object's prototype, resulting in the lack of the 'signal' property.
Links to More Info: BT1381065
Component: Access Policy Manager
Symptoms:
Cache-fm-Modern.js:405 TypeError: Failed to execute 'fetch' on 'Window': Failed to read the 'signal' property from 'RequestInit': Failed to convert value to 'AbortSignal'.
Conditions:
When going through Portal Access Modern Rewrite mode
Impact:
Fetch request fails and throws an error
Workaround:
Mitigate the issue with below iFile iRule:
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
if {
[HTTP::path] ends_with "cache-fm-Modern.js"
} {
HTTP::respond 200 content [ifile get ModernCachefm]
}
}
For iFile - Escalate a case explaining to open an SR requesting for such iFile
Fix:
NA
Fixed Versions:
16.1.5
1378329-2 : Secure internal communication between Tomcat and Apache
Links to More Info: K000137353
Component: TMOS
Symptoms:
For more details see: https://my.f5.com/manage/s/article/K000137353
Conditions:
For more details see: https://my.f5.com/manage/s/article/K000137353
Impact:
For more details see: https://my.f5.com/manage/s/article/K000137353
Workaround:
Note: This fix is related to CVE-2023-46747. However, systems with only the fix for ID1240121 are also not affected by CVE-2023-46747
For more details see: https://my.f5.com/manage/s/article/K000137353
Fix:
Communication between Tomcat and Apache is secured.
Fixed Versions:
16.1.5, 15.1.10.5
1369673-2 : OCSP unable to staple certificate chain
Links to More Info: BT1369673
Component: Local Traffic Manager
Symptoms:
When a server returns a certificate chain that involves an archived Let's Encrypt certificate, the OCSP is unable to staple the full chain.
Conditions:
An OCSP is configured on the serverside profile, and the client tries to connect to a server that returns certificate chain using an archived Let's Encrypt certificate.
Impact:
The OCSP is unable to staple the certificate chain. If the stapling is required by the client, the connection will be broken.
Workaround:
None
Fixed Versions:
16.1.5
1366593-2 : HTTPS monitors can fail when multiple bigd processes use the same netHSM
Links to More Info: BT1366593
Component: Local Traffic Manager
Symptoms:
Monitors going down accompanied by netHSM FIPS errors in /var/log/ltm.
Following is an example error:
01960005:3: netHSM: Shared memory error [Failed to fetch result].
Conditions:
HTTPS monitors having server_ssl profile that is storing a key in netHSM.
Impact:
Intermittently seeing HTTPS monitors fail for brief periods, causing some pool members to briefly be marked down.
Workaround:
Configure bigd to run in single process mode by running the following commands:
tmsh modify sys db bigd.numprocs value 1
bigstart restart bigd
Fixed Versions:
16.1.5
1366445-3 : [CORS] "Replace with" and "Remove header" CORS functionalities does not work
Links to More Info: BT1366445
Component: Application Security Manager
Symptoms:
"Replace with" and "Remove header" CORS functionalities do not work
Conditions:
-- Allow CORS Enabled
"Replace headers" Or "Remove headers" enabled with Header 'AAA'
-- Disallowed header 'AAA' in request sent
Impact:
The request is blocked with "VIOL_CROSS_ORIGIN_REQUEST" violation
Workaround:
None
Fix:
The request passes with no violations.
Fixed Versions:
16.1.5
1366401 : [APM]"F5RST: HTTP internal error" occurring after BIG-IP initiated client-ssl renegotiation
Links to More Info: BT1366401
Component: Access Policy Manager
Symptoms:
You may see observe below logs in /var/log/apm
<date> <hostname> err tmm3[29020]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_process_state_server_init, Line: 5382
<date> <hostname> err tmm3[29020]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 4075
Conditions:
ASM is configured along with APM on the same virtual server.
Impact:
Connections failing with [F5RST: HTTP internal error (bad state transition)]
Workaround:
None
Fixed Versions:
16.1.5
1366229-5 : Leaked Credentials Action unexpectedly modified after XML-format policy export and re-import
Links to More Info: BT1366229
Component: Application Security Manager
Symptoms:
"Leaked Credentials Detection" action unexpectedly modified after XML-format policy export and re-import.
Conditions:
Create a /login.php and set the Leaked Credentials Action to "Alarm and Leaked Credential Page"/"Alarm and HoneyPot Page". Export and reimport the policy in XML format.
Impact:
"Leaked Credentials Action" is modified to default "Alarm and Blocking Page" after reimporting policy.
Workaround:
Policy can be exported and reimported in Binary format. Issue is not seen with Binary format.
Fix:
Fixed an issue with Leaked Credentials Detection.
Fixed Versions:
16.1.5
1366217-2 : The TLS 1.3 SSL handshake fails with "Decryption error" when using dynamic CRL validator
Links to More Info: BT1366217
Component: Local Traffic Manager
Symptoms:
The SSL handshakes using TLS 1.3 protocol fails with decryption errors when using dynamic CRL validator in SSL profiles on BIG-IP.
Conditions:
1. Create SSL profile with dynamic CRL validator enabled.
2. Create Virtual server and attach the above SSL profile.
3. Connect to VIP using TLS 1.3 protocol.
Impact:
Unable to use CRLDP to authenticate client certificates when using TLS 1.3 protocol.
Workaround:
Use static CRL or OCSP on SSL profiles to validate client entities.
Fix:
This issue has been fixed by pausing the decryption of the application data until certificate status response is received from CRL validator in the case of TLS 1.3 handshakes.
Fixed Versions:
16.1.5
1366089 : HSB firmware version 2.12.4.0 bitstream release for VIPRION B2250 blade
Links to More Info: BT1366089
Component: TMOS
Symptoms:
The High-Speed Bridge (HSB) version 2.12.4.0 bitstream is available for VIPRION B2250 blades.
Conditions:
VIPRION B2250 blades
Impact:
Unable to capture or provide RQM debugging data for HSB bitstreams on VIPRION B2250 blades.
- 'DNS malformed' DoS vector drops valid DNS queries for qnames that begin with an underscore character, refer ID 1156753.
- Client enables Window Scale in the first SYN packet with a specific factor value, however the BIG-IP system disables Window Scale in its SYN or ACK response, refer ID 1125733.
-- Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading is not working on hardware, refer ID 1167949.
Workaround:
None
Fix:
The High-Speed Bridge (HSB) version 2.12.4.0 bitstream is available for VIPRION B2250 blades, which includes the following updates from HSB version 2.12.3.0:
- Implement Request Queue Manager (RQM) Debug registers to help diagnose certain HSB-specific issues.
- 'DNS malformed' DoS vector correctly handles valid DNS queries for qnames that begin with an underscore character, refer ID 1156753.
- Correct server-side Window Scale behavior, refer ID 1125733.
- Hardware offload is performed correctly for "IPv6 fragmented" and "IPv6 atomic fragment" vectors, refer ID 1167949.
Fixed Versions:
16.1.5
1366025-2 : A particular HTTP/2 sequence may cause high CPU utilization.
Links to More Info: K000137106, BT1366025
1361169-2 : Connections may persist after processing HTTP/2 requests
Links to More Info: K000133467, BT1361169
1360917-4 : TMUI hardening
Links to More Info: K000138520, BT1360917
1360757 : The OWASP compliance score generation failing with error 501 "Invalid Path"
Links to More Info: BT1360757
Component: TMOS
Symptoms:
The Compliance Rate is stuck at "Calculating policy score" and the network analyzer displays, the response code for the "/mgmt/tm/asm/owasp/generate-score" request receives an error 501 response code "Invalid Path".
Conditions:
Following are the conditions where the issue is observed:
- 24 CPU cores
- Use an Eval license "F5-BIG-LTM-VE-24-V18-LIC" with "WF, High Performance VE, 4 vCPUs"
- Provisioned with ASM and FPS only, without LTM
Impact:
Unable to get the OWASP score calculated (for policies) for Security >> Compliance >> OWASP Compliance view
Workaround:
None
Fix:
Delayed the designated worker by sometime to ensure the essential configuration is loaded into the iControlREST application. That will avoid early initialisation prior to the respective configuration to complete its loading activity.
Fixed Versions:
16.1.5
1359281-2 : Attack signature is not detected when the value does not have '='
Links to More Info: BT1359281
Component: Application Security Manager
Symptoms:
Attack signature is not detected by BIG-IP for non RFC-compliant Cookie.
Conditions:
Cookie is not RFC compliant
Impact:
Attack signature is not detected by BIG-IP.
Workaround:
None
Fix:
Attack signature is detected.
Fixed Versions:
16.1.5
1359245 : Apmd cored when processing oauth token response when response code is not "200" and "ContentType" header "text/html
Links to More Info: BT1359245
Component: Access Policy Manager
Symptoms:
Apmd cores when processing non 200 http response for a get oauth token request when the response contains "ContentType" header as "text/html" and HTTP data as HTML
Conditions:
-- OAuth client is configured on BIG-IP and it requests a token
-- HTTP response is received with a response code other than 200 OK and "Content-type" header text/html with HTML content
Impact:
Apmd crashes. Access traffic disrupted while apmd restarts.
Workaround:
None
Fix:
Fixed an apmd core related to processing HTTP response during an OAuth session.
Fixed Versions:
16.1.5
1355377-2 : Subroutine gating criteria utilizing TCL may cause TMM to restart
Links to More Info: BT1355377
Component: Access Policy Manager
Symptoms:
APM per-request policies with subroutines using gating criteria which executes TCL script may cause TMM to restart on multi-TMM instances.
Conditions:
- More than one TMM.
- APM pre-request policy.
- Subroutine gating criteria containing TCL script.
Impact:
TMM may restart, resulting in a traffic outage.
Workaround:
None
Fix:
APM per-request policies with subroutines using gating criteria executing TCL script now executes correctly.
Fixed Versions:
16.1.5
1355149-3 : The icrd_child might block signals to child processes
Links to More Info: BT1355149
Component: TMOS
Symptoms:
When icrd_child is abruptly killed with SIGKILL signal, the underlying tmsh call is not killed respectively which is leaving the traces of the file descriptors to /var/system/tmp directory files. Thus causing /var partition disk out of use.
Conditions:
When the transitive call to tmsh command through icrd_child is invoked by restjavad module, and it ended as a fatal error or took more than the configured timeout value, restjavad issues SIGKILL command to icrd_child to force-kill the process. But, it is not killing the child processes (tmsh) initiated from icrd_child process.
Impact:
The /var partition disk is out of use.
Workaround:
Use the following command:
[killall -9 tmsh] to kill all the stale tmsh processes and clean up the files in [/var/system/tmp] directory
Fixed Versions:
16.1.5
1355117-2 : TMM core due to extensive memory usage★
Links to More Info: K000137374, BT1355117
Component: Access Policy Manager
Symptoms:
User observes TMM core due to extensive memory usage.
Conditions:
- Using BIG-IP 15.1.10
- When APM is used and users login and logoff multiple times.
- Each logoff may lead to some memory leak.
Impact:
User observes TMM core and fail over will occur.
Workaround:
None
Fix:
TMM does not core due to successive logoffs.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10.3
1354253-2 : HTTP Request smuggling with redirect iRule
Links to More Info: K000137322, BT1354253
Component: Local Traffic Manager
Symptoms:
See: https://my.f5.com/manage/s/article/K000137322
Conditions:
See: https://my.f5.com/manage/s/article/K000137322
Impact:
See: https://my.f5.com/manage/s/article/K000137322
Workaround:
See: https://my.f5.com/manage/s/article/K000137322
Fix:
See: https://my.f5.com/manage/s/article/K000137322
Behavior Change:
HTTP Parser of HTTP message header (for requests and responses) performs additional checks on value for Content-Length header, allowing values, matching BNF definition in RFC2616 (only digits), not causing integer overflow, allowed in multiple instances both in comma-separated lists and multiple Content-Length headers. An additional check introduced for Transfer-Encoding header to allow only RFC-compliant combinations for this header.
Fixed Versions:
17.1.1.1, 16.1.4.2, 15.1.10.3
1353957-2 : The message "Error getting auth token from login provider" is displayed in the GUI★
Links to More Info: K000137505, BT1353957
Component: TMOS
Symptoms:
When you access GUI pages that use REST API token-based authentication, the pages fail to load with the message "Error getting auth token from login provider".
You may also observe a red banner with the message: "The iApp LX sub-system is currently unresponsive."
For example, accessing the policies list from the following location:
iApps ›› Application Services : Applications LX Security ›› Application Security : Security Policies : Policies List
Conditions:
If the auth-pam-idle-timeout is other than 1200
list sys httpd auth-pam-idle-timeout
sys httpd {
auth-pam-idle-timeout 1200
}
Impact:
GUI pages that use REST API token-based authentication will not load.
Workaround:
Use the following tmsh commands:
tmsh modify sys httpd auth-pam-idle-timeout 1200
tmsh save sys config
tmsh restart sys service httpd
wait for 2 minutes
Delete cookies from /var/run/pamcache
rm -f /var/run/pamcache/*
Users authenticated in the TMUI will log out automatically. After logging back in, TMUI pages should load properly.
for VIPRION
tmsh modify sys httpd auth-pam-idle-timeout 1200
tmsh save sys config
clsh tmsh restart sys service httpd
wait for 2 minutes
Edit csyncd settigs prevent old cookies sync from other blade.
clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)
clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"
clsh "bigstart restart csyncd"
Delete cookies from /var/run/pamcache
clsh rm -f /var/run/pamcache/*
Revert csyncd settigs.
clsh "sed -i '/run\/pamcache/,+2s/^#//' /etc/csyncd.conf";
clsh "bigstart restart csyncd"
Note: Modifying the auth-pam-idle-timeout value will sync between devices in a sync-failover device group, but the workaround steps above must be performed on each device individually.
Fix:
Restjavad layer modified to accommodate idle timeout values other than 1200
Fixed Versions:
17.1.1.2, 16.1.5
1352945-1 : Rewrite plugin memory leak
Links to More Info: BT1352945
Component: Access Policy Manager
Symptoms:
Rewrite plugin memory usage is significantly higher.
Conditions:
Using the rewrite plugin
Impact:
Out-of-memory crashes on systems with low amounts of memory.
Workaround:
None
Fixed Versions:
16.1.5
1351493 : Invalid JSON node type while support-introspection enabled
Links to More Info: BT1351493
Component: Access Policy Manager
Symptoms:
As per RFC 7519, the expected value “exp” in the JWT token is a numerical value. JSON itself does not have a native type for integers, so all numerical values are represented as either numbers (without quotes) or strings (with quotes). In our case, we throw an exception if it is not a number to consider the string value. We also have an additional check to ensure it is a valid type.
Conditions:
The issue occurs only when support-introspection is enabled.
Impact:
Support-introspection cannot be enabled.
Workaround:
Disable support-introspection.
Fix:
None
Fixed Versions:
16.1.5
1350997-1 : Changes to support pre-logon when secondary logon service is disabled on windows edge client
Links to More Info: BT1350997
Component: Access Policy Manager
Symptoms:
Pre-logon used to fail when the secondary logon service was disabled in the Windows Edge Client.
Conditions:
1. Have secondary logon disabled in the Edge Client.
2. Use Edge Client on Windows.
Impact:
Cannot support pre-logon when secondary logon service is disabled in the Windows Edge Client.
Workaround:
None
Fix:
Changes to support pre-logon when secondary logon service is disabled in the Windows Edge Client.
Fixed Versions:
16.1.5
1350717-3 : When the client IP address changes immediately after the authentication to the Configuration Utility, HTTPD could enforce the source IP check even if 'auth-pam-validate-ip' is set to 'off'
Links to More Info: BT1350717
Component: TMOS
Symptoms:
The sys httpd auth-pam-validate-ip setting is 'on' by default. This setting restricts each client session to a single source IP address: the session is terminated if the source IP of the client changes during the session.
If browsers connect to the Configuration Utility through a proxy, their source IP addresses might change during a session: in this case you might want to set auth-pam-validate-ip to 'off' to avoid session termination when mod_auth_pam detects a client IP change for one of the existing sessions tokens (see https://my.f5.com/manage/s/article/K13048).
When auth-pam-validate-ip is set to 'off', the setting does not work as expected if the client IP address of the browser changes immediately after the HTTP POST that authenticates the user into the Configuration utility.
If the client IP address changes after a few HTTP requests and responses, instead of changing immediately after the user authentication, then the user is correctly allowed to continue their Configuration utility session.
Conditions:
- The "tmsh /sys httpd auth-pam-validate-ip" configuration setting is set to 'off'.
OR
- The same setting in the Configuration utility, the check box under "System > Preferences > Require A Consistent Inbound IP For the Entire Web Session", is cleared.
- The client IP address of the browser changes immediately after the HTTP POST that authenticates the user into the Configuration utility.
Impact:
A user trying to authenticate into the Configuration utility is redirected to the authentication page immediately after inserting their username and password, even if the username and password are accepted by the system.
Workaround:
If the users of the Configuration utility are behind a proxy that might change their IP address, use the same IP address for as long as possible (configure source address persistence on the proxy).
Fixed Versions:
16.1.5
1350693-2 : Log publisher using replicated destination with unreliable destination servers may leak xfrags
Links to More Info: BT1350693
Component: TMOS
Symptoms:
Over time, xfrag usage increases and does not return to the previous level when traffic is stopped.
Conditions:
The issue occurs under the following conditions:
-- Log publisher with replicated destination.
-- Replicated destination with a pool of more than 1 member.
-- Pool members go up and down over time.
Impact:
F5 box encountered aggressive sweeper mode leading to loss of traffic.
Workaround:
None
Fix:
None
Fixed Versions:
16.1.5
1350273-2 : Kerberos SSO Failing for Cross Domain After Upgrade from 15.1.8.2 to 15.1.9.1★
Links to More Info: BT1350273
Component: Access Policy Manager
Symptoms:
401 Unauthorised received from backend server even if SSO succeeds.
Conditions:
-- Kerberos SSO configured on 15.1.9
Impact:
Users unable to do SSO or basic auth using credentials.
Workaround:
None
Fixed Versions:
16.1.5
1350141-1 : Duplicate user-defined Signature Set based on Attack Type is created upon policy import during upgrade★
Links to More Info: BT1350141
Component: Application Security Manager
Symptoms:
After an upgrade, the user-defined sets attached to a policy are upgraded with the wrong empty value, instead of a NULL value, for sig_tag_val field.
Conditions:
Before upgrade, there is a policy which is using a user defined set based on a filter which is not sig_tag_op (so the sig_tag_val has a NULL value in the database)
Impact:
Importing the same policy into the upgraded system will create a duplicate set and the upgraded set will not be used.
Workaround:
You can repair the policy by navigating to “Security ›› Application Security : Policy Building : Learning and Blocking Settings”, clicking on “change”, and choosing the original created sets instead of the duplicated sets. Save, and then apply the policy. The duplicated sets can be deleted after that.
Fix:
After upgrade, the value for sig_tag_val is the correct NULL value.
Fixed Versions:
16.1.5
1348841 : TMM cored with SIGSEGV when using dtls by disabling the unclean shutdown flag.
Links to More Info: BT1348841
Component: Local Traffic Manager
Symptoms:
TMM cores
Conditions:
- DTLS traffic through a Virtual Server with an ssl profile.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fix:
BIG-IP now properly closes and frees memory for DTLS connections. This prevents the crash and further restarting of TMM.
Fixed Versions:
16.1.5
1348425-3 : Header name or parameter name is configured with space.
Links to More Info: BT1348425
Component: Application Security Manager
Symptoms:
ASM may crash due to header/parameter configuration with space.
Conditions:
-- A header name or parameter name is configured with a space.
-- More than 37 custom headers and/or parameter header name (location header) is configured. One of the headers or parameter names has space.
Impact:
Traffic disrupted while bd restarts.
Workaround:
Do not configure header names or parameter names with a space.
Fix:
No crash after configuring header or parameter with space.
Fixed Versions:
16.1.5
1348153 : Assigned IP Address session variable always as IPv6 Address
Links to More Info: BT1348153
Component: Access Policy Manager
Symptoms:
When a BIG-IP Administrator configures a Network Access resource with IPv4 and IPv6 support. In a RADIUS Authentication, we find the assigned address always to be an IPv6 address.
Conditions:
The session.assigned.clientip session variable is populated multiple times in the source code last being the IPv6 address.
Impact:
The BIG-IP Administrator will not be able to get an IPv4 session.assigned.clientip after the VPN connection.
Workaround:
Configure the Network Access resource with only IPv4.
Fix:
None
Fixed Versions:
16.1.5
1347569-1 : TCL iRule not triggered due to handshake state exceeding trigger point
Links to More Info: BT1347569
Component: Local Traffic Manager
Symptoms:
- Inbound TLS traffic's SNI isn't proxied from client-side to server-side
- TLS handshakes might fail
Conditions:
Create an inbound SSL Orchestrator setup and attach the iRules.
Impact:
TLS handshakes might fail.
Workaround:
Add the iRule LB::detach before enabling the server-side SSL using iRule SSL::enable at CLIENTSSL_HANDSHAKE in iRule-gw_in_t.tcl iRule that is attached to the virtual server when the sslo-inbound is created.
Fix:
BIG-IP now performs handshakes properly and can anticipate the desired outcomes.
Fixed Versions:
16.1.5
1346461-3 : Bd crash at some cases
Links to More Info: BT1346461
Component: Application Security Manager
Symptoms:
When bd uses an Openapi policy to handle a request, it may crash.
Conditions:
-- Openapi security policy;
-- Release contains fix of ID1190365.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fix:
Crash fixed.
Fixed Versions:
16.1.5
1346101-1 : SSL Orchestrator can crash TMM
Links to More Info: BT1346101
Component: Local Traffic Manager
Symptoms:
In rare circumstances, the use of the SSL Orchestrator split session filter crashes TMM.
Conditions:
SSL Orchestrator in use.
Impact:
TMM crashes.
Workaround:
None
Fix:
TMM does not crash anymore.
Fixed Versions:
16.1.5
1345997-2 : Very large number of custom URLs in SWG can impact performance.
Links to More Info: BT1345997
Component: Access Policy Manager
Symptoms:
High TMM CPU usage. Inability to support expected number of connections.
Conditions:
- SWG and APM provisioned.
- Large numbers of glob pattern matches in custom URL categories, e.g. tens of thousands.
- Bulk of the matches are similar to "*://www.hostname.com" or "http://*.domain.com"
Impact:
Degraded TMM performance.
Workaround:
None
Fixed Versions:
16.1.5
1345989 : "Rest framework is not available" being displayed when navigating to the "Device Management >> Overview" page
Links to More Info: BT1345989
Component: TMOS
Symptoms:
Com.f5.rest.workers.storage.ThreadPoolStorageRequestProcessorjava.lang.OutOfMemoryError: Java heap space
Conditions:
Under HA pair setup, over the period of 6 months or more, the device-discovery-tasks accumulate, causing restjavad to fail repeatedly, once every 20 seconds, logging the message: "com.f5.rest.workers.storage.ThreadPoolStorageRequestProcessorjava.lang.OutOfMemoryError: Java heap space".
Impact:
REST Framework not being available, causing the "Device Management >> View" screen to show failure.
Workaround:
Run clear-rest-storage once a week and try increasing the restjavad.extramb BIGdb variable from 192 to 768.
Fix:
The REST Framework no longer becomes unavailable.
Fixed Versions:
16.1.5
1341849 : APM- tmm core SIGSEGV in saml artifact usage
Links to More Info: BT1341849
Component: Access Policy Manager
Symptoms:
This can occur while processing SAML traffic.
Conditions:
SAML configured with artifact usage in idp.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm core related to SAML artifact usage.
Fixed Versions:
16.1.5
1338993-2 : Failing to fetch the installed RPM, throwing an error Object contains no token child value
Links to More Info: BT1338993
Component: TMOS
Symptoms:
This issue is caused as generation of tokens for root user is restricted because root user is an internal user.
An error is displayed when trying to fetch the list of global installed RPM packages using below tmsh command which makes a REST call to fetch the list by passing an authenticated token to get the authorization:
tmsh list mgmt shared iapp global-installed-packages
Conditions:
This issue occurs when a few iApps are installed and used by customer from BIG-IP and while trying to read the information of the installed packages on BIG-IP using a tmsh command.
Impact:
Limits the generation of token for root user, which subsequently impacts fetching list of global installed RPMs on BIG-IP and also cannot validate whether installation of package is successful or not from tmsh end.
Workaround:
After the package is installed, to get the list of packages installed use the following REST call instead of the tmsh command:
restcurl /shared/iapp/package-management-tasks/12a8b01c-acba-45cb-a03e-644f15fbe8f7
{
Fix:
Unrestricted the token generation for a root user which will enable fetching the list of installed packages.
Fixed Versions:
17.1.1, 16.1.5
1338837 : [APM][RADIUS] Support Framed-IPv6-Address in RADIUS Accounting STOP message
Links to More Info: BT1338837
Component: Access Policy Manager
Symptoms:
When the VPN tunnel is terminated, 'Radius Accounting-Request (STOP)' does not include AVP Framed-IP-Address when the Network Access resource is configured with IPv4 & IPv6.
Conditions:
This issue occurs under the following conditions:
-- Network Access resource is configured with both IPv4 and IPv6.
-- PPP IP address can be either static (obtained from RADIUS) or dynamic (obtained from the lease pool).
-- Using an Edge client or a browser.
-- VPN tunnel is terminated.
Impact:
APM sends a 'Radius Accounting-Request (STOP)' that does not include the AVP Framed-IP-Address.
Workaround:
Configure only IPv4 IP addresses for the Network Access resource.
Fix:
Include Framed IPv6 Address in RADIUS Acct STOP message when assigned clientip is IPv6.
Fixed Versions:
16.1.5
1332769-2 : Wildcard order incorrect for JSON Policy Import
Links to More Info: BT1332769
Component: Application Security Manager
Symptoms:
When importing a JSON policy, the wildcard order is set incorrectly (in reverse).
Conditions:
Import JSON policy and inspect the wildcard order of the file types in the policy.
Impact:
The Wildcard order is incorrect.
Workaround:
None
Fix:
The order of the wildcard is correctly set in the policy. (excepting the pure wildcard "*" remains last).
Fixed Versions:
16.1.5
1330473-2 : Response_log_rate_limit is not applied
Links to More Info: BT1330473
Component: Application Security Manager
Symptoms:
Response_log_rate_limit is not applied in a certain scenario
Conditions:
Response logging is enabled
Impact:
Response_log_rate_limit is not applied to response logging in the certain scenario.
Workaround:
Disable response logging
Fixed Versions:
16.1.5
1329893-1 : TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection based on IP, when an HTTP/2 request is sent
Links to More Info: BT1329893
Component: Application Security Manager
Symptoms:
TMM crashes, when HTTP/2 and DoSL7 profiles are enabled on virtual server, and DoS protection is disabled based on IP using an iRule. This occurs while sending an HTTP/2 request to the above configured virtual server.
Conditions:
- HTTP/2 and DoSL7 profiles are enabled on virtual server
- DoSL7 disabled using iRule based on IP
- HTTP/2 request is sent to virtual server.
Impact:
TMM crashes, traffic disruption can occur.
Workaround:
None
Fixed Versions:
16.1.5
1329477-2 : Auto-initialization does not work with certain MRF connection-mode
Links to More Info: BT1329477
Component: Service Provider
Symptoms:
When using certain connection-mode, no connections are initiated automatically to the peer server.
Conditions:
The following connection mode will not take auto-initialization into account: per-peer-alternate-tmm
Only these will:
per-peer
per-blade
per-tmm
Impact:
Auto-init not working
Workaround:
If possible, use other connection-mode for which auto-initialization is working.
Fixed Versions:
17.1.1, 16.1.5
1329065-1 : Hostname violation when hostname starts with multiple 0's
Links to More Info: BT1329065
Component: Application Security Manager
Symptoms:
Request blocked with "bad hostname violation".
Conditions:
Enable bad hostname violation.
Impact:
Request is blocked.
Fixed Versions:
16.1.5
1328433 : TMM cores while using VPN with ipv6 configured
Links to More Info: BT1328433
Component: Access Policy Manager
Symptoms:
TMM cores.
Conditions:
VPN configured for both ipv4 and ipv6.
Impact:
Traffic disrupts when TMM cores.
Fixed Versions:
16.1.5
1326501-2 : Configure DAG fold_bits to improve connection distribution
Links to More Info: BT1326501
Component: TMOS
Symptoms:
Some traffic patterns can cause traffic to be pinned to one CPU.
Conditions:
When there are very limited number of client and server IP addresses.
Impact:
Traffic is not loaded equally to all tmm's which causes tmm pinning. Frequent warning messages of connection limit reached observed though the Current Connections showed lesser value than the connection-limit configured for the virtual server.
Workaround:
None
Fix:
Configure DAG fold_bits to improve connection distribution
using sys db dag.hash.fold.bits.
Restart the services after modifying the sys db value.
Fixed Versions:
16.1.5
1324745-2 : An undisclosed TMUI endpoint may allow unexpected behavior
Links to More Info: K000135689, BT1324745
1322973-2 : A particular sequence of HTTP packets may cause TMM to crash
Component: Local Traffic Manager
Symptoms:
Tmm crashes and restarts
Conditions:
A basic http virtual server with rfc-compliance enabled in http profile and client sending the request with headers more than the max-header-count, results in crash under rare conditions
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
Tmm does not crash anymore.
Fixed Versions:
16.1.5
1322701-3 : Vulnerability scanner reports BIG-IP is disclosing sensitive information
Component: TMOS
Symptoms:
Log in to BIG-IP GUI as an administrator role user, then log in to client2. There is no need to log in or access the login.jsp page, observe that the "previousUsername" variable is still populated with the administrator role user's name.
Conditions:
When the first user logged in as admin and logged off without closing the browser or tab.
Impact:
A malicious attacker may be able to enumerate the administrator role users in the BIG-IP and try logging in with known passwords, potentially taking over the BIG-IP.
Workaround:
None
Fix:
Encoded enter username by creating a Base64-encoded ASCII string from a binary string and made the attribute "prevun" hidden in tmui/login/index.jsp.
Fixed Versions:
16.1.5
1322497-2 : GTM monitor recv string with special characters causes frequent iquery reconnects
Links to More Info: BT1322497
Component: Global Traffic Manager (DNS)
Symptoms:
Resources flap, frequent iquery reconnects occur.
Logs similar to this:
err gtmd[12952]: 011ae0fa:3: iqmgmt_receive: SSL error: SSL read (6)
err gtmd[12952]: 011ae0fa:3: During SSL shutdown: SSL error: SSL_ERROR_SYSCALL (5)
err gtmd[12952]: 011ae0fa:3: iqmgmt_receive: SSL error: SSL read (6)
err gtmd[12952]: 011ae0fa:3: During SSL shutdown: SSL error: SSL_ERROR_SYSCALL (5)
012b2004:4: XML parsing error not well-formed (invalid token) at line 3810
012b2004:4: XML parsing error not well-formed (invalid token) at line 7719
012b2004:4: XML parsing error not well-formed (invalid token) at line 16837
012b2004:4: XML parsing error not well-formed (invalid token) at line 298
Conditions:
GTM monitor recv string containing special characters like below:
recv "\{\x94status\x94:\x94UP\x94"
Impact:
--Monitor flaps.
--Frequent iquery reconnects.
Workaround:
No special characters in GTM recv string.
Fixed Versions:
16.1.5
1321713-2 : BIG-IP Rewrite Profile GUI and URI Validation is inconsistent
Links to More Info: K000135858, BT1321713
Component: Access Policy Manager
Symptoms:
The rewrite profile GUI and Validation is inconsistent.
New rewrite UI displays in the following navigation:
Rewrite Profile (Local Traffic --> Profiles --> Services --> Rewrite), and click on Create button.
Old rewrite UI displays in the following navigation:
Virtual Server (Local Traffic --> Virtual Servers --> Virtual Server List), and click on the Create button.
Conditions:
Create rewrite profile
Impact:
Creating Virtual servers will show old rewrite UI and URI Validations.
Workaround:
None
Fixed Versions:
16.1.5
1320889-3 : Sock interface driver might fail to forward some packets.
Links to More Info: BT1320889
Component: TMOS
Symptoms:
Sock interface driver might drop packets that require reassembly/re-segmentation on one side of the connection. For example, when client-side is configured with tcp-nagle and the server-side sends a stream of multiple small packets.
This can increase latency on BIG-IP Virtual Edition on Azure when TSO/LRO is enabled.
Drops can be monitored by running the following command:
'tmctl -d blade tmm/ndal_tx_stats -w 300' column 'drop_rej_dd'.
Conditions:
-- sock driver. (See K10142141)
-- BIG-IP performing reassembly/re-segmentation on one side of the connection
Impact:
Some packets might never be forwarded by the BIG-IP system.
Workaround:
In some cases disabling Nagle Algorithm in TCP profile to avoid reassembly/re-segmentation might improve the performance.
Fixed Versions:
17.1.1, 16.1.5
1320389-1 : vCMP guest loses connectivity because of bad interface mapping
Links to More Info: BT1320389
Component: TMOS
Symptoms:
A vCMP guest is no longer able to receive traffic when packets arrive on a trunk interface from other slots.
Conditions:
-- A vCMP guest has a trunk interface with one interface on the same slot as the guest and another interface on another slot.
-- Another Guest on the same slot is provisioned with more cores, triggering a reboot of that slot
Impact:
Traffic disrupted to the vCMP guest
Workaround:
A reboot will resolve the issue.
Fixed Versions:
16.1.5
1319365-2 : Policy with external data group may crash TMM or return nothing with search contains
Links to More Info: BT1319365
Component: Local Traffic Manager
Symptoms:
TMM may crash or return no result found when there is one when using contains external data group.
Conditions:
External data group sets first to "starts-with" and then switch to "contains" may crash the TMM. If on the other hand, TMM is started with search "contains" from the start, no results may be found by policy even though there might be a result.
The is because, the external policy is not populated at all or entirely before the search happens. The starts-with works as it is populating on demand and is the reason and will partially populate it as needed, but when a switch to
"contains" happens, it expects it to be entirely populated.
Impact:
TMM crashes or result not found when there should be a result.
Workaround:
A workaround is possible if starts-with could be used instead of "contains".
Fix:
Search with "contains" will make sure the policy with external data group is entirely populated, avoiding the crash and making a search result successful if there is a match.
Fixed Versions:
17.1.1, 16.1.5
1317705-2 : TMM may restart on certain DNS traffic
Links to More Info: K000139037, BT1317705
1316529-3 : Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails with hidden DOS
Links to More Info: BT1316529
Component: Application Security Manager
Symptoms:
Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails. The machine stays offline.
Conditions:
This issue occurs when the hidden DOS profile exists.
Impact:
The machine stays offline and the update fails.
Workaround:
Change the error response page body from default to custom.
Fix:
Allow DOS hidden profile captcha default to be updated.
Fixed Versions:
17.1.1, 16.1.5
1316277-2 : Large CRL files may only be partially uploaded
Links to More Info: K000137796, BT1316277
Component: TMOS
Symptoms:
When updating a large CRL file in BIG-IP using tmsh, the file may only be partially read due to internal memory allocation failure.
Please note that the size of the CRL file causing this issue varies across hardware types, network bandwidth and usage, and system resources.
Conditions:
1. Using tmsh, a large CRL file is updated to an existing CRL.
2. This large CRL file is attached to multiple profiles.
3. The system is under heavy load
Impact:
When a large CRL file is attached to a profile, an update may indicate success when only a partial upload has occurred. Connections to VIP with this profile may have unexpected results, such as a certificate not being blocked as expected.
Workaround:
A large CRL file can be divided into smaller chunks and loaded into multiple profiles.
Fix:
If an error occurs during CRL upload or update, the profiles containing this partial CRL file will be invalidated and further connections to the VIP will be terminated. An error will be logged to /var/log/ltm whenever a CRL file read operation fails due to memory allocation.
The log received will look like:
01260028:2: Profile <profile name> - cannot load <CRL file location> CRL file error: unable to load large CRL file - try chunking it to multiple files.
Fixed Versions:
17.1.1, 16.1.4.2, 15.1.10.3
1315193-1 : TMM Crash in certain condition when processing IPSec traffic
Links to More Info: K000138728, BT1315193
1314301-2 : TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled
Links to More Info: K000137334, BT1314301
1313369-3 : Significant performance drop observed for DNS cache validating resolver for responses with indeterminate and insecure validation status
Links to More Info: BT1313369
Component: Global Traffic Manager (DNS)
Symptoms:
Performance drop observed when changing DNS cache resolver to validating resolver for responses with indeterminate and insecure validation status.
To know more about the validation status, check RFC 4035 (section 4.3).
Conditions:
- Create a DNS cache validating resolver.
- Ensure the responses are with Indeterminate and Insecure validation status.
- Observe the performance as compared to responses with secured validation status.
Impact:
Performance of validating resolver will be less than expected.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1312225-2 : System Integrity Status: Invalid with some Engineering Hotfixes
Links to More Info: BT1312225
Component: TMOS
Symptoms:
After installing an Engineering Hotfix,
when to attempt to verify the TPM system integrity with either the "tpm-status" or "tmsh run sys integrity status-check" command, the following error massage may appear:
System Integrity Status: Invalid
Running the "tpm-status" command with a Verbosity of 1 (or greater) reveals the following detail:
Verifying system integrity...
...
The signature in 17 is valid
Output wrong commandline parameters
cmdline is *ro ima_hash=sha256 mce=ignore_ce *
The pcr value in 17 is invalid.
...
System Integrity Status: Invalid
Conditions:
This may occur if the Engineering Hotfix contains changes which cause the following packages to be included in the Engineering Hotfix ISO:
-- sirr-tmos
-- tboot
But the Engineering Hotfix ISO does not contain the following package:
-- nash-initrd
The contents of the Engineering Hotfix ISO can be checked using the 'isoinfo' utility:
isoinfo -Rf -i <path/to/Hotfix-*.iso> | grep -e sirr -e tboot -e nash
Impact:
The TPM System Integrity Status is shown as Invalid.
This may incorrectly suggest that system integrity has been compromised.
Fixed Versions:
16.1.5
1312145-1 : Bcdatabase file gets truncated, deleted and re-downloaded in a loop
Links to More Info: BT1312145
Component: Policy Enforcement Manager
Symptoms:
Bcdatabase file gets truncated, deleted and re-downloaded in a loop due to BcMd5ChecksumFile function isn't calculating the expected checksum properly and causing the bcdatabase file to re-download in a continuous loop.
Conditions:
The expected checksum does not match the checksum calculated by BcMd5ChecksumFile function.
Impact:
The bcdatabase file downloading fails.
Workaround:
None
Fix:
Fixing the BcMd5ChecksumFile function to calculate the expected checksum properly.
Fixed Versions:
16.1.5
1312105-2 : The tmm/ehash_stat inuse field for listener name hash is incremented but not decremented
Links to More Info: BT1312105
Component: Local Traffic Manager
Symptoms:
The tmm/ehash_stat inuse field for listener name hash is incremented but not decremented.
Conditions:
When a virtual server is added or removed or changed.
Impact:
Cosmetic issue
Workaround:
None
Fix:
The stat is now decremented properly
Fixed Versions:
16.1.5
1312057-1 : bd instability when using many remote loggers with Arcsight format
Component: Application Security Manager
Symptoms:
When using multiple arcsight remote loggers for an ASM policy, certain requests may cause bd to restart and leave a core file.
Conditions:
ASM policy is attached to VS.
Multiple remote storage loggers, using arcsight format are attached to vs.
Certain traffic patterns.
Impact:
bd will restart and leave a core file.
Workaround:
None.
Fix:
bd processes traffic as expected.
Fixed Versions:
17.1.1, 16.1.4
1312041 : Connection RST with reason "STREAM max match size exceeded" after upgrading to v16.1.x★
Links to More Info: BT1312041
Component: Local Traffic Manager
Symptoms:
After upgrading from version 15.1.8.2 to version 16.1.3.4, connections reset with reason "STREAM max match size exceeded"
Conditions:
1. Configure a virtual server with rewrite profile.
2. Configure an iRule with the stream profile.
Impact:
Connection resets causes traffic disturbance.
Workaround:
None
Fixed Versions:
16.1.5
1311561-1 : Unable to add Geo regions with spaces into blacklist, Error: invalid on shun entry adding
Links to More Info: BT1311561
Component: Advanced Firewall Manager
Symptoms:
Unable to add Geo regions with spaces into blacklist categories.
Ex: New South Wales, West Bengal.
However, we are able to add regions without spaces
Ex:Delhi.
Conditions:
Provision AFM license and try to add any geo regions having spaces into blacklist category.
Impact:
Cannot mitigate traffic from the above particular Geo regions.
Workaround:
No Workaround
Fix:
After the code fix, we are able to add the above regions and mitigate traffic.
Fixed Versions:
17.1.1, 16.1.5
1311253-3 : Set-Cookie header has no value (cookie-string) in server-side, due to asm.strip_asm_cookies
Links to More Info: BT1311253
Component: Application Security Manager
Symptoms:
Set-Cookie header has no value (cookie-string) in server-side.
Conditions:
- asm.strip_asm_cookies is enabled.
- Cookie header from client has TS cookie(s) that are the only cookie.
Impact:
Cookie header without value (cookie-string) is sent to server-side
Workaround:
Use an iRule to delete Cookie header in the server-side.
Fixed Versions:
16.1.5
1311169-3 : DNSSEC response is not signed when failure-rcode-response is enabled and no record is returned
Links to More Info: BT1311169
Component: Global Traffic Manager (DNS)
Symptoms:
DNS response is not signed for DNSSEC zone for DNSSEC request.
Conditions:
1. A DNSSEC zone exists.
2. Return Code on Failure is enabled and SOA Negative Caching TTL is set to 0.
3. A query hits that wideIP and does not get a pool member selected.
Impact:
DNS response is not signed.
Workaround:
SOA Negative Caching TTL set to a number larger than 0.
Fixed Versions:
17.1.1, 16.1.5
1311125-3 : DDM Receive Power value reported in ltm log is ten times too high
Links to More Info: BT1311125
Component: TMOS
Symptoms:
The BCM56xxd process reports erroneous Receive Power value for an interface when Digital Diagnostics Monitoring (DDM) is enabled. The reporting within /var/log/ltm is erroneous by shifting a decimal point and is off by a factor of 10:
2023-06-14T17:10:35.282+00:00 bigip1 err bcm56xxd[11534]: 012c0017:3: DDM interface:2.2 receive power too high warning. Receive power:7.7933 mWatts
The "show /net interface-ddm" output for this interface displays a different value:
Digital Diagnostic Monitoring Interface:2.2
Laser Transmit and Receive Power Value
Receive Power1 0.7904mW -1.02dBm
Conditions:
DDM is enabled with the "ddm.bcm56xxd.enable" db variable:
sys db ddm.bcm56xxd.enable {
value "enable"
}
Impact:
Incorrect Receive Power value is recorded in warning logs.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1311053-2 : Invalid response may be sent to a client when a http compression profile and http analytics profile attached to a virtual server
Links to More Info: BT1311053
Component: Local Traffic Manager
Symptoms:
The number 617 and a script is included in the beginning of an HTTP response that is sent to a client.
Conditions:
-- Both the http compression profile and http analytics profile are attached to a virtual server
-- The server replies with a chunked response
Impact:
An invalid HTTP response is sent to the client.
Workaround:
None
Fixed Versions:
16.1.5
1308269 : OpenSSL vulnerability CVE-2022-4304
Links to More Info: K000132943, BT1308269
1307517-2 : Allow SIP reply with missing FROM
Links to More Info: BT1307517
Component: Service Provider
Symptoms:
SIP Reply with a missing FROM in the header is dropped.
Conditions:
- SIP header not compliant with RFC requirement that a FROM must be present.
Impact:
SIP reply drop impacts the client not getting a response.
Workaround:
None
Fix:
Set allow-unknown-methods to be enabled in the SIP session profile, which relaxes the SIP parser to allow unknown SIP messages to be used.
Fixed Versions:
17.1.1, 16.1.5
1306249-1 : Hourly spike in the CPU usage causing delay in TLS connections★
Links to More Info: BT1306249
Component: Local Traffic Manager
Symptoms:
1. An hourly spike in CPU usage occurs.
2. TMM Idle enforcer gets activated.
3. Users may complain of slow connections once per hour, or timeouts may occur briefly once per hour.
Conditions:
This issue occurs when the Clientssl profile is assigned to a virtual server and passing traffic. This happens during the normal operation while running an affected software version.
Impact:
TMM CPU Usage goes high for about one second, which may cause a delay in traffic handling, and the Idle Enforcer gets activated briefly.
Workaround:
When a workaround fix is applied via an EHF, a DB key is needed to be disabled for the fix to take effect.
tmm.ssl.useffdhe
It enables or disables the timely generation of FFDHE key pairs and the default value is set to true.
When the db variable is true (enabled), BIG-IP will generate FFDHE key pairs periodically as usual.
When the db variable is false (disabled), BIG-IP will disable the periodic generation of FFDHE key pairs of size >= 2048 bits. If ClientHello sends only DH groups during handshake to a virtual server, and BIG-IP is configured with tmm.ssl.useffdhe = false, then BIG-IP can still provide the FFDHE key pair for the handshake through the DH key pair available in the cache if any, or offload the request to software crypto.
To enable the fix post-EHF installation, you should run
$ tmsh modify sys db tmm.ssl.useffdhe value false
Fix:
A new db variable is introduced in the fix - tmm.ssl.useffdhe
It enables or disables the timely generation of FFDHE key pairs and the default value is set to true.
When the db variable is true (enabled), BIG-IP will generate FFDHE key pairs periodically as usual.
When the db variable is false (disabled), BIG-IP will disable the periodic generation of FFDHE key pairs of size >= 2048 bits. If ClientHello sends only DH groups during handshake to a virtual server, and BIG-IP is configured with tmm.ssl.useffdhe = false, then BIG-IP can still provide the FFDHE key pair for the handshake through the DH key pair available in the cache if any, or offload the request to software crypto.
Fixed Versions:
16.1.5
1305697-3 : TMM may crash after performing a full sync, when in-tmm monitors are configured and ssl-profile is changed
Links to More Info: BT1305697
Component: Local Traffic Manager
Symptoms:
TMM may crash after performing a full sync
Conditions:
- In-tmm monitors are configured (bigd.tmm = enable)
- Full sync is performed
- Monitors are using a custom ssl profile
- The ssl profile was changed as part of the full sync.
Impact:
Traffic disrupted on the BIG-IP that recieved the config sync while tmm restarts.
Workaround:
Disable in-tmm monitors, and avoid performing a full sync after modifying in-tmm ssl monitors.
Fixed Versions:
17.1.1, 16.1.5
1305361-2 : Flows that are terminated by an ILX streaming plugin may not expire immediately
Links to More Info: BT1305361
Component: Local Traffic Manager
Symptoms:
Flows that are terminated from a plugin may not shutdown/expire properly until expiry timeout which leads to bloating of the flow table
Conditions:
-- ILX streaming plugin configured
-- Connection close initiated from the plugin (flow.client.end)
Impact:
Flows will stay in the table till expiry and may bloat up the flow table
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1305329 : HTTP iRule event HTTP_REQUEST_DATA is triggered even though there is no data collected via HTTP::collect command.
Links to More Info: BT1305329
Component: Local Traffic Manager
Symptoms:
When an HTTP request does not have any payload, and nothing is collected from HTTP::collect but HTTP_REQUEST_DATA event is triggered on v16.1.x onwards but in v15.1.x it's not triggered.
Conditions:
-- iRule configured with HTTP::collect in HTTP_REQUEST event.
-- HTTP request does not contain any payload.
Impact:
Change in behavior due to unintended event trigger.
Workaround:
None
Fixed Versions:
16.1.5
1305125-2 : Ssh to localhost not working with ssh-rsa
Links to More Info: BT1305125
Component: TMOS
Symptoms:
The password prompt is not displayed when trying ssh to localhost.
Conditions:
1. Create test_user,
# tmsh create auth user test_user password abcde shell bash session-limit -1 partition-access replace-all-with { all-partitions { role admin } }
# tmsh save sys config
2. Try login localhost using test_user,
config # ssh test_user@localhost
config # --->!!!!! no password prompt shown up
Impact:
SSH to localhost will not work.
Workaround:
Ssh-rsa key was deprecated on 17.1.0,1 and need to replace/copy ECDSA key to ssh_known_hosts.
Replacing the RSA key in ssh_known_hosts with the ECDSA key.
sed -ie '/^localhost/s//#&/' /config/ssh/ssh_known_hosts; echo "locahost,localhost.localdomain $(cat /config/ssh/ssh_host_ecdsa_key.pub)" >> /config/ssh/ssh_known_hosts
Fixed Versions:
17.1.1, 16.1.5
1304957-6 : BIG-IP Edge Client for macOS vulnerability CVE-2023-5450
Links to More Info: K000135040, BT1304957
1304297-2 : A certain client sequence via MRF passthrough may cause TMM to core
Component: Service Provider
Symptoms:
If the client sends certain traffic through a SIP ALG VIP with passthrough enabled, MRF cores the TMM.
Conditions:
Client needs to send certain traffic pattern.
Impact:
TMM core
Fix:
MRF doesn't core TMM when certain traffic is played through a SIP ALG VIP with passthrough enabled
Fixed Versions:
16.1.5
1304289-2 : Pool member monitored by both GTM and LTM monitors may be erroneously marked Down
Links to More Info: BT1304289
Component: Local Traffic Manager
Symptoms:
A GTM or LTM pool member may occasionally be marked Down in error if it is being monitored by the same type of monitor with the same name as another LTM or GTM pool member with the same address and port.
Conditions:
This may occur if all of the following conditions are true:
-- A pool member for one module (GTM or LTM) has the same address and port as a pool member for a different module (LTM or GTM).
-- Both pool members are monitored by a monitor of one of the following types:
-- Microsoft SQL
-- MySQL
-- Oracle
-- PostgreSQL
-- lDAP
-- Radius
-- Radius-Accounting
-- Scripted
-- SIP
-- WAP
-- Both pool members are monitored by monitors of the same type (from the list above).
-- Both monitors have the same name (exact match).
Impact:
A GTM or LTM pool member may occasionally be marked Down in error.
Workaround:
To work around this issue, assign different names to GTM versus LTM health monitors of the same time (from the list of types above) that are used to monitor pool members for different modules with the same address and port values.
Fixed Versions:
17.1.1, 16.1.5
1304189-3 : Duplicate SYNs to a mirrored FastL4 virtual may result in connection failures
Links to More Info: BT1304189
Component: Local Traffic Manager
Symptoms:
If a duplicate SYN arrives on a connection before the SYN/ACK is processed and the connection is pushed into PVA, then when it is later evicted from PVA it may stop passing traffic and be reset with the RST cause "Handshake Timeout".
Conditions:
- PVA enabled
- Mirroring enabled
- Duplicate SYNs on the network
Impact:
Connection will stop passing traffic and resets when they are evicted from PVA.
Workaround:
Perform one of the following as a workaround:
- Disable PVA
- Disable mirroring
- Modify sys db tm.fastl4_ack_mirror value to Disable
- Modify sys db tm.fastl4_mirroring_taciturn value to Enable.
Fixed Versions:
17.1.1, 16.1.5
1303185-4 : Large numbers of URLs in url-db can cause TMM to restart
Links to More Info: BT1303185
Component: SSL Orchestrator
Symptoms:
TMM continuously restarts during startup.
Conditions:
This was seen when the url-db had about 64K glob URLs. Most of the globs were of the form "*foo*".
Impact:
TMM is unusable.
Workaround:
Large numbers of globs that start with the below should be OK:
".*://"
".*://.*\\."
Note that there should be no other special glob characters, so ".*://www.example.com" would be OK but ".*://www.example.com*" might not be.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1302869 : AFM is not accounting Nxdomain attack for TCP query
Links to More Info: BT1302869
Component: Advanced Firewall Manager
Symptoms:
AFM is not accounting NXDOMAIN query with tcp.
At the device level, NXDOMAIN stats are incorrect.
Conditions:
-- DNS cache is activated
-- An NXDOMAIN DoS vector occurs
Impact:
NXDOMAIN flood attack is not detected.
Workaround:
None
Fix:
AFM is now accounting Nxdomain attack for TCP query
Fixed Versions:
16.1.5
1302825-3 : Allow configuration of the number of times the CNAME chase is performed
Links to More Info: BT1302825
Component: Global Traffic Manager (DNS)
Symptoms:
The client receives a SERVFAIL when the CNAME queried to the BIG-IP DNS resolver takes more than the limit configured in the DNS Cache. The limit is set as 11 for BIG-IP v17.1.0 and later. It is fixed as 8 for earlier releases.
Conditions:
A BIG-IP DNS is configured as a resolver (as a cache or a net resolver). The domain of which CNAME resolution is asked requires chasing more times than what is pre-configured in the DNS Cache.
Impact:
The clients cannot resolve DNS names if the count of the CNAME chases goes beyond the limit configured in the DNS cache.
Workaround:
The providers whose CNAME is queried can be asked to keep chains shorter than the pre-configured limits (the limits vary between different versions of BIG-IP).
Fixed Versions:
17.1.1, 16.1.5
1302689-3 : ASM requests to rechunk payload
Links to More Info: BT1302689
Component: Application Security Manager
Symptoms:
ASM requests TMM to rechunk payload in following scenarios:
- Content-Length header was not found on response headers.
- Response with headers only.
Conditions:
Content-Length header is missing from the HTTP response.
Impact:
Transfer-Encoding: chunked header is added to the response.
Workaround:
None
Fix:
On "Fixed" versions, create an internal ASM parameter as "is_disable_rechunk" below and restart ASM service, which would then stop tagging "Transfer Encoding: Chunked" in the Response header.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1302677-4 : Memory leak in PEM when Policy is queried via TCL
Links to More Info: BT1302677
Component: Policy Enforcement Manager
Symptoms:
Memory leak of struct size ummem_alloc_112.
Conditions:
[PEM::session config policy get [IP::client_addr]]
If above configuration is present in irule/format script
and subscriber has ipv6 address.
Impact:
Memory leak of struct size ummem_alloc_112.
TMM may go out of memory, may restart and cause service disruption.
Workaround:
Avoid getting policy via tcl command for IPv6 subscriber.
Remove below configuration:
[PEM::session config policy get [IP::client_addr]]
Fix:
Code fixed to avoid memory leak.
cb_cookie object was not getting freed sometimes. Made sure its freed in all the required cases.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1302077-4 : Virtual address statistics being counted for different virtual address after changing the destination address of a virtual server
Links to More Info: BT1302077
Component: Local Traffic Manager
Symptoms:
After modifying the destination address of a virtual server to a new address, the virtual address statistics for subsequent traffic are still being tracked in the original virtual address.
Conditions:
-- Create the virtual server with a destination address
-- Change the destination address of a virtual server to new address
Impact:
Incorrect statistics will fail to reflect actual virtual address load.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1301197-3 : Bot Profile screen does not load and display large number of pools/members
Links to More Info: BT1301197
Component: Application Security Manager
Symptoms:
Bot Defense profile menu fails to display (it appears trying to load but it does not load).
Conditions:
Large number of pools, for example 2500 pools, and members configured on the box.
Impact:
Bot Profile screen cannot be loaded.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1300925-3 : Shared memory race may cause TMM to core
Links to More Info: BT1300925
Component: Local Traffic Manager
Symptoms:
TMM may core while managing shared memory segments.
Conditions:
Issue is observed during TMM startup.
Impact:
Rare shared memory related TMM cores.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1298161-2 : Ts_cookie_add_attrs is not effective with cookies that have non-root path or domain attribute
Links to More Info: BT1298161
Component: Application Security Manager
Symptoms:
Add_cookie_attributes bd internal is not effective with TS cookie if the server cookie has non-root path attribute or domain attribute.
Conditions:
The server cookie has non-root path or domain attribute.
Impact:
An internal parameter configuration is not working in a specific condition which can create some issues.
Workaround:
Https://community.f5.com/t5/technical-articles/irule-to-set-samesite-for-compatible-clients-and-remove-it-for/ta-p/278650
Fixed Versions:
16.1.5
1298133-3 : BFD sessions using floating self IP do not work well on multi-blade chassis
Links to More Info: BT1298133
Component: TMOS
Symptoms:
BFD sessions using floating self IP do not work well on multi-blade chassis. In an event of failure on a standby unit sessions might become unstable on an active unit.
Conditions:
- Multi-blade VIPRION chassis configured in high availability (HA) setup.
- BFD sessions configured from floating self IPs.
- Standby blade experiences any sort of failure. For example, tmm/tmrouted crash; cmp transistion.
Impact:
Standby blade might start sending BFD packets causing BFD session flaps on an active unit.
Workaround:
Restart tmrouted on a blade that is incorrectly sending BFD packets.
Fixed Versions:
16.1.5
1298029-3 : DB_monitor may end the wrong processes
Links to More Info: BT1298029
Component: Local Traffic Manager
Symptoms:
If there are a lot of LTM or GTM database monitors in use, then the DB_monitor process may, in extremely rare circumstances, inadvertently end the processes that are not intended to be stopped.
Conditions:
Many database monitors, frequent PID reuse. This should be extremely rare.
Impact:
Some linux processes may unexpectedly end.
Workaround:
Preiodically clean up with PID files:
find /var/run/ -iname \*SQL__* -mtime +1 -exec rm -vf '{}' ';'
and/or increase the number of available Linux PIDs:
echo 4194304 > /proc/sys/kernel/pid_max
Fixed Versions:
17.1.1, 16.1.5
1297257-2 : Pool member Forced Offline then Enabled is marked down on peer after Incremental sync
Links to More Info: BT1297257
Component: TMOS
Symptoms:
When a Pool Member has been marked Forced Offline then later marked Enabled on one member of the Device Group, the Pool Member may be marked Down on Device Group members other than the member where the Pool Member was marked Enabled.
On the BIG-IP system (Device Group member) where the Pool Member was marked Enabled, the Pool Member's status will be marked correctly according to its actual state, as determined by the Health Monitor configured for the affected Pool or Pool Member.
Conditions:
This issue occurs on BIG-IP versions where ID1095217 is fixed for the following conditions:
-- Multiple BIG-IP systems are configured in a Sync-Failover Device Group
-- The Device Group is configured for Incremental sync
-- A pool member or the parent Node has been marked Forced Offline
-- A Health Monitor is configured for the pool or pool member
-- The same monitor assigned to the pool member is not set to the rule for LTM default-node-monitor
-- The pool member or its parent Node is later marked as Enabled on one member of the Device Group
-- This change is synced to the Device Group (either manually or automatically, through Incremental sync, not Full sync)
Impact:
The affected pool member does not receive traffic as expected as the other Device Group members.
-- If the pool member is re-enabled on the Standby member, traffic on the Active member will not be sent to the pool member.
-- If the pool member is re-enabled on the Active member, traffic on the Standby member will not be sent to the pool member if the Active member fails over to the Standby member.
Workaround:
Perform one of the following actions as a workaround:
Option 1:
-- Perform a Full sync to the Device Group from the Device Group member with the correct pool member status.
Option 2:
-- Set the pool member as Disabled
-- Sync the change with the Device Group
-- Set the pool member Enabled
-- Sync the change with the Device Group
Option 3:
-- Remove the configured Health Monitor from the affected pool or pool member.
Note: If the Health Monitor is removed from the pool, all pool members may become unavailable, halting new connections to pool members.
-- Sync this change to the Device Group.
-- Add the previously configured Health Monitor back to the pool or pool member.
-- Sync the change to the Device Group.
Option 4:
Do not use WebUI for Force Offline or Enable. But, use the following TMSH command with the ‘replace-all-with’ option to set Force Offline/Enable.
For example:
tmsh modify ltm pool http_pool { members replace-all-with { 10.xx.xx.xx:yy { session user-disabled state user-down } } }
tmsh modify ltm pool http_pool { members replace-all-with { 10.xx.xx.xx:yy { session user-disabled state user-up } } }
Note: Option 4 does not resolve the issue; it prevents the issue from occurring.
Fix:
The pool member status is now correctly synced to other Device Group members after being Forced Offline and then Enabled on one Device Group member.
This fix causes a return of ID1095217 on versions where ID1095217 had previously been Fixed.
Fixed Versions:
16.1.5
1297089-3 : Support Dynamic Parameter Extractions in declarative policy
Links to More Info: BT1297089
Component: Application Security Manager
Symptoms:
When a policy is exported in JSON format, the dynamic parameter extractions configuration is not exported to the policy file and when it is imported back into the policy, the dynamic extraction configuration is lost.
Conditions:
Policy contains Dynamic parameter extraction and it is exported in JSON format.
Impact:
Dynamic extraction configuration is lost.
Workaround:
Export the policy in xml or binary format.
Fix:
Added support in JSON policy also to dynamic parameter extractions.
Fixed Versions:
17.1.1, 16.1.4
1296553-1 : Include RQM Debug registers in hsb_snapshot for B2250 blade
Links to More Info: BT1296553
Component: TMOS
Symptoms:
RQM debug registers have been implemented in some recent HSB bitstreams for VIPRION B2250 blades to aid in troubleshooting certain HSB-specific issues.
Updates are required to display these registers in the "hsb_snapshot" tool.
Conditions:
-- VIPRION B2250 blades
-- HSB bitstreams for B2250 blades which implement RQM debug registers, including:
-- HSB v2.8.7.0 bitstream for v14.1.x
-- HSB v2.12.4.0 bitstream for v16.1.x
Impact:
Unable to obtain RQM debugging data from HSB bitstreams on VIPRION B2250 blades.
Fix:
RQM debug register contents are now displayed in the "hsb_snapshot" tool for HSB bitstreams which implement these registers for VIPRION B2250 blades.
Fixed Versions:
16.1.5
1296489-3 : ASM UI hardening
Links to More Info: K000138047, BT1296489
1296469-2 : ASM UI hardening
Component: Application Security Manager
Symptoms:
The ASM UI does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
NA
Fix:
The ASM UI now follows best security practices.
Fixed Versions:
17.1.1, 16.1.4
1295661-2 : BIG-IP Edge Client for macOS vulnerability CVE-2023-38418
Links to More Info: K000134746, BT1295661
1295565-3 : BIG-IP DNS not identified in show gtm iquery for local IP
Links to More Info: BT1295565
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP DNS is not identified in show gtm iquery for local IP.
Conditions:
The connection between local big3d and gtmd gets backlogged;
or
The connection between local big3d and gtmd gets reset.
Impact:
TMSH show gtm iquery does not show correct server type.
Workaround:
Restart big3d.
Fixed Versions:
17.1.1, 16.1.5
1295481-2 : FIPS keys are not restored when BIG-IP license is renewed after it expires
Links to More Info: BT1295481
Component: TMOS
Symptoms:
FIPS key are deleted
Conditions:
An expired license is renewed on the BIG-IP system.
Impact:
FIPS keys are deleted and cannot be used
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1295057-3 : Installation of Attack Signatures file reported as fail after 1 hour
Links to More Info: BT1295057
Component: Application Security Manager
Symptoms:
Installation of Attack Signatures file reported as fail after 1 hour. Installation process finished successfully including apply new signatures to all active policies after more than 1 hour, but reported as fail because of 1 hour of timeout.
Conditions:
Installing attack signatures with high number of active policies or high number of user defined signature sets.
Impact:
ASU file installation failed while installation successfully finished.
Workaround:
None
Fix:
Attack signature update will be done asynchronously now. The timeout is increased to 120 minutes.
Fixed Versions:
16.1.5
1295017-4 : TMM crash when using MPTCP
Links to More Info: K000138477, BT1295017
1295009-1 : "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data
Links to More Info: BT1295009
Component: Application Security Manager
Symptoms:
JSON schema validation fails when concurrent requests occur with the same JSON data.
Conditions:
Concurrent HTTP requests contain the same JSON data.
Impact:
JSON schema validation fails.
Workaround:
None
Fix:
JSON schema validation does not fail in case of concurrent requests with same JSON data.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1294993 : URL Database download logs are not visible
Links to More Info: BT1294993
Component: Access Policy Manager
Symptoms:
DB download happens either at regular intervals or when explicitly requested by the user. Download status should be visible as part of apm logs and currently, those are missing.
Conditions:
Urldb configured
Impact:
Database download status information will be unknown.
Fix:
- Removing the obsolete DB variables that were used for apm logging, also led to the removal of the log configuration for swg that is being used by urldb and urldbmgrd for logging.
- Updated swg member in the apm log configuration structure during initialization and run-time execution.
Fixed Versions:
17.1.1, 16.1.5
1294289-2 : SSL Persist leaks memory on when client and server hello exceeds MSS
Links to More Info: BT1294289
Component: Local Traffic Manager
Symptoms:
TMM memory leak growing linearly with Aggressive Reaper activated.
Conditions:
This issue occurs under the following conditions:
- SSL persistence should be configured in the virtual server.
- Small client-side MSS.
Impact:
TMM cores are observed during memory leaks.
Workaround:
None
Fix:
None
Fixed Versions:
16.1.5
1294109-3 : MCP does not properly read certificates with empty subject name
Links to More Info: BT1294109
Component: TMOS
Symptoms:
A certificate that is not a CA certificate that does not have subject populated is valid if it contains subject alternative name, but missing subject is treated as invalid.
Conditions:
- Create a certificate with an empty subject by setting the
subject alternative name.
Impact:
MCP does not show certificate details and GUI details suggest that the certificate is self-signed.
Workaround:
None
Fixed Versions:
16.1.5
1293193-2 : Missing MAC filters for IPv6 multicast
Links to More Info: BT1293193
Component: TMOS
Symptoms:
Certain drivers are missing MAC filters for multicast. This prevents TMM from receiving messages sent to All Nodes and All Routers addresses.
Conditions:
- BIG-IP VE
- Using TMM's IAVF driver
Impact:
TMM does not receive multicast messages and traffic sent to All Nodes and All Routers, dropping potentially vital packets.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1292793-3 : FIX protocol late binding flows that are not PVA accelerated may fail
Links to More Info: BT1292793
Component: Local Traffic Manager
Symptoms:
FastL4 connections with late binding enabled typically used for FIX protocol can stall or hang if they are evicted from PVA and not re-offloaded.
Conditions:
- Late binding enabled on a FastL4 flow. The flow is not accelerated, and if the flow recieves approximately 50 packets, then it will hang. Captures would show packets ingressing to the BIG-IP and not being forwarded to the peer.
Impact:
Connection may stall.
Workaround:
Disable late binding. If late binding cannot be disabled, then
disable pva-flow-aging and pva-flow-evict to avoid the issue.
Fix:
FIX protocol flow works as expected.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1292685-2 : The date-time RegExp pattern through swagger would not cover all valid options
Links to More Info: BT1292685
Component: Application Security Manager
Symptoms:
Some valid hours option would not match the Regular Expression (RegExp).
Conditions:
Creating a policy using swagger file and uploading a swagger file which contains parameter in date time format.
Impact:
Valid hours options 10 and 19 would not match the RegExp.
Workaround:
Manually fix the regular expression in the parameter
from:
'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))T(0\d|2[0-3]):([0-5]\d):([0-5]\d)(\.\d+)?(Z|((\+|-)(0\d|2[0-3]):([0-5]\d)))$'
to:
'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))T(0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d)(\.\d+)?(Z|((\+|-)(0\d|1\d|2[0-3]):([0-5]\d)))$'
Fix:
The date-time regular expression for swagger is fixed and now suppose to cover all valid options.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1292645-2 : False positive CORS violation can occur after upgrading to 17.1.x under certain conditions★
Links to More Info: BT1292645
Component: Application Security Manager
Symptoms:
CORS violation can start appearing after upgrading to 17.1.x.
Conditions:
1) CORS violation is enabled.
2) CORS configuration is done with port 80 on a particular URL.
3) Request with URL from step 2 which BIG-IP receives, is of HTTPS type.
Impact:
Requests with HTTPS protocol can get blocked with CORS violation.
Workaround:
Change configured CORS port to 443 for URLs that receive HTTPS traffic.
Fix:
Added a new bd internal variable "cors_default_port_80" which can be used to allow HTTPS traffic with CORS port configured as 80.
Fixed Versions:
17.1.1, 16.1.5
1292493 : Enforcement of non-approved algorithms in FIPS or Common Criteria mode.
Links to More Info: BT1292493
Component: TMOS
Symptoms:
FIPS and Common Criteria require that only FIPS-approved algorithms be used for keys.
Conditions:
OpenSSH used in FIPS or Common Criteria mode.
Impact:
OpenSSH accepts non-approved algorithms in FIPS or Common Criteria mode.
Workaround:
None
Fix:
The allowed cipher list is changed to allow only FIPS-Approved algorithms.
Fixed Versions:
16.1.5
1292141-1 : TMM crash while processing myvpn request
Links to More Info: BT1292141
Component: Access Policy Manager
Symptoms:
TMM crashes while processing traffic on the virtual server.
Conditions:
Network Access resource is configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1292093 : Neuron based HW SYN cookie broken due to ZBDDOS feature porting to 16.1.x
Links to More Info: BT1292093
Component: Advanced Firewall Manager
Symptoms:
In 16.1.x, Neuron based HW SYN cookie is broken.
Conditions:
-- Neuron-equipped hardware (BIG-IP iSeries)
-- Configure TCP Half Open at profile level.
-- Send Traffic.
-- Check HW SYN Cookies.
Impact:
This breaks the HW SYN cookie functionality
Workaround:
None
Fix:
Updates are implemented to return the correct parameters and HW SYN Cookie is working fine
Fixed Versions:
16.1.4
1291565-2 : BIG-IP generates more multicast packets in multicast failover high availability (HA) setup
Links to More Info: BT1291565
Component: Local Traffic Manager
Symptoms:
BIG-IP generates additional high availability (HA) multicast packets when the device name is changed.
Running the following commands shows the duplicate multicast entries on mgmt:mgmt interface on /var/log/sodlog file
# /usr/bin/cmd_sod get info
Conditions:
-- BIG-IPs configured with Multicast failover .
-- The self-device name is changed.
Impact:
BIG-IP multiplies the number of multicast packets when the device name is changed.
Workaround:
Restarting the sod would remove the duplicate multicast entries.
#bigstart restart sod
Fix:
Cleanup the multicast entries populated on old device name when the name is updated.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1291217-1 : EasySoap++-0.6.2 is not coded to add an SNI
Links to More Info: BT1291217
Component: TMOS
Symptoms:
Microsoft Azure has a firewall that blocks any outgoing TLS ClientHello without the SNI extension.
This causes our clients to be unable to orchestrate F5 VMs as they cannot successfully license the device automatically.
Conditions:
Clients using our devices on Azure cannot automatically license the device via f5-bigip-runtime-init using the command: /usr/bin/tmsh install /sys license registration-key ${LICENSE_KEY}
Impact:
Cannot successfully license the device automatically.
Fix:
Updated EasySoap++-0.6.2 with SNI fix
Fixed Versions:
16.1.5
1291149-3 : Cores with fail over and message routing
Links to More Info: BT1291149
Component: Service Provider
Symptoms:
Seg faults for an active unit in an high availability (HA) pair when it goes to standby.
Conditions:
- Generic message routing is in use.
- high availability (HA) pairs
- This issue is observed when generic messages are in flight when fail over happens but there is some evidence that it can happen without fail over.
Impact:
This is a memory corruption issue, the effects are unpredictable and may not become visible for some time, but in testing seg faults leading to a core were observed in the device going to standby within 10-25s of the device failing over. This happened roughly for about 50% of the time but the effect will be sensitive to memory layout and other environmental perturbations.
Workaround:
None
Fix:
The MR message store iteration is fixed, no corruption or cores observed.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1290889-4 : TMM disconnects from processes such as mcpd causing TMM to restart
Links to More Info: K000134792, BT1290889
Component: TMOS
Symptoms:
When tunnels are in use on the BIG-IP, TMM may lose its connection to MCPD and exit and restart. At the time of the restart, a log message similar to the following will be seen in /var/log/ltm:
crit tmm6[19243]: 01010020:2: MCP Connection expired, exiting
When this occurs, in a default configuration, no core file is generated.
TMM may also disconnect unexpectedly from other services (i.e. tmrouted).
TMM may also suddenly fail to match traffic for existing virtual server connections against a connection flow. This could result in traffic stalling and timing out.
Conditions:
-- An IPsec, GRE or IPIP tunnel is in use.
Impact:
-- Traffic disrupted while tmm restarts.
-- Sudden poor performance
Workaround:
Do not use tunnels.
Fix:
TMM will not unexpectedly reset connections when tunnels are in use.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1289845-3 : Pool member marked as offline while matching both receive string and receive disable strings
Links to More Info: BT1289845
Component: In-tmm monitors
Symptoms:
The monitor is marked offline when the expected state is up/available.
Conditions:
- Monitor configured to monitor in TMM.
- Monitor configured with receive string and receive disable string.
- Monitor associated with a member where the response to the health monitor matches the receive string and receive disable string and the member is marked as offline.
Impact:
The monitor is marked offline potentially impacting traffic to the pool when the health monitor is matching both receive and receive disable strings.
Workaround:
Configure the monitor such that the response does not match both the receive and receive disable strings at the same time. Alternatively, adjust the receive and receive disable strings such that they will not match at the same time.
Fix:
None
Fixed Versions:
16.1.5
1289417 : SSL Orchestrator SEGV TMM core
Links to More Info: BT1289417
Component: SSL Orchestrator
Symptoms:
TMM crashes while passing SSL Orchestrator traffic.
Conditions:
This can occur when a service is added or when an existing connector node configuration is freed.
Impact:
TMM crash occurs. Traffic disrupted while TMM restarts. This issue occurs intermittently.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1289365-1 : The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode★
Links to More Info: BT1289365
Component: SSL Orchestrator
Symptoms:
The Proxy Select agent in the per-request policy does not select the pool or upstream proxy in explicit proxy mode. This prevents SSL Orchestrator or BIG-IP from forwarding the egress data to the upstream proxy.
Conditions:
- Proxy Select agent is used in the per-request policy.
- Proxy Select agent is set to explicit proxy mode.
- Flow is set to be bypassed using per-req policy agents such as IP Based SSL Bypass Set or dynamic bypass based on SSL profiles.
Impact:
SSL Orchestrator or BIG-IP does not forward any egress data to the upstream proxy.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1289189-3 : In certain traffic patterns, TMM crash
Links to More Info: K000137333, BT1289189
1288517-2 : Item filter does not work on /mgmt/tm/asm/tasks/export-suggestions/
Links to More Info: BT1288517
Component: Application Security Manager
Symptoms:
Filter is not applied for export suggestions task.
Conditions:
Having a policy with suggestions. try to export in declarative format:
restcurl -u admin:admin /mgmt/tm/asm/tasks/export-suggestions/ -d '{"policyReference":{"link":"https://localhost/mgmt/tm/asm/policies/uaDQEF3ndTdKkawROqwQow"},"filter":"status eq 'accept'","inline":true}'
Impact:
You are unable to get filtered suggestions in a declarative format.
Workaround:
None
Fixed Versions:
16.1.5
1287873 : Hardware mitigation is not working for a few SIP vectors
Links to More Info: BT1287873
Component: Advanced Firewall Manager
Symptoms:
Hardware mitigation not happening as int_drops are not incrementing
bd_stats are incrementing but SPVA stat bd_hit is not incrementing
Conditions:
Configure SIP vectors with the threshold levels in any Hardware platform and send the related traffic
Impact:
Hardware mitigation will not happen for SIP Vectors
Workaround:
NA
Fix:
Neuron rules had been written in the neuron chip for these vectors so that stats were counting correctly
Fixed Versions:
16.1.4
1287425 : Observed crash while running sweep flood tests
Links to More Info: BT1287425
Component: Advanced Firewall Manager
Symptoms:
While testing sweep flood tests, the TMM crashes.
Conditions:
The sweep flood test case was failing.
Impact:
TMM crash
Workaround:
None
Fix:
Fixed the issue where no crash is observed while testing the sweep flood tests.
Fixed Versions:
16.1.4
1287313-2 : SIP response message with missing Reason-Phrase or with spaces are not accepted
Links to More Info: BT1287313
Component: Service Provider
Symptoms:
BIG-IP drops SIP response messages that are missing the Reason-Phrase.
Conditions:
A SIP response message in this format
SIP/2.0 424 \r\n
are dropped
If the message has a reason text
Status-Line = SIP-Version SP Status-Code SP Reason-Phrase CRLF
Like this
SIP/2.0 404 Not Found\r\n
then it would not be dropped
Impact:
Connectivity issue.
Workaround:
None
Fix:
BIG-IP now accepts SIP response with Status-line missing a reason text.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1287045-3 : In-TMM monitor may mark pool member offline despite its response matches Receive Disable String
Links to More Info: BT1287045
Component: In-tmm monitors
Symptoms:
Despite response matching monitor's Receive Disable String, pool member may by marked offline by the in-TMM monitor while the BIGD monitor would mark it as available/disabled. It is particularly likely if the matched pattern is located in the front of the pool member's response data.
Conditions:
-- HTTP, HTTP2, or TCP monitor is used.
-- In-TMM monitor is enabled.
-- Both Receive String and Receive Disable String are provided.
Impact:
Pool member is marked offline while it should be marked available/disabled by the in-TMM monitor.
Workaround:
Use BIGD instead of in-TMM monitor.
Fix:
When pool member's response matches Receive Disable String it is correctly marked as Availabe/Disabled by in-TMM monitor. The same as BIGD monitor.
Fixed Versions:
16.1.5
1286101-1 : JSON Schema validation failure with E notation number
Links to More Info: BT1286101
Component: Application Security Manager
Symptoms:
An unexpected JSON Schema validation failure is seen with E notation number.
Conditions:
The E notation is without a dot.
For example, the following trigger this issue:
- 0E-8
- 0e-8
But, the following do not trigger this issue:
- 0.0E-8
- 0.0e-8
The problematic E notation number is used in object value, and the object is under an array, and the object is not the last member of the array.
Impact:
False positive.
Workaround:
Use E notation with a dot or disable schema validation violation.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1285173-3 : Improper query string handling on undisclosed pages
Links to More Info: K000133474, BT1285173
1284993-1 : TLS extensions which are configured after session_ticket are not parsed from Client Hello messages
Links to More Info: BT1284993
Component: Local Traffic Manager
Symptoms:
When the client Hello message contains session_ticket extension, it was observed that the extensions which are configured after the session ticket extension were not processed and all the extensions are being ignored.
Conditions:
Configure SSL extensions along with session_ticket extension.
Impact:
A few requests are not forwarded correctly, for example, in scenario where server_name extension is configured after session_ticket but due to the current issue, [SSL::extensions exists -type 0] is returning 0 even though the server_name extension is present in Client Hello.
Workaround:
Configure all the required extensions before the session_ticket extension.
Fix:
TLS extensions which are configured after session_ticket are not parsed from Client Hello messages. Changes have been made in such a way that ext_sz variable which holds the size of all the extns configured in client Hello message is not limited to SSL_SZ_SESSIONID which is 32 bytes.
Fixed Versions:
17.1.1, 16.1.4
1284969-1 : Adding ssh-rsa key for passwordless authentication
Links to More Info: BT1284969
Component: TMOS
Symptoms:
In FIPS 140-3, SSHD does not support the ssh-rsa key for passwordless authentication.
Conditions:
The system must be in FIPS 140-3 mode.
Impact:
SSHD does not support the ssh-rsa key for passwordless authentication.
Workaround:
None
Fix:
SSHD should support the ssh-rsa key for passwordless authentication.
Fixed Versions:
17.1.0.1, 16.1.4
1284589-2 : HTTP CONNECT request from client is not successful with iRule HTTP::disable discard command
Links to More Info: BT1284589
Component: Local Traffic Manager
Symptoms:
When you use HTTP::disable discard command, proxy connect/ connection to server is not established.
Conditions:
-> Basic HTTP VS
-> iRule
when HTTP_REQUEST {
HTTP::disable discard
node <ip port>
}
Impact:
HTTP CONNECT requests from clients hangs.
Workaround:
Use HTTP::disable command
Fixed Versions:
16.1.4
1284413 : After upgrade to 16.1.3.2 from 16.0.1.1, BIG-IP can send CONNECT requests when no proxy select agent is used★
Links to More Info: BT1284413
Component: Local Traffic Manager
Symptoms:
BIG-IP uses a CONNECT to forward requests regardless of the PRP branch in use.
Conditions:
-- Configure BIG-IP as Explicit Forward proxy with SSL Orchestrator or SWG.
-- Configure an access policy and a prp and apply to the forwarding Virtual Server.
-- In the PRP, use multiple branches where one branch contains a proxy select agent, and another branch does not.
Impact:
Requests fail intermittently
Workaround:
None
Fixed Versions:
16.1.5
1284261-3 : Constant traffic on DHCPv6 virtual servers may cause a TMM crash.
Links to More Info: BT1284261
Component: Local Traffic Manager
Symptoms:
TMM may crash/core if there is a constant stream of DHCP traffic from the server towards the clients, not allowing a connection timeout.
Conditions:
Constant stream of traffic coming from DHCP server not allowing a connection timeout.
Very aggressive lease settings causing constant lease refresh may be a configuration example leading to the problem.
Impact:
Failover/crash.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1284097-2 : False positive 'Illegal cross-origin request' violation
Links to More Info: BT1284097
Component: Application Security Manager
Symptoms:
Under the right configurations, an HTTP request with an HTTPS origins header may get blocked for 'Illegal cross-origin request' violation.
Conditions:
A request that is sent to a virtual server with an HTTP port, that has an Origin header with HTTPS value, will trigger the violation under the following conditions:
1) 'Illegal cross-origin request' violation is enabled.
2) In Security ›› Application Security : Security Policies : Policies List ›› Auto_Security_Policy_Services ›› Headers ›› Host Names -> is configured with the Origin header value.
3) The URL to where the request is sent has 'Enforce on ASM' in 'HTML5 Cross-Domain Request' configuration enabled.
Impact:
'Illegal cross-origin request' violation is reported in version 17.1.x unlike version 16.1.x with the same configurations and the same traffic.
Workaround:
Add HTTPS protocol and Origin name to the desired URL in 'Allowed Origins' that is located in 'HTML5 Cross-Domain Request'
Fix:
With the internal parameter enabled, 'Illegal cross-origin request' violation will not be reported.
The internal parameter is enabled following, It is disabled by default
/usr/share/ts/bin/add_del_internal add cors_match_protocol_port 1
/usr/share/ts/bin/add_del_internal add cors_default_port_80 1
tmsh restart sys service asm
Fixed Versions:
17.1.1, 16.1.5
1284073-3 : Cookies are truncated when number of cookies exceed the value configured in "max_enforced_cookies"
Links to More Info: BT1284073
Component: Application Security Manager
Symptoms:
When a request contains more cookies than configured in “max_enforced_cookies” and the “strip_asm_cookies” parameter is enabled, the cookie header is truncated and not all the cookies reach the server.
Conditions:
Occurs when
- ASM is provisioned.
- Request contains more cookies than configured in “max_enforced_cookies”.
- Parameter “strip_asm_cookies” is enabled.
Impact:
All the cookies do not reach the server.
Workaround:
-- Disable the internal parameter “strip_asm_cookies”.
-- Disabling the database key makes the behavior similar to the behavior in BIG-IP version 14. For more information, see K30023210.
-- If you don’t want the old behavior before BIG-IP version 14, you can use the same solution as for versions before BIG-IP version 14: disable the sys db key. You can also use an iRule to remove the TS cookie from the server side. For more information, see K66438993.
Fix:
Skipping the removal of ASM cookies when the cookies are more than max_enforced_cookies.
Fixed Versions:
17.1.1, 16.1.5
1283645 : Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued
Links to More Info: BT1283645
Component: Access Policy Manager
Symptoms:
The WebView based End Point Inspection does not work in Mac Edge Client.
Conditions:
When using Edge Client on MacOS "Ventura" 13.3 Beta2 and later.
Impact:
Affected MacOS Edge client is unable to proceed with establishing the VPN connection.
Workaround:
Use the browser-based VPN. Note that there are some limitations if you are using your VPN in the AutoConnect mode and in the Blocked mode; it means the system cannot access the external network until you are disconnected.
The issue is not fixed in the BIG-IP versions 14.1.5.5, 16.1.3.5, and 17.1.0.2 releases. Refer to the KB article K000134990 for recommended actions.
Fix:
The issue is fixed by invoking the EPI helper application instead of the inspection host plugin in Mac Edge Client running on 13.3 and newer.
For more details on the deployment of the fix, refer to the K000133476 article.
For more details regarding the issue, refer to the K000132932 article.
Fixed Versions:
17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6
1282357-1 : Double HTTP::disable can lead to tmm core
Links to More Info: BT1282357
Component: Local Traffic Manager
Symptoms:
Calling the HTTP::disable command more than once in an irule can result in the tmm process crashing.
Conditions:
->Basic http configuration
-> iRule
when CLIENT_ACCEPTED {
set collects 0
TCP::collect
}
when CLIENT_DATA {
if { $collects eq 1 } {
HTTP::disable
HTTP::disable
}
TCP::release
TCP::collect
incr collects
}
when HTTP_REQUEST {
log local0. "Request"
}
when HTTP_DISABLED {
log local0. "Disabled"
}
Impact:
BIG-IP may crash during an HTTP CONNECT request from a client.
Workaround:
Avoid calling HTTP::disable more than once per connflow
Fix:
Treat disable via iRule as a NOP when a disable is in progress
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1282281-3 : Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns
Links to More Info: BT1282281
Component: Application Security Manager
Symptoms:
Roll forward upgrade fails.
The following error message in /ts/log/ts_debug.log and WAF enforcement is not complete:
----------------------------------------------------------------------
Can't locate object method "id_field" via package "F5::ASMConfig::Entity::ThreatCampaign" (perhaps you forgot to load "F5::ASMConfig::Entity::ThreatCampaign"?) at /usr/local/share/perl5/F5/ImportExportPolicy/Binary.pm line 2171.
----------------------------------------------------------------------
Conditions:
- Roll forward upgrade when there is a policy that has unapplied changes and Threat Campaigns.
Impact:
Incorrect enforcement until workaround is applied.
Workaround:
Perform an apply policy operation on all policies.
Fix:
Roll forward upgrade is successful.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1282181-1 : High CPU or increased translation errors following upgrade or restart when DAG distribution changes
Component: TMOS
Symptoms:
Dagv2 tables are randomized and may change when a tmm is restarted. This can result in a change of traffic distribution, which in some cases may lead to traffic disruption.
The specific condition when this option was introduced is using a CGNAT pool that is not large enough.
Other ways of encountering include increased translation failed errors following an upgrade or restart or blade replacement.
Conditions:
- tmm is restarted (or chassis rebooted)
Impact:
- dag distribution changes which may cause a traffic disruption.
Workaround:
You can restart tmm until the distribution is good, which can be checked using tools like cmp_dest.
Fix:
Added a DB variable to control dagv2 behavior.
A tmm restart is required after locking the new dag tables.
Behavior Change:
A new DB variable is available that allows you to lock the current dagv2 tables:
tmsh modify sys db dag.dagv2.pgs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_pgs -s table)
tmsh modify sys db dag.dagv2.hsbs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_hsbs -s table)
tmsh modify sys db dag.dagv2.mirror.pgs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_mirror_pgs -s table)
tmsh modify sys db dag.dagv2.mirror.hsbs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_mirror_hsbs -s table)
It's important to store both normal and mirroring tables because of internal dag workings.
The change also requires cmp state to be the same as defined in tables - this is important in case a blade is lost etc.
This also works on SP DAG in LSN NAPT deployments
Fixed Versions:
16.1.4
1281709-3 : Traffic-group ID may not be updated properly on a TMM listener
Links to More Info: BT1281709
Component: Local Traffic Manager
Symptoms:
A few virtual servers may belong to incorrect traffic-group after a full sync or when mcp transaction is performed.
Conditions:
- The BIG-IP High Availability (HA) is configured with full load on sync.
- Traffic-group is changed on a virtual-address belonging to multiple virtuals.
- Sync happens, leaving the device receiving a sync in an incorrect state.
OR
An MCP transaction that is updating a virtual-address along with a profile change on a virtual-server is executed.
Impact:
Listeners may not belong to a correct traffic group and the the traffic is not forwarded.
Workaround:
Use an incremental sync. Do not use MCP transactions.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1281637-1 : When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE
Links to More Info: BT1281637
Component: Local Traffic Manager
Symptoms:
A RST_STREAM is observed from BIG-IP to server after receiving response from server.
Conditions:
- HTTP/2 full proxy configuration.
- Server to send a DATA_FRAME with END_STREAM flag with a delay.
Impact:
Once the server gets around to process the RST_STREAM, it stops accepting new requests on that connection.
Workaround:
None
Fix:
The message HUDEVT_RESPONSE_DONE is delayed until the HTTP completes EV_BODY_COMPLETE action.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1281397-1 : SMTP requests are dropped by ASM under certain conditions
Links to More Info: BT1281397
Component: Application Security Manager
Symptoms:
When virus check is enabled on SMTP security profile, sometimes ASM drops the request even though no violation is reported.
Conditions:
- SMTP security profile is configured and applied with virus check on.
- ICAP server is configured
Impact:
ASM sometimes drops valid SMTP requests even when no violation is reported.
Workaround:
None
Fix:
SMTP requests are now processed.
Fixed Versions:
17.1.1, 16.1.5
1281389-1 : Bot Defense can crash when using SMTP security profile
Links to More Info: BT1281389
Component: Application Security Manager
Symptoms:
Under certain conditions, Bot Defense can crash when SMTP security profile is being used.
Conditions:
- SMTP security profile is configured and applied with DNS check on.
- SPF record cannot be resolved by DNS servers.
Impact:
BD crashes leading to disruption of traffic.
Workaround:
None
Fix:
BD does not crash when using SMTP security profile.
Fixed Versions:
16.1.5
1280281-1 : SCP allow list may have issues with file paths that have spaces in them
Links to More Info: BT1280281
Component: TMOS
Symptoms:
SCP may error out.
Conditions:
A file path with a space that is allowlisted in /config/ssh/scp.whitelist.
This affects BIG-IP 14.x.x and BIG-IP 15.x.x only if running an EHF with BugID 819429 is included.
Impact:
May not copy files to a path present under allow list.
Workaround:
Remove spaces from any allowlisted file paths.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1277381-3 : PEM resource leak in MW layer leads to crash of Diameter interface
Component: Policy Enforcement Manager
Symptoms:
The BIG-IP PEM connects to the PCRF through a TCP DIAMETER connection. Under certain situations, CCR or AVP messages may remain queued indefinitely. If message queues build up, middleware enforces flow control, halting further CCR messages to the PCRF.
Conditions:
The response from the PCRF is being dropped at the DIAMETER level when in response to certain AVPs or CCR messages.
Impact:
No further transactions with PCRF once the MW bus is exhausted with resources.
Workaround:
Only a restart of TMM will restore regular operation.
Note: Devices configured with BIG-IP LTM should not reproduce this issue.
Fix:
Incorporated the sweeper feature to remove outdated entries from the MW bus upon reaching a 20-second timeout. This 20-second duration represents the maximum time that users can set for retrying DIAMETER messages. Once this timeout elapses, the MW bus will systematically clear all entries and transmit a notification to the PEM.
Fixed Versions:
16.1.5
1273881-4 : TMM crashes while processing traffic on the virtual server
Links to More Info: BT1273881
Component: Access Policy Manager
Symptoms:
TMM crashes while processing traffic on the virtual server.
Conditions:
Network Access resource is configured.
Impact:
TMM crashes leading to disruption in traffic flow.
Workaround:
None
Fix:
None
Fixed Versions:
16.1.5
1272501 : Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure"
Links to More Info: BT1272501
Component: Local Traffic Manager
Symptoms:
Application failures with reset-cause: "F5RST: HTTP redirect rewrite failure".
Conditions:
-- HTTPS virtual server with redirect-rewrite of HTTP profile set to 'matching' or 'all'.
Impact:
Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure".
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1271349-3 : CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy
Links to More Info: K000133098, BT1271349
1270497-2 : MRF SIP/ALG Core dump observed while accessing trans_data in sipmsg_register_ingress_register_request_session_reply_common method
Links to More Info: BT1270497
Component: Service Provider
Symptoms:
TMM generates core file while MRF SIP handles register request.
Conditions:
- SIP ALG configuration with SNAT.
Impact:
TMM generates core file while running SIP traffic with ALG configuration. Traffic is disrupted.
Workaround:
None
Fixed Versions:
16.1.5
1270133-3 : bd crash during configuration update
Links to More Info: BT1270133
Component: Application Security Manager
Symptoms:
bd crash occurred during the configuration update.
Conditions:
This issue occurs during configuration update.
Impact:
bd crash that causes failover in High Availability (HA) pair. Intermittent offline with standalone system.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.5
1269889-3 : LTM crashes are observed while running SIP traffic and pool members are offline
Links to More Info: BT1269889
Component: Service Provider
Symptoms:
Crash may occur while processing HTTP traffic that involves persist record and the use of pick_host, following is an example:
set dest_host [MR::message pick_host peer
Conditions:
- When all pool members are offline or there are no pool members in the pool.
Impact:
TMM is inoperative while reloading after crash.
Workaround:
Avoid use of the following pick_host, particularly the use of carp:
MR::message pick_host peer <peer-object-name> [carp <carp-key>]
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1269845-2 : When upgrading IM, seeing errors like MCPD timed out and Error: 'insp_id'
Links to More Info: BT1269845
Component: Protocol Inspection
Symptoms:
During the hitless upgrade, MCPD will be timed out and the IM upgrade will fail.
Conditions:
IM Package upgrade to the latest IM.
Impact:
New signatures will not be part of the IPS IM library.
Workaround:
Need to reinitiate the hitless upgrade.
Fix:
The hitless upgrade will be successful without any issues.
Fixed Versions:
16.1.5
1269773-3 : Convert network-order to host-order for extensions in TLS1.3 certificate request
Links to More Info: BT1269773
Component: Local Traffic Manager
Symptoms:
The network-order length is sent as argument instead of host-order length.
Conditions:
- A signature algorithms extension is present in the certificate request message from the server.
Impact:
Handshake fails with illegal parameter alert.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1269733-3 : HTTP GET request with headers has incorrect flags causing timeout
Links to More Info: BT1269733
Component: Local Traffic Manager
Symptoms:
The 504 Gateway Timeout pool member responses are generated from a Microsoft webserver handling HTTP/2 requests.
The tcpdump shows that the HTTP/2 stream sends the request without an appropriate End Stream flag on the Headers packet.
Conditions:
The server has to provide settings with max-frame-size small enough to force BIG-IP to split the headers across multiple HTTP/2 frames, otherwise this issue does not occur.
Impact:
The HTTP GET request causing timeout.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1269709-1 : GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles
Links to More Info: BT1269709
Component: Access Policy Manager
Symptoms:
As the VDI profile is currently not supported in the HTTP/2 environment for which there is no warning message on the BIG-IP GUI about this limitation.
Conditions:
When both VDI Profile and HTTP/2 Profile is attached to the VS.
Impact:
The customer wants this error to be displayed on the BIGIP GUI if vdi and http/2 profiles both are attached to the VS together.
Workaround:
None
Fix:
Display the warning message on the BIG-IP GUI for the Configuration error: "Virtual server cannot have vdi and http/2 profiles at the same time" when both vdi and http/2 profiles are attached on the VS.
Fixed Versions:
16.1.5
1269593-2 : SSH client fails to connect using host key type ssh-rsa
Links to More Info: K000137127, BT1269593
Component: TMOS
Symptoms:
When trying to connect to BIG-IP via SSH, the connection fails with an error:
Unable to negotiate with <IP> port 22: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
This issue is observed only in non FIPS mode.
Conditions:
-- SSH connection
-- The algorithm is set to ssh-rsa
-- The BIG-IP system is not operating in FIPS mode
Impact:
The ssh-rsa as a host key algorithm fails to connect to BIG-IP in non FIPS mode.
Workaround:
None
Fix:
Enabling ssh-rsa as host-key algorithm, in Non-FIPS mode for ssh connections.
Fixed Versions:
16.1.5
1268521 : SAML authentication with the VCS fails when launching the applications/remote desktops from the APM Webtop when multiple RD resources are assigned to the APM Webtop
Links to More Info: BT1268521
Component: Access Policy Manager
Symptoms:
User fails to authenticate when VMware VDI with SAML authentication is used with multiple RD resources assigned to Webtop.
Conditions:
1. Webtop is used to connect to a remote desktop.
2. Multiple VCS servers are used.
3. SAML authentication is configured in remote desktop SSO configuration.
Impact:
Remote desktop is not opened.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1265425-2 : Improper query string handling on undisclosed pages
Links to More Info: K000134535, BT1265425
1259489-3 : PEM subsystem memory leak is observed when using PEM::subscriber information
Links to More Info: BT1259489
Component: Policy Enforcement Manager
Symptoms:
TMM may show a higher memory allocation in the PEM category observed in the memory_usage_stat table.
Conditions:
- PEM is provisioned.
- PEM iRules are used that access PEM::session or PEM::subscriber information.
Impact:
TMM can have excessive memory consumption.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1256841-1 : AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script
Links to More Info: BT1256841
Component: TMOS
Symptoms:
On the customer’s BIG-IP instances, the cloud-init script fails to render the cloud provider’s name correctly. And so, cloud_name=unknown is set.
Conditions:
Deploy BIG-IP VE on AWS in autoscaling group (1-NIC deployments) using Terraform.
Impact:
Whenever the cloud provider is not set to AWS, the DataSourceEc2.py cloud-init script, which is supposed to set up minimal network config with an ephemeral interface including fetching DHCP lease info, fails to do what it is supposed to and as a result metadata service is unreachable
Workaround:
The Identify_aws function is responsible to set the cloud name as AWS. The existing function fails when the network is not up. The customer had faced a similar issue. I have modified the function to check for UUID and serial. As these are available during boot-up itself, we are not dependent on network status.
Fix:
Cloud-init now renders the cloud provider name (AWS) successfully. It does not depend on the network status anymore. Thus, AWS metadata crawling goes through smoothly.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1256777-3 : In BGP, as-origination interval not persisting after restart when configured on a peer-group.
Links to More Info: BT1256777
Component: TMOS
Symptoms:
When as-origination interval is configured on a peer-group the setting might not survive a process restart or configuration reload.
Conditions:
- When as-origination interval is configured on a peer-group.
Impact:
The as-origination interval resets to default (15s) after a process restart or configuration reload.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4
1252537-3 : Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role
Links to More Info: BT1252537
Component: TMOS
Symptoms:
The Resource Admin role has reboot and shutdown options are available in GUI but unavailable in TMSH.
Conditions:
- Resource Admin accessing reboot and shutdown options in TMSH.
Impact:
Limited availability, forces Resource Admin to use GUI.
Workaround:
Resource admin can still use GUI to initiate a reboot or shutdown.
Fix:
Resource Administrator can now initiate a reboot and shutdown using both the GUI or TMSH.
Fixed Versions:
17.1.1, 16.1.4
1252005 : VMware USB redirection does not work with DaaS
Links to More Info: BT1252005
Component: Access Policy Manager
Symptoms:
User is unable to access a USB device connected to the client machine in remote desktop using an APM VDI and VMware DaaS setup.
Note: This works as expected if a VCS server is used.
Conditions:
1. VMware DaaS setup is used
2. APM VDI desktop resource is accessed from native client or desktop
Impact:
USB device is not available.
Workaround:
None.
Fix:
USB device should be available
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1251157-3 : Ping Access filter can accumulate connections increasing the memory use
Links to More Info: BT1251157
Component: Access Policy Manager
Symptoms:
The maximum HTTP header count value for ping access is 128. The connection to the backend is aborted if there are more than 128 headers.
Conditions:
- Ping access is configured.
- The HTTP header count is more than 128.
Impact:
Connection is aborted by the BIG-IP, users are unable to access the backend.
Workaround:
None
Fix:
Fixed the issue with the ping access filter.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1251013-2 : Allow non-RFC compliant URI characters
Links to More Info: BT1251013
Component: Service Provider
Symptoms:
The MRF Parser fails if the URIs are not as per RFC.
It is required to not validate against the RFC for proper URI formatting, required message headers, and usage of defined method names.
Conditions:
- SIP URIs are not formatted as per RFC.
Impact:
MRF parser allows URI formats which are not comply with RFC.
Workaround:
None
Fix:
Set allow-unknown-methods to enabled in SIP session profile, which relaxes the SIP parser to allow unknown SIP messages to be used.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1250085-3 : BPDU is not processed with STP passthough mode enabled in BIG-IP
Links to More Info: BT1250085
Component: Local Traffic Manager
Symptoms:
- Connected interfaces under a VLAN.
- Bridge Protocol Data Unit (BPDU) is not transmitted through BIG-IP which is in passthrough mode.
- Can see DST MAC STP (Mac: 01:80:c2:00:00:00) IN packets and missing OUT packets in TCP dump.
- No packet drop for DST MAC PVST (MAC:01:00:0C:CC:CC:CD) and VTP (MAC:01:00:0C:CC:CC:CC).
tshark -nnr < .pcap >
Conditions:
- Platforms C117, C115, C112, and C113
Impact:
BPDU packets will not pass through other devices if BIG-IP is in the middle of the topology with passthrough mode enabled.
Workaround:
None
Fix:
STP passthrough mode now works as expected on C117, C115, C112, and C113 platforms
Fixed Versions:
17.1.1, 16.1.4
1240937-3 : The FastL4 TOS specify setting towards server may not function for IPv6 traffic
Links to More Info: BT1240937
Component: Local Traffic Manager
Symptoms:
The ip-tos-to-server setting in a FastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a serverside flow. There are three special values mimic, pass-through, and specify.
The "specify" setting causes the TMM to set the egress TOS to the specific value configured from GUI for that connflow.
The IPv6 serverside egress TOS is not set to the expected "specify" value. No issue is observed with IPv4 connflow.
Conditions:
- FastL4 profile with ip-tos-to-client set to "specify" with value.
-Connflow is IPv6.
Impact:
The IPv6 serverside egress TOS is not set to the expected value.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1240121-1 : CVE-2023-46747 and CVE-2022-36760: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp
Links to More Info: K000132643, BT1240121
1239901-2 : LTM crashes while running SIP traffic
Links to More Info: BT1239901
Component: Service Provider
Symptoms:
LTM crashes are observed while running SIP traffic.
Conditions:
Crash may occur while processing HTTP traffic that involves persist record and the use of pick_host, following is an example:
set dest_host [MR::message pick_host peer
Impact:
TMM is inoperative while reloading after crash.
Workaround:
Avoid use of the following pick_host, particularly the use of carp:
MR::message pick_host peer <peer-object-name> [carp <carp-key>]
Fix:
TMM does not crash while running SIP traffic.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1238693-2 : Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519
Links to More Info: BT1238693
Component: TMOS
Symptoms:
In FIPS 140-3 mode, SSHD does not support rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms, it supports ed25519 which is not FIPS approved.
Conditions:
System must be in FIPS 140-3 mode.
Impact:
SSHD does not support rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms, it supports ed25519 which is not FIPS approved.
Workaround:
None
Fix:
SSHD should support rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and must reject ED25519.
Fixed Versions:
17.1.0.1, 16.1.4
1238629-1 : TMM core when processing certain DNS traffic with bad actor (BA) enabled
Links to More Info: K000137521, BT1238629
1238529-2 : TMM might crash when modifying a virtual server in low memory conditions
Links to More Info: BT1238529
Component: Local Traffic Manager
Symptoms:
Messages similar to the following are seen in the LTM log:
Feb 1 14:17:09 BIG-IP err tmm[1139]: 01010008:3: Listener config update failed for /Common/virtual: ERR:ERR_MEM
TMM restarts and writes a core file.
Conditions:
- Low memory available in TMM.
- A virtual server modification is made.
Impact:
Traffic is interrupted while TMM writes a core file and restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1238413-3 : The BIG-IP might fail to update ARL entry for a host in a VLAN-group
Links to More Info: BT1238413
Component: Local Traffic Manager
Symptoms:
ARP requests through a transparent or translucent VLAN-group might fail.
The command "tmsh show net arp" displays the VLAN as the VLAN-group rather than a child VLAN. This symptom might be intermittent.
Conditions:
- A transparent or translucent VLAN-group is configured.
- ARP requests passing through the VLAN-group.
- Higher gaps (approximately 9 hours) in layer 2 traffic seen by the BIG-IP from the target of the ARP request.
Impact:
ARP resolution failure.
Workaround:
Create a monitor on the BIG-IP to monitor the target of the ARP resolution. This will ensure that layer 2 traffic is seen by the BIG-IP from that host, keeping the ARL entries current.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1238329 : Intermittent request for /vdesk/c_ses.php3?orig_uri is reset with cause Access encountered error: ERR_NOT_FOUND
Links to More Info: BT1238329
Component: Access Policy Manager
Symptoms:
->RST is sent by the BIG-IP and the following logs are seen in /var/log/apm:
Dec 19 10:39:19 LBENDMZQ01.fibe.fortis warning tmm2[13658]: 01490573:4: /Common/NPEUSECUQ_OAuth:Common:eb204975: Decryption failed for ORIG_URI with error: ERR_NOT_FOUND
Dec 19 10:39:19 LBENDMZQ01.fibe.fortis warning tmm2[13658]: 01490573:4: /Common/NPEUSECUQ_OAuth:Common:eb204975: Decryption failed for ORIG_URI with error: ERR_NOT_FOUND
Dec 19 10:39:19 LBENDMZQ01.fibe.fortis err tmm2[13658]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_redirect_client_to_original_uri, Line: 9404
Dec 19 10:39:19 LBENDMZQ01.fibe.fortis err tmm2[13658]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_process_state_client_enforce_policy, Line: 9653
Dec 19 10:39:19 LBENDMZQ01.fibe.fortis err tmm2[13658]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 3481
Dec 19 10:39:19 LBENDMZQ01.fibe.fortis notice tmm[13658]: 01490567:5:
Conditions:
->packetcapture to BIG-IP virtual server should have request /vdesk/c_ses.php3?orig_uri=...
Impact:
The end user is trying to re-authenticate and just receives a blank page.
Fix:
Access will create a new sessionkey if the existing key is not found
Fixed Versions:
16.1.5
1238321-4 : OpenSSL Vulnerability CVE-2022-4304
Links to More Info: K000132943
1238249-1 : PEM Report Usage Flow log is inaccurate
Links to More Info: BT1238249
Component: Policy Enforcement Manager
Symptoms:
PEM Report Usage Flow log for Flow-duration-seconds and Flow-duration-milli-seconds sometimes report incorrectly.
Conditions:
- HSL logging is configured.
Impact:
The statistics for flow duration report longer than the actual, this can result in showing incorrect data and can impact the policy behaviour.
Workaround:
None
Fix:
Updated the flow duration calculation for Flow-duration-seconds and Flow-duration-milli-seconds.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1235813-9 : OpenSSL vulnerability CVE-2023-0215
Links to More Info: K000132946, BT1235813
1235801-4 : OpenSSL vulnerability CVE-2023-0286
Links to More Info: K000132941, BT1235801
1232997-1 : IPSEC: The tmm process may exit with 'Invalid policy remote index'
Links to More Info: BT1232997
Component: TMOS
Symptoms:
The tmm process restarts after logging the following message to /var/log/tmm*:
notice panic: iked/isakmp.c:2338: Assertion "Invalid policy remote index" failed.
Conditions:
May occur during an SA deletion or an update of IPsec configuration.
Impact:
Unexpected high availability (HA) failover, or interruption to traffic processing on a standalone unit, while the tmm process restarts.
Workaround:
None
Fix:
When the remote index is null, the system gracefully fails the init packet creation. Continuous traffic to the BIG-IP system retriggers the tunnel, and the IPsec config will be updated by then.
Fixed Versions:
16.1.4, 15.1.10
1232977-3 : TMM leaking memory in OAuth scope identifiers when parsing scope lists
Links to More Info: BT1232977
Component: Access Policy Manager
Symptoms:
It is observed that oauth_parse_scope fails to increment the index then storing discrete scope identifiers into the output array. Thus all scope identifiers are stored in element 0 and all but the last element parsed are leaked.
Conditions:
OAuth functionality, scope comparisons happen if a scope is provided in request.
Impact:
Failure of High Availability (HA) due to memory issues in TMM over time.
Workaround:
None
Fix:
Increment the index so that all scope identifiers are stored and parsed without any leaks.
Fixed Versions:
17.1.1, 16.1.4
1232521-2 : SCTP connection sticking on BIG-IP even after connection terminated
Component: TMOS
Symptoms:
After an SCTP client has terminated, the BIG-IP still shows the connection when issuing "show sys conn protocol sctp"
Conditions:
Under certain conditions, an SCTP client connection may still exist even if the client has sent a SHUTDOWN request.
Impact:
Memory resources will be consumed as these type of lingering connections accumulate
Fix:
SCTP connections are properly internally closed when required.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1231137-3 : During signature update, Bot signature from one user partition affecting the Bot profile created in another Partition
Links to More Info: BT1231137
Component: Application Security Manager
Symptoms:
Signature update is not allowed.
Conditions:
- In Security > Bot Defense > Bot Defense Profiles, when the field Signature Staging upon Update is set to Enabled.
Impact:
None
Workaround:
Set the field Signature Staging upon Update to Disabled.
Fix:
None
Fixed Versions:
16.1.5
1231001-2 : PEM flow-term-on-sess-delete can cause cores
Links to More Info: BT1231001
Component: Policy Enforcement Manager
Symptoms:
SOD sends a SIGABRT to TMM which then cores.
Conditions:
* PEM is provisioned.
* `pem global-settings session-mgmt-attributes flow-term-on-sess-delete` is enabled.
Impact:
TMM is restarted causing traffic interruption.
Workaround:
Disable `pem global-settings session-mgmt-attributes flow-term-on-sess-delete`.
Fixed Versions:
16.1.5
1230709-1 : Remove unnecessary logging with nsec3_add_nonexist_proof
Links to More Info: BT1230709
Component: Global Traffic Manager (DNS)
Symptoms:
For few DNSSEC queries to non-existent domains, NSEC3 records will be missing.
Following log message is included:
nsec3_add_nonexist_proof: to_prove returns NULL with qname
Conditions:
Receives DNSSEC request to a non-existent query.
Impact:
Missing NSEC3 records.
Workaround:
None
Fixed Versions:
16.1.4, 15.1.10
1229813-2 : The ref schema handling fails with oneOf/anyOf
Links to More Info: BT1229813
Component: Application Security Manager
Symptoms:
In JSON schema validation, it fails in handling of a ref schema that is referenced from multiple places under oneOf/anyOf.
Conditions:
Using oneOf or anyOf, a ref schema is referenced multiple times from oneOf/anyOf section.
Impact:
JSON schema validation fails and request gets blocked.
Workaround:
Change schema structure so that the single ref schema is not referenced from multiple places under oneOf/anyOf.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1229417-2 : BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability
Component: Local Traffic Manager
Symptoms:
A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality.
It may cause denial of service and data integrity when untrusted input via locale.
Conditions:
Denial of service or in rare circumstances, impact to data integrity or confidentiality
Impact:
When node inspector gets untrusted input passed to y18n, it may affect data confidentiality and system availability.
Workaround:
NA
Fix:
The library has been patched to address the issue.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1229369-3 : The fastl4 TOS mimic setting towards client may not function
Links to More Info: BT1229369
Component: Local Traffic Manager
Symptoms:
The ip-tos-to-client setting in a fastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a clientside flow. There are two special values - 'mimic' and 'pass-through'.
The mimic setting causes tmm to set the egress TOS to the value seen on the last ingress packet for that connflow.
In affected versions of BIG-IP, this is not set correctly, and behaves like pass-through (uses the TOS value seen arriving on the serverside flow)
Conditions:
FastL4 profile with ip-tos-to-client set to "mimic" (shown as the value 65534 in tmsh)
Impact:
The clientside egress TOS is not set to the expected value
Workaround:
Use an irule to set IP::tos to the desired value. Note that processing every packet with an irule will incur a performance penalty.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1226121-2 : TMM crashes when using PEM logging enabled on session
Links to More Info: BT1226121
Component: Policy Enforcement Manager
Symptoms:
TMM may crash when using PEM logging.
Conditions:
When a sessions has PEM logging enabled on it:
pem global-settings subscriber-activity-log
Impact:
TMM crashes and restarts, losing all prior connection.
Workaround:
Disabling PEM logging on sessions will avoid the issue.
Fix:
PEM session logging can be used as expected.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1225797-4 : SIP alg inbound_media_reinvite test fails
Links to More Info: BT1225797
Component: Service Provider
Symptoms:
On BIG-IP versions that fixed ID 1167941, certain SIP ALG inbound media re-invite test cases fail.
Conditions:
This occurs for re-invites on inbound calls.
Impact:
The re-invite will be dropped.
Workaround:
None
Fix:
BIG-IP will drop the messages only when the header is not registered and if it’s a request on the client side of an ephemeral listener.
Fixed Versions:
17.1.1, 16.1.5
1225789-2 : The iHealth API is transitioning from SSODB to OKTA
Links to More Info: BT1225789
Component: TMOS
Symptoms:
The iHealth is switching to OKTA from using SSODB for authentication. The ihealth-api.f5.com and api.f5.com are replaced by ihealth2-api.f5.com and identity.account.f5.com.
Conditions:
- Authentication
Impact:
Qkview file will not be uploaded to iHealth automatically.
Workaround:
Qkview file must be uploaded manually to iHealth.
Fix:
Qkview file will be uploaded to iHealth automatically once Client ID and Client Secret are configured.
TMSH interface will still display ihealth user/password rather than client ID/ Client Secret. For more details, see article K000130498.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1225061-3 : The zxfrd segfault with numerous zone transfers
Links to More Info: BT1225061
Component: Global Traffic Manager (DNS)
Symptoms:
The zxfrd restart loop with cores occasionally.
Conditions:
Numerous dns express zones are doing zone transfers at the same time.
Impact:
The zxfrd restart loops or cores.
Workaround:
Do not add large number of DNS express zones at the same time and also reduce the total number of DNS express zones.
Fixed Versions:
16.1.5
1224409 : Unable to set session variables of length >4080 using the -secure flag
Links to More Info: BT1224409
Component: Access Policy Manager
Symptoms:
Secure Session Variables are limited to 4k length in the access filter, unable to set variables of length >4080 using the "ACCESS::session data set -secure". On trial an error "Operation not supported" gets raised in LTM.
Conditions:
The limit imposed on the maximum URI in CL1416175 in 2015 restricts setting secure session variables greater than 4K in size.
Impact:
Customers have the requirement of setting variables more than 6K in length, but due to internal limits imposed on the session variables they are unable to capture them in the session.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1224125-1 : When you upgrade to 16.1.3.2 or 17.1, keys that are not approved in FIPS 140-3 are permitted to be used.
Links to More Info: BT1224125
Component: TMOS
Symptoms:
As part of the upgrade from older versions to 16.1.3.2 and 17.1, the use of non-approved keys as per FIPS 140-3 standards is permitted for RSA keys with a length of 1024 and 512 bits, as well as for EC521, DSA, and SM2 keys.
It should be noted that the creation of new keys is not permitted.
Conditions:
The FIPS 140-3 non-approved ciphers, that is, RSA keys with a length of 1024 and 512 bits, EC521, DSA and SM2 keys are only permitted in the following cases:
1) When upgrading from the older versions to FIPS 140-3 supported versions (16.1.3.2 and 17.1)
2) Importing UCS from the older versions to FIPS 140-3 supported versions (16.1.3.2 and 17.1)
Impact:
Non-Approved keys could exist in the configuration after the BigIP version upgrade and UCS installation on a FIPS 140-3 approved system.
Workaround:
When upgrading or installing UCS, ensure that you do not use any non-approved ciphers (as per FIPS 140-3) in the configuration.
Fix:
Added a warning message in /var/log/ltm when non-approved keys are imported during upgrade or UCS installation
Sample log:
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b5004e:4: /Common/TEST_KEY_SI_2.key: FIPS 140-3 mode does not support the use of key sizes 512 and 1024.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b5004e:4: /Common/TEST_KEY_SI_23.key: FIPS 140-3 mode does not support the use of key sizes 512 and 1024.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50050:4: /Common/TEST_KEY_TYPE_DSA2.key: FIPS 140-3 mode does not support the use of private and public keys of type DSA and SM2.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50050:4: /Common/TEST_KEY_TYPE_DSA.key: FIPS 140-3 mode does not support the use of private and public keys of type DSA and SM2.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50052:4: /Common/TEST_KEY_curve3.key: FIPS 140-3 mode does not support EC curve secp521r1.
Fixed Versions:
17.1.0, 16.1.4
1223369-3 : Classification of certain UDP traffic may cause crash
Links to More Info: K000135946, BT1223369
1220629-3 : TMM may crash on response from certain backend traffic
Links to More Info: K000137675, BT1220629
1218813-4 : "Timeout waiting for TMM to release running semaphore" after running platform_diag
Links to More Info: BT1218813
Component: Access Policy Manager
Symptoms:
The platform_diag might not complete properly leaving TMM in an inoperational state. The 'bigstart restart' is required to recover.
Conditions:
Running platform_diag tool on a platform licensed with URL filtering.
Impact:
Unable to run platform_diag tool. TMM remains inoperative.
Workaround:
Open /etc/bigstart/scripts/urldb and modify the dependency list to be:
# wait for processes
depend ${service} mcpd running 1 ${start_cnt}
require ${service} urldbmgrd running 1 ${start_cnt}
require ${service} tmm running 1 ${start_cnt}
Then restart urldb:
> bigstart restart urldb
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1216573-1 : AFM Learning Domain issue when trying with many valid domains
Links to More Info: BT1216573
Component: Advanced Firewall Manager
Symptoms:
Trying with too many valid domains and not all these domains have entries created in the NXDOMAIN table when they are trying to do learning.
Conditions:
The NXDOMAIN vector is enabled be it at the device level, virtual server level, or at both levels.
Impact:
We will not be able to honor the legitimate DNS A query when an NXDOMAIN attack is detected.
Workaround:
None
Fixed Versions:
16.1.4
1216297-1 : TMM core occurs when using disabling ASM of request_send event
Links to More Info: BT1216297
Component: Application Security Manager
Symptoms:
When adding an iRule to disable ASM on request_send event, the TMM core occurs.
Conditions:
ASM is provisioned and attached to policy.
Add iRule that disables ASM and HTTP on HTTP_REQUEST_SEND event.
Impact:
TMM cores, system is down.
Workaround:
Remove the iRule, or disable ASM for all events of the URL.
Fixed Versions:
17.1.1, 16.1.4
1215401-1 : Under Shared Objects, some country names are not available to select in the Address List
Links to More Info: BT1215401
Component: Advanced Firewall Manager
Symptoms:
Users can create a shared object list to define countries to block traffic from. On searching a name, a list will be shown from which the user can choose and add it to the address list.
There is a limit of only 8 entries in the drop-down menu to choose from.
Some countries are not shown in this list due to the ordering of entries returned from the database.
Conditions:
DOS is enabled
Impact:
As some countries are not available to select, they cannot be included in the Address List to block traffic.
Workaround:
Instead of the country (which is not available to select), all the regions within the country can be added to the block list. This is very cumbersome and error-prone as the list of regions should be known that are configurable in BIG IP.
Fix:
The database query is modified such that the list of countries is ordered first followed by a list of countries with regions.
Fixed Versions:
16.1.4, 15.1.9
1213469-1 : MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP is dropped
Links to More Info: BT1213469
Component: Service Provider
Symptoms:
BIG-IP does not translate the SDP or via headers IP with listener IP for an outbound call which causes it to drop the 200 OK response.
Conditions:
In SIP ALG, the INVITE request contains an FQDN Route header.
Impact:
Media pinholes are not created for INVITE.
Workaround:
In the SIP_REQUEST event, a specific Route header could be removed and Insert it again in the SIP_REQUEST_SEND event before sending the request out. For example,
when SIP_REQUEST {
set pd_route_hdr_count [SIP::header count Route]
set pd_route_unset 0
set pd_route [SIP::header Route]
if {[SIP::method] == "INVITE" && ($pd_route_hdr_count equals 1) && $pd_route contains "sip:someclient.site.net;lr" } then {
SIP::header remove "Route"
set pd_route_unset 1
}
}
when SIP_REQUEST_SEND {
if {[SIP::method] == "INVITE" && ($pd_route_unset == 1)} {
SIP::header insert "Route" $pd_route
}
}
Fix:
In SIP ALG, if the Route header is FQDN in INVITE, then it should allow it to pass without any modification.
Fixed Versions:
17.1.1, 16.1.4
1213333 : Check box to select all attack signatures does not work properly
Links to More Info: BT1213333
Component: Application Security Manager
Symptoms:
The check box to select all attack signatures does not select all attack signatures correctly
Conditions:
After creating ASM policy navigate to attack-signatures section :
Security ›› Application Security : Security Policies : Policies List ›› phpauction
Click on the check box
Impact:
Attack signatures are not selected properly
Workaround:
None
Fix:
Check box selects all attack signatures correctly
Fixed Versions:
16.1.4
1213305-3 : Improper query string handling on undisclosed pages
Links to More Info: K000132726, BT1213305
1212081-2 : The zxfrd segfault and restart loop due to incorrect packet processing
Links to More Info: BT1212081
Component: Global Traffic Manager (DNS)
Symptoms:
The zxfrd process becomes stuck in a crash/restart loop
Conditions:
During zone transfer, the zxfrd process may core when performing processing of an undisclosed packet.
Impact:
The zxfrd process manages zone transfers (AXFR) packets from backend DNS servers. If this process is crashing, zone updates will not be received, and DNS express may return stale results.
Workaround:
None
Fix:
None
Fixed Versions:
16.1.5
1211985-4 : BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring
Links to More Info: BT1211985
Component: In-tmm monitors
Symptoms:
When configured with a high number of In-TMM monitors and a high portion are configured as either Reverse monitors or as monitors using the Receive Disable field, the BIG-IP may not mark Nodes and Pool Members DOWN immediately once the configured timeout lapses for non-responsive targets.
Conditions:
This may occur when both:
- In-TMM monitoring is enabled through sys db bigd.tmm.
- A portion of the monitors are configured as Reverse monitors or use the Receive Disable field.
Impact:
Non-Responsive Nodes or Pool Members may not be marked DOWN.
Workaround:
You can work around this issue by disabling In-TMM monitoring, at the expense of decreased monitoring performance (higher CPU usage by the bigd daemon).
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1211905-2 : Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts"
Links to More Info: BT1211905
Component: Application Security Manager
Symptoms:
Unable to import the XML format policy.
Conditions:
Having an XML policy with violation_rating_counts elements.
Impact:
Unable to import XML policy.
Workaround:
1) Remove the elements from an exported policy file.
sed -i '/<violation_rating_counts\/>/d' *xml
2) Import the policy again.
Fix:
None
Fixed Versions:
16.1.5
1211513-2 : Data payload validation is added to HSB validation loopback packets
Links to More Info: BT1211513
Component: TMOS
Symptoms:
Send validation loopback packets to the HSB on the BIG-IP platforms.
Conditions:
This issue occurs while running a BIG-IP hardware platform with HSB.
Impact:
No impact, this is a new diagnostic feature.
Workaround:
None
Fix:
Loopback validation now occurs on hardware platforms equipped with HSB, except on iSeries platforms i4600, i4800, i2600, i2800, and i850 as wd_rx_timer is disabled by default.
Behavior Change:
A new diagnostic feature with failsafe periodically sends validation loopback packets to the HSB on BIG-IP platforms with the hardware component.
The feature adds following two new db variables that can be altered with TMSH modify sys db:
- The variable tmm.hsb.loopbackValidation is enabled by default, change it to disabled to stop the loopback validation packets sent to HSB.
- The variable tmm.hsb.loopbackvalidationErrthreshold is set to 0 by default. If this value is set to 0, the BIG-IP will only log corruption detection without taking any action. If the value is set to greater than 0, then an HSB nic_failsafe will be triggered when the number of detected corrupt loopback packets reaches the value.
An HSB reset typically dumps some diagnostic information in /var/log/tmm and reboots the system.
If a validation loopback packet is found to be corrupt, one or more messages like the following will appear in /var/log/tmm:
notice HSB loopback corruption at offset 46. tx: 0x4f, rx: 0x50, len: 2043
These logs are rate-limited to 129 logs per 24-hour period. If the variable tmm.hsb.loopbackvalidationErrthreshold is set to a value greater than 0 and the number of corrupt packets reaches this value, the following log message will also appear:
notice Reached threshold count for corrupted HSB loopback packets
Typically, the log message will then be followed by a reboot.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1211341-4 : Failed to delete custom monitor after dissociating from virtual server
Links to More Info: BT1211341
Component: Global Traffic Manager (DNS)
Symptoms:
When dissociated from virtual server, unable to delete custom monitor.
Conditions:
- Dissociate the custom monitor from virtual server
- Delete the custom monitor
Impact:
Unable to delete custom monitor.
Workaround:
None
Fix:
The custom monitor can be deleted after dissociating from virtual server.
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1211297-3 : Handling DoS profiles created dynamically using iRule and L7Policy
Links to More Info: BT1211297
Component: Anomaly Detection Services
Symptoms:
Persistent connections with HTTP requests that may switch according to dynamic change of DoS policy (using iRule or L7Policy) can cause a TMM crash.
Conditions:
A request arrives to BIG-IP and is waiting to be served (it is delayed using iRule), however, if the DoS profile is unbound during that time from the virtual server and a dynamic DoS profile change decision is made, it could potentially cause the request to be incorrectly associated with a context that has already been freed.
Impact:
In few scenarios, when DoS policy is changed during connection lifetime, TMM might crash.
Workaround:
None
Fix:
No TMM crash due to persistent connections.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1211189-3 : Stale connections observed and handshake failures observed with errors
Links to More Info: BT1211189
Component: Local Traffic Manager
Symptoms:
SSL handshake fails.
Invalid or expired certificates are being used in the handshake.
Conditions:
- When the certificates in BIG-IP are expired and being renewed remotely.
- When the clientssl or serverssl profiles are dynamically being attached to a virtual server through iRule.
Impact:
SSL handshake fails.
Vitual server (SSL Profiles) use old or expired certificates.
Workaround:
Restart the TMM or BIG-IP to resolve the issue temporarily (until next expiry time of the certificates).
Fix:
None
Fixed Versions:
17.1.1, 16.1.4
1211021-4 : Enforcement does not happen for entries in new and modified IPI feed lists due to lock issues
Links to More Info: BT1211021
Component: Advanced Firewall Manager
Symptoms:
Entries added or updated in IP Intelligence (IPI) feed lists are not enforced. This occurs when threads in Dynamic White or Black Daemon (DWBLD) module are in deadlock.
Conditions:
- IPI license is enabled.
- Feed lists and policies are configured.
Impact:
Enforcement of entries in new and updated IPI feed lists does not happen.
Workaround:
Run the command "bigstart restart dwbld" to resolve the issue.
Check for "Empty items" message in /var/log/dwbld.log. If same message is seen for more than 100 times continuously, threads are in lock state and we can recover by restarting DWBLD module.
Fix:
The function "set_curl_state" was returning without unlocking mutex in a condition.
The mutex is now unlocked appropriately and prevents locking up of DWBLD threads.
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1210469-3 : TMM can crash when processing AXFR query for DNSX zone
Links to More Info: BT1210469
Component: Local Traffic Manager
Symptoms:
TMM crash with SIGABRT and multiple log messages with "Clock advanced by" messages.
Conditions:
Client querying AXFR to a virtual server or wideip listener that has DNSX enabled in the DNS profile and has a large amount of DNSX zones with a large amount of resource records.
Impact:
TMM cores and runs slow with "Clock advanced by" messages.
Workaround:
Disable zone transfer for the DNS profile associated with the virtual server.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1210321-1 : Parameters are not created for properties defined in multipart request body when URL include path parameter
Links to More Info: BT1210321
Component: Application Security Manager
Symptoms:
Security policy parameters are not created for OpenAPI schema properties in multipart request body section.
Conditions:
Request body defined for URL that include path parameter.
Impact:
Some parameters defined by OpenAPI file will not be created in security policy.
Workaround:
Missed parameters should be created manually through GUI, REST, or TMSH.
Fixed Versions:
16.1.5
1209709-4 : Memory leak in icrd_child when license is applied through BIG-IQ
Links to More Info: BT1209709
Component: TMOS
Symptoms:
The memory use for icrd_child may slowly increase, eventually leading to an OOM condition.
Conditions:
License applied through BIG-IQ.
Impact:
Higher than normal control-plane memory usage, possible OOM related crash.
Workaround:
Periodically kill the icrd_child processes. The restjavad will restart them automatically.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1209409-3 : Address lists with thousands of addresses can cause MCPD to become unresponsive and use 100% CPU
Links to More Info: BT1209409
Component: Advanced Firewall Manager
Symptoms:
If there are thousands of addresses in an address list, validation of the addresses can take extended time. While MCPD is validating the addresses it will use nearly 100% of the CPU. Also, during this time, other daemon might timeout their connection with MCPD and/or restart.
Conditions:
- Thousands of addresses in an address list.
Impact:
- Longer load /sys configuration time including on upgrade.
- Longer configuration sync time, where full configuration sync is more prone to cause this issue.
- Modifications using the webUI consume longer time and might timeout.
Depending on how long MCPD spends validating the addresses, other daemons, including TMM, might timeout their connection to MCPD and/or restart.
Workaround:
None
Fix:
The time it takes mcpd to validate an addresses list that contains nested address lists is greatly reduced.
Fixed Versions:
16.1.4
1209197-1 : Gtmd crash with SIGSEGV while importing or exporting a key or certificate to the BIG-IP
Links to More Info: BT1209197
Component: Local Traffic Manager
Symptoms:
The crash occurs while importing or exporting a key or certificate to the BIG-IP.
Conditions:
While importing the exported buffer, an improper initialization of the variable may create a condition leading to the crash.
Impact:
GSLB traffic disrupted while gtmd restarts.
Workaround:
None
Fix:
Added a fix to handle this issue. Initialized the variable to 0. Hence, it will not have any other value which can be used for fetching the PEM string information.
Fixed Versions:
17.1.0, 16.1.5
1208989-3 : Improper value handling in DOS Profile properties page
Links to More Info: K000132726, BT1208989
1208949-1 : TMM cored with SIGSEGV at 'vpn_idle_timer_callback'
Links to More Info: BT1208949
Component: Access Policy Manager
Symptoms:
TMM cores.
Conditions:
Network Access is in use.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1208529-4 : TMM crash when handling IPSEC traffic
Links to More Info: K000132420, BT1208529
1208001-1 : iControl SOAP vulnerability CVE-2023-22374
Links to More Info: K000130415, BT1208001
1207821-3 : APM internal virtual server leaks memory under certain conditions
Links to More Info: BT1207821
Component: Access Policy Manager
Symptoms:
Memory leaks are observed while passing traffic in the internal virtual server used for APM.
Client/Backend is slow in responding to packets from the BIG-IP. Congestion is observed on the network which prompts BIG-IP to throttle egress.
Conditions:
- Traffic processing in the internal virtual server used for APM.
Impact:
TMM memory grows over time, this will lead to out of memory for TMM and eventual restart. Traffic is disrupted when TMM restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1207793-1 : Bracket expression in JSON schema pattern does not work with non basic latin characters
Links to More Info: BT1207793
Component: Application Security Manager
Symptoms:
Pattern matching in JSON schema has an issue of unable to match string in a specific pattern expression.
Conditions:
When all the following conditions are satisfied:
- a non-basic latin character is in bracket expression []
- the bracket expression is led by ^ or followed by $
- there is at least one character just before or after bracket expression
Following are examples for pattern that has issue:
- /^[€]1/
- /1[€]$/
The bracket would have multiple characters in real scenario.
Following are examples for patterns that do not have the issue:
- /^[€]/
- /[€]1/
- /^€1/
Impact:
The JSON content profile fails matching legitimate JSON token with JSON schema, resulting a false positive.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1207661-4 : Datasafe UI hardening
Links to More Info: K000132768, BT1207661
1207381-3 : PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored
Links to More Info: BT1207381
Component: Policy Enforcement Manager
Symptoms:
From the following example, a PEM policy rule flow filter
matches the traffic from any source address and any port, to any destination address and port 81 (the port number is an example):
Source Address Source Port VLAN Destination Address Destination Port
0.0.0.0/0 0 ANY 0.0.0.0/0 81
When the rule is updated through the GUI or CLI to match traffic from any source address and any port, to any destination address and any port:
Source Address Source Port VLAN Destination Address Destination Port
0.0.0.0/0 0 ANY 0.0.0.0/0 0
The updated rule is correctly saved into the configuration as shown by the GUI and the CLI, but the new flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule (destination port 81 in the example).
Conditions:
An existing PEM policy rule flow filter that is updated through GUI or CLI selecting Source Port '0' ('any') and/or destination port '0' ('any').
Impact:
The updated flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule.
Workaround:
- Restart TMM to make the updated flow filter effective.
or
- Remove the flow filter altogether instead of replacing it with a filter like '0.0.0.0/0:0 --> 0.0.0.0/0:0' .
The intended result is the same: the rule will catch all traffic.
or
- Create a new additional rule with port number 0 and place in higher precedence (under the same policy).
- For example, rule with precedence 10 allow flow for port 80 (instead of modifying this rule) and
- Create a new rule with precedence 9 to allow flow for port "0" and delete the old rule.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1205501-2 : The iRule command SSL::profile can select server SSL profile with outdated configuration
Links to More Info: BT1205501
Component: Local Traffic Manager
Symptoms:
Under few circumstances, an iRule selected server SSL profile can send previously configured certificate to the peer.
Conditions:
The iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made to the profile.
Impact:
The TLS handshake may use an outdated certificate that does not match the current configuration, potentially leading to handshake failures.
Workaround:
Terminate all traffic running on the virtual servers that are using the iRule command for the update to take effect.
or
Do not make changes to a profile that is actively being used by the iRule command.
Fix:
The server SSL profiles will now reloaded successfully after changes are made.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1205029 : WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application
Links to More Info: BT1205029
Component: Access Policy Manager
Symptoms:
In some cases of WEBSSO same token is sent to different sessions in the backend.
Conditions:
WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application
Impact:
Situations where JWTs (via WEBSSO / OAuth Bearer profile) are being sent downstream for requests which belong to a different user. The problem seems to be related to when these requests share the same client IP address. This is a big problem when clients are using NAT themselves to mask different users/sessions behind the same IP address.
Workaround:
None
Fix:
BIG-IP now clears the cache tokens when sessions are different so that new tokens are generated for different sessions.
Fixed Versions:
17.1.1, 16.1.4
1204961-4 : Improper query string handling on undisclosed pages
Links to More Info: K000132726, BT1204961
1204793-4 : Improper query string handling on undisclosed pages
Links to More Info: K000132726, BT1204793
1200929-2 : GTM configuration objects larger than 16384 bytes can cause the GTM sync process to hang
Links to More Info: BT1200929
Component: Global Traffic Manager (DNS)
Symptoms:
If GTM objects larger than 16384 bytes are created, then the GTM sync process will not complete. In addition, the gtm_add process (which requests a GTM sync for all objects) will not complete.
Following is the symptom for gtm_add:
After "Retrieving remote GTM configuration...", the process will pause for 300 seconds (5 minutes), and then exit, with a message "Syncer failed to retrieve configuration".
For a normal GTM sync, where gtm_add is not being used, the symptom is that the synchronisation of configuration changes is not working.
Conditions:
The presence of any MCPD object in the GTM configuration (/config/bigip_gtm.conf) which is larger than 16384 bytes, for example a large GTM rule.
Note: The GTM iRules are distinct from LTM iRules. Only GTM objects, such as GTM rules (applied to wideIPs) are relevant to this issue.
Impact:
Unable to complete GTM sync, unable to add a new GTM into the sync group.
Workaround:
Reduce the size of the problematic object to lower than 16384 bytes. For example, if the issue is with a GTM iRule, then try removing comments, blank lines, or unnecessary log statements that do not affect the functionality of the rule.
Fix:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1196537-1 : BD process crashes when you use SMTP security profile
Links to More Info: BT1196537
Component: Application Security Manager
Symptoms:
The BD process may crash when an SMTP security profile is attached to a virtual server, and the SMTP request is sent to the same virtual server.
Conditions:
- SMTP security profile is attached to VS
- SMTP request is sent to VS
Impact:
Intermittent BD crash
Workaround:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1196477-3 : Request timeout in restnoded
Links to More Info: BT1196477
Component: Device Management
Symptoms:
The below exception can be observed in restnoded log
Request timeout., stack=Error: [RestOperationNetworkHandler] request timeout.
At ClientRequest. <anonymous> (/usr/share/rest/node/src/infrastructure/restOperationNetworkHandler.js:195:19)
Conditions:
When BIG-IP is loaded with a heavy configuration.
Impact:
SSL Orchestrator deployment will not be successful.
Workaround:
1. mount -o remount,rw /usr
2. In getDefaultTimeout : function() at /usr/share/rest/node/src/infrastructure/restHelper.js
replace 60000 with required required timeout.
3. bigstart restart restnoded
4. mount -o remount /usr
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1196401-2 : Restarting TMM does not restart APM Daemon
Links to More Info: BT1196401
Component: Access Policy Manager
Symptoms:
Due to asynchronous nature of TMM threads and APM plugin channel threads, a core can trigger when TMM exited and APM Daemon (APMD) is still available with earlier TMM plugin handlers.
Conditions:
When TMM restarts and APM still has old TMPLUGIN handle (which will become invalid eventually).
Impact:
Might observe APMD core.
Workaround:
Restart APM, when TMM is restarted.
Fix:
Updated TMM bigstart scripts to restart APMD and related tm_plugin services.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1196053-3 : The autodosd log file is not truncating when it rotates
Links to More Info: BT1196053
Component: Advanced Firewall Manager
Symptoms:
The autodosd file size increasing continuously irrespective of log rotation occurring every hour.
Conditions:
- DOS profiles (at Device/VS) configured with fully automatic, autodosd daemon will calculate the thresholds periodically and updates the log file with relevant logs.
Impact:
Logs are not truncated as expected. The autodosd log file size continue to increase even though it is rotated every hour.
Workaround:
Restarting autodosd daemon will truncate the log file content to zero.
Fix:
The bigstart script of autodosd deamon is updated to open the file in correct mode.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1196033-2 : Improper value handling in DataSafe UI
Links to More Info: K000132726, BT1196033
1195489-2 : iControl REST input sanitization
Links to More Info: K000137522, BT1195489
1195385 : OAuth Scope Internal Validation fails upon multiple providers with same type
Links to More Info: BT1195385
Component: Access Policy Manager
Symptoms:
The Claim Validation in OAuth Scope Fails when two Azure providers with different tenant ID are provided in the JWT provider list such that, the non-expected provider comes first and expected one comes later. Once failure is logged OAuth flow is redirected to Deny Page.
Conditions:
When the list of providers are sent to TMM for Signature Validation the invalid provider is sent back as response indicating that it has passed the signature validation for the access_token that has been acquired in previous steps.
There are chances where Azure as AS might be using same key ID (kid) for different tenants, so in such cases even the invalid provider passes the signature validation.
In general practice, Claim Validation Comes after Signature Validation, when the invalid provider is sent back from TMM it fails Claim Validation in APMD.
Impact:
The policy rule displays the deny page.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4
1195377 : Getting Service Indicator log for disallowed RSA-1024 crypto algorithm
Links to More Info: BT1195377
Component: TMOS
Symptoms:
Displaying disallowed algorithm as approved. It must not display approved log for disallowed algorithms when FIPS license is installed on the platform.
Conditions:
- FIPS license is installed on the platform.
- Creating a bit key.
Impact:
Creating keys for approved algorithms only
Workaround:
Change log statements or do not create a key for disallowed algorithms.
Fix:
Approved log for disallowed algorithms is not displayed.
Fixed Versions:
17.1.0, 16.1.4
1195125 : "Failed to allocate memory for nodes of size 0, no variables found in query" BD log message fix
Links to More Info: BT1195125
Component: Application Security Manager
Symptoms:
A GraphQL query without variables in its query will cause the error message to be reported in BD logs, even though it's not an error.
Conditions:
A request with GraphQL query without variables.
Impact:
Error prints in the enforcer logs.
Fix:
No error reports are detected in the BD logs.
Fixed Versions:
16.1.4
1194173-2 : BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value
Links to More Info: BT1194173
Component: Application Security Manager
Symptoms:
Attack signature check is not run on normalised parameter value.
Conditions:
- A parameter with location configured as a cookie is present
in the parameters list.
- Request contains the explicit parameter with URL encoded
base64 padding value.
Impact:
- Attack signature not detected.
Workaround:
None
Fix:
The attack signature check runs on normalised parameter value.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1191137-3 : WebUI crashes when the localized form data fails to match the expectations
Links to More Info: BT1191137
Component: TMOS
Symptoms:
In the Chinese BIG-IP, when multicast rate limit field is checked (enabled) and updated, the webUI is crashing.
Conditions:
On the Chinese BIG-IP:
- Navigate to the System Tab > Configuration.
- In Configuration, select Local Traffic > General.
- In Multicast Section, enable Maximum Multicast Rate Checkbox and click on Update.
Impact:
Chinese BIG-IP webUI is crashing.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1190365-3 : OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly
Links to More Info: BT1190365
Component: Application Security Manager
Symptoms:
The method used by ASM enforcer to serialize an OpenAPI object configured with "style:form", "explode:true", and "type:object" is not functioning as expected.
Conditions:
Repeated occurrences of parameter names in the query string with "type:object/explode:true/style:form" configured OpenAPI file.
Impact:
The violation "JSON data does not comply with JSON schema" is raised due to the repeated parameters from the query string with "array" configuration.
Workaround:
None
Fix:
The enforcer serializes the OpenAPI object correctly, no violation reported.
Note: In case of single occurrence of a parameter name in query string, it will be handled as a primitive (non-array) type.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1190353-3 : The wr_urldbd BrightCloud database downloading from a proxy server is not working
Links to More Info: BT1190353
Component: Policy Enforcement Manager
Symptoms:
Downloading BrightCloud database is not working with the proxy.
Conditions:
BrightCloud database download through Proxy management.
Impact:
URL categorization disruption as database not getting downloaded.
Workaround:
None
Fix:
Added the proxy settings in wr_urldbd BrightCloud database.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1190025-2 : The OAuth process crash
Links to More Info: BT1190025
Component: Access Policy Manager
Symptoms:
The Oauth process crashes and you may observe the following log in /var/log/messages
Nov 4 06:24:56 <hostname> notice logger[16306]: Started writing core file: /var/core/oauth.bld0.175.14.core.gz for PID 20854
Conditions:
Unknown
Impact:
OAuth stopped working.
Fixed Versions:
16.1.5
1189865-2 : "Cookie not RFC-compliant" violation missing the "Description" in the event logs
Links to More Info: BT1189865
Component: Application Security Manager
Symptoms:
When a request is blocked due to "Cookie not RFC-compliant' violation, the description field in the request log details is shown as "N/A" instead of having the description (for example "Invalid equal sign preceding cookie name" or "Invalid space in cookie name").
Conditions:
-- The violation is blocked due to "Cookie not RFC-compliant" violation
-- Looking at the request log details.
Impact:
The description is empty it is not possible to determine what is the problem with the request.
Workaround:
None
Fix:
After the fix, the description is shown in the request log details in the description field
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1189513-4 : SIP media flow pinholes are not created if SDP MIME multipart body part miss the content-length header
Links to More Info: BT1189513
Component: Service Provider
Symptoms:
The SIP MRF failed to extract the SDP data and not created media flow pinholes, if SDP Multipurpose Internet Mail Extensions (MIME) multipart body is not generated with content-length header.
Conditions:
An INVITE message contained a MIME multipart payload and body parts miss content-length header.
Impact:
Media flow pinholes are not created.
Workaround:
None
Fix:
The SIP MRF extracts the SDP information and media flow pinholes are created on the BIG-IP even when the SDP MIME body part does not have a content-length header.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1189465-3 : Edge Client allows connections to untrusted APM Virtual Servers
Links to More Info: K000132539, BT1189465
1189461-3 : BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-36858
Links to More Info: K000132563, BT1189461
1189457-3 : Hardening of client connection handling from Edge client.
Links to More Info: K000132522, BT1189457
1188417-2 : Failure in the SelfTest/Integrity test triggers a reboot action.
Links to More Info: BT1188417
Component: Access Policy Manager
Symptoms:
BIG-IP may reboot or become unresponsive with the following error log in /var/log/apm.
err websso.7[8608]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
Conditions:
This issue occurs when the WebSSO is configured.
Impact:
Traffic is disrupted while the system reboots or becomes unresponsive.
Workaround:
None
Fix:
Proper locking mechanisms have been introduced to prevent race conditions in multi-threaded WebSSO environments for the RAND_bytes API used in the OpenSSL crypto library.
Fixed Versions:
16.1.5
1186925-4 : When FUA in CCA-i, PEM does not send CCR-u for other rating-groups
Links to More Info: BT1186925
Component: Policy Enforcement Manager
Symptoms:
When Final Unit Action (FUA) in CCA-i, the traffic is immediately blocked for that rating-group.
But, PEM does not send CCR-u for other rating-groups any more, which causes all other rating-groups traffic to pass through.
If FUA in CCA-u, everything works as expected.
Conditions:
When FUA received in in CCA-i.
Impact:
PEM receives FUA redirect first and ignores further requests.
Workaround:
Use iRule to remove FUA in CCA-i.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1186789-2 : DNSSEC keys stored on an internal FIPS card do not work after upgrading to versions >= 16.x
Links to More Info: BT1186789
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC signatures are not generated after the upgrade.
Conditions:
DNSSEC key stored on FIPS card;
and
Upgrade to versions >= 16.x.
Impact:
DNSSEC signing will not work.
Workaround:
Edit bigip_gtm.conf and update the key generation handles to match the first 32-hex characters of the key modulus and then run these commands:
# tmsh load sys config gtm-only
# bigstart restart gtmd
(OR)
Before the upgrade, modify the key handle as mentioned above and then reload the config with 'tmsh load sys config gtm-only'
Fixed Versions:
17.1.1, 16.1.5
1186661-2 : The security policy JSON profile created from OpenAPI file should have value "any" for it's defense attributes
Links to More Info: BT1186661
Component: Application Security Manager
Symptoms:
The JSON profile of security policy created from OpenAPI file has defense attributes required for JSON content validation. Defense attributes created with default values specific to each defense attribute. The default values can be incorrect, thus by default JSON defense attributes should not be enforced and they should have value "any".
Conditions:
- Creating JSON profile from OpenAPI file.
Impact:
Security policy created from OpenAPI file may enforce some requests with JSON content while it was not required by OpenAPI file.
Workaround:
None
Fixed Versions:
16.1.5
1186649 : TMM keep crashing after vCMP Guest Upgrade to BIG-IP v16.1.3.2★
Links to More Info: BT1186649
Component: TMOS
Symptoms:
TMM process keeps crashing after vCMP Guest Upgrade to BIG-IP v16.1.3.2.
Conditions:
Hosts running BIG-IP versions lower than 14.1.0, Guests running BIG-IP versions greater than 16.0.x.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Downgrade to previous version, or upgrade the vCMP hypervisor to a higher version.
Note version 14.1.x and below are no longer supported, so it is strongly advised to upgrade vCMP host software version
Fixed Versions:
16.1.5
1186437-1 : Link to Server Technologies is not working
Links to More Info: BT1186437
Component: Application Security Manager
Symptoms:
Link to configure Server technologies under category ' A6 Security Misconfiguration' of OWASP Top 10 dashboard says "The requested URL was not found on this server."
Conditions:
Click on category A6 - Server Technologies link
Impact:
Configuring Server technologies is not linking to the expected page
Workaround:
None
Fix:
Linked the correct page to Server Technologies; the policy configuration page
Fixed Versions:
16.1.4
1186401-2 : Using REST API to change policy signature settings changes all the signatures.
Links to More Info: BT1186401
Component: Application Security Manager
Symptoms:
When you use iControl REST to modify the signatures associated with a policy, the modifications are applied to all the signatures.
Conditions:
-- Create a policy named 'test'
-- Associate a signature set like "SQL Injection Signatures" to the policy
For example, remove the "Generic Detection Signatures (High/Medium Accuracy)" set
-- Look at the low-risk signatures associated with the policy
Commmand:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' | jq . | head
-- Turn off staging for these signatures:
Commands:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": false }' -X PATCH | jq . | head
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": true }' -X PATCH | jq . | head
-- The "totalItems" shows that 187 signatures were changed
Impact:
The user was unable to leverage the REST API to make the desired changes to the ASM signature policy.
Workaround:
Add 'inPolicy eq true' to the filter
Command :
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low+and+inPolicy+eq+true' -d '{ "performStaging": false }' -X PATCH | jq . | head
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1186385-1 : Link to 'Enforced Cookies' and 'SameSite Cookie Attribute Enforcement ' is opening the Policies List page
Links to More Info: BT1186385
Component: Application Security Manager
Symptoms:
The wrong page is linked to 'Enforced Cookies' and 'SameSite Cookie Attribute Enforcement'.
Conditions:
Clicking on Enforced Cookies or SameSite Cookie Attribute Enforcement
Impact:
You are taken to the Policies List page.
Workaround:
None
Fix:
Updated the correct links for both the entities
Fixed Versions:
16.1.4
1186249-2 : TMM crashes on reject rule
Links to More Info: BT1186249
Component: Local Traffic Manager
Symptoms:
The TMM crashes when the configuration has a rule that contains a reject in an HTTP_RESPONSE.
Conditions:
The crash happens when this rule is processed after a client has disconnected.
Impact:
TMM crashes every time this condition occurs. Traffic disrupted while tmm restarts.
Workaround:
If possible, avoid the use of reject or use HTTP::disable before the reject.
Fix:
Reject can be used without a crash.
Fixed Versions:
17.1.0, 16.1.4
1185421-4 : iControl SOAP uncaught exception when handling certain payloads
Links to More Info: K000133472, BT1185421
1185257-4 : BGP confederations do not support 4-byte ASNs
Links to More Info: BT1185257
Component: TMOS
Symptoms:
The BGP confederations do not support 4-byte AS numbers. Only 2-byte ASNs are supported.
Conditions:
Using BGP confederations.
Impact:
Unable to configure 4-byte AS number under BGP confederation.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1185133-2 : ILX streaming plugins limited to MCP OIDs less than 10 million
Links to More Info: BT1185133
Component: Local Traffic Manager
Symptoms:
When trying to get started with iRules LX, every script attempted results in the following error:
"Sep 16 11:16:26 pid[6958] streaming tm_register failed"
Conditions:
MCP configuration (MCP OID's) should go beyond 10 million.
Impact:
Unable to run iRules LX streaming plugins.
Workaround:
The below command forces MCPD to load the configuration from the text file with an empty database, thus the OID counter is reset to 0.
bigstart stop
rm -f /var/db/mcpdb*
bigstart start
Fix:
The TMSTAT segment names are limited to 31 characters (not including terminating NUL). With 23 characters used by the constant portion, 8 characters are left for both OID and CPU. The CPU will be 1 or 2 characters, leaving 6 or 7 characters for the OID. When exceeded, the tmstat_create fails.
tmplugin_nodejsplugin_1000000_0 err 0
tmplugin_nodejsplugin_10000000_0 err -1
Change the plugin class from "nodejsplugin" to "nodejs" or similar, to allow 6 more digits of OID space (allowing to 10 trillion).
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1184929-1 : GUI link displays mixed values FULFILLED or Requirement Fulfilled and NOT FULFILLED or Requirement Not Fulfilled
Links to More Info: BT1184929
Component: Application Security Manager
Symptoms:
Mismatch of configuration seen on OWASP dashboard. GUI link displays mixed values FULFILLED or Requirement Fulfilled and NOT FULFILLED or Requirement Not Fulfilled
Conditions:
Entity details in OWASP compliance dashboard.
Impact:
GUI link displays inconsistent values for entity details.
Workaround:
None
Fix:
Values are updated to FULFILLED and NOT FULFILLED to maintain consitency.
Fixed Versions:
16.1.4
1184841-2 : Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API
Links to More Info: BT1184841
Component: Application Security Manager
Symptoms:
Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API.
Conditions:
- ASM-Sync enabled
- Auto-Sync enabled
- Updating URL through REST API
Impact:
Configuration will be de-synced.
Workaround:
Use TMUI to update configuration.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1184629-2 : Validate content length with respective to SIP header offset instead of parser offset
Links to More Info: BT1184629
Component: Service Provider
Symptoms:
The SIP parser is validating the content length of the SIP message with respective to the parser offset instead of SIP actual header. Validating the content length with parser offset is inaccurate.
Conditions:
The SIP message should have content length greater than zero and should have content.
Impact:
The SIP parser is calculating the SIP message body size inaccurately.
Workaround:
None
Fix:
Validating the content length with respective to SIP header offset instead of parser offset.
Fixed Versions:
17.1.0, 16.1.5, 15.1.9
1184153-2 : TMM crashes when you use the rateshaper with packetfilter enabled
Links to More Info: BT1184153
Component: Local Traffic Manager
Symptoms:
Tmm might crash when you use the packet-filter with the packetfilter.established option enabled, and when rate-class is applied via packet-filter rule.
Conditions:
- packet-filter with packetfilter.established option enabled.
AND
- rate-class is applied via packet-filter rule.
Impact:
TMM crash/failover.
Workaround:
Do not apply rate-class via packetfilter or disable the packetfilter.established option.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1183453-1 : Local privilege escalation vulnerability (CVE-2022-31676)
Links to More Info: K87046687
1182353-3 : DNS cache consumes more memory because of the accumulated mesh_states
Links to More Info: BT1182353
Component: Global Traffic Manager (DNS)
Symptoms:
DNS cache consumes more memory and the mesh_states are accumulated quickly.
Conditions:
Mixed queries with rd flag set and cd flag set/unset.
Impact:
TMM runs out of memory.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1181833-2 : Content is not updating under respective tab of webUI when CSRF enabled
Links to More Info: BT1181833
Component: Application Security Manager
Symptoms:
The JS tabs under webUI are not functional and content is not being updated.
Conditions:
- When CSRF feature is enabled.
Impact:
- Content is not visible under individual tabs when clicked on any tab button in the webUI.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.0, 16.1.5
1181757-4 : BGPD assert when sending an update
Links to More Info: BT1181757
Component: TMOS
Symptoms:
BGPD might trip an assert when sending an update to a peer.
Conditions:
Large number of prefixes advertised to a peer (~800). This happens rarely, as it requires a specific update layout.
Impact:
BGPD may crash or core.
Workaround:
None
Fix:
None
Fixed Versions:
16.1.5
1181613-1 : IPsec IKEv2: BIG-IP version 16.1.0 introduced RFC5996 non-compliance in IKE SA delete
Links to More Info: BT1181613
Component: TMOS
Symptoms:
After the deletion of an IKE SA, the child IPsec SAs will not be deleted.
Conditions:
-- IKEv2 IPsec tunnels
-- Tunnels use Route Domains.
-- An IPsec SA is deleted.
Impact:
The BIG-IP believes it still has valid IPsec SAs to use, while the remote peer does not. In this case, if the BIG-IP is normally the initiator, the tunnel will be unusable until the lifetime expires on the existing IPsec SAs.
Workaround:
None
Fix:
IPsec SAs are now deleted after the related IKE SA is deleted.
Fixed Versions:
17.1.0, 16.1.4
1180365-2 : APM Integration with Citrix Cloud Connector
Links to More Info: BT1180365
Component: Access Policy Manager
Symptoms:
-- Configure Citrix cloud connector instead of Citrix Delivery controller to publish apps and desktops from the cloud configured using DaaS.
-- Apps/Desktop will not be published.
Conditions:
-- Citrix cloud connector is used to publish apps instead of Citrix Delivery controller
-- The user clicks on the App/Desktop
Impact:
The cloud connector sends an empty response, and users will not be able to publish any Apps/Desktops in webtop which are published through Citrix Cloud Connector.
Workaround:
None
Fix:
After integration of APM with Citrix Cloud Connector, the user is able to publish Apps/Desktops which are published through Citrix Cloud Connector.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1178221-3 : In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT
Links to More Info: BT1178221
Component: TMOS
Symptoms:
When the retransmit happens, and other side is not reachable, the BIG-IP logs the "err packet length does not match field of ikev2 header" and then "ERR dropping unordered message".
Conditions:
Tunnel is established between Initiatior and Responder.
Responder is able to send DPD request. but not able to receive response.
Impact:
Wrong information logged.
DPD response packet corruption.
Workaround:
None
Fix:
Logs will display correct message.
Packet will not corrupt.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1174873-3 : Query string separators ? or / in MutiDomain or SAML use cases are incorrectly converted to "%3F" or "%2F"
Links to More Info: BT1174873
Component: Access Policy Manager
Symptoms:
In muti-domain Single Sign-On (SSO) or SAML Auth, the location header query string separator is converted from "?" to "%3F" or / to "%2F"
Conditions:
- Create an access policy with a redirect to login page.
Impact:
MultiDomain Auth or SAML Auth will fail
Workaround:
None
Fix:
A function that was used to normalize URLs was corrected.
Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1174085-1 : Spmdb_session_hash_entry_delete releases the hash's reference
Links to More Info: BT1174085
Component: Policy Enforcement Manager
Symptoms:
Tmm crashes while passing traffic. Multiple references accessing and trying to modify the same entry
Conditions:
BIG-IP passing certain network traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Delete the entry for every reference
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1174033-2 : The UPDATE EVENT is triggered with faulty session_info and resulting in core
Links to More Info: BT1174033
Component: Policy Enforcement Manager
Symptoms:
The UPDATE EVENT requires a proper initialization of the session_info which in turn is used to set the tcl pcb's cmdctx. With properly defined cmdctx, the sess_data is populated successfully. But, without proper initialization of the session_info makes the cmdctx to carry incorrect vaules, thus resulting in a core when populating the sess_data.
Conditions:
Enable the Global UPDATE-EVENT option and make sure you log
some session attributes as part of the UPDATE EVENT.
Impact:
Results in a core.
Workaround:
None
Fix:
Triggering UPDATE EVENT is not causing any core.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1173669-1 : Unable to reach backend server with Per Request policy and Per Session together
Links to More Info: BT1173669
Component: Access Policy Manager
Symptoms:
It is observed that backend pool is not reachable.
Conditions:
The OAuth case with Per Request policy and Per Session together.
Impact:
Backend Pool is not reachable.
Workaround:
None
Fix:
Variables pushed with server configuration into per request flow are accessed with last rather than the server configuration.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1173493-4 : Bot signature staging timestamp corrupted after modifying the profile
Links to More Info: BT1173493
Component: Application Security Manager
Symptoms:
Bot signature timestamp is not accurate.
Conditions:
Have a bot signature "A" in staging, record the timestamp.
Using webUI, set another bot signature "B" to be in staging and click Save.
The time stamp on "A" is updated and shows the year 1970 in webUI.
Impact:
Can not verify from when the signature was in staging.
Workaround:
Use TMSH, instead of webUI, to update the profile.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1173441-3 : The 'tmsh save sys config' call is being triggered when REST Authentication tokens (X-F5-Auth-Token) are deleted or expired
Links to More Info: BT1173441
Component: TMOS
Symptoms:
The 'tmsh save sys config' call is being triggered when REST authentication tokens (X-F5-Auth-Token) are deleted or expired.
Conditions:
The REST authentication tokens (X-F5-Auth-Token) are deleted or expired.
Impact:
There is no functional impact. However, in the BIG-IPs where there is huge configuration, a 'tmsh save sys config' call takes a lot of time and thus impacts the performance.
Workaround:
None
Fix:
The REST authentication tokens (X-F5-Auth-Token) are deleted or expired without triggering the 'tmsh save sys config' call as the call is unnecessary.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1168157-2 : OpenAPI: Special ASCII characters in "schema" block should not be converted to UTF8
Links to More Info: BT1168157
Component: Application Security Manager
Symptoms:
Content of "schema" entry in OpenAPI file is source of new "JSON schema validation file" created in security policy based on OpenAPI file. This content of "schema" entry is converted to UTF8 encoding to fulfil requirements of "JSON schema" requirements. In case "schema" entry contain ASCII special characters those characters should not be converted to UTF8.
Conditions:
ASCII special characters found under schema entry in OpenAPI file
Impact:
The entity "JSON schema validation file" in security policy will not be created for "schema" entry that contain special ASCII characters.
Workaround:
None
Fixed Versions:
16.1.5
1168137-3 : PEM Classification Auto-Update for month is working as hourly
Links to More Info: BT1168137
Component: Traffic Classification Engine
Symptoms:
After configuring PEM classification signature auto-update as monthly, but it runs on hourly.
If the update schedule is set to daily or weekly, then the latest IM package is downloaded based on the set update schedule. But, when it is set to monthly, it is working on hourly.
Conditions:
Automatic updates for classification signatures is configured and enabled, and update schedule should be set to monthly.
Impact:
Classification update is not working on monthly basis.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1167985-2 : Network Access resource settings validation errors
Links to More Info: BT1167985
Component: Access Policy Manager
Symptoms:
When trying to add "0.0.0.0/1" under the IPV4 LAN Address Space and in a Network Access resource, the UI would throw such error:
"Invalid IP or Hostname"
When trying to add DNS Exclude Address Space starting with an underscore (such as "_ldap._tcp.dc._msdcs.test.lan"), the UI would throw such error:
01b7005b:3: APM Network Access (/Common/test) DNS name (_ldap._tcp.dc._msdcs.test.lan) is not a valid domain name
Conditions:
Use a Network Access resource in split tunneling mode.
Add "0.0.0.0/1" under the IPV4 LAN Address Space
Add DNS Exclude Address Space starting with an underscore
Impact:
Administrators could not correctly configure some network access resource settings.
Fixed Versions:
17.1.1, 16.1.4
1167941-3 : CGNAT SIP ALG INVITE loops between BIG-IP and Server
Links to More Info: BT1167941
Component: Service Provider
Symptoms:
On an inbound call on the ephemeral listener, if the INVITE message TO header is not registered, and From header is registered, then INVITE is sent out on the ephemeral listener which might cause a loop issue, if the server sends back the INVITE to BIG-IP again.
Conditions:
It occurs with inbound calls.
Impact:
It could lead to performance issue if the loop continues.
Workaround:
Step 1 or 2 can be used as a workaround based on the use case.
1)If the From and To headers are the same, 400 bad response is given.
Also, the packets are dropped in case the destination address is not translated.
ltm rule sip_in_rule {
when SIP_REQUEST_SEND {
if {[SIP::method] == "INVITE" && [IP::addr [IP::remote_addr] equals $localAddr]} {
SIP::discard
}
}
when SIP_REQUEST {
set localAddr [IP::local_addr]
set from [substr [SIP::header from] 0 ";"]
set to [substr [SIP::header to] 0 ";"]
if {[SIP::method] == "INVITE" && $from equals $to} {
SIP::respond 400 "Bad Request"
}
}
(tmos)# modify ltm virtual vs_alg_sip_private { rules { sip_in_rule } }
2)below Irule would drop all inbound calls.
ltm rule sip_drop_rule {
when MR_INGRESS {
if { [MR::transport] contains "_$" } {
MR::message drop
}
}
(tmos)# modify ltm virtual vs_alg_sip_private { rules { sip_drop_rule } }
Fix:
BIG-IP will drop the messages in the following cases.
a)If From and To headers are the same in the sip INVITE message.
b)If the SIP INVITE message To header is not registered and From is registered.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1167929-4 : CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c
1167897-6 : [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c
1167889 : PEM classification signature scheduled updates do not complete
Links to More Info: BT1167889
Component: Traffic Classification Engine
Symptoms:
After configuring PEM classification signature updates to run at an defined interval, the updates may not actually occur.
Via tmsh:
ltm classification auto-update settings { }
via GUI:
Traffic Intelligence -> Applications -> Signature Update -> Automatic Update Settings
In the /var/log/ltm log, the following message may be seen
mcpd[xxxx]: 01070827:3: User login disallowed: User (guest) is not an administrator, does not have a UID of zero, and has not been assigned a role on a partition.
Conditions:
Automatic updates for classification signatures is configured and enabled.
Impact:
The classification updates do not occur.
Workaround:
Run the classification update manually.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1166449-2 : APM - NTLM authentication will stop working if any of DC FQDN is not resolvable in the configured DC list
Links to More Info: BT1166449
Component: Access Policy Manager
Symptoms:
NTLM authentication will stop working.
Conditions:
If any of the DC FQDN is not resolvable in the configured NTLM Auth Config DC list during below scenarios:
- Create/Modify NTLM Auth Configuration
- Restart ECA/NTLM service
- Restart, Power cycle or after upgrade
- Active/Stand by switch over.
Impact:
NTLM authentications targeted towards this NTLM Auth Config will start to fail.
Workaround:
User need to remove the non-resolvable DC FQDN from the NTLM Auth configuration's DC list.
Fix:
Fix will be provided to try FQDN resolution for all entries in the NTLM Auth configuration's DC list, NTLM Auth will proceed if at least one of the DC is resolvable and reachable.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1166329-2 : The mcpd process fails on secondary blades, if the predefined classification applications are updated.
Links to More Info: BT1166329
Component: TMOS
Symptoms:
If a user installs and deploys a classification update (classification-update-*.im) the predefined classification applications are changed to "user modified".
This change causes the mcpd process to fail and restart on secondary blades during startup.
Conditions:
- Multi-slot VIPRION or vcmp guest
- PEM provisioned
- Classification applications updated either with tmsh load sys config merge or by using the Signature Update option in the Traffic Intelligence tab from the GUI or tmsh
Impact:
No impact
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4
1162081-6 : Upgrade the bind package to fix security vulnerabilities
Component: Global Traffic Manager (DNS)
Symptoms:
Upgrade the bind package to fix the following security vulnerabilities:
- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178
Conditions:
Upgrade the bind package to fix the following security vulnerabilities:
- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178
Impact:
Upgrade the bind package to fix the following security vulnerabilities:
- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178
Workaround:
None
Fix:
Upgraded the bind package to 9.16.33.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1161965-3 : File descriptor(fd) and shared memory leak in wr_urldbd
Links to More Info: BT1161965
Component: Traffic Classification Engine
Symptoms:
When updating the customdb, fd and shared memory leaks were observed in wr_urldbd.
Conditions:
The issue happens when a urldb feed list is modified multiple times in a loop.
Impact:
Updating customdb will not work.
Workaround:
No
Fix:
Handled the updating of the customdb more efficiently to prevent any fd or shared memory leaks.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1161913-1 : Upgrades from BIG-IP versions 15.1.8, 15.1.8.1, 15.1.8.2, or v15.1.9 to 16.1.1, 16.1.2, 16.1.3 (not 16.1.4) or 17.0.x (but not 17.1.x) fail, and leaves the device INOPERATIVE★
Links to More Info: BT1161913
Component: TMOS
Symptoms:
The loading configuration process fails after an upgrade from 15.1.8, 15.1.8.1, 15.1.8.2, or v15.1.9 to any 16.x (prior to 16.1.4), or to any 17.0.x release. Upgrades to 16.1.4 or 17.1.x are not affected.
The system posts errors similar to the following:
-- crit tmsh[16188]: 01420001:2: Can't load keyword definition (vlan.dag_adjustment) : framework/SchemaCmd.cpp, line 825
-- crit tmsh[25644]: 01420001:2: Can't load keyword definition (vlan.nti) : framework/SchemaCmd.cpp, line 825
-- Can't find matched schema tag for association's attribute fw_zone_log_profile.pzname during loading cli version syntax: 15.1.8
-- Can't find matched schema tag for association's attribute fw_protected_zone.pzname during loading cli version syntax: 15.1.8
-- Unexpected Error: "Can't load keyword definition (vlan.dag_adjustment)"
-- fatal: (Can't load keyword definition (vlan.nti)) (framework/SchemaCmd.cpp, line 825), exiting...
-- emerg load_config_files[16186]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Loading schema version: 15.1.8
-- err mcpd[10702]: 01070422:3: Base configuration load failed.
Conditions:
The issue occurs when an upgrade happens from one of the following releases:
-- BIG-IP version 15.1.8 or later in the v15.1.x branch.
to any of the following releases:
-- BIG-IP version 16.0 through v16.1.3.4
-- BIG-IP version 17.0 through v17.0.0.2
Impact:
After the upgrade, the configuration does not load. The system hangs at the base configuration load failure status and leaves the system inoperative.
Workaround:
It is not possible to avoid running into a config load failure when attempting the upgrade or restoring a UCS archive from v15.1.8 or v15.1.8.1 or v15.1.8.2 or v15.1.9 on one of the listed versions. However, as long as the system is not using the zone-based DDoS AFM functionality, it is possible to load the configuration after the upgrade via the manual workaround shown below. If upgrading to 16.1.4 or a later version there is no need to use this workaround, and it should not be used.
1. While the system is inoperative, log into the system as root or an administrative user and launch bash.
2. Copy and paste the following series of commands and run them in bash
### BEGIN COMMANDS
(shopt -s nullglob; sed -E -i.workaround.bak -e '/dag-adjustment /d' /config/bigip_base.conf /config/partitions/*/bigip_base.conf)
(shopt -s nullglob; sed -E -i -e '/^KEYWORD dag-adjustment/d' -e '/^KEYWORD nti/d' /var/libdata/tmsh/syntax/15.1.{8,9,10}*/auto_schema_data_net_cli.dat)
for dir in /var/libdata/tmsh/syntax/15.1.{8,9,10}*; do
[ -d "$dir" ] || continue
/bin/mv "$dir"/auto_schema_data_security_cli.dat{,.workaround.bak}
awk '
/^<REF_CMD fw-protected-zone / { refcmd=1; depth=1; next }
/^<CMD fw-protected-zone/ { cmd=1; depth=1; next }
/^<ASSOCIATION.*fw-protected-zone/ { depth=depth+1; next }
/^>/ {
if (refcmd || cmd) {
if (!--depth) {
refcmd = 0;
cmd = 0;
}
next;
}
}
/.?/ {
if (refcmd || cmd) next
print
}' < "$dir"/auto_schema_data_security_cli.dat.workaround.bak > "$dir"/auto_schema_data_security_cli.dat
/bin/rm "$dir"/auto_schema_data_security_cli.dat.workaround.bak
done
### END COMMANDS
3. Load the configuration again:
tmsh load sys config
4. If the config loads successfully, save it once:
tmsh save sys config
Fix:
None
Fixed Versions:
16.1.4
1161733-4 : Enabling client-side TCP Verified Accept can cause excessive memory consumption
Links to More Info: K000134652, BT1161733
1160805-2 : The scp-checkfp fail to cat scp.whitelist for remote admin
Links to More Info: BT1160805
Component: TMOS
Symptoms:
Attempt SCP file to BIG-IP:
/shared/images
root user success
remote admin user fails, following is an example:
$ scp test.iso apiuser@10.201.69.106:/shared/images
Password:
cat: /co: No such file or directory
cat: fig/ssh/scp.whitelist: No such file or directory
"/shared/images/test.iso": path not allowed
Conditions:
-- Running BIG-IP version with fix for ID 1097193.
-- Create remote admin user.
-- Use SCP command to transfer a file to remote admin user path.
Impact:
SCP command is not working for the remote admin users.
Workaround:
None
Fix:
Issue is with the Internal Field Separation (IFS) environment variable from /bin/scp-checkfp file. Following is an example for IFS:
IFS=$"\n" -->
This means, it expects a string character.
It should expect a character value to read the paths from the SCP files.
IFS=$'\n' -->
This means, it expects a character.
Fixed Versions:
16.1.4, 15.1.9
1159569-2 : Persistence cache records may accumulate over time
Links to More Info: BT1159569
Component: Local Traffic Manager
Symptoms:
The persistence cache records accumulate over time if the expiration process does not work reliably. The 'persist' memory type grows over time when multiple TMMs are sharing the records.
Conditions:
- Non-cookie, persistence configured.
- Multi TMM box
- Traffic that activates persistence is occurring.
Impact:
Memory pressure eventually impacts servicing of traffic in multiple ways. Aggressive mode sweeper runs and terminates active connections. TMM may restart. Traffic is disrupted while TMM restarts.
Workaround:
None
Fix:
Persistence records are now reliably expired at the appropriate time.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1159397-1 : The high utilization of memory when blade turns offline results in core
Links to More Info: BT1159397
Component: Policy Enforcement Manager
Symptoms:
The TMM memory utilization continue to increase after a blade turns offline.
Conditions:
Blade turns offline.
Impact:
The TMM memory utilization will finally cause out-of-memory errors or cores and TMM processes will restart. The service will be interrupted.
Workaround:
None
Fix:
Error code ERR_MEM will be handled successfully.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1156889-3 : TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions
Links to More Info: BT1156889
Component: Application Security Manager
Symptoms:
When using bot-defense profile with a browser verification and performing redirect actions, there is a memory leak in TMM.
Conditions:
- The bot-defense profile with "Verify After Access" or "Verify Before Access" browser verification is configured.
- Surfing using a browser, during grace period (5 Minutes after config change) to a non-qualified URL, or configuring "Validate Upon Request" in "Cross Domain Requests" configuration, and configuring A and B as "Related Site Domains".
- Surfing using a browser from Domain A to Domain B.
Impact:
Degraded performance, potential eventual out-of-memory.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1156697-3 : Translucent VLAN groups may pass some packets without changing the locally administered bit
Links to More Info: BT1156697
Component: Local Traffic Manager
Symptoms:
Translucent VLAN groups may pass some packets without changing the locally administered bit.
Conditions:
The destination mac address of the ingress packet does not match the nexthop.
Impact:
Connections may fail, packet captures show the packets being egressed the VLAN group with the locally administered bit set.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1156105-2 : Proxy Exclusion List is not configurable if VLAN group and route-domain are in non default partition
Links to More Info: BT1156105
Component: Local Traffic Manager
Symptoms:
Unable to add IP apart from /Common to Proxy Exclusion List.
Conditions:
- Route-Domain is created with default-route-domain in same partition.
#tmsh create auth partition part5
#tmsh create net route-domain /part5/rd5 id 5
#tmsh modify auth partition part5 default-route-domain 5
Impact:
The following command fails:
tmsh modify net vlan-group /part5/RD5-VLAN-GRP proxy-excludes add { 10.10.20.196 }
Workaround:
- The following command is used to create route-domain in /Commom:
#tmsh create net route-domain /part5/rd5 id 5
Modify this command as following:
#tmsh create net route-domain rd5 id 5
- Manually edit the bigip.conf file in partitions and add IP address manually, and then reload the config.
Fix:
IP can be added to Proxy Exclusion List.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1155733-1 : NULL bytes are clipped from the end of buffer
Links to More Info: BT1155733
Component: TMOS
Symptoms:
In logs the key length is less then the actual key length.
Conditions:
- Establish IPSec tunnel.
- Check the logs.
Impact:
Incomplete information in the logs.
Workaround:
None
Fix:
Printing all bytes in the buffer irrespective of NULL bytes.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1155393-2 : Failure to remove chunk headers from chunked response with Rewrite/HTML profile and compression
Links to More Info: BT1155393
Component: Local Traffic Manager
Symptoms:
The BIG-IP fails to remove chunk headers when compressing a chunked response from a pool member.
The chunk headers are compressed and delivered to the client as part of the payload.
Conditions:
-- Version with the fix for ID902377
-- Rewrite/HTML profile
-- Compression profile
-- Chunked response from pool member (With "Transfer-Encoding: Chunked" header)
-- HTTP response eligible for compression
Impact:
Chunk header and terminating 0 length chunk are compressed and delivered to the client as part of the payload, resulting in broken application functionality.
Workaround:
One of the following:
- Change HTTP response-chunking to either 'unchunk' or 'rechunk' in the HTTP profile for the virtual server.
- Remove the compression profile.
- Modify the compression profile to ensure the response in question is no longer eligible for compression.
Fix:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1154933-4 : Improper permissions handling in REST SNMP endpoint
Component: TMOS
Symptoms:
Certain requests to the REST SNMP endpoint improperly handle user permissions.
Conditions:
Not specified
Impact:
Security best practices are not followed
Workaround:
Only allow trusted users to have access to the REST interface.
Fix:
User permissions work as expected.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1154381-4 : The tmrouted might crash when management route subnet is received over a dynamic routing protocol
Links to More Info: BT1154381
Component: TMOS
Symptoms:
The tmrouted might crash when management route subnet is received over a dynamic routing protocol.
Conditions:
- Management route subnet is received over a dynamic routing protocol.
- Multi-bladed VIPRION.
- Blade failover or IP address change occurs.
Impact:
Dynamic routes are lost during tmrouted restart.
Workaround:
Do not advertise a management subnet over a dynamic routing protocol towards BIG-IP. Use route-map to suppress incoming update.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1153969-2 : Excessive resource consumption when processing LDAP and CRLDP auth traffic
Links to More Info: K000134516, BT1153969
1153865-4 : Restjavad OutOfMemoryError errors and restarts after upgrade★
Links to More Info: BT1153865
Component: TMOS
Symptoms:
After upgrade to an affected version, restjavad restarts intermittently or frequently, and/or may use high CPU.
The restjavad logs, /var/log/restjavad.X.log, may report the following errors:
java.lang.OutOfMemoryError: Java heap space
restjavad may instead, or as well, run many full garbage collection cycles one after another, causing high CPU. This will be shown by frequent logs with [FullGC] in /var/log/restjavad-gc.log.X.current
Conditions:
- Update to affected version: 14.1.5.1-, 15.1.7-15.1.8.2, 16.1.3.1-16.1.3.5, 17.0.0.1-17.0.0.2
- Value of sys db restjavad.useextramb is true.
- Value of sys db provision.restjavad.extramb is 192 or lower than previous restjavad heap size.
- Use of REST API calls that need a lot of memory. Heavy users of REST API, such as SSL Orchestrator, may be very affected.
Impact:
May have problems in the GUI with certain pages or tabs, such as network map with very large config or SSL Orchestrator or iLX related tabs.
Other services that use REST API, internal and external to BIG-IP, may be impacted with low performance or service instability
Workaround:
Before upgrade to an affected version - if you set sys db restjavad.useextramb to value false before install of new version you will have more restjavad memory, the default 384MB, after upgrade.
tmsh modify sys db restjavad.useextramb value false
If you restart restjavad you can see if that value works before upgrade. If you don't restart then it will come into effect after reboot.
If that no longer has issues after update then leave that setting at false. Otherwise set back to true (no restart) and increase provision.restjavad.extramb as in After upgrade section below.
After upgrade:
Set sys db provision.restjavad.extramb to an appropriate value and restart restjavad.
Run the following command:
tmsh modify sys db provision.restjavad.extramb value X
bigstart restart restjavad
Iterate as necessary.
The value of X is derived by using one of the following formulae:
- When updating from versions before 14.1.4 and 15.1.3, to affected versions, a value that preserves the maximum previous restjavad heap size is:
192MB + 80% of MIN(provision.extramb|2500)
the minimum possible heap size was:
192MB + 20% of MIN(provision.extramb|2500)
The actual restjavad heap size would be between those extremes. SSL Orchestrator systems would typically need the maximum.
- When updating from 14.1.4-14.1.5, from 15.1.3-15.1.6.1 or from 16.0.x to affected versions:
384MB + 80% of MIN(provision.extramb|2500)
- When updating from 16.1.0-16.1.3 or from 17.0.0.0 to affected versions:
384MB + 90% of MIN(provision.extramb|4000)
Fix:
After upgrade, the system now sets the default value for provision.restjavad.extramb variable to 384MB. This sets the maximum heap size to 384MB. For values of provision.restjavad.extramb of 384 and lower the starting heap size is set at 96MB. For values above 384MB the starting heap size is set to the same value as maximum heap size.
When upgrading from a version that has provision.restjavad.extramb and it is explicitly set to a value*, rather than just takes default value, that value will be preserved and take affect in the new version. This will happen even if restjavad.useextramb had been set to false.
Where sys db restjavad.useextramb was set to value true in the previously used version, and provision.restjavad.extramb doesn't already exist, the value for provision.restjavad.extramb is based on a calculation of the maximum restjavad heap size that could have been used.
Usually this maintains the same or very similar restjavad heap size as used previously with more ability to fine tune it. The default size works in a wider range of settings.
When upgrading from a version that had a smaller starting heap size than maximum heap size, so before 14.1.4 or 15.1.3, and restjavad.useextramb set to true, it's possible that restjavad will use more memory than required. That's because for values above the default size of 384MB for provision.restjavad.extramb starting heap size is set the same as maximum heap size to lower performance issues when large memory sizes are required. You can lower restjavad memory use by lowering the value of provision.restjavad.extramb and restarting it if needed.
Note: This fix also removes the db variable restjavad.useextramb as it is no longer needed.
*Note: The command 'tmsh list sys db X' will return the value for DB key where set, or the default value for X otherwise. printdb can be used to display both value and default.
eg
printdb -n provision.restjavad.extramb
Name: Provision.Restjavad.extraMB
Realm: common
Type: integer
Default: 384
Value: 600
SCF_Config: true
Min: 192
Max: 8192
shows a default of 384 and an explicitly set value of 600 that would override the default. Where the value hadn't been set the 'Value:' line will not be present.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1148009-2 : Cannot sync an ASM logging profile on a local-only VIP
Links to More Info: BT1148009
Component: Application Security Manager
Symptoms:
If an ASM profile, such as a logging profile is applied to a virtual that is local-only, then the state changes to "Changes Pending" but configuration sync breaks.
Conditions:
- ASM provisioned
- high availability (HA) pair
- ASM profile, such as a logging profile is applied to a virtual that is local-only.
Impact:
The state changes to "Changes Pending" but configuration sync breaks.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1147849-4 : Rest token creation does not follow all best practices
Component: TMOS
Symptoms:
No input sanitization for X-Forwarded-For header.
Conditions:
X-Forwarded-For accepts any input values in /mgmt/shared/authn/login endpoint and the same was stored in auth token.
Impact:
Any malicious texts can be stored as part of the token.
Workaround:
Pass only valid addresses in X-forwarded-for
Fix:
Only valid X-Forwarded-For data (IPV4 and IPv6 address) are allowed to persist in the auth token. All other contents are filtered out.
Fixed Versions:
16.1.5
1147633-2 : Hardening of token creation by users with an administrative role
Component: TMOS
Symptoms:
Using certain endpoints, a user with an administrative role can generate tokens for noneligible users.
Conditions:
A user with an administrative role and access to certain iControl REST endpoints.
Impact:
Undisclosed
Workaround:
Ensure that only trusted users are given administrative roles.
Fix:
Token creation for non-eligible users is now disallowed.
Fixed Versions:
17.1.1, 16.1.5
1147621-2 : AD query do not change password does not come into effect when RSA Auth agent used
Links to More Info: BT1147621
Component: Access Policy Manager
Symptoms:
When RSA auth along with AD query is used the Negotiate login page checkbox "Do not change password" is not working as expected.
Even though "Do not change password" is checked the AD query is receiving F5_challenge post parameter with earlier RSA auth agent OTP content, And PSO criteria would not meet.
So when they click on "logon", it states 'The domain password change operation failed. Your new password must be more complex to meet domain password complexity requirements' and prompts for the fields "New password" and "verify password" again.
Conditions:
RSA Auth with OTP along with AD query agent with the negotiate logon page.
Impact:
User readability/experience even though "Do not change password" is checked it prompts as if user entered the logon credentials.
Workaround:
If you click on "logon" again in the Negotiate page, it goes to the webtop (next agent) with the previous logon or last logon credentials.
Fix:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1146377-2 : FastHTTP profiles do not insert HTTP headers triggered by iRules
Links to More Info: BT1146377
Component: Local Traffic Manager
Symptoms:
Virtual servers configured with the FastHTTP profile will not insert HTTP headers even when triggered by iRules.
Conditions:
A virtual server configured with FastHTTP, and an iRule that would insert an HTTP header.
Impact:
The expected headers will not be inserted on packets sent to servers.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1146341-2 : TMM crashes while processing traffic on virtual server
Links to More Info: BT1146341
Component: Access Policy Manager
Symptoms:
TMM crashes while processing traffic on virtual server.
Conditions:
- Assigning a per-request policy to virtual server.
or
- Configuring Network Access resource.
Impact:
TMM crashes leading to disruption in traffic flow.
Workaround:
None
Fix:
TMM does not crash with APM per-request policy.
Fixed Versions:
17.1.0, 16.1.5, 15.1.10
1146241-2 : FastL4 virtual server may egress packets with unexpected and erratic TTL values
Links to More Info: BT1146241
Component: Local Traffic Manager
Symptoms:
A FastL4 virtual server may egress (either towards the client or the server) IP packets with unexpected and erratic TTL values. The same also applies to IPv6, where the TTL field is known as Hop Limit.
Conditions:
- The BIG-IP system is a Virtual Edition (VE).
- The Large Receive Offload (LRO) is enabled on the system (which it is by default), and is operating in software mode. You can determine whether LRO is enabled on the system by inspecting the tm.tcplargereceiveoffload DB key, and you can determine whether LRO is operating in software mode by trying to query the tcp_lro tmstat table (tmctl -d blade tcp_lro). If the table exists, LRO will be operating in software mode.
- The FastL4 profile is configured to decrement the TTL (this is the default mode).
- The virtual server uses mismatched IP versions on each side of the proxy (for example, an IPv6 client and an IPv4 server).
Impact:
Depending on the actual TTL values that will be sent out on the wire (which can be random and anything within the allowed range for the field) traffic can be dropped by routers on the way to the packet's destination.
This will happen if there are more routers (hops) on the way to the packet's destination than the value specified in the TTL field.
Ultimately, this will lead to retransmissions and possibly application failures.
Workaround:
You can work around this issue by doing either of the following things:
- Disable LRO on the BIG-IP system by setting DB key tm.tcplargereceiveoffload to disable.
- Use a TTL mode for the FastL4 profile other than decrement (for example, use proxy or set).
Fix:
The TTL decrement mode now works as expected under the conditions specified above.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1146037-1 : Updating the firmware for a FIPS protected internal HSM due to SDK or driver upgrade
Links to More Info: BT1146037
Component: Local Traffic Manager
Symptoms:
In this release, FIPS HSM SDK and Driver version upgraded to 1.1-6.
Conditions:
This applies to all BIG-IP FIPS platforms, except for BIG-IP 5250F, 7200F, 10200F, 11000F, and 11050F.
Impact:
Without manual firmware upgrade, FIPS HSM may have a not recommended firmware version, which may lead to unpredictable behavior.
Workaround:
None
Fix:
The FIPS device firmware need to be manually upgraded to version 1.1-5. For more information, refer to the article https://support.f5.com/csp/article/K26061560.
Fixed Versions:
17.1.0, 16.1.4
1146017-1 : WebUI does not displays error when parent rewrite profile is not assigned to user defined rewrite profile
Links to More Info: BT1146017
Component: TMOS
Symptoms:
WebUI does not show error when parent profile is empty.
Conditions:
1) Navigate to Access > Connectivity/VPN > Portal Access > Rewrite.
2) Enter the details, do not assign any parent rewrite profile.
3) Click Create.
Impact:
No webUI error is seen as parent profile is not assigned to user defined rewrite profile.
Workaround:
Enter details in the parent profile field and click Create.
Fix:
WebUI error is displayed when the parent profile filed is empty and clicked on Create button.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1145989-2 : ID token sub-session variables are not populated
Links to More Info: BT1145989
Component: Access Policy Manager
Symptoms:
When refresh token is used, ID token sub-session variables are not populated.
Conditions:
- Configured APM as OAuth Client in per-request policy.
- OIDC is enabled.
- After token expires and refresh token is used to fetch new token (grant_type=refresh_token).
Impact:
The sub-session variables related to the ID token are not populated when APM per-request policy uses a refresh token to request a new access token and ID token.
Workaround:
None
Fix:
The sub-sessions of ID token populated in refresh token use-case.
Fixed Versions:
16.1.5
1145729-3 : Partition description between GUI and REST API/TMSH does not match
Links to More Info: BT1145729
Component: TMOS
Symptoms:
When creating a partition with a description via the REST API, the description is not shown in the GUI.
For example:
[root@ltm1:Active:Standalone] config # curl -sku admin:<pass> -X POST https://localhost/mgmt/tm/auth/partition/ -H 'Content-Type: application/json' --data '{"name": "partition1", "description": "this is partition 1"}'
{
"kind": "tm:auth:partition:partitionstate",
"name": "partition1",
"fullPath": "partition1",
"generation": 154,
"selfLink": "https://localhost/mgmt/tm/auth/partition/partition1?ver=14.1.5.2",
"defaultRouteDomain": 0,
"description": "this is partition 1"
}
The description "this is partition 1" is not visible when viewing the partition1 object in the GUI at System >> Users >> Partition List.
Similarly, a partition description entered via the GUI is not retrieved with a REST API call to /mgmt/tm/auth/partition.
A partition description updated via the GUI is not retrieved with TMSH.
Conditions:
-- Partition description
-- GUI
-- REST API
-- TMSH
Impact:
GUI and REST API partition descriptions are inconsistent.
GUI and TMSH partition descriptions are inconsistent.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1145361 : When JWT is cached the error "JWT Expired and cannot be used" is observed
Links to More Info: BT1145361
Component: Access Policy Manager
Symptoms:
When JWT is cached, then the error "JWT Expired and cannot be used" is observed.
Conditions:
WebSSO is used with bearer option to generate JWT tokens.
Impact:
No impact.
Workaround:
None
Fix:
Removed the lee way default configured static value internally.
Proper fix would be to provide a leeway configuration option.
Fixed Versions:
17.1.1, 16.1.4
1144497-2 : Base64 encoded metachars are not detected on HTTP headers
Links to More Info: BT1144497
Component: Application Security Manager
Symptoms:
Base64 encoded illegal metachars are not detected.
Conditions:
No specific condition.
Impact:
False negative, illegal characters are not detected and request not blocked.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1144477-1 : IKE_SA_INIT uses src port 500 and dst port 4500 after IKE SA deleted
Links to More Info: BT1144477
Component: TMOS
Symptoms:
The new IPsec tunnel IKE INIT exchange source port is 500, and the destination port is 4500, but the destination port should be 500.
Conditions:
This issue is observed after deleting IKE SA from tmsh.
Impact:
Interoperability issue, tunnel will not get established with other devices.
Workaround:
None
Fix:
Default configuration was overwritten after tunnel establishment, added valid conditions before overwriting the configuration.
Fixed Versions:
17.1.0, 16.1.4
1144373-4 : BIG-IP SFTP hardening
Links to More Info: BT1144373
Component: TMOS
Symptoms:
Under certain conditions SFTP does not follow current best practices.
Conditions:
- Authenticated high-privilege user
- SFTP file transfer
Impact:
BIG-IP does not follow current best practices for filesystem protection.
Workaround:
None
Fix:
All filesystem protections now follow best practices.
Behavior Change:
When you are using SFTP to transfer the files from BIG-IP to remote-machine and vice versa,
1. filename should have absolute file paths.
2. un-encrypted files cannot be transferred when fips/cc-mode is enabled.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1144117-3 : "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands
Links to More Info: BT1144117
Component: Local Traffic Manager
Symptoms:
The "More data required" TCL error may occur and the connection may be terminated prematurely when using the 'HTTP::payload' or 'HTTP::payload length' commands.
Conditions:
Using the 'HTTP::payload' or 'HTTP::payload length' TCL commands.
Impact:
Some HTTP transactions might fail.
Workaround:
Do not use the 'HTTP::payload' or 'HTTP::payload length' TCL commands.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1142389-3 : APM UI report displays error "Error Processing log message ..." when the log contains some special character received in client request
Links to More Info: BT1142389
Component: Access Policy Manager
Symptoms:
Following message is displayed in APM Access Report:
"Error Processing log message. Original log_msg in database"
Conditions:
Checking APM Access Report while accessing VPN.
Impact:
Unable to see correct log messages in APM Access Report.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1141853-2 : SIP MRF ALG can lead to a TMM core
Links to More Info: BT1141853
Component: Service Provider
Symptoms:
SIP MRF ALG can lead to a TMM core
Conditions:
SIP MRF ALG in use
Impact:
TMM core
Workaround:
None
Fix:
TMM does not core anymore when SIP MRF ALG is in use.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1141845-4 : RULE_INIT with a call that contains an extra colon character (:) will crash BIG-IP.
Links to More Info: BT1141845
Component: Local Traffic Manager
Symptoms:
If a RULE_INIT contains an extra colon character (:)
when RULE_INIT {
catch { call sv::hsl:open "/Common/publisher-syslog_server_pool" }
}
It will crash instead of reporting the error.
In this example, the extra : before 'open' is an error. Instead of logging the error, it crashes the process.
Conditions:
RULE_INIT contains more than 2 colon characters (:) on a rule.
Impact:
The tmm process crashes.
Workaround:
Avoid creating a RULE_INIT containing a third colon character(:).
Fix:
Correctly log an error instead of trying to process it.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1141665-2 : Significant slowness in policy creation following Threat Campaign LU installation
Links to More Info: BT1141665
Component: Application Security Manager
Symptoms:
Significant and consistent slowness in policy creation in Layered Policies suites in BVT (asmdp).
Conditions:
Slowness was triggered by installing a Threat Campaign LU.
Impact:
Slow policy creation when we have Threat Campaign LU.
Workaround:
None
Fix:
Optimized policy creation following Threat Campaign LU installation.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1137993-2 : Violation is not triggered on specific configuration
Links to More Info: BT1137993
Component: Application Security Manager
Symptoms:
The HTTP compliance violation is not triggered for the unparsable requests due to a specific scenario.
Conditions:
A microservice is configured in the security policy.
Impact:
Specific violation is not triggered. A possible false negative.
Workaround:
It is possible to do an irule workaround that checks the length of the URL and issues a custom violation.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1137717-2 : There are no dynconfd logs during early initialization
Links to More Info: BT1137717
Component: Local Traffic Manager
Symptoms:
Regardless of the log level set, the initial dynconfd log entries are not displayed.
Setting the dynconfd log level (through DB variable or /service/dynconfd/debug touch file) will not catch the early logging during startup.
Conditions:
This occurs when using FQDN nodes or pool members on affected BIG-IP versions.
Impact:
Missing some informational logging from dynconfd during startup.
Workaround:
None
Fix:
The dynconfd logs are now logged at default (info) level during initial startup of the dynconfd process.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1137569-3 : Set nShield HSM environment variable.
Links to More Info: BT1137569
Component: Global Traffic Manager (DNS)
Symptoms:
The HSM Management fail to set a makepath.
Conditions:
When nShield HSM is configured .
Impact:
GTM rfs-sync fail.
Workaround:
N/A.
Fix:
Sync issue is fix.
Fixed Versions:
16.1.5, 15.1.10
1137485-2 : Gtmd produces excessive logging and may also crash (SIGSEGV) repeatedly
Links to More Info: BT1137485
Component: Global Traffic Manager (DNS)
Symptoms:
1. --An excessive number log lines are seen in /var/log/gtm, which indicate a state change even though a state change has not occurred (eg, blue --> blue, green --> green), for example:
/var/log/gtm:
alert gtmd[13612]: 011a6006:1: SNMP_TRAP: virtual server ltm1 (ip:port=192.168.0.1:0) (Server /Common/vs1) state change blue --> blue ()
2. If, on affected version, the GTM configuration contains virtual servers with a depends-on clause, the gtmd process can exit abnormally ("crash") and produce a gtmd core file. The process restarts immediately automatically, but may then exit and restart again every few seconds or minutes, and continues to do this indefinitely.
In /var/log/user.log, many messages similar to the following may be seen
notice logger[26789]: Started writing core file: /var/core/gtmd.bld0.0.6.core.gz for PID 26739
notice logger[26800]: Finished writing 35032053 bytes for core file: /var/core/gtmd.bld0.0.6.core.gz for PID 26739
Conditions:
- For the excessive logging issue: A GTM server object exists with one or more virtual servers configured under it
- For the gtmd crashing issue: One or more GTM server object's virtual-servers has a depends-on clause referring to another virtual-server.
Impact:
- Flood of SNMP trap logs are seen
- gtmd process exits abnormally, bringing down iquery connection and potentially impacting GTM monitoring
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1137245-1 : Issue with injected javascript can cause an error in the browser.
Links to More Info: BT1137245
Component: Application Security Manager
Symptoms:
DosL7 module injected javascript causes an error on the browser when some conditions apply.
Conditions:
Specific response-side conditions can cause this error to appear in the browser console.
Impact:
Website malfunction with errors.
Workaround:
None
Fixed Versions:
16.1.5
1137217-2 : DNS profile fails to set TC flag for the responses containing RRSIG algorithm 13
Links to More Info: BT1137217
Component: Global Traffic Manager (DNS)
Symptoms:
DNS express sends a malformed response when the UDP size limit is set to 512.
Conditions:
- The UDP size limit is set to 512 and a zone signed with algorithm 13 (ECDSA Curve P-256 with SHA-256), the DNS express responds with a malformed packet.
- Malformed responses were also seen without DNSSec; when the message size was equal to the EDNS buffer size advertised by the client.
--Malformed response for nslookup without DNSSec.
Impact:
Malformed DNS express responses are received when the UDP size limit is set to exactly 512 and a zone is signed with algorithm 13.
Workaround:
None
Fixed Versions:
16.1.5
1137037 : System boots into an inoperative state after installing engineering hotfix with FIPS 140-2/140-3 license in version 16.1.x★
Links to More Info: BT1137037
Component: Local Traffic Manager
Symptoms:
The BIG-IP persistently starts in an inoperative state after installing an engineering hotfix with a console error similar to the following:
- FIPS or Common Criteria power-up self-test failure.
- This system has been placed in an error state.
- To recover return to the grub menu and select another volume or reinstall the system.
- On many devices pressing the escape key followed by the key will bring up a menu which allows the system to be restarted.
Power-up self-test failures: <number>
Unmounting file systems
System halting.
Conditions:
- First boot after installing an engineering hotfix.
- FIPS 140-2 or FIPS 140-3 license.
- Running BIG-IP version 16.1.x releases or later, for example 16.1.3.1.
Impact:
Unable to boot the BIG-IP system into an operational state after applying an engineering hotfix, and required to boot to a known good volume. For more information about FIPS mode preventing system boot, see https://support.f5.com/csp/article/K52534643
Workaround:
None
Fix:
The BIG-IP system successfully boots after installing an Engineering hotfix on a system with a FIPS 140-2 or FIPS 140-3 license.
Fixed Versions:
16.1.3.2
1136921-4 : BGP might delay route updates after failover
Links to More Info: BT1136921
Component: TMOS
Symptoms:
The BGP might delay route updates after failover.
Conditions:
- The BGP configured on an High Availability (HA) pair of BIG-IP devices.
- The BGP redistributing kernel routes.
- Failover occurs.
Impact:
New active unit might delay route advertisement up to 15 sec.
New standby unit might delay route withdrawal up to 15 sec.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1136917-1 : TMM crashed when dos-profile (with BDOS and White-list enabled) disassociated from Virtual Server.
Links to More Info: BT1136917
Component: Advanced Firewall Manager
Symptoms:
This happens only if the specific sequence of events occur. The reason for TMM crash is accessing a Dangling Pointer memory.
Conditions:
This issue only happens if the following sequence of events occur:
1) Attach dos-profile to a Virtual Server (VS) (The dos-profile should be enabled with White-list and BDOS).
2) There should be active connections on the VS.
3) Disable BDOS from the dos-profile while it is still attached to the VS.
4) Detach the dos-profile from the VS.
5) While processing the incoming traffic, TMM will crash.
Impact:
TMM Cores.
Workaround:
This only happens if the sequence mentioned in Conditions are followed.
Modify the profile and add to the virtual server to avoid TMM crash.
Fix:
The Dangling pointer will not be available when the actual memory is freed.
Fixed Versions:
17.1.0, 16.1.4
1136837-4 : TMM crash in BFD code due to incorrect timer initialization
Links to More Info: BT1136837
Component: TMOS
Symptoms:
TMM crashes in BFD code due to incorrect timer initialization.
Conditions:
- BFD configured
- Multi-bladed system
- One of blades experiences failure.
Impact:
Crash or core.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1136429-4 : Closing of unrelated MCPD connection causes an errant reply to an in-progress transaction or request group
Links to More Info: BT1136429
Component: TMOS
Symptoms:
MCPD can send an unexpected (another request group) result response message to a current processing request group in the middle of a transaction
Conditions:
While MCPD processing multiple request groups.
Impact:
MCPD closes the connection of the current request group and
subscriber of that particular request group never get requested data.
Workaround:
Restart the subscriber daemon.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1135961-7 : The tmrouted generates core with double free or corruption
Links to More Info: BT1135961
Component: TMOS
Symptoms:
A tmrouted core is generated.
Conditions:
The system is a multi-blade system.
Impact:
A tmrouted core is generated. There are no other known impacts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1135313-4 : Pool member current connection counts are incremented and not decremented
Links to More Info: BT1135313
Component: Local Traffic Manager
Symptoms:
With a certain configuration the connection counts on a gateway pool may increment and not be decremented.
Conditions:
- A gateway pool with more than one member.
- Autolasthop disabled.
- A pool monitor with a TCP monitor where the pool member responds to the TCP handshake with data. Common services that do this are SSH, SMTP, and FTP.
Impact:
The connection counts are inflated.
Workaround:
- Configure autolasthop.
- Configure a receive string on the TCP monitor.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1135073-3 : IPS signature update webUI warning message "An active subscription is required to access certain inspections" is always enabled
Links to More Info: BT1135073
Component: Protocol Inspection
Symptoms:
Following warning message is displayed on BIG-IP webUI in Security ›› Protocol Security: Inspection Updates:
"An active subscription is required to access certain inspections"
Conditions:
If the BIG-IP has AFM and IPS subscription license, then this warning message on webUI should not be displayed.
Impact:
There is no impact if AFM and IPS subscription license are installed on BIG-IP. All the IPS signatures and compliances will work as usual.
Workaround:
None
Fix:
Based on the IPS full subscription flag in the license the warning message is displayed. Earlier, it was verified on the wrong feature flag.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1134509-4 : TMM crash in BFD code when peers from ipv4 and ipv6 families are in use.
Links to More Info: BT1134509
Component: TMOS
Symptoms:
TMM crashes in BFD code when peers from ipv4 and ipv6 families are in use.
Conditions:
- BFD configured
- Mixed IPv4 and IPv6 peers.
Impact:
Crash or core
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1134301-3 : IPsec interface mode may stop sending packets over tunnel after configuration update
Links to More Info: BT1134301
Component: TMOS
Symptoms:
An interface mode IPsec policy handles traffic through a route-domain to send over the IPsec tunnel. When the traffic-selector is updated, the static default route for the route-domain no longer works. Even if the tunnel is functional, traffic is not sent over it.
Conditions:
- IPsec tunnel with ipsec-policy in interface mode.
- The sys db ipsec.if.checkpolicy is disabled (by default it is enabled).
- Static routes pointing to the IPsec interface.
- Tunnel configuration updated.
Other unknown conditions could trigger the behavior, but updating the tunnel configuration is a confirmed condition.
Impact:
The tunnel is functional but the BIG-IP does not send packets into it. No ESP packets related to that tunnel will be seen leaving the BIG-IP.
Workaround:
There are two similar workaround options for when the issue is observed:
Option 1: Delete the route to the remote network that points to the IPsec interface and create the route again.
Option 2: Alternatively, leave the existing route in place and create a similar specific route that points to the same IPsec interface. The issue should be immediately resolved and so the new route can be immediately deleted.
Fix:
Traffic can pass over the IPsec tunnel after a configuration update.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1134085-2 : Intermittent TMM core when iRule is configured with SSL persistence
Links to More Info: BT1134085
Component: Local Traffic Manager
Symptoms:
The TMM core file is observed.
Conditions:
Under certain conditions, the TMM core file is observed with iRule and SSL persistence.
Impact:
TMM core file is observed.
Workaround:
Perform either of the following tasks:
- Disable SSL persistence
- Disable iRule
Fix:
Added fix to handle cases which can lead to the TMM core file generation.
Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1
1134057-4 : BGP routes not advertised after graceful restart
Links to More Info: BT1134057
Component: TMOS
Symptoms:
The BGP routes not advertised after a graceful restart.
Conditions:
The BGP with graceful restart configured.
Impact:
The BGP routes not advertised after graceful restart.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1133997-3 : Duplicate user-defined Signature Set based on untagged signatures is created upon policy clone or import
Links to More Info: BT1133997
Component: Application Security Manager
Symptoms:
A duplicate user-defined Signature Set is created upon policy import or cloning when the Set has a filter using untagged signatures.
Conditions:
A policy using a user-defined Signature Set with a filter using untagged signatures is exported.
Impact:
A duplicate user-defined Signature Set is created upon policy import or cloning.
Workaround:
Modify the policy to use the original Signature Set, and then delete the duplicated Signature Set.
Fixed Versions:
17.1.1, 16.1.4
1133881-2 : Errors in attaching port lists to virtual server when TMC is used with same sources
Links to More Info: BT1133881
Component: Local Traffic Manager
Symptoms:
When creating a virtual server that has identical traffic matching criteria with another virtual server, but uses a source address defined same as configured in TMC object, and when we try to attach the port-list it fails, with an error similar to the following:
01b90011:3: Virtual Server /Common/vs2-443's Traffic Matching Criteria /Common/vs2-443_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs1-443 destination address, source address, service port.
Conditions:
- Port lists are used.
- The first virtual server uses a wildcard source, for example, 0.0.0.0/0.
- The second virtual server uses an identical destination, protocol, and port, with the same source address configured in TMC object.
Impact:
Inability to utilize 'port lists' to configure the virtual server.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1133625-2 : The HTTP2 protocol is not working when SSL persistence and session ticket are enabled
Links to More Info: BT1133625
Component: Local Traffic Manager
Symptoms:
Connection gets dropped when SSL persistence is enabled with session ticket and HTTP2 protocol.
Conditions:
When SSL persistence is enabled with session ticket and HTTP2 protocol.
Impact:
Connection will get dropped.
Workaround:
-- Disable SSL persistence OR
-- Disable session ticket.
Fix:
Provided fix to handle this defect.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1133557-2 : Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name
Links to More Info: BT1133557
Component: Local Traffic Manager
Symptoms:
When the BIG-IP (dynconfd process) is querying a DNS server, dynconfd log messages do not identify which server it is sending the request to. When more than one DNS server is used and there is a problem communicating with one of them, it might be difficult for system admin to identify the problematic DNS server.
Conditions:
This occurs when using FQDN nodes or pool members on affected BIG-IP versions.
Impact:
There are no show commands or log displaying which DNS is currently being used to resolve LTM node using FQDN. Problems with communications between the BIG-IP and DNS server(s) may be more difficult to diagnose without this information.
Workaround:
You can confirm which DNS server is being queried by monitoring DNS query traffic between the BIG-IP and DNS server(s).
Fix:
The DNS server being queried to resolve LTM node FQDN names is now logged by default in the /var/log/dynconfd.log file.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1133201-1 : Disabling a GTM pool member results in the same virtual server no longer being monitored in other pools
Links to More Info: BT1133201
Component: Global Traffic Manager (DNS)
Symptoms:
If you disable a GTM pool member in one of the pools, monitoring appears to be disabled for the members in the other pools.
Incorrect probe behavior when toggling or untoggling the monitor-disabled-objects GTM global setting.
Conditions:
- Same virtual server or monitor combination is used in multiple GTM pools.
- Disable the GTM pool member in one of the pool.
Impact:
Incorrect pool monitoring..
Workaround:
Enable the 'Monitor Disabled Objects' or, assign a different monitor to pools.
Fixed Versions:
17.1.1, 16.1.5
1132981-2 : Standby not persisting manually added session tracking records
Links to More Info: BT1132981
Component: Application Security Manager
Symptoms:
The Session tracking records, with Infinite Block-All period, have an expiration time on the Standby unit after sync.
Conditions:
ASM provisioned
Session Tracking enabled
session tracking records, with Infinite Block-All period, are added
Impact:
Infinite Session Tracking records being removed from standby ASMs.
Workaround:
Use auto-sync DG (instead of manual sync).
After changing the configuration on UI at Security->Application Security: Sessions and Logins: Session Tracking.
You must "Apply Policy" and wait for the DG status to become In-Sync before adding new data-points on UI at Security->Reporting: Application: Session Tracking Status.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1132925-3 : Bot defense does not work with DNS Resolvers configured under non-zero route domains
Links to More Info: BT1132925
Component: Application Security Manager
Symptoms:
When a DNS Resolver is configured under a non-zero route domain, the bot defense does not use the DNS resolver to perform DNS queries, resulting in some bots not being detected.
Conditions:
DNS Resolver is configured under non-zero route domain.
Impact:
Some bots are not detected by bot defense mechanism.
Workaround:
Configure DNS Resolver under route domain 0.
Fix:
Enhanced bot defense to use resolvers from any corresponding route domain. However, bot defense does not support route domain modification of DNS resolvers. Resolvers must be deleted and created again in the correct route domain.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1132765-4 : Virtual server matching might fail in rare cases when using virtual server chaining.
Links to More Info: BT1132765
Component: Local Traffic Manager
Symptoms:
When using virtual server chaining (for example iRule 'virtual' command sending traffic to another virtual server explicitly), a small percentage of packets might be dropped.
Conditions:
- Virtual server chaining.
- virtual servers have the vlan_enabled feature configured.
- DatagramLB or idle-timeout = 0 configured on protocol profile.
- High packet rate of incoming traffic.
Impact:
Some packets fail to match a virtual server and get dropped.
Workaround:
- Remove vlan_enabled feature
- OR remove datagramLB/set idle-timoeut > 0 on protocol profile.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1132741-2 : Tmm core when html parser scans endless html tag of size more then 50MB
Links to More Info: BT1132741
Component: Application Security Manager
Symptoms:
Tmm core, clock advanced by X ticks printed
Conditions:
- Dos Application or Bot defense profile assigned to a virtual server
- Single Page Application or Validate After access.
- 50MB response with huge html tag length.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Exclude html parser for url in question.
tmsh modify sys db dosl7.parse_html_excluded_urls value <url>
Fix:
Break from html parser early stage for long html tags
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1132697-3 : Use of proactive bot defense profile can trigger TMM crash
Links to More Info: BT1132697
Component: Application Security Manager
Symptoms:
TMM crash is triggered.
Conditions:
This causes under a rare traffic environment, and while using a proactive bot defense profile.
Impact:
The TMM goes offline temporarily or failover. Traffic disruption can occur.
Workaround:
Remove all proactive bot defense profiles from virtuals.
Fix:
TMM no longer crashes in the scenario.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1132405-4 : TMM does not process BFD echo pkts with src.addr == dst.addr
Links to More Info: BT1132405
Component: Local Traffic Manager
Symptoms:
TMM does not process BFD echo pkts with src.addr == dst.addr.
Conditions:
- TMM does not process BFD echo pkts with src.addr == dst.addr.
Impact:
TMM does not process BFD echo pkts with src.addr == dst.addr.
Workaround:
None
Fix:
TMM now processes BFD echo pkts with src.addr == dst.addr.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1132105-2 : Database monitor daemon (DBDaemon) uses unsupported Java version
Component: Local Traffic Manager
Symptoms:
The BIG-IP database monitor daemon DBDaemon depends on Java 7, and is built using OpenJDK 1.7.0.
Security Support for Java 7 / OpenJDK 1.7.0 ended Ended 01 Jul 2019.
Current versions of components which operate within the Java runtime environment are not supported by Java 7.
Such components include JDBC (Java DataBase Connectivity) drivers which implement vendor-specific functionality to support multiple database implementations within a common Java-base programming environment.
Conditions:
This component provide core functionality for the following BIG-IP LTM and GTM monitor types:
-- mssql
-- mysql
-- oracle
-- postgresql
Impact:
The BIG-IP database monitor daemon DBDaemon does not benefit from updates to the Java runtime environment or other Java components (such as vendor-specific JDBC drivers).
Workaround:
None
Fixed Versions:
16.1.5
1128721-2 : L2 wire support on vCMP architecture platform
Links to More Info: BT1128721
Component: Local Traffic Manager
Symptoms:
L2 wire works on BIG-IP, virtual-wire on vCMP architecture platform will be based on Network Tenant Interface (NTI) objects.
Tenant related data path and control plane changes.
Conditions:
- vCMP architecture based on NTI.
- F5OS is completely responsible to create/modify/delete NTI objects and synchronizing it to the tenants.
Impact:
The virtual-wire is one of the most important features used under operating in L2 domain. This mode of operation involves very little changes to topology and configuration and thereby can easily plug in a BIG-IP device with virtual-wire configuration.
Workaround:
None
Fix:
Tenant (data/control) plane changes for virtual-wire support on vCMP architecture.
Fixed Versions:
17.1.0, 16.1.4, 15.1.8
1128689-2 : High BD CPU utilization
Links to More Info: BT1128689
Component: Application Security Manager
Symptoms:
The signature engine in BD uses more CPU cycles than it actually needs to complete the task.
Conditions:
ASM provisioned and in use
Impact:
Slower system performance
High CPU utilization with BD
Workaround:
None
Fix:
Some modifications are done to the signature engine to improve performance.
Fixed Versions:
16.1.4, 15.1.9
1128629 : Neurond crash observed during live install through test script
Links to More Info: BT1128629
Component: TMOS
Symptoms:
Neurond core is observed during live install followed by FPGA firmware upgrade through the test script.
Conditions:
Live install through the test script
Impact:
No functional impact
Workaround:
None
Fix:
N/A
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1128505-2 : HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy
Links to More Info: BT1128505
Component: Local Traffic Manager
Symptoms:
The ORBIT framework added HUDEVT_ACCEPTED handling through hud_orbit_accepted_handling. This allows ORBIT to move releasing HUDEVT_ACCEPTED from the filter to ORBIT, HTTP adopted this new feature.
When HTTP is disabled, HUDEVT_ACCEPTED handling is explicitly disabled by HTTP when going into passthru, subsequent enabling of HTTP does not restore this handling. If this sequence happens prior to the first HTTP request, then HUDEVT_ACCEPTED is released prematurely up the chain, thus the server-side connection may be established before the first request is processed. Attempts to manipulate the LB criteria at that point may fail due to the criteria being locked, this may result in the connection being RST with an "Address in use" reset cause.
Conditions:
-- HTTP Virtual server
-- HTTP::disable is called from CLIENT_ACCEPTED and the subsequently re-enabled before the first request arrives at HTTP in CLIENTSSL_HANDSHAKE
Impact:
Connection is reset with "Address in use" reset cause.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4
1128369-1 : GTM (DNS) /Common/bigip monitor instances may show 'big3d: timed out' state
Links to More Info: BT1128369
Component: Global Traffic Manager (DNS)
Symptoms:
On affected versions of BIG-IP DNS, targets monitored with a "bigip" type monitor may show as 'big3d: timed out', or flap between that state and green.
While there can be many causes of the 'big3d: timed out' state (which indicates that a GTM monitor probe reply was expected, but not received within the timeout period), this particular cause is due to the order that the probes are sent, resulting in a bunching effect, where all the probes related to the same big3d (LTM) device are sent in rapid succession, leading to the message buffer between big3d and mcpd on the LTM becoming congested.
When gtmd schedules monitor probes, all the probes with the same interval are grouped together and spread out across the interval period. The issue is that within that list, monitors for the same gtm server can be grouped together, causing them to be sent to big3d in rapid succession.
When this happens, some of the messages relating to BIG-IP monitor probes may be dropped, and no response is sent back to the members of the GTM sync group.
Conditions:
- Running an affected version of BIG-IP DNS (versions that include the changes from ID863917)
- Use of a /Common/bigip monitor probe type
- Monitoring of sufficient targets per LTM to cause the message buffer between big3d and mcpd to fill (there is no indication or log message when this has happened)
Impact:
DNS (GTM) monitored targets that use a /Common/bigip probe type may be incorrectly marked down with a state of 'big3d: timed out'.
Note that this is not the only cause of this down state.
Workaround:
It is possible to work around this issue by creating separate monitor lists for each gtm server, so that all the probes related to the same big3d are spread out in time across the monitoring interval.
To do this:
- Create a separate BIG-IP monitor for each gtm server object with monitored virtual servers.
- Set the interval value for each of those BIG-IP monitors to a different value. For example, instead of the default 30-second BIG-IP probe interval, create monitors of 30,31,32,33,34,35,... seconds. Values of less than 30 seconds are not recommended, as these will increase the monitoring load further.
- Apply the new monitors to each gtm server so that each one has a different monitoring interval.
Fix:
gtmd monitor probes with the same interval are scrambled in oder so that the probes related to a target big3d (LTM) will be spread evenly across the entire interval time.
This results in avoiding the bunching of probes to a given target LTM, thereby preventing congestion at the target LTM.
Fixed Versions:
16.1.5
1128169-1 : TMM core when IPsec tunnel object is reconfigured
Links to More Info: BT1128169
Component: TMOS
Symptoms:
TMM may core when a "tunnel tunnels" object related to an IPsec interface is reconfigured.
For example, a command that changes the IP address of the object may lead to a core:
# tmsh modify net tunnels tunnel my-ipsec-tunnel remote-address 1.2.3.4
Conditions:
-- IPsec IKEv1 or IKEv2.
-- Tunnel is in "interface" mode.
-- Tunnel object is reconfigured while the tunnel is up.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure the tunnel is down before reconfiguring it.
-- Set the IKE-Peer config state to disabled.
-- Delete an established IKE SA and IPsec SA related to that peer.
For example:
# tmsh modify net ipsec ike-peer <Name> state disabled
# tmsh delete net ipsec ike-sa peer-ip <IP>
# tmsh delete net ipsec ipsec-sa dst-addr <IP>
"Name" is the specific name given to the ike-peer config object.
"IP" is the address configured to use for the remote peer.
Then make the desired changes and enable the IKE-Peer.
# tmsh modify net ipsec ike-peer <name> state enabled
Fixed Versions:
17.1.0, 16.1.4
1127809-2 : Due to incorrect URI parsing, the system does not extract the expected domain name
Links to More Info: BT1127809
Component: Application Security Manager
Symptoms:
The system will fail to send webhook requests to the server.
Conditions:
Add webhook to the policy and execute Apply policy on BIG-IP.
Impact:
Webhook requests will fail
Fix:
After the fix, BIG-IP will send webhook requests to the server.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1127445-3 : Performance degradation after Bug ID 1019853
Links to More Info: BT1127445
Component: Performance
Symptoms:
Performance degradation is observed with BD in TPS in the versions that have the fix for Bug ID 1019853.
Conditions:
Versions that have the fix for Bug ID 1019853.
Impact:
Lower TPS performance with BD.
Workaround:
None
Fix:
The part of the change for Bug ID 1019853 has been reverted while still addressing the problem reported in ID1019853.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1127169 : The BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG
Links to More Info: BT1127169
Component: TMOS
Symptoms:
There is a possibility that BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG.
Conditions:
- BIG-IP versions 16.1.3 and above.
- FIPS 140-3 license is installed on BIG-IP or it is a FullBoxFIPS device.
- Establish multiple SSL/TLS connections.
Impact:
The BIG-IP device reboots randomly.
Workaround:
None
Fix:
Updated serialization to use RDTSC instruction to read CPU time stamp in jitterentropy-lib to generate random numbers.
Fixed Versions:
17.1.0, 16.1.4
1127117-1 : High Memory consumption for NAT translations of NAPT/PBA End Point Independent modes
Links to More Info: BT1127117
Component: Advanced Firewall Manager
Symptoms:
Memory consumption increases with the number of connections.
Conditions:
1. Configure LSN Pool in CGNAT with Persistence mode with Address and Port.
OR
1. Configure AFM NAT source Translations with DPAT and PBA with End Point Independent Mode
Impact:
Memory keeps increasing and eventually might reach 100% utilization.
Sample Comparison table below:
Connection_Count: 30M
Memory_Usage_on_14.x_Version: ~3GB
Memory_usage_on_15+_Version: ~30GB
Workaround:
-- Increase the available RAM if possible
OR
-- Reduce the connection timeout interval
OR
-- Try using other options like Address Pooling Paired Mode in PBA
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1126841-3 : HTTP::enable can rarely cause cores
Links to More Info: BT1126841
Component: Local Traffic Manager
Symptoms:
The TMM crashes with seg fault.
Conditions:
- SSL profile used.
- The iRule that uses HTTP::enable.
Impact:
The TMM restarts causing traffic interruption.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1126805-3 : TMM CPU usage statistics may show a lower than expected value on Virtual Edition
Links to More Info: BT1126805
Component: TMOS
Symptoms:
The self-reported CPU statistics of TMM may show a usage value that is lower than the expected number. Some TMM threads may show lower CPU usage than others even if the threads are processing the same amount of traffic. When this issue occurs, a high number of idle polls are observed in the tmm_stat table for the affected TMM.
Conditions:
Virtual Edition
Impact:
TMM CPU stats may not be accurate.
Fix:
The cpu stats are now accurate.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1126409-3 : BD process crash
Links to More Info: BT1126409
Component: Application Security Manager
Symptoms:
BD process restarts with a core file.
Conditions:
Unknown
Impact:
The unit goes offline for a short period of time.
Workaround:
None
Fix:
A sanity check has been added in order to avoid possible crash.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1126329-2 : SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT★
Links to More Info: BT1126329
Component: Local Traffic Manager
Symptoms:
SSL Orchestrator sends a TLS client hello instead of the expected HTTP CONNECT, leading to a failure in the client environment after an upgrade.
Conditions:
SSL Orchestrator in explicit proxy mode with proxy chaining enabled
Impact:
The exit proxy gives an HTTP 5xx error in response to the unexpected TLS Client Hello.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1126285-1 : TMM might crash with certain HTTP traffic
Links to More Info: K000135873, BT1126285
1126093 : DNSSEC Key creation failure with internal FIPS card.
Links to More Info: BT1126093
Component: Local Traffic Manager
Symptoms:
You are unable to create dnssec keys that use the internal FIPS HSM.
When this issue happens the following error messages appear in /var/log/gtm
Jul 20 04:37:47 localhost failed to read password encryption key from the file /shared/fips/nfbe0/pek.key_1, error 40000229
Jul 20 04:37:47 localhost.localdomain err gtmd[28729]: 011a0312:3: Failed to initiate session with FIPS card.
Jul 20 04:37:47 localhost.localdomain err gtmd[28729]: 011a0309:3: Failed to create new DNSSEC Key Generation /Common/abcd:1 due to HSM error.
Conditions:
-- Internal FIPS card present.
-- Clean installation from an installation ISO file.
-- DNSSKEY creation using internal FIPS card.
Impact:
DNSSEC deployments with internal FIPS HSMs are impacted.
Workaround:
Change the /shared/fips directory permissions.
Ex: chmod 700 /shared/fips
Fixed Versions:
17.1.1, 16.1.4
1125733-3 : Wrong server-side window scale used in hardware SYN cookie mode
Links to More Info: BT1125733
Component: TMOS
Symptoms:
Client enables Window Scale in the first SYN packet with a specific factor value, however the BIG-IP system disables Window Scale in its SYN/ACK response.
Instead, disabling the Window Scale TCP option in both peer BIG-IPs, TMM honors the Window Scale presented by the client in the first SYN, whereas client assumes Window Scale is disabled. This will cause BIG-IP to send data payload bytes exceeding the client's Windows Size.
Conditions:
Below conditions must be met in order to match this issue:
- Client and server enables timestamp TCP option.
- Client enables Window Scale TCP option.
- SYN Cookie HW is activated in BIG-IP.
Impact:
This can cause performance issues because some packets could need to be retransmitted.
In rare cases where client TCP stack is configured to abort the connection when it receives a window overflow, the connection will be RST by the client.
Workaround:
The preferred workaround is changing to Software SYN Cookie mode.
Fix:
Correct server-side Window Scale behavior is provided when:
- Client and server enables timestamp TCP option
- Client enables Window Scale TCP option
- SYN Cookie HW is activated in BIG-IP
Fixed Versions:
17.1.0, 16.1.5, 15.1.9
1124209-3 : Duplicate key objects when renewing certificate using pkcs12 bundle
Links to More Info: BT1124209
Component: TMOS
Symptoms:
Duplicate key objects are getting created while renewing the certificate using the pkcs12 bundle command.
Conditions:
When the certificate and key pair is present at the device and the pkcs12 command is executed to renew it.
Impact:
1) If the certificate and key pair is attached to the profile then certificate renewal is failing.
2) Duplicate key objects are getting created.
Workaround:
Delete the existing cert and key pair, and then execute the pkcs12 bundle command.
Fix:
Added the fix which has the capability to pass cert-name and key-name with the PKCS12 bundle command.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1124149-2 : Increase the configuration for the PCCD Max Blob size from 4GB to 8GB
Links to More Info: BT1124149
Component: Advanced Firewall Manager
Symptoms:
There was a limit of 4GB for the firewall rules prior to this change being checked in. The user could configure a blob size of 4GB only.
Conditions:
PCCD rules provisioning with an AFM license.
Impact:
Provisioning firewall rules. The PCCD blob size was restricted to 4GB.
Workaround:
None
Fix:
With these changes, the user will now be able to provision FW rules with a blob size of 8G.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1124109-2 : Add "typ":"JWT" to JOSE Header while generating JWT token from OAuth AS
Component: Access Policy Manager
Symptoms:
The "typ":"JWT" is missing in the JWT header.
Conditions:
The JWT token is generated from OAuth Authorization Server (AS).
Impact:
The "typ":"JWT" is missing.
Workaround:
None
Fix:
The "typ":"JWT" is added in the header, it is available whenever JWT token is generated from OAuth AS.
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1123885-2 : A specific type of software installation may fail to carry forward the management port's default gateway.
Links to More Info: BT1123885
Component: TMOS
Symptoms:
After performing a specific type of software installation, the unit returns on-line without the management port's default gateway.
Conditions:
-- A software installation that does not carry forward the entirety of the BIG-IP system's configuration is performed. For example, this is achieved by running "image2disk --format=volumes <...>", or by using the live-install subsystem after disabling the liveinstall.saveconfig and liveinstall.moveconfig db keys. This type of installation, however, does carry forward the management port's configuration (IP address, subnet mask, and default gateway).
-- In addition to the default gateway, the management port is configured with additional static routes (for example, to a log server, dns server, etc.).
-- When mcpd is queried for the management routes, the default gateway is not the first entry in mcpd's reply (this is something outside of your control that entirely depends on the name of the objects and how the config was loaded).
Impact:
On Virtual Edition systems, this issue coupled with the removal of autolasthop from the management port means you will not be able to connect to the BIG-IP system's management port from non-directly connected clients after the installation.
On all systems, this issue means the BIG-IP system will not be able to initiate connections to non-directly connected systems over the management port after the installation.
Note: If the system is configured for dual-stack (IPv4 and IPv6) this issue can affect either (or both) stack.
Workaround:
After the issue has occurred, you can connect to the affected BIG-IP system by means of serial console or video console and apply the default gateway again.
If you are trying to prevent this issue, you can remove all management routes except the default one before performing this type of installation.
Fix:
The issue has been corrected; this specific type of software installation now correctly carries forward the management port's default gateway.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1123169-1 : Error saving an iRule when calling a procedure from HTML_TAG_MATCHED event
Links to More Info: BT1123169
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system tries to save an iRule that calls a procedure from HTML_TAG_MATCHED event, an error occurs.
Conditions:
-- configure an iRule with event HTML_TAG_MATCHED
-- The event calls a procedure
Impact:
A TCL error is thrown: Rule checker ::tclCheck::checkScript did not complete: can't read "BIGIP::ltmEventCategoryHierarchy(CLIENTSIDE)": no such element in array
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1123153-3 : "Such URL does not exist in policy" error in the GUI
Links to More Info: BT1123153
Component: Application Security Manager
Symptoms:
Unable to create a parameter under Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs ›› URL Parameters
Conditions:
When the policy setting "Differentiate between HTTP/WS and HTTPS/WSS URLs" is set to "Disabled".
Impact:
User is unable to create a Parameter with a URL.
Workaround:
N/A
Fix:
Resolved non-existent URL error during Parameter creation.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1123149 : Sys-icheck fail for /etc/security/opasswd
Links to More Info: BT1123149
Component: TMOS
Symptoms:
In common criteria mode, when password-memory is set to > 0 and create the user and login from CLI causes the system integrity check to failed
An error message may be logged "ERROR: S.5...... c /etc/security/opasswd (no backup)"
Conditions:
--- common criteria mode enabled
--- password-memory set to > 0 in password-policy configuration
--- create a new user and login first time using CLI
--- run sys-icheck
Impact:
System integrity check failure when common criteria mode is enabled
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1
1122497-4 : Rapid response not functioning after configuration changes
Links to More Info: BT1122497
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Rapid Response is not functioning and stats are not present and/or not changing as requests are being sent to the virtual server.
Conditions:
- DNS Rapid Response is set on the virtual.
- Rapid response is toggled off and back on in the DNS profile.
Impact:
DNS rapid response remains disabled.
Workaround:
Restarting services will allow rapid-response to begin functioning again.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1122473-4 : TMM panic while initializing URL DB
Links to More Info: BT1122473
Component: Access Policy Manager
Symptoms:
TMM panic because of a race condition which prevents the TMM from accessing files related to the URL database.
Conditions:
While the BIG-IP system is rebooting, if an infrequent timing delay occurs, one or more files related to the URL database may be created in the wrong order of sequence.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None. Repeated attempts at rebooting may eventually succeed.
Fixed Versions:
17.1.0, 16.1.3.3, 15.1.9
1122377-2 : If-Modified-Since always returns 304 response if there is no last-modified header in the server response
Links to More Info: BT1122377
Component: Local Traffic Manager
Symptoms:
Requests sent with an If-Modified-Since header always return a 304 Not Modified response
Conditions:
The Last Modified header is not included in the origin server response headers.
Impact:
When the Last Modified header is not present in the response, its default value i.e., Thu, 01 Jan 1970 00:00:00 GMT, is used and 304 Not Modified is sent to the client.
Workaround:
Add the Last-Modified header to the response headers using iRule
when HTTP_RESPONSE priority 1 {
set time [clock format [clock seconds] -gmt 1 -format "%a, %d %b %Y %H:%M:%S %Z"]
HTTP::header insert Last-Modified $time
log local0.debug "Inserting Last-Modified header as $time"
}
Fix:
Use date header value when Last-Modified is not present in Response headers
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1122205-1 : The 'action' value changes when loading protocol-inspection profile config
Links to More Info: BT1122205
Component: Protocol Inspection
Symptoms:
The "action" values for signatures and compliances in Protocol Inspection profiles change when a new config or UCS file is loaded.
Conditions:
Use case 1:
a) Create a protocol-inspection profile.
GUI: Security ›› Protocol Security : Inspection Profiles
-> Click "Add" >> "New"
1. Fill in the Profile Name field (pi_diameter in my example).
2. Services: pick "DIAMETER".
3. In the table for SYSTEM CHECKS, tick the checkboxes of all the items.
4. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
5. In the table of signatures and compliances for DIAMETER, tick the checkboxes of all the items.
6. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
7. Click "Commit Changes to System".
b) Check the current config via tmsh. Confirm there is no line with "action".
# tmsh list security protocol-inspection profile pi_diameter
c) Copy the result of the command in step b.
d). Delete the profile.
# tmsh delete security protocol-inspection profile pi_diameter
e). Load the config.
# tmsh
(tmos) # load sys config from-terminal merge
(tmos) # save sys config
Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change.
f) Check the config via tmsh. The action value has changed.
(tmos) # list security protocol-inspection profile pi_diameter
Use case 2:
a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances.
b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase.
c) tmsh load sys config default.
d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf.
Use case 3: Restore configuration by loading UCS/SCF after RMA.
Use case 4: Perform mcpd forceload for some purpose.
Use case 5: Change VM memory size or number of core on hypervisor.
Use case 6: System upgrade
Impact:
Some of the signatures and compliance action values are changed
Following commands output lists affected signatures and compliances.
## Signatures ##
tmsh list sec protocol-inspection signature all-properties | egrep "protocol-inspection|^\s*action" | awk '{ if($2 == "drop" || $2 == "reject") { print prev"\n"$0 } } { prev = $0 }'
## Compliances ##
tmsh list sec protocol-inspection compliance all-properties | egrep "protocol-inspection|^\s*action" | awk '{ if($2 == "drop" || $2 == "reject") { print prev"\n"$0 } } { prev = $0 }'
Workaround:
Workaround for use case 1:
Follow the work-around mention below when you want to load the ips profile configuration from the terminal.
a) Create a protocol-inspection profile.
GUI: Security ›› Protocol Security: Inspection Profiles
-> Click "Add" >> "New" >> ips_testing
b) Check the current config via tmsh.
# tmsh list security protocol-inspection profile ips_testing all-properties
c) Copy the result of the command in step b.
d) Delete the profile.
# tmsh delete security protocol-inspection profile ips_testing
e) Load the config.
# tmsh
(tmos) # load sys config from-terminal merge
(tmos) # save sys config
Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change.
f) Check the config via tmsh using all-properties
(tmos) # list security protocol-inspection profile ips_testing all-properties
Workaround for use case 2:
a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances.
b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase
c) tmsh load sys config default
d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
e) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
Workaround for use case 3:
a) Load the ucs/scf config file twice.
tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
Workaround for use case 4, 5, 6:
a) Before performing any of the operations of Use case 4, 5, 6, save the config.
tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase
b) Once the operation in use cases are done then perform the load operation.
tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
Fix:
After fixing the issue, the action value will not be changed for signatures and compliances.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1121661-2 : TMM may core while processing HTTP/2 requests
Links to More Info: K000133467, BT1121661
1121521-2 : Libssh upgrade from v0.7.7 to v0.9.6
Links to More Info: BT1121521
Component: Advanced Firewall Manager
Symptoms:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/
Conditions:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/
Impact:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/
Workaround:
NA
Fix:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/
Fixed Versions:
17.1.0, 16.1.4, 15.1.8
1121517-2 : Interrupts on Hyper-V are pinned on CPU 0
Links to More Info: BT1121517
Component: TMOS
Symptoms:
CPU 0 utilization is much higher relative to other CPUs due to high amount of softirq.
Conditions:
BIG-IP is deployed on a Hyper-V platform.
Impact:
Performance is degraded.
Fix:
Interrupts are balanced across all CPUs.
Fixed Versions:
16.1.4, 15.1.10
1121349-2 : CPM NFA may stall due to lack of other state transition
Links to More Info: BT1121349
Component: Local Traffic Manager
Symptoms:
When processing LTM policy rules as they apply to the incoming data, the CPM (Centralized Policy Matching) the state machine may incorrectly process the pattern, resulting in some of the policy rules not being applied
Conditions:
-- HTTP virtual server with LTM policy and iRule that triggers on "HTTP URI path contains" some value
Impact:
LTM policy rule does not trigger when it would be expected to
Workaround:
Change rule from "HTTP URI path contains" to "HTTP URI full string contains"
Fixed Versions:
17.1.1, 16.1.5
1120685 : Unable to update the password in the CLI when password-memory is set to > 0
Links to More Info: BT1120685
Component: TMOS
Symptoms:
A BIG-IP system with password-memory enabled will fail to update the user password in the first login using the CLI
Conditions:
Password-memory set to > 0 in password-policy configuration
Impact:
Not able to update the user password in the first login using the CLI.
Workaround:
Create the user using the GUI and log in from the GUI.
Fixed Versions:
17.1.0, 16.1.3.1
1120433-2 : Removed gtmd and big3d daemon from the FIPS-compliant list
Links to More Info: BT1120433
Component: TMOS
Symptoms:
The gtmd is not able to establish a secure connection to big3d due to failure in handshake because no common ciphers were found between big3d and gtmd in FIPS mode.
Conditions:
-- BIG-IP versions 16.1.2.2 and above
-- FIPS 140-3 license is installed on the BIG-IP or its a FullBoxFIPS device.
-- Connections are established between big3d and gtmd in FIPS mode.
Impact:
SSL handshakes fail between big3d and gtmd because no common ciphers are present.
Workaround:
None
Fix:
Gtmd and big3d can now communicate when FIPS mode is enabled.
Fixed Versions:
17.1.0, 16.1.3.1
1117609-2 : VLAN guest tagging is not implemented for CX4 and CX5 on ESXi
Links to More Info: BT1117609
Component: Local Traffic Manager
Symptoms:
Tagged VLAN traffic is not received by the BIG-IP Virtual Edition (VE).
Conditions:
Mellanox CX4 or CX5 with SR-IOV on VMware ESXi.
Impact:
Host-side tagging is required.
Workaround:
If only one VLAN is required, use host-side tagging and set the VLAN to "untagged" in the BIG-IP guest.
If multiple VLANs are required, use the "sock" driver instead. Edit the /config/tmm_init.tcl file and restart the Virtual Edition (VE) instance. Network traffic is disrupted while the system restarts.
echo "device driver vendor_dev 15b3:1016 sock" >> /config/tmm_init.tcl
CPU utilization may increase as a result of switching to the sock driver.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1117305-6 : The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials
Links to More Info: BT1117305
Component: TMOS
Symptoms:
The /api returns 401 when incorrect Basic Authorization credentials are supplied.
The /api returns 404 when correct Basic Authorization credentials are supplied.
Conditions:
Irrespective of the DB variable "httpd.basic_auth" value set to enable or disable.
Impact:
There is no functional impact, but all other non-existent URIs return a 302 redirect response to the TMUI login page irrespective of correct or incorrect Basic Authorization credentials, /api should also be invariably exhibiting the same behavior.
Workaround:
None
Fix:
The /api like any other non-existent URI now returns a 302 redirect response to the TMUI login page irrespective of correct or incorrect Basic Authorization credentials.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1117297-1 : Wr_urldbd continuously crashes and restarts★
Links to More Info: BT1117297
Component: Traffic Classification Engine
Symptoms:
Malloc failed while wr_urldb is started
Conditions:
Intermittently reproduced when rebooting to a new version or after restarting wr_urldbd
Impact:
Wr_urldbd crashes.
Workaround:
- Stop the wr_urldbd to stabilize(#bigstart stop wr_urldbd)
-- Update the customdb(i.e. delete or add custom urls) on the backend server
-- Start wr_urldbd to download and load the new DB(#bigstart start wr_urldbd)
Fix:
After the fix, malloc is properly done and no crash
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1117245-2 : Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file
Links to More Info: BT1117245
Component: Application Security Manager
Symptoms:
You only see this message in /var/log/tomcat/liveupdate.log file. No other log messages are written, causing troubleshooting capability with LiveUpdate.
liveupdate.script file is corrupted, live update repository initialized with default schema
This error is emitted during tomcat startup.
/var/log/tomcat/catalina.out
java.io.FileNotFoundException: /usr/share/tomcat/logs/liveupdate.log (Permission denied)
Conditions:
You are running on a version which has a bug fix for ID907025. For more information see https://cdn.f5.com/product/bugtracker/ID907025.html
Impact:
Losing troubleshooting capability with LiveUpdate
Workaround:
chown tomcat:tomcat /var/log/tomcat/liveupdate.log
bigstart restart tomcat
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1117229-1 : CVE-2023-46747 and CVE-2022-26377: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp
1116941-1 : Need larger Content-Length value supported for SIP
Links to More Info: BT1116941
Component: Service Provider
Symptoms:
SIP MRF sends error 413 when the content_length value in the SIP message is greater than 65535 (0xff).
Conditions:
The SIP content_length has to be greater than 65535 (0xff) on SIP MRF configuration
Impact:
The SIP messages with content_length greater than 65535 can't be processed by the BIG-IP successfully because of the hard coded constraint on the SIP content_length
Workaround:
None
Fix:
Make the allowable SIP content_length dynamic with respective to the configured max_msg_size in the SIP MRF session profile configuration.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1116845-4 : Interfaces using the xnet driver are not assigned a MAC address
Links to More Info: BT1116845
Component: TMOS
Symptoms:
Interfaces on BIG-IP Virtual Edition that are capable of 100gb are unusable when the default driver of xnet is used.
The following validation error will be present in /var/log/ltm
"01071ab7:3: 'not-supported' is an invalid forward-error-correction setting for Interface"
The interfaces will not report a MAC address in either of:
- tmsh list /net interfaces
- tmsh show /sys mac
Conditions:
BIG-IP Virtual Edition where the interfaces report a 100gb max speed and the xnet driver is used.
Impact:
Interfaces are not assigned a MAC address, therefore are unusable.
Workaround:
Force the interface(s) to use a driver other then xnet.
In order to apply the workaround you will need to get 1) the available drivers and 2) the pci id of the interfaces.
The available drivers are reported using this tmctl command:
# tmctl -d blade tmm/device_probed
pci_bdf pseudo_name type available_drivers driver_in_use
------------ ----------- --------- -------------------- -------------
0000:00:03.0 F5DEV_PCI mlxvf5, xnet, sock,
0000:00:05.0 1.1 F5DEV_PCI mlxvf5, xnet, sock, xnet
0000:00:06.0 1.2 F5DEV_PCI mlxvf5, xnet, sock, xnet
The pci id is reported with the lspci -nnvvv command:
In this example: the pci id is 15b3:101a
# lspci -nnvvv | grep -i ethernet
00:03.0 Ethernet controller [0200]: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function] [15b3:101a]
00:05.0 Ethernet controller [0200]: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function] [15b3:101a]
00:06.0 Ethernet controller [0200]: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function] [15b3:101a]
And to force the use of a different driver you need to modify /config/tmm_init.tcl by adding a line such as:
device driver vendor_dev 15b3:101a mlxvf5
Where the last values of that line are the pci id and driver name.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1115041-1 : BIG-IP does not forward the response received after GOAWAY, to the client.
Links to More Info: BT1115041
Component: Local Traffic Manager
Symptoms:
After receiving a GOAWAY from the server followed by data on the same stream, the BIG-IP system does not forward that data to the client but rather sends RESET_STREAM.
Conditions:
1. Configure an NGINX server to handle two streams per connection
2. Virtual server with http2 profile
3. Send more than two requests on the same connection
Impact:
The client does not get a proper response
Workaround:
None
Fix:
The client should receive proper response.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1113961-1 : BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China
Links to More Info: K43391532, BT1113961
Component: TMOS
Symptoms:
BIG-IP 16.1.3 VE with FIPS 140-3 may fail to start in AWS-China
Conditions:
Running BIG-IP 16.1.3 VE with FIPS 140-3 with 16.1.3 in AWS China region
Impact:
BIG-IP 16.1.3 VE with FIPS 140-3 may fail to start in AWS-China
Workaround:
Upgrade to 16.1.3.1 when it is available.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1113881-2 : Headers without a space after the colon, trigger an HTTP RFC violation
Links to More Info: BT1113881
Component: Application Security Manager
Symptoms:
An "Unparsable request content" violation is detected for valid headers that do not have a space after the header's name ':'.
Conditions:
Any header without a space between the colon ':' and the header value will trigger "Unparsable request content".
With v14.1.x, there are no affected versions.
With v15.1.x, this issue was introduced in 15.1.7
With v16.1.x, there are no affected versions.
With v17.0.x, this issue was introduced in 17.0.0.1
With v17.1.x, there are no affected versions.
Impact:
Requests that are suppose to pass are blocked by the ASM enforcer.
Workaround:
The client has to send headers with space after ':'.
Fix:
No "Unparsable request content" violation for headers with space after ':'.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1113753-2 : Signatures might not be detected when using truncated multipart requests
Links to More Info: BT1113753
Component: Application Security Manager
Symptoms:
On special cases when sending long requests that include a multipart section, signatures that should be detected in the multipart body might not be detected.
Conditions:
1. WAF-policy is attached to virtual server.
2. Signatures are enabled in the WAF policy.
3. Signatures contain special characters, i.e. ;"=\n
4. Request is longer than the value in max_raw_request_len.
5. Sending a multipart request.
Impact:
Signature is not detected.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1113693-3 : SSL Certificate List GUI page takes a long time to load
Links to More Info: BT1113693
Component: TMOS
Symptoms:
SSL Certificate List GUI page under System->Certificate Management->Traffic Certificate Management->SSL Certificate List does not load or takes a long time to load (more than 3 minutes).
Conditions:
-- When clicking on SSL Certificates List menu in the GUI.
-- BIG-IP is loaded with heavy configuration and more number of certificates.
-- BIG-IP is vCMP guest.
Impact:
Certificates list is not presented from GUI.
Workaround:
GET the certificate list through TMSH command
tmsh list sys crypto cert
Fix:
SSL Certificate list menu is displayed with out any delay.
Fixed Versions:
16.1.5
1113661-1 : When OAuth profile is attached to access policy, iRule event in VPE breaks the evaluation
Links to More Info: BT1113661
Component: Access Policy Manager
Symptoms:
After upgrading to 16.1.2.1, the OAuth configuration does not work anymore.
Based on the below observations, an internal redirect to /renderer/agent_irule_event_form.eui is initiated but it is not processed, so the ACCESS_POLICY_AGENT_EVENT event is never fired.
Observations:
Following are the results from in-house troubleshooting:
Test 1: Access Policy evaluation works with a standard Access Profile, clientless mode set with iRule, and an iRule event.
Test 2: Access Policy evaluation fails with a standard Access Profile but an OAuth profile attached to access policy (clientless mode to be set automatically) and an iRule event.
Conditions:
As soon as the iRule event is removed from VPE in Test 2, the access policy evaluation works fine.
Impact:
ACCESS_POLICY_AGENT_EVENT event is never fired
Fix:
Pass on the packet to the upper hudfilter handles.
Fixed Versions:
17.1.0, 16.1.4
1113609-2 : GUI unable to load Bot Profiles and tmsh is unable to list them as well.
Links to More Info: BT1113609
Component: TMOS
Symptoms:
If there are 10s of bot defense profiles that all have hundreds of staged signatures, neither the GUI nor tmsh will be able to list the Bot Profiles.
Conditions:
Tens of bot defense profiles that have 100s of staged signatures.
Impact:
-- Unable to edit bot profiles in the GUI.
-- Unable to save to config files or UCS
Workaround:
Remove staging for bot-signatures.
Fixed Versions:
17.1.1, 16.1.5
1113549-3 : System boots into an inoperative state after installing engineering hotfix with FIPS140-2/140-3 License★
Links to More Info: BT1113549
Component: Local Traffic Manager
Symptoms:
The BIG-IP system persistently starts up in an inoperative state after installing an engineering hotfix with a console error similar to:
*** FIPS or Common Criteria power-up self-test failure.
*** This system has been placed in an error state.
*** To recover return to the grub menu and select another volume
*** or reinstall the system.
***
*** On many devices pressing the escape key followed by the (
*** key will bring up a menu which allows the system to be restarted.
Power-up self-test failures: <number>
Unmounting file systems
System halting.
Conditions:
- First boot after installing an engineering hotfix.
- FIPS 140-2 or FIPS140-3 license.
Impact:
You are unable to boot the BIG-IP system into an operational state after applying an engineering hotfix, and you are required to boot to a known good volume.
For more information, see K52534643: Overview of the Platform FIPS BIG-IP system :: https://support.f5.com/csp/article/K52534643
Workaround:
None
Fix:
The BIG-IP system successfully boots after installing an engineering hotfix on a system with a FIPS 140-2 or FIPS140-3 license.
For a complete solution for BIG-IP software v16.1.3.1 and later v16.1.x releases, you must also have the additional fix described in ID 1137037 https://cdn.f5.com/product/bugtracker/ID1137037.html.
Fixed Versions:
17.1.0, 16.1.3.1
1113385-4 : Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP
Links to More Info: BT1113385
Component: TMOS
Symptoms:
REST tokens which are present in /var/run/pamcache on BIG-IP are not deleted after token expiration when there are a large number of tokens.
Conditions:
When a large number of tokens are generated.
Impact:
More memory will be used as /run/pamcache is an in memory filesystem
Workaround:
Try to remove token files from /run/pamcache manually.
You can check what would be deleted by the command below by using -print in place of -delete
# find /run/pamcache -regextype posix-extended -type f -regex '/run/pamcache/[A-Z0-9]{26}' -delete
Restart httpd processes:
bigstart restart httpd
Fix:
Expired token are removed from /run/pamcache by the BIG-IP system.
Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1113333-3 : Change ArcSight Threat Campaign key names to be camelCase
Links to More Info: BT1113333
Component: Application Security Manager
Symptoms:
The threat_campagin_names and staged_threat_campaign_names do not follow other key name format. Changing these key names to be camelCase (threatCampaignNames and stagedThreatCampaignNames).
Conditions:
ArcSight is in use with ASM remote logging.
Impact:
Inconsistent key name formatting.
Workaround:
None
Fix:
Changed name format to be camelCase (threatCampaignNames and stagedThreatCampaignNames).
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1113181-2 : Self-IP allows no traffic following a modification from "Allow Custom (Include Default)" to "Allow Custom".
Links to More Info: BT1113181
Component: Local Traffic Manager
Symptoms:
Although a Self-IP address appears configured correctly (for example, when this is inspected using the WebUI or the tmsh utility), the Self-IP address does not allow through any traffic. Effectively, the Self-IP address behaves as if it was set to "Allow None".
Conditions:
The port-lockdown setting of the Self-IP address was recently modified from "Allow Custom (Include Default)" to "Allow Custom".
Impact:
The Self-IP does not allow through any traffic, whereas it should allow through the traffic in your custom list of ports and protocols.
Workaround:
You can work around this issue by temporarily setting the affected Self-IP to "Allow None" and then again to "Allow Custom", specifying your desired custom list of ports and protocols.
Fix:
Self-IP port-lockdown modifications from "Allow Custom (Include Default)" to "Allow Custom" are now handled correctly.
Fixed Versions:
16.1.4, 15.1.9
1113161-2 : After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets★
Links to More Info: BT1113161
Component: Application Security Manager
Symptoms:
Learning and Blocking Settings page is not loading
Conditions:
Some policies are using factory sets which were deleted in later versions, and an upgrade was performed.
Impact:
When trying to open "Security ›› Application Security : Policy Building : Learning and Blocking Settings" page, GUI is stuck on 'loading' status
Workaround:
Run this mysql in the BIG-IP in order to fix the database, it will remove all unreferenced policy sets from the system:
mysql -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password(user => q{root})'` -e "delete from PLC. PL_POLICY_NEGSIG_SETS where set_id not in (SELECT set_id from PLC.NEGSIG_SETS);"
Fix:
After the fix, the 'Learning and Blocking Settings' page will be loaded with no error.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1112805-4 : ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4
Links to More Info: BT1112805
Component: Application Security Manager
Symptoms:
The key used for the ip_address_intelligence field is mapped to an IPv6 Address in the latest CEF standard.
Conditions:
-- IP Intelligence is enabled.
-- An ArcSight remote logger is configured.
-- A HTTP transaction is carried out with a malicious Source IP Address
Impact:
The ip_address_intelligence field value is not populated in the ArcSight remote log
Workaround:
None
Fix:
A new key for ip_address_intelligence is implemented specific to IPv4
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1112781 : DNS query drops on Virtual Edition platform if the packet size is above 1500 for NAPTR record.
Links to More Info: BT1112781
Component: Advanced Firewall Manager
Symptoms:
The BIG-IP system drops the packet if the DNS response size is larger than 2048.
Conditions:
When the DNS server sends a response larger than 2048 bytes.
Impact:
The BIG-IP system drops the packet and does not respond to the client.
Workaround:
If possible, switch from UDP to TCP to avoid dropping the packet.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1112745-2 : System CPU Usage detailed graph is not accessible on Cerebrus+
Links to More Info: BT1112745
Component: Local Traffic Manager
Symptoms:
When accessing performance reports of CPU usage detailed graph, error "Error trying to access the database." is displayed since the CPU graph name is getting truncated.
Conditions:
When on a single blade, if we have more than 17 TMMs this error will be seen.
Impact:
Detailed graph for system CPU usage will not be accessible.
Workaround:
No workaround
Fix:
Increased the size of the detail string to support more than 32 TMMs.
Fixed Versions:
17.1.0, 16.1.4, 15.1.7
1112537-2 : LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete.
Links to More Info: BT1112537
Component: TMOS
Symptoms:
Upon attempting to delete a LTM or GTM monitor, the system returns an error similar to the following example, even though the monitor being deleted is no longer in use anywhere:
01070083:3: Monitor /Common/my-tcp is in use.
Conditions:
-- The configuration was loaded from file (for example, as restoring a UCS archive would do).
-- A BIG-IP Administrator deletes all objects using the monitor, and then attempts to delete the monitor itself.
Impact:
LTM or GTM monitor no longer in use anywhere cannot be deleted from the configuration.
Workaround:
Run one of the following sets of commands (depending on the affected module) and then try to delete the monitor again:
tmsh save sys config
tmsh load sys config
tmsh save sys config gtm-only
tmsh load sys config gtm-only
Fix:
Unused monitors can now be deleted correctly.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1112385-3 : Traffic classes match when they shouldn't
Links to More Info: BT1112385
Component: Local Traffic Manager
Symptoms:
Traffic classes may match when they should not.
Conditions:
* Fix for ID1074505 is present (without that fix this bug is hidden).
* Traffic class uses none (or equivalently all 0s) for source-address.
Impact:
Traffic is not categorized properly.
Workaround:
Specify a source address, e.g.
ltm traffic-class /Common/blah {
source-address 1.1.1.1
source-mask none
...
}
Note that because the mask is none this won't have any effect (other than working around this bug).
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1112349-4 : FIPS Card Cannot Initialize
Links to More Info: BT1112349
Component: Local Traffic Manager
Symptoms:
Initializing the FIPS card for the first time which contains the FIPS firmware CNN35XX-NFBE-FW-1.1-02 may cause the below error and will not be able to initialize the card:
Enter new Security Officer password (min. 0, max. 0 characters):
ERROR: Too long input (max.: 0 characters)
ERROR: Failed to read password
ERROR: INITIALIZATION FAILED!
Conditions:
First time initialization of new device with "tmsh run util fips-util -f init" command which contains the FIPS firmware CNN35XX-NFBE-FW-1.1-02
Impact:
FIPS card cannot be used for the FIPS key traffic and will not be able to re-initialize.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1112109-4 : Unable to retrieve SCP files using WinSCP or relative path name
Links to More Info: K000134769, BT1112109
Component: TMOS
Symptoms:
When you attempt to retrieve a file with WinSCP, you receive an error dialog and the session will be terminated:
"SCP Protocol error: Invalid control record (r; elative addresses not allowed)
Copying files from the remote side failed."
If you attempt to transfer a file by the relative path with a command line utility the transfer will fail with the message:
"relative addresses not allowed"
Conditions:
-- Running BIG-IP version with a fix for ID 915981
-- Using WinSCP set to use SCP protocol to retrieve files from a BIG-IP system.
-- Using a relative remote path to transfer a file with the command line SCP utility.
Impact:
Cannot use WinSCP to retrieve files such as packet captures, log archives, or other diagnostic data from the BIG-IP system.
Workaround:
Use a command line SCP tool that allows specifying an absolute path for the source and/or destination file (a path that starts with a forward slash /), when the source and/or destination locations are a BIG-IP device.
You may use WinSCP in SFTP mode if the user ID is permitted to do so.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1111993-2 : HSB tool utility does not display PHY settings for HiGig interfaces
Links to More Info: BT1111993
Component: TMOS
Symptoms:
When running the hsb_tool utility, PHY settings for HiGig interfaces are not displayed.
Conditions:
Run hsb_tool on a BIG-IP system with HSB functionality.
Impact:
None
Workaround:
None
Fix:
The HSB tool now displays PHY settings for HiGig interfaces.
Following is an example:
[root@localhost:/S1-green-P::LICENSE EXPIRED:Standalone] config # hsb_tool
no nde found
no anti-nde found
HSB Debug Tool:
hsb_tool <-m module > [-o option] [-n dev_idx] [-p multi_params]
module: lbb
option: info # show bus info for hsb and pde
option: memory
option: phy # show phy settings for higig interfaces
module: pde
option: memory
module: edag or edagv2 # edagv2 refers to edag version 2
option: default
src_clst # show source cluster tables
dst_clst # show dest cluster tables
dst_assn # show dest assignment tables
vcmp_dsag # show VCMP disaggregation table
hash_cfg # show edag hash config
module: epva
option: mac_src # show epva mac src table
module: nde
option: memory
module: ande
option: memory
device idx params:
device indexes seperated by comma: e.g. -n 1,3,5
-p params:
option memory
3 params seperated by comma [offset, size, mode], e.g. -p 0x300,64,0
mode = 1 means binary mode, display in bytes
mode = 0 means register mode, display in 4 bytes
option mac_src
2 params [start, size], e.g. -p 1,10
Device index convention:
The device index is assigned in the pci device enumeration order
For example: hsb0 on bus 20:0:0, and hsb1 on 21:0:0
Note: the device index assigned in this tool might not be the same as BIG-IP software.
Please refer to the bus.dev.func for discrepancy.
Examples:
display edag info on all HSBs
hsb_tool -m edag
display edag source cluster table for hsb1
hsb_tool -m edag -o src_clst -n 1
display memory for pde 0 & pde 1 with offset 0x200, size 64, register mode
hsb_tool -m pde -o memory -p 0x300,64,0 -n 0,1
display first 10 entries in the epva mac src table
hsb_tool -m epva -o mac_src -p 0,10
[root@localhost:/S1-green-P::LICENSE EXPIRED:Standalone] config # hsb_tool -m lbb -o phy
no nde found
no anti-nde found
lbb0 on bus 1:0:0 phy dump
hsb version 0x03100100
PHY dump for [HGM1] started.
channel:00 drive:00000020
channel:00 pre:00000000
channel:00 post1:00000000
channel:00 post2:00000011
channel:00 rxdcgain:00000004
channel:00 rxeq:0000000c
channel:01 drive:00000020
channel:01 pre:00000000
channel:01 post1:00000000
channel:01 post2:00000011
channel:01 rxdcgain:00000004
channel:01 rxeq:0000000c
channel:02 drive:00000020
channel:02 pre:00000000
channel:02 post1:00000000
channel:02 post2:00000011
channel:02 rxdcgain:00000004
channel:02 rxeq:0000000c
channel:03 drive:00000020
channel:03 pre:00000000
channel:03 post1:00000000
channel:03 post2:00000011
channel:03 rxdcgain:00000004
channel:03 rxeq:0000000c
PHY dump for [HGM1] completed.
PHY dump for [HGM2] started.
channel:08 drive:00000020
channel:08 pre:00000000
channel:08 post1:00000000
channel:08 post2:00000011
channel:08 rxdcgain:00000004
channel:08 rxeq:0000000c
channel:09 drive:00000020
channel:09 pre:00000000
channel:09 post1:00000000
channel:09 post2:00000011
channel:09 rxdcgain:00000004
channel:09 rxeq:0000000c
channel:0a drive:00000020
channel:0a pre:00000000
channel:0a post1:00000000
channel:0a post2:00000011
channel:0a rxdcgain:00000004
channel:0a rxeq:0000000c
channel:0b drive:00000020
channel:0b pre:00000000
channel:0b post1:00000000
channel:0b post2:00000011
channel:0b rxdcgain:00000004
channel:0b rxeq:0000000c
PHY dump for [HGM2] completed.
lbb1 on bus 82:0:0 phy dump
hsb version 0x03100100
PHY dump for [HGM1] started.
channel:00 drive:00000020
channel:00 pre:00000000
channel:00 post1:00000000
channel:00 post2:00000011
channel:00 rxdcgain:00000004
channel:00 rxeq:0000000c
channel:01 drive:00000020
channel:01 pre:00000000
channel:01 post1:00000000
channel:01 post2:00000011
channel:01 rxdcgain:00000004
channel:01 rxeq:0000000c
channel:02 drive:00000020
channel:02 pre:00000000
channel:02 post1:00000000
channel:02 post2:00000011
channel:02 rxdcgain:00000004
channel:02 rxeq:0000000c
channel:03 drive:00000020
channel:03 pre:00000000
channel:03 post1:00000000
channel:03 post2:00000011
channel:03 rxdcgain:00000004
channel:03 rxeq:0000000c
PHY dump for [HGM1] completed.
PHY dump for [HGM2] started.
channel:08 drive:00000020
channel:08 pre:00000000
channel:08 post1:00000000
channel:08 post2:00000011
channel:08 rxdcgain:00000004
channel:08 rxeq:0000000c
channel:09 drive:00000020
channel:09 pre:00000000
channel:09 post1:00000000
channel:09 post2:00000011
channel:09 rxdcgain:00000004
channel:09 rxeq:0000000c
channel:0a drive:00000020
channel:0a pre:00000000
channel:0a post1:00000000
channel:0a post2:00000011
channel:0a rxdcgain:00000004
channel:0a rxeq:0000000c
channel:0b drive:00000020
channel:0b pre:00000000
channel:0b post1:00000000
channel:0b post2:00000011
channel:0b rxdcgain:00000004
channel:0b rxeq:0000000c
PHY dump for [HGM2] completed.
Fixed Versions:
17.1.0, 16.1.5, 15.1.10
1111981-3 : Decrement in MQTT current connections even if the connection was never active
Links to More Info: BT1111981
Component: Local Traffic Manager
Symptoms:
Current connections statistics display unrealistic values.
Conditions:
When MQTT Over Websockets setup is in passthrough mode.
Impact:
The correct count of the current connections is lost.
Fix:
Added a new field called 'activated' in pcb, to verify if the connection was activated at least once.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1111793-2 : New HTTP RFC Compliance check for incorrect newline separators between request line and first header
Links to More Info: BT1111793
Component: Application Security Manager
Symptoms:
ASM does not enforce incoming HTTP requests where the request line and the first header are separated with a line feed ('\n').
Conditions:
Any HTTP request with a line feed only at the end of the request line will not be enforced.
Impact:
Invalid requests might pass through ASM enforcement.
Workaround:
None
Fix:
HTTP requests with LF('\n') as the only separator between the request line and the first header are enforced, and "Unparsable request content" is reported.
Fixed Versions:
17.1.0, 16.1.4, 15.1.7
1111629-4 : Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors
Links to More Info: BT1111629
Component: TMOS
Symptoms:
After logging in to the GUI you may observe these logs under /var/log/httpd/httpd_errors
warning httpd[7698]: [auth_pam:warn] [pid 7698] [client 10.6.4.2:61221] AUTHCACHE Error processing cookie AFQ6MCL2VWASB6NZTAWGQLFFWY - Failed Read: User, referer:
Conditions:
- Using token authentication for rest calls
- Login to the GUI
Impact:
- Increased disk space usage under /var/log
- Increased memory size of httpd processes
Workaround:
None
Fix:
These messages are no longer logged when not needed.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1111473-4 : The error Invalid monitor rule instance identifier occurs, and possible blade reboot loop after sync with FQDN nodes
Links to More Info: BT1111473
Component: Local Traffic Manager
Symptoms:
Log messages similar to the following may be observed in /var/log/ltm:
bigip1 err mcpd[4783]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 29.
This may also result in a few unresponsive monitors in checking state.
If this occurs on a VIPRION system or a multi-slot tenant on a VELOS system, one or more secondary blades may reboot repeatedly while logging messages similar to the following:
err mcpd[####]: 01020036:3: The requested monitor instance (/Common/?????? ##.##.##.## ### ?????????) was not found.
err mcpd[####]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/Common/?????? ##.##.##.## ### ?????????) was not found.... failed validation with error 16908342.
Conditions:
The initial "requested monitor instance ... was not found" message may occur when:
-- FQDN nodes exist on the configuration.
-- A full config sync occurs.
-- Device contains a fix for Bug ID 1017513.
-- May happen regardless of bigd or in-tmm monitoring.
In addition, the message "Configuration error: Configuration from primary failed validation" and secondary blade/slot reboot loop may occur on VIPRION or VELOS systems.
Impact:
-- A few monitor statuses may not be correctly reported.
-- A few monitors may be unresponsive in checking state.
-- On VIPRION or VELOS systems, one or more secondary blades may be unresponsive in a reboot loop.
Workaround:
Force the MCPD process to reload the BIG-IP configuration. For more information refer K13030.
Fix:
The monitors are responsive, no errors are recorded.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1111421-1 : IPsec SA info cannot be viewed in TMSH or the web UI
Links to More Info: BT1111421
Component: TMOS
Symptoms:
Established IPsec Security Associations (SAs) are not viewable in GUI or TMSH.
GUI network -> ipsec -> diagnostic -> traffic-selectors -> security association details shows no SAs
tmsh show net ipsec ipsec-sa traffic-selectors outputs no SA
Conditions:
-- Configure an IPsec tunnel.
-- Start the tunnel.
-- Check the IPsec SA.
Impact:
This is a cosmetic issue only. An admin is unable to see any IPsec SA in the GUI or TMSH.
Workaround:
None
Fix:
IPsec SAs can now be viewed.
Fixed Versions:
17.1.0, 16.1.4
1111397-4 : [APM][UI] Wizard should also allow same patterns as the direct GUI
Links to More Info: BT1111397
Component: Access Policy Manager
Symptoms:
Device wizard fails if a certain string is used in the access policy name:
- access policy name that fails: abc_1234_wxyz
- access policy name that works: abc-1234-wxyz
An error can be found in the log:
ERROR SAWizard.SACreateAccessPolicy:error - java.sql.SQLException: General error: 01020036:3: The requested Access Profile /common/abc_1234_wxyz was not found. in statement [DELETE FROM profile_access WHERE name = ?]
Conditions:
Using certain string patterns when creating an access policy via the wizard (specifically the underscore character).
Impact:
The wizard fails and throws errors.
Workaround:
None
Fix:
Fixed the naming mismatch by removing function to concat strings with extra _x.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1111189-2 : Listing errors in tmsh and installation failures when the configuration includes an AVR scheduled-report.
Links to More Info: BT1111189
Component: Application Visibility and Reporting
Symptoms:
-- The tmsh utility may return an error when listing analytics configuration.
-- TMOS installations may fail and return an error.
-- Saving new UCS archives may fail and return an error.
In all cases, the error is similar to the following example:
TSocket::open() getaddrinfo() <Host: 127.3.0.2
Port: 9090>Name or service not known
std exception: (Could not resolve host for client socket.), exiting...
Conditions:
-- Multi-blade VIPRION system (either metal or in the form of a vCMP guest).
-- AVR is provisioned.
-- At least one AVR scheduled-report is present in the configuration.
-- An action such as listing the config, saving a UCS archive, performing a TMOS installation, etc. is performed on a secondary blade.
Impact:
The operation you were attempting fails and an error is returned.
Workaround:
The only workaround consists in removing all AVR scheduled-reports, performing the intended task, and then re-defining the AVR scheduled-reports as necessary. This is of course disruptive and may not be indicated for your site. If you require an Engineering Hotfix for this issue, please contact F5 Support.
Fix:
The presence of AVR scheduled-reports in the configuration no longer interferes with administrative tasks.
Fixed Versions:
17.1.0, 16.1.4
1111149-2 : Nlad core observed due to ERR_func_error_string can return NULL
Links to More Info: BT1111149
Component: Access Policy Manager
Symptoms:
The following symptoms are observed
In /var/log/ltm:
err nlad[17535]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
Nlad core is observed
/var/log/kern.log:Apr 7 03:46:53 <vs name > info kernel: nlad[13119]: segfault at 0 ip <> sp <> error 4.
Conditions:
NLAD core is SIGSEGV - crashing while processing a SSL Certificate via a SAML login.
Impact:
Core results in disruption of APM sessions
Workaround:
None
Fix:
NA
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1111097-6 : gzip arbitrary-file-write vulnerability CVE-2022-1271
Links to More Info: K000130546, BT1111097
1110893-4 : Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy
Links to More Info: BT1110893
Component: TMOS
Symptoms:
Some sections of the BIG-IP GUI fail to load properly, and may report "An error occurred:" Additionally, iControl REST calls may fail with a 401 unauthorized error.
Conditions:
-- BIG-IP GUI or iControl REST is accessed behind a proxy that that includes an X-Forwarded-For header
-- The "httpd.matchclient" BigDB key is set to true (this is the default).
Impact:
Some portions of the GUI are broken as well as iControl REST calls may fail.
Workaround:
Disable the "httpd.matchclient" DB key:
tmsh modify sys db httpd.matchclient value false
bigstart restart httpd
Fix:
REST Auth token client ip address and mod_auth_pam client ip address should match
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1110813-3 : Improve MPTCP retransmission handling while aborting
Links to More Info: BT1110813
Component: Local Traffic Manager
Symptoms:
- MPTCP enabled TCP connection is aborting.
- TMM cores.
Conditions:
- MPTCP is enabled.
- MPTCP enabled TCP connection is aborting.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable MPTCP option in the TCP profile.
Fix:
Improved MPTCP retransmission handling while aborting.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1110489-3 : TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event
Links to More Info: BT1110489
Component: Access Policy Manager
Symptoms:
Tmm crashes.
/var/log/tmm contains
May 24 18:06:24 sslo.test.local notice panic: ../net/nexthop.c:165: Assertion "nexthop ref valid" failed.
Conditions:
An iRule is applied to a virtual Server containing a ACCESS_ACL_ALLOWED iRule event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1110281-2 : Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable
Links to More Info: BT1110281
Component: Application Security Manager
Symptoms:
Non-HTTP traffic is not forwarded to the backend server.
Conditions:
- ASM provisioned
- Behavioral DoS profile assigned to a virtual server
- DOSL7::disable and HTTP::disable applied at when CLIENT_ACCEPTED {}
Impact:
Broken webapps with non-HTTP traffic.
Workaround:
Instead of using DOSL7::disable, redirect non-HTTP traffic to a non-HTTP aware virtual server using the iRule command virtual <virtual_server_name>.
Fix:
Fixed the Behavioral DoS HTTP::disable command handler in the tmm code.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1110241-2 : in-tmm http(s) monitor accumulates unchecked memory
Links to More Info: BT1110241
Component: In-tmm monitors
Symptoms:
Connflows growing larger than expected/desired.
Conditions:
-- in-TMM monitors are enabled
-- http(s) monitors are configured
-- Pool members continue spooling chunked data
Impact:
If an http(s) server does not close its connection to BIG-IP and continues spooling chunked data, the connflow remains and can eventually cause similar issues.
Workaround:
Three possible:
1. Fix the server.
2. Periodically reboot the server.
3. Use BigD LTM monitors.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1110205-2 : SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown
Links to More Info: BT1110205
Component: Local Traffic Manager
Symptoms:
If a virtual server has an iRule performing SSL payload processing in CLIENTSSL_DATA, TMM fails to process or forward an ingress TCP FIN from a client, leaving the connection in a zombie state until it eventually idles out.
Conditions:
The issue occurs only when SSL::collect is used in CLIENTSSL_DATA
when CLIENTSSL_DATA {
log local0. "."
SSL::release
SSL::collect
}
Impact:
Unexpected growth in the number of connections idling on a virtual server leads to memory pressure.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.9
1109953-4 : TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry
Links to More Info: BT1109953
Component: Local Traffic Manager
Symptoms:
A very long entry (exceeding the maximum length allowed by internet stndards) in a data-group used for SSL Forward Proxy Bypass/Intercept hostname list may cause TMM to crash.
Conditions:
All of the below conditions have to be met:
-- A virtual server uses SSL profile
-- This SSL profile has Forward Proxy enabled.
-- The SSL profile has Forward Proxy Bypass enabled.
-- The SSL profile uses Hostname Bypass and/or Hostname Intercept data-group.
-- Anny to the data-groups contains entries which are longer than 255 characters.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Make sure all entries in the data-group used for intercept/bypass hostnanme list do not exceed 255 characters. According to RFC 1035 section 2.3.4, longer hostnames are not valid.
Fix:
TMM no longer crashes when hostname data-group entries are too long. Instead there is an error message logged: 01260000:2: Profile <affected SSL profile name>: could not load hostname bypass/intercept list
However, incorrect entries need to be fixed as they are not valid anyway and make the data-group to be ignored.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1109833-1 : HTTP2 monitors not sending request
Links to More Info: BT1109833
Component: Local Traffic Manager
Symptoms:
HTTP2 monitors do not send monitor traffic, incorrectly marking pool members down.
Conditions:
HTTP2 monitor configured.
Impact:
Pool members marked down erroneously.
Workaround:
Use different monitor type, if possible.
Fixed Versions:
17.1.0, 16.1.3.1
1108681-4 : PEM queries with filters return error message when a blade is offline
Links to More Info: BT1108681
Component: Policy Enforcement Manager
Symptoms:
Attempting to retrieve subscriber session data for a specific subscriber returns the following error: "Data Input Error: ERROR: 'query_view' query reply did not contain a result object."
Conditions:
One of the blades is disabled, and the pem sessiondb query contains a filter, for example subscriber-id or session-ip.
Impact:
Cosmetic error, no impact.
Workaround:
Enable the disabled blades, or send a pem sessiondb query without filters.
Fix:
No error is returned when sending a pem session query with filters when one of the blades is disabled.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1108657-3 : No notification about disabled "Virus detected" violation in case of enabling "Anti-Virus Protection"
Links to More Info: BT1108657
Component: Application Security Manager
Symptoms:
If the "Virus detected" violation is disabled, there is no notification about it after enabling "Anti-Virus Protection".
Conditions:
1. In Security ›› Application Security : Policy Building : Learning and Blocking Settings screen, for Virus Detected violation set at least one of the Learn, Alarm, or Block checkboxes as empty.
2. In Security ›› Application Security : Security Policies : Policies List ›› <selected_policy> screen - check the Scan HTTP Uploads (in Anti-Virus Protection field)
3. No warning is shown.
Impact:
No warning is shown to user which indicates that the related violation settings are switched off (Learning, Alarming or Blocking)
Workaround:
None
Fix:
Warning of the related switched-off violation settings will be shown.
Fixed Versions:
17.1.0, 16.1.4
1108237-2 : Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM.
Links to More Info: BT1108237
Component: Global Traffic Manager (DNS)
Symptoms:
It is possible for monitor probes to a certain destination to be owned by no GTM device in the sync-group. As a result, no monitoring of the destination will be performed, and the monitored object will be incorrectly marked down with reason "no reply from big3d: timed out".
Conditions:
-- GTM sync-group with multiple GTM devices (including a sync-group that contains only a single GTM server with more than one GTM device in it).
-- Monitors specifying an explicit destination to connect to (e.g. with the property "destination 192.168.1.1:*").
-- The destination of a monitored object (e.g. the IP address of the gtm server) is different from the destination explicitly defined in a monitor assigned to the object.
-- The two mismatching destination values are assigned to different GTM devices in the sync-group for monitoring.
Impact:
Monitored GTM objects may have an incorrect status.
Workaround:
None
Fix:
All monitor probes are not correctly assigned to a GTM device.
Fixed Versions:
17.1.1, 16.1.4
1108181-2 : iControl REST call with token fails with 401 Unauthorized
Links to More Info: BT1108181
Component: TMOS
Symptoms:
For a short period after creating or refreshing a token, the iControl REST calls may fail with a 401 Unauthorized error and an HTML body content, or a 401 F5 Authorization Required error and a JSON body content.
When using F5 Ansible modules for BIG-IP, the modules may fail with an error "Expecting value: line 1 column 1 (char 0)".
The AS3 may return an error "AS3 API code: 401".
Conditions:
- REST call using valid token.
- Can commonly occur on the call after a token has been refreshed or a Token list has been requested.
Impact:
The iControl REST calls may temporarily fail (typically less than 1 second) after the creation or refresh of an iControl REST token.
Workaround:
After being issued a token or refreshing a token, wait a second before attempting to use it.
If this does not work, request a new token.
No workaround exists for AS3 or F5 Ansible BIG-IP modules.
Fix:
A race condition on a PAM file update has been resolved. Tokens should remain valid.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
1108109-4 : APM policy sync fails when access policy contains customization images★
Links to More Info: BT1108109
Component: Access Policy Manager
Symptoms:
APM policy sync fails after an upgrade. Mcpd logs an error
err mcpd[6405]: 01b70117:3: local_path (/tmp/psync_local_file) starts with invalid directory. Valid directories are /var/config/rest/, /var/tmp/, /shared/tmp/.
Conditions:
APM access policy contains a custom image file
Impact:
APM policy sync fails.
Workaround:
None
Fix:
Customization image file is allowed to be created from /tmp local_path.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1107565 : SSL Persistence behavior change for TLS1.3 connection between v16.1.0 and v16.1.2.2
Links to More Info: BT1107565
Component: Local Traffic Manager
Symptoms:
The BIG-IP system resets TLS 1.3 connections when the client-hello contains a session-ID.
Conditions:
-- Virtual server has ssl persistence enabled
-- TLS 1.3 is used
-- The client-hello message contains a session-ID.
Impact:
Traffic uses TLS 1.3 and SSL persistence is disrupted.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4
1107549-2 : In-TMM TCP monitor memory leak
Links to More Info: BT1107549
Component: In-tmm monitors
Symptoms:
TMM memory use grows unbounded; aggressive sweeper is engaged
Conditions:
-- In-TMM TCP monitors are enabled
Impact:
TCP peer ingress accumulates over time. Over an extended period of time the aggressive sweeper begins freeing memory.
Workaround:
1. Rebooting the BIG-IP system after the change is made is one potential remedy.
2. Use regular LTM monitors.
Fix:
Fixed a memory leak with in-tmm TCP monitors.
Fixed Versions:
17.1.0, 16.1.4, 15.1.8
1106937-3 : ASM may skip signature matching
Links to More Info: BT1106937
Component: Application Security Manager
Symptoms:
Under certain conditions ASM skips signature matching.
Conditions:
Authorization header type is Bearer.
- When input contains less than or more than 3 parts of JWT token values.
- When base64 decode fails while decoding JWT token.
Impact:
Signature matching gets skipped.
Workaround:
None
Fix:
ASM checks for signature matching.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1106757-3 : Horizon VDI clients are intermittently disconnected
Links to More Info: BT1106757
Component: Access Policy Manager
Symptoms:
VMware Horizon Clients experience intermittent freezes and disconnects as the mapping between blast UUID and session id in CLIENT_CLOSED function is maintained only for 20 seconds.
Conditions:
-- VMware VDI is configured via an iApp
-- The connection to the virtual server is lost for more than 20 seconds
Impact:
VMware Horizon Clients experience freezes and disconnects intermittently.
Workaround:
None
Fix:
VMware Horizon Clients are not being disconnected intermittently.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1106489-2 : GRO/LRO is disabled in environments using the TMM raw socket "sock" driver.
Links to More Info: BT1106489
Component: TMOS
Symptoms:
GRO/LRO packets are not received: "tmctl -d blade tmm/ndal_rx_stats" shows "0" in "lro". The linux host has GRO disabled: "ethtool -k eth1 | grep generic-receive-offload" shows "off".
Conditions:
-- BIG-IP is deployed in a Hyper-V environment.
-- Any environment such that "tmctl -d blade tmm/device_probed" displays "sock" in "driver_in_use".
Impact:
Performance is degraded.
Workaround:
Manually enable GRO on the device: ethtool -K eth1 gro on
Check that it's enabled with: ethtool -k eth1 | grep generic-receive-offload
Fix:
When sending large payload, "tmctl -d blade tmm/ndal_rx_stats" shows "1" in "lro". "tmctl -d blade tmm/ndal_dev_status" shows "y:y" (available:enabled) in "lro". The linux host indicates the device has GRO enabled: "ethtool -k eth1 | grep generic-receive-offload" shows "on".
Fixed Versions:
16.1.4, 15.1.10
1106353-4 : [Zebos] Expand zebos/bgp commands in a qkview
Links to More Info: BT1106353
Component: TMOS
Symptoms:
Improvement to add the following commands to a qkview:
show ip route
show ipv6 route
show ip bgp neighbors
show bgp
show ip bgp attribute-info
show ip bgp scan
show ip pim neighbor
show route-map
show process
Conditions:
None
Impact:
None
Workaround:
None
Fix:
The following commands are added to a qkview:
Show ip route
show ipv6 route
show ip bgp neighbors
show bgp
show ip bgp attribute-info
show ip bgp scan
show ip pim neighbor
show route-map
show process
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1106325 : Upgrade from BIG-IP 16.1.3 to BIG-IP 17.0 does not work when FIPS mode is enabled★
Links to More Info: BT1106325
Component: TMOS
Symptoms:
Upgrade from BIG-IP 16.1.3 to BIG-IP 17.0 does not work when FIPS mode is enabled.
Error displayed in console:
01070911:3: The requested integer (2) is out of range (0 - 1) for fipscipherversion in httpd (/Common/httpd)
Unexpected Error: Loading configuration process failed.
Conditions:
- BIG-IP 16.1.3
- FIPS 140-3 license is installed on BIG-IP 16.1.3 or its a FullBoxFIPS device.
When FIPS 140-3 is enabled in BIG-IP 16.1.3 then the upgrade to version 17.0 will fail.
Impact:
Upgrade from version 16.1.3 to version 17.0 fails when FIPS enabled.
Workaround:
Disable the FIPS 140-3 license and then perform the upgrade.
Fixed Versions:
16.1.3
1106273-3 : "duplicate priming" assert in IPSECALG
Links to More Info: BT1106273
Component: Advanced Firewall Manager
Symptoms:
This is a specific issue with a complicated firewall/NAT/IPSEC scenario. In this case, when applying changes to a firewall policy in transparent mode, IPSECALG triggers a "duplicate priming" assert
Conditions:
When an IPSec session is established from a device with a source IP which has a firewall policy (transparent mode). As soon as traffic is passed over the new IPSec tunnel, this clash in the rules results in a tmm core.
Impact:
TMM asserts with "duplicate priming" assert.
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Data is able to flow through tunnel and no crash
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1105901-2 : Tmm crash while doing high-speed logging
Links to More Info: BT1105901
Component: TMOS
Symptoms:
Tmm crashes
Conditions:
-- High-speed logging is configured
-- Network instability occurs with the logging pool members
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1105341-2 : Decode_application_payload can break exponent notation in JSON
Links to More Info: BT1105341
Component: Application Security Manager
Symptoms:
With decode_application_payload set to 1, the single pass of decoding prior to JSON parsing will convert positive exponents to ascii characters ie "+" to " ". This results in Malformed numeric value violations
Conditions:
Positive exponents with decode_application_payload set to 1.
Impact:
Malformed JSON violations
Workaround:
Disable decode_application_payload
decode_application_payload set to 0.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1105145-2 : Request body on server side egress is not chunked when it needs to be after HTTP processes a 100 continue response.
Links to More Info: BT1105145
Component: Local Traffic Manager
Symptoms:
After HTTP processes a 100 continue responses, the request body is incorrectly not chunked on egress to the server, whenever server-side chunking is expected.
Conditions:
- Basic HTTP virtual server with rechunking iRule.
- Incoming client requests containing 'Expect' header.
Impact:
Server may return an error response, for example, 400 Bad Request.
Workaround:
None
Fix:
The request body is chunked on server-side when expected and the server responses are as per expectation.
Fixed Versions:
17.1.0, 16.1.5
1104773-6 : REST API Access hardening
Component: TMOS
Symptoms:
REST API Access token generation may not follow security best practices.
Conditions:
N/A
Impact:
N/A
Workaround:
Restrict high-privileged access to the BIG-IP filesystem to trusted users.
Fix:
Security best practices are now followed.
Fixed Versions:
17.1.1, 16.1.5
1104517-2 : In SWG explicit proxy, some TCP connections are reset because of inconsistency between sessionDB and local IP2SessionId map
Links to More Info: BT1104517
Component: Access Policy Manager
Symptoms:
Some clients' TCP connections are reset with an error "cl sm driver error (Illegal value)" when the BIG-IP system is in this error state.
Conditions:
SWG explicit proxy is configured.
Impact:
Some clients are unable to access a service.
Workaround:
Disable sessionDB mirroring on both active and standby
# tmsh modify sys db statemirror.mirrorsessions value disable
# tmsh save sys config
Restart tmm on standby
# bigstart restart tmm
Fix:
Fixed an issue causing a TCP reset with certain clients.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1104493-1 : Client-side abort during server-side establishment may cause tmm to behave abnormally in HTTP MRF proxy
1104409-1 : Added Rewrite Control Lists builder to Admin UI
Links to More Info: BT1104409
Component: Access Policy Manager
Symptoms:
Poor usability for admins in Rewrite Control Lists (RCL) functionality
Conditions:
You wish to edit Rewrite Control Lists
Impact:
Previously there was no RCL builder. The RCL strings where added as is.
Now Admin UI has an RCL builder which creates the RCL string.
Workaround:
None
Fix:
RCL Builder added to Admin UI
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1104073-2 : Use of iRules command whereis with "isp" or "org" options may cause TCL object leak.
Links to More Info: BT1104073
Component: Local Traffic Manager
Symptoms:
When iRules command whereis is being used with "isp" or "org" options and underlying GEOIP database(s) have not been loaded,
cur_allocs for tcl memory increases over time and does not return to the prior level.
Conditions:
- iRules command whereis is used with "isp" or "org" options
- The underlying GEOIP database(s) have not been loaded
Impact:
Cur_allocs for tcl memory increases over time and does not return to the prior level.
Workaround:
Load the underlying GEOIP database(s) before using "isp" or "org" options of the iRules command whereis.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1104037-2 : Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire
Links to More Info: BT1104037
Component: SSL Orchestrator
Symptoms:
Tmm crashes.
Conditions:
Changing "connection.vlankeyed" from enabled to disabled on a system configured for L2 wire
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Keep "connection.vlankeyed" enabled
Fix:
The crash was eliminated
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1103617-4 : 'Reset on Timeout' setting might be ignored when fastl4 is used with another profile.
Links to More Info: BT1103617
Component: Local Traffic Manager
Symptoms:
'Reset on Timeout' setting might be ignored when Fastl4 profile is configured along with some other profile.
Conditions:
Fastl4 profile is configured along with some other profile (for example IPS).
Impact:
Traffic might be reset unexpectedly.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1103369-2 : DELETE of REST Auth token does not result in deletion of the pamcache token file on a multi-slot VIPRION chassis, vCMP guest, or VELOS tenant
Links to More Info: BT1103369
Component: TMOS
Symptoms:
The REST tokens are not deleted from cache /var/run/pamcache when the tokens are expired or deleted.
Conditions:
- A large number of REST Auth tokens are created in multi-slot VIPRION, multi-slot vCMP Guest, or multi-slot VELOS tenant.
Impact:
The deleted token continue to be available in the cache.
Memory is consumed as cache is stored in an in-memory filesystem.
Workaround:
First take immediate action to recover memory by removing stale tokens and restarting affected processes. This should be done to free memory, even if planning to update software to prevent reoccurrence.
Remove token files from /run/pamcache manually. This may have minor impact to REST API use causing a REST user to need to reauthenticate.
Execute the following command by using -print instead of -delete to verify the tokens to be deleted (recommended to not use clsh):
# clsh "find /run/pamcache -regextype posix-extended -type f -regex '/run/pamcache/[A-Z0-9]{26}' -delete"
httpd processes can be affected - restart them. This has an impact to REST API and GUI for the few seconds until httpd restarts:
# clsh bigstart restart httpd
Restart csyncd - this is expected to have no adverse impact.
# clsh bigstart restart csyncd
Alternatively clear any stale content and restart processes simply by rebooting the chassis (ie all blades together).
Next, it is possible to prevent the issue reoccurring by the following steps, if not quickly updating software to a fixed version.
Execute the following commands in bash to remove the pamcache directory from the set being acted upon by "csyncd":
# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
# clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"
# clsh "bigstart restart csyncd"
Fix:
Auth tokens in /run/pamcache are deleted as required.
Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1103233-2 : Diameter in-tmm monitor is logging disconnect events unnecessarily
Links to More Info: BT1103233
Component: Service Provider
Symptoms:
Errors are logged to /var/log/ltm:
err tmm[20104]: 01cc0006:3: Peer (<peer>) connection state has changed: disconnected
Conditions:
A diameter in-tmm monitor is configured
Impact:
Debug logs are logged at the error level.
Workaround:
None
Fix:
Log level has been changed to the debug level for the peer disconnected log.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1103117-2 : iAppLX extension using express with httpserver script leaves lingering client-side flow on HTTP requests.
Links to More Info: BT1103117
Component: Local Traffic Manager
Symptoms:
While using an iAppLX extension using express with simple HTTP server script, tmsh show sys conn shows a lingering client-side flow that is eventually expired by the sweeper.
Conditions:
Virtual server with iAppLX extension using express with a simple httpserver script like below:
app.use(express.static('public'));
var plugin = new f5.ILXPlugin();
plugin.startHttpServer(app);
Impact:
The connection table (tmsh show sys conn) shows a lingering client-side flow that is eventually expired by the sweeper.
Workaround:
None
Fixed Versions:
16.1.5
1102849-3 : Less-privileged users (guest, operator, etc) are unable to run top level commands
Links to More Info: BT1102849
Component: TMOS
Symptoms:
Less privileged users are no longer able to run top-level commands such as "show running-config recursive". Executing this command from TMOS results in an error:
Unexpected Error: Can't display all items, can't get object count from mcpd
and mcpd throws error:
result_message "01070823:3: Read Access Denied: user (test) type (Abort Ending Agent)"
Conditions:
User account with a role of guest, operator, or any role other than admin.
Impact:
You are unable to show the running config, or use list or list sys commands.
Workaround:
Logon with an account with admin access.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9, 14.1.5.1
1102837-2 : Use native driver for e810 instead of sock
Links to More Info: BT1102837
Component: TMOS
Symptoms:
Default driver sock cannot provide good performance.
Conditions:
Running BIG-IP Virtual Edition (sock is the default virtual function network driver for VE until 15.1.6 release)
Impact:
Default driver sock cannot provide good performance.
Workaround:
No mitigation when native drivers are not yet available for e810 NIC (for example, 15.1.6 and earlier). Default driver sock are used and that is unable to provide good performance.
Fix:
This release provides a native driver.
Fixed Versions:
17.1.0, 16.1.5, 15.1.7
1102429-2 : iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases.
Links to More Info: BT1102429
Component: Local Traffic Manager
Symptoms:
Invoking the iRule command 'reject' under the iRule event 'FLOW_INIT' may, in some cases, fail to send out the intended reject packet (i.e. TCP reset or ICMP port unreachable).
Conditions:
The issue occurs when the BIG-IP system does not have a route back to the client, and should instead deliver the reject packet by means of autolasthop.
Impact:
The connection is actually removed from the BIG-IP system's connection table, and correctly does not progress. However, the lack of a reject packet could make the client retransmit its initial packet or insist in opening more connections.
Fix:
iRule 'reject' command under 'FLOW_INIT' event now works correctly even when autolasthop should be employed to deliver the reject packet back to the client.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1102301-2 : Content profiles created for types other than video and image allowing executable
Links to More Info: BT1102301
Component: Application Security Manager
Symptoms:
When creating "API Security" policy, "Disallow File Upload of Executables" options are disabled for contents different than video/* or image/*.
Conditions:
Create "API Security" policy with binary content URL.
Impact:
Incorrect violation is raised.
Workaround:
None
Fix:
Disabled Disallow File Upload of Executables in content profiles.
Fixed Versions:
17.1.0, 16.1.4
1101705-2 : RSA-KEX ciphers list are removed from httpd configuration in FIPS mode since these are non-approved ciphers for FIPS 140-3 certification
Links to More Info: BT1101705
Component: TMOS
Symptoms:
- RSA-KEX ciphers list are removed from httpd configuration when FIPS mode is enabled since these are non-approved ciphers for FIPS 140-3 certification.
- Mandatory fix for FIPS 140-3 Certification.
Conditions:
- BIG-IP versions 16.1.3 and above.
- Applies to systems requiring FIPS 140-3 Certification.
- FIPS 140-3 license is installed on BIG-IP or its a FullBoxFIPS device.
- https connections are established using the RSA-KEX based ciphers
Impact:
- BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be running a FIPS 140-3 certified configuration.
- https connection using RSA KEX ciphers will not be successful when FIPS 140-3 license is installed in the device.
Workaround:
None
Fix:
Apply this fix to ensure that the system is compliant with FIPS 140-3 Certification.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3
1101697-2 : TLS1.3 connection failure with 0-RTT and Hello Retry Request (HRR).
Links to More Info: BT1101697
Component: Local Traffic Manager
Symptoms:
Connection failure.
Conditions:
This condition can occur when:
- The 0-RTT is enabled.
- When TLS1.3 session goes for Hello Retry Request (HRR).
Impact:
Connection failure.
Workaround:
Disable the 0-RTT.
Fix:
Added changes which handle this defects.
Fixed Versions:
17.1.0, 16.1.4, 15.1.7
1101453-1 : MCPD SIGABRT and core happened while deleting GTM pool member
Links to More Info: BT1101453
Component: TMOS
Symptoms:
Mcpd crashes while deleting a pool member.
Conditions:
-- Huge GTM configuration
-- One pool members is referenced by 1000 wide IPs
Impact:
Traffic disrupted while mcpd restarts.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1101369-1 : MQTT connection stats are not updated properly
Links to More Info: BT1101369
Component: Local Traffic Manager
Symptoms:
Negative values can be seen in current connections.
Conditions:
This issue can be seen when the 'CONNECT' message is dropped by iRule or when the first message received is not 'CONNECT.'
Impact:
MQTT profile stats are not incremented correctly with CONNECT message.
Workaround:
None
Fix:
MQTT profile stats are incremented correctly with CONNECT message.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1101321-3 : APM log files are flooded after a client connection fails.
Links to More Info: BT1101321
Component: Access Policy Manager
Symptoms:
Once a client connection fails, the var/log/apm log files get flooded with repeat error messages like "queue.cpp func: "printx()" line: 359 Msg: Queued fd"
Conditions:
When the client connection fails, for example, when the client connection is no longer valid, the log files are flooded with all queued connections which are available at that point of time.
Impact:
The continuous error messages in the log files may cause high CPU issues.
Workaround:
None
Fix:
Log level changed so that these logs are only printed in debug log-level.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1101181-2 : HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server
Links to More Info: BT1101181
Component: Local Traffic Manager
Symptoms:
The BIG-IP forwards HTTP request headers to pool member, but does not forward the request body. This results in a connection stall, and the connection eventually timing out and failing.
Conditions:
-- Virtual server with HTTP/2 full proxy configured (HTTP MRF router is enabled, and HTTP/2 profile present on virtual server).
-- Virtual server has request-logging profile assigned.
-- Serverside connection uses HTTP/2.
-- Client sends a request that includes a payload body (e.g. a POST).
Impact:
HTTP transaction fails; traffic does not pass.
Workaround:
Remove the request-logging profile.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1100669-3 : Brute force captcha loop
Links to More Info: BT1100669
Component: Application Security Manager
Symptoms:
Captchas for a user that failed to login after several attempts will continue after a successful login.
Conditions:
-- A user fails to log in after several attempts.
-- The mitigation is captcha mitigation.
Impact:
If the user eventually provides the correct password, the user will be able to log in.
Workaround:
None
Fix:
Issue with captcha loop was fixed.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1100609 : Length Mismatch in DNS/DHCP IPv6 address in logs and pcap
Links to More Info: BT1100609
Component: TMOS
Symptoms:
The wrong length is shown in logs for DNS/DHCP IPv6 addresses.
Conditions:
-- DNS/DHCP IPv6 configured in IKE-PEER configuration.
-- The tunnel is established.
Impact:
The length is reported incorrectly in the logs. It is reported as 15 when it should be reported as 16.
Workaround:
None
Fix:
Fix the logs.
Fixed Versions:
17.1.0, 16.1.3
1100561 : AAA: a trailing ampersand is added to serverside request when using HTTP forms based auth
Links to More Info: BT1100561
Component: Access Policy Manager
Symptoms:
An extra "&" is added to a request
Conditions:
A query is specified in a Form-Action field
Impact:
The server replies with an error due to the extra trailing & in the request from APM
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1100549-3 : "Resource Administrator" role cannot change ACL order
Links to More Info: BT1100549
Component: Access Policy Manager
Symptoms:
You encounter a 'No Access' error when trying to change ACL order
Conditions:
You are logged in with a Resource Administrator role.
Impact:
You are unable to change the ACL order
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1100409-4 : Valid connections may fail while a virtual server is in SYN cookie mode.
Links to More Info: BT1100409
Component: TMOS
Symptoms:
Some of the valid connections to a TCP virtual server may fail while the virtual server is in SYN cookie mode due to an attack.
Conditions:
-- BIG-IP i4x00 platform.
-- TCP virtual server under SYN flood attack.
Impact:
Failed connections, service degradation.
Workaround:
Disabling SYN cookie in the TCP or fastL4 profile is a possible workaround, but that would leave the virtual server open to SYN flood attacks.
Fix:
The ePVA module is now correctly initialized on the i4x00 platform.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1100393-2 : Multiple Referer header raise false positive evasion violation
Links to More Info: BT1100393
Component: Application Security Manager
Symptoms:
When Multiple Referer headers contains a backslash character ('\') in query string portion, 'IIS backslashes' evasion technique violation is raised.
Conditions:
- 'Url Normalization' is turned on and 'Evasion Techniques Violations' is enabled.
- Multiple Referer header contains a backslash character ('\') in query string part.
Impact:
False positive evasion technique violation is raised for Referer header.
Workaround:
In the HTTP Header Properties screen, turn off the 'Url Normalization' on the 'Normalization Settings' section of the 'referer' property.
Fix:
Fixed Multiple Referer header handling before URL Normalization.
Fixed Versions:
17.1.0, 16.1.4
1100321 : MCPD memory leak
Links to More Info: BT1100321
Component: TMOS
Symptoms:
Viewing virtual server firewall policy rules leaks some memory in MCPD.
Conditions:
- BIG-IP AFM is provisioned
- Virtual server firewall policy rules are viewed, e.g. by running one of the following commands:
tmsh show ltm virtual fw-enforced-policy-rules
tmsh show ltm virtual fw-staged-policy-rules
Impact:
A memory leak occurs when the command is run.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1100197-2 : Mcpd message: Unable to do incremental sync, reverting to full load for device group /Common/gtm
Links to More Info: BT1100197
Component: Global Traffic Manager (DNS)
Symptoms:
GTM may occasionally send the wrong commit_id_originator to other sync group members, causing a full sync to occur instead of an incremental one.
The following message may be seen in the /var/log/gtm log
"Unable to do incremental sync, reverting to full load for device group /Common/gtm"
Conditions:
Frequent GTM group syncs.
Impact:
Unnecessary GTM full sync when an incremental sync would have been more efficient.
Workaround:
None
Fixed Versions:
16.1.5
1100169-1 : GTM iQuery connections may be reset after SSL key renegotiation.
Links to More Info: BT1100169
Component: Global Traffic Manager (DNS)
Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.
Conditions:
This occurs occasionally during routine renegotiation. Renegotiation occurs once very 24 hours, per connection, by default (but can be controlled by the db key big3d.renegotiation.interval)
Impact:
It causes a brief disconnection between the GTMs in the sync group.
Workaround:
None
Fixed Versions:
16.1.5
1100125-4 : Per virtual SYN cookie may not be activated on all HSB modules
Links to More Info: BT1100125
Component: TMOS
Symptoms:
The virtual reports Hardware SYN cookie mode, but some of the SYNs are still processed in software.
Conditions:
On platforms where one TMM instance attached to multiple HSB modules.
Impact:
A portion of an SYN flood is processed in Software instead of Hardware.
Workaround:
-
Fix:
SYN cookie processing is correctly offloaded to all HSB modules.
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1099833-5 : Add additional server side support for f5-epi links.
Component: Access Policy Manager
Symptoms:
f5-epi links do not properly validate during machine info check.
Conditions:
- Machine info check is enabled in access policy.
Impact:
Undesirable behavior
Workaround:
-No-
Fix:
Note: 1081133 must be resolved on the server as well
Behavior is as expected.
Fixed Versions:
16.1.5
1099765-3 : Inconsistent behavior in violation detection with maximum parameter enforcement
Links to More Info: BT1099765
Component: Application Security Manager
Symptoms:
Request with JSON body with more than 600 parameters causes the event log to show incorrect violations.
Conditions:
-- 'Maximum params' configured to 600 in JSON profile
-- 'Maximum array length' configured to 'Any'
-- A request occurs that contains more than 600 parameters in the body in JSON format
Impact:
No violation for passing maximum parameters given in event log, although the maximum number of allowed parameters was exceeded.
Workaround:
None
Fix:
The violations VIOL_HTTP_PROTOCOL and VIOL_JSON_FORMAT are now recorded in the event log.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1099545-2 : Tmm may core when PEM virtual with a simple policy and iRule is being used
Links to More Info: BT1099545
Component: Local Traffic Manager
Symptoms:
Tmm cores with SIGSEGV.
Conditions:
-- PEM virtual with a simple policy and iRule attached.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1099341-4 : CVE-2018-25032: A flaw found in zlib, when compressing (not decompressing!) certain inputs
Links to More Info: K21548854
1099305-2 : Nlad core observed due to ERR_func_error_string can return NULL
Links to More Info: BT1099305
Component: Access Policy Manager
Symptoms:
The following symptoms are observed in /var/log/ltm:
err nlad[17535]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
Nlad core is observed
/var/log/kern.log:Apr 7 03:46:53 <vs name > info kernel: nlad[13119]: segfault at 0 ip <> sp <> error 4.
Conditions:
NLAD core is SIGSEGV - crashing while processing a SSL Certificate via a SAML login.
Impact:
Core results in disruption of APM sessions
Workaround:
None
Fix:
NA
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1099229-4 : SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present
Links to More Info: BT1099229
Component: Local Traffic Manager
Symptoms:
-- A connection to the virtual server hangs from the client device.
-- A memory leak occurs in tmm
Conditions:
-- Virtual server has an L7 policy configured.
-- Virtual server has iRules configured.
Impact:
-- Clients are unable to connect to the virtual server.
-- A memory leak occurs.
Workaround:
Remove the L7 policy or the iRules from the virtual server configuration.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9, 14.1.5.1
1099193-2 : Incorrect configuration for "Auto detect" parameter is shown after switching from other data types
Links to More Info: BT1099193
Component: Application Security Manager
Symptoms:
The Configuration shown in the GUI for the "Auto detect" Parameter value type is incorrect after certain steps are performed.
Conditions:
1. Create a default policy
2. Create new a Parameter with "User-input value" as a Parameter Value Type, and "File Upload" as the Data Type.
3. Save the settings above, and go back to the newly created Parameters settings.
4. Change its Parameter Value Type to "Auto detect".
Impact:
You either see unrelated fields, e.g. "Disallow File Upload of Executables" or missing tabs, like Value Meta Characters.
Workaround:
You can save a configuration with "User-input value" as a Parameter Value type, and "Alpha-Numeric" as Data Type, and then set "Auto detect" as Parameter Value Type.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1098837-1 : Configuration failure due to the DB validation exception happening in the ips_inspection_sig and ips_inspection_compl tables
Links to More Info: BT1098837
Component: Protocol Inspection
Symptoms:
During the upgrade/reboot, configuration error with reason DB validation exception occurs and unique constraint violation in the tables ips_inspection_sig and ips_inspection_compl.
Conditions:
During the upgrade/reboot of the device, there should not be a configuration error with a DB exception message.
Impact:
Some of the signatures and compliances will not load into the MCPD database tables ips_inspection_sig and ips_inspection_compl respectively.
Workaround:
Store the details of the signatures and compliances into the file and run the following command:
"tmsh load sys config merge filename"
Fix:
No DB exception on the tables ips_inspection_sig and ips_inspection_compl.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1098829-6 : Security vulnerabilities found in expat lib(used by iControlSoap) prior to version 2.4.8
1098609-4 : BD crash on specific scenario
Links to More Info: BT1098609
Component: Application Security Manager
Symptoms:
BD crashes while passing traffic.
Conditions:
Specific request criterias that happens while there is a configuration change.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1097821-2 : Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified
Links to More Info: BT1097821
Component: Access Policy Manager
Symptoms:
Creating an APM policy image file with source_path attribute fails.
Conditions:
APM provisioned
Impact:
You are unable to use the source_path attribute for creating APM customization image files.
Workaround:
Copy the image file to one of the directories of /var/config/rest/, /var/tmp/, /shared/tmp/ and use local_path instead of source_path.
E.g. create apm policy image-file test.jpg local-path /var/tmp/<file name>
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5
1097193-2 : Unable to SCP files using WinSCP or relative path name
Links to More Info: K000134769, BT1097193
Component: TMOS
Symptoms:
When attempting to retrieve a file with WinSCP, you receive an error dialog and the session will be terminated:
"SCP Protocol error: Invalid control record (r; elative addresses not allowed)
Copying files from remote side failed."
If attempting to transfer a file by relative path with a command line utility the transfer will fail with the message:
"relative addresses not allowed"
Conditions:
-- Running BIG-IP version with fix for ID 915981
-- Using WinSCP set to use SCP protocol to retrieve files from a BIG-IP system.
-- Using a relative remote path to transfer a file with command line scp utility.
Impact:
No longer able to use WinSCP to retrieve files such as packet captures, log archives, or other diagnostic data from the BIG-IP system.
Workaround:
Use a command line SCP tool that allows specifying an absolute path for the source and/or destination file (a path that starts with a forward slash /), when the source and/or destination locations are a BIG-IP device.
If the user ID is permitted to do so, you may use WinSCP in SFTP mode.
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.9
1096893-1 : TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection
Links to More Info: BT1096893
Component: Local Traffic Manager
Symptoms:
When route metrics are applied by the TCP filter to a connection initiated by a syncookie, TCP sets the effective MSS for packetization, thereafter the egress_mtu will be set as per the route metrics entry, if present. The packets falling between the effective MSS and the lowered egress_mtu end up being unexpectedly IP-fragmented.
Conditions:
SYN cookies enabled and activated. A route metrics PMTU entry for the destination address that is smaller than the VLAN's egress MTU.
Impact:
Application traffic can fail or see disruption due to unexpected IP fragmentation.
Workaround:
Disable syn cookies (Reference: https://support.f5.com/csp/article/K80970950).
Alternatively, you can apply a lower static MTU to the interface.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1096373-2 : Unexpected parameter handling in BIG3d
Links to More Info: K000132972, BT1096373
1095989-1 : PEM behaviour on receiving CCA with result code: 4012 and FUA on the Gy interface
Links to More Info: BT1095989
Component: Policy Enforcement Manager
Symptoms:
PEM received Radius Acct req, and sent Both Gx Gy Interface CCR. When receiving Gy CCA Multi-Services-Credit-Control.Result-code:4012 (Diameter_Credit_Limit_Reached),Final-Unit-Action (Redirect) and "Redirect-Server-address" is NOT installed on the PEM session.
Conditions:
Session quota information is passed from OCS to PCEF on the Gy interface.
Impact:
The action specified in FUI does not get applied to the session. Quota management will not work properly for the session.
Workaround:
None
Fix:
For the case where the PEM receives a CCA with a result code:
4012 and FUI, added changes to install FUA on the session.
Fixed Versions:
17.1.0, 16.1.4
1095217-1 : Peer unit incorrectly shows the pool status as unknown after merging the configuration
Links to More Info: BT1095217
Component: TMOS
Symptoms:
The peer unit incorrectly shows the state of pool members as "checking" after merging the configuration from the terminal.
Conditions:
This is encountered if 2 or more configurations are specified for an already configured pool on the peer device when using the "tmsh load sys config merge from-terminal" command.
For example:
Existing pool:
ltm pool http_pool {
members {
member1:http {
address 10.82.243.131
monitor http
}
}
}
tmsh load sys config merge from-terminal:
ltm pool http_pool {
members none
}
ltm pool http_pool {
members replace-all-with {
member1:http {
address 10.82.243.131
monitor http
}
}
}
Impact:
Pool members are marked with a state of "Checking".
Workaround:
Define all object properties at once (in a single configuration block) instead of multiple times (in multiple configuration blocks) when merging the configuration from the terminal.
Fix:
Specifying the configuration for an LTM pool object multiple times when issuing the "tmsh load sys config merge from-terminal" command no longer causes LTM pool members to remain marked with a state of "Checking".
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1095185-2 : Failed Configuration Load on Secondary Slot After Device Group Sync
Links to More Info: BT1095185
Component: Application Security Manager
Symptoms:
Configuration synchronization fails on secondary slots after the primary slot receives a full sync from a peer in a device group.
Conditions:
Bladed chassis devices are configured in an ASM enabled device group
Impact:
Incorrect enforcement on secondary slots.
Workaround:
None
Fix:
Synchronization to secondary slots is successful.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1095145-3 : Virtual server responding with ICMP unreachable after using /Common/service
Links to More Info: BT1095145
Component: SSL Orchestrator
Symptoms:
After adding /Common/service profile and removing it from the virtual server, the virtual server starts dropping traffic with ICMP unreachable.
This profile is normally only needed in SSLo deployments.
Conditions:
/Common/service was attached and removed from a virtual server.
Impact:
Traffic is dropped on a virtual server.
Workaround:
Restart TMM after making the configuration change.
Fixed Versions:
17.1.0, 16.1.4
1095041-2 : ASM truncates cookies that contain a space in the name and TS cookie as part of cookie list.
Links to More Info: BT1095041
Component: Application Security Manager
Symptoms:
HTTP requests are truncated at the cookie and raise a violation.
Conditions:
-- Cookie list contains TS cookie
-- A cookie contains a space in the name
-- TS cookie stripping is enabled (db asm.strip_asm_cookies is set as true)
Impact:
Backend server does not receive a complete cookie.
Workaround:
Sys db asm.strip_asm_cookies is set as false.
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1094177-4 : Analytics iApp installation fails
Links to More Info: BT1094177
Component: iApp Technology
Symptoms:
By default restjavad.disablerpmtasks value is true. This causes iApp RPM installation to be blocked.
Conditions:
Analytics iApp RPM installation
Impact:
The RPM installation fails with an error "403, Protocol Exception".
Workaround:
Change the restjavad.disablerpmtasks sys db variable to false, and then restart restjavad:
tmsh modify sys db restjavad.disablerpmtasks value false
To restart restjavad on a VIPRION or multi-bladed vCMP guest or multi-bladed F5OS tenant:
clsh tmsh restart sys service restjavad
To restart restjavad on an appliance or single-slot vCMP guest or F5OS tenant:
tmsh restart sys service restjavad
NOTE: This will require a cluster sync for any device groups configured for manual config sync. All updated systems will require a restart of restjavad for the change to take affect.
After restjavad restarts on all affected devices, you can perform the iApp installation.
Fix:
By default, the sys db variable restjavad.disablerpmtasks should be "false". When appliance mode is enabled, this DB key is forced to "true".
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1
1094069-1 : iqsyncer will get stuck in a failed state when requesting a commit_id that is not on the target GTM
Links to More Info: BT1094069
Component: Global Traffic Manager (DNS)
Symptoms:
Too many GTM sync requests are exchanged with the devices and and the config sync may fail sometimes.
Conditions:
DNS/GTM licensed devices are configured in a sync Group. The requested commit_id is not present anymore on the target GTM device.
Impact:
Sync operations are extremely slow (5-8 minutes for a pool to show up) which may fail sometimes. Excessive network traffic.
Workaround:
None
Fixed Versions:
16.1.5
1093973-7 : Tmm may core when BFD peers select a new active device.
Links to More Info: BT1093973
Component: TMOS
Symptoms:
Tmm cores.
Conditions:
-- BFD is in use
-- the active/owner BFD device changes
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
16.1.5
1093933-3 : CVE-2020-7774 nodejs-y18n prototype pollution vulnerability
Component: iApp Technology
Symptoms:
A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality. If an attacker is able to provide untrusted input via locale, they may be able to cause denial of service or in rare circumstances, impact to data integrity or confidentiality.
Conditions:
N/A
Impact:
Denial of service or in rare circumstances, impact to data integrity or confidentiality
Workaround:
N/A
Fix:
The library has been patched to address the vulnerability.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1093621-2 : Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP
Links to More Info: K10347453
1093357-4 : PEM intra-session mirroring can lead to a crash
Links to More Info: BT1093357
Component: Policy Enforcement Manager
Symptoms:
TMM crashes while passing PEM traffic
Conditions:
-- PEM mirroring enabled and passing traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1093253-8 : CVE-2021-3999 Glibc Vulnerability
Links to More Info: K24207649
1092965-2 : Disabled "Illegal Base64 value" violation is detect for staged base64 parameter with attack signature in value
Links to More Info: BT1092965
Component: Application Security Manager
Symptoms:
An "Illegal Base64 value" violation will be reported for a staged parameter even though Alarm/Blocking/Learning is disabled for this violation.
Conditions:
- A parameter has to be set to staging mode with base64 decoding.
- The Alarm/Blocking/Learning flags has to be disabled for the violation "Illegal Base64 value".
- The incoming request has to have the defined parameter in QS with an attack signature that is not base64 encoded in the parameter value.
Impact:
The violation "Illegal Base64 value" is reported.
Workaround:
None
Fix:
The violation "Illegal Base64 value" is not reported if Alarm/Blocking/Learning flags are disabled.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1091969-3 : iRule 'virtual' command does not work for connections over virtual-wire.
Links to More Info: BT1091969
Component: Local Traffic Manager
Symptoms:
iRule 'virtual' command does not work for connections over virtual-wire.
Conditions:
- Connection over a virtual-wire.
- Redirecting traffic to another virtual-server (for example, using an iRule 'virtual' command)
Impact:
Connection stalls on the first virtual-server and never completes.
Fixed Versions:
16.1.4, 15.1.9
1091761-1 : Mqtt_message memory leaks when iRules are used
Links to More Info: BT1091761
Component: Local Traffic Manager
Symptoms:
Mqtt_message memory leaks when iRules like insert_after, insert_before, and respond are used.
Conditions:
Basic mqtt virtual server with any of the below rules ->insert_after
>insert_before
>respond
Impact:
Memory leak occurs and TMM may crash
Workaround:
NA
Fix:
There is no longer a memory leak with iRules usage
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1091725-4 : Memory leak in IPsec
Links to More Info: BT1091725
Component: TMOS
Symptoms:
Slow memory growth of tmm over time.
This leak affects both the active and standby BIG-IPs.
Conditions:
IPsec is in use.
Security associations are being created or recreated.
Impact:
Over time, tmm may exhaust its memory causing a tmm crash.
Fix:
A leak in IPsec security association handling has been fixed.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1091565-1 : Gy CCR AVP:Requested-Service-Unit is misformatted/NULL
Links to More Info: BT1091565
Component: Policy Enforcement Manager
Symptoms:
Observed diameter protocol warning when Requested Service Unit(RSU) is empty for CCR-I and CCR-U requests.
Conditions:
If the 'Initial Quota' is EMPTY in policy under Policy Enforcement ›› Rating Groups, the BIG-IP system reports empty data in AVP: Requested-Service-Unit.
Impact:
In Wireshark, a protocol warning occurs.
Workaround:
None
Fix:
If the Initial PEM Quota values are EMPTY/0 We are updating the RSU values to Zero.
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.9
1091345-2 : The /root/.bash_history file is not carried forward by default during installations.
Links to More Info: BT1091345
Component: TMOS
Symptoms:
By default, the /root/.bash_history file is not included in the UCS archives. As such, this file is not rolled forward during a software installation.
Conditions:
Performing a BIG-IP software installation.
Impact:
This issue may hinder the efforts of F5 Support should the need to determine what was done prior to a software installation arise.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1091249-2 : BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address.
Links to More Info: BT1091249
Component: Global Traffic Manager (DNS)
Symptoms:
As BIG-IP DNS and Link Controller systems connect with one another (or with monitored BIG-IP systems) over iQuery, you may notice:
-- Log messages that specify IPv6 translation addresses non-existent in your configuration and often meaningless (as in not pertaining to some of the more common IPv6 address spaces). For example:
debug gtmd[24229]: 011ae01e:7: Creating new socket to connect to 2001::1 (a06d:3d70:fd7f:0:109c:7000::)
-- If you restart the gtmd daemon, the IPv6 translation address mentioned above between parenthesis changes to a new, random meaningless value.
-- The GTM portion of the configuration fails to synchronize.
Conditions:
IPv6 translation addresses are in use in relevant objects.
Impact:
The logs are misleading and the GTM portion of the configuration may fail to synchronize.
Workaround:
If possible, do not use IPv6 translation addresses.
Fix:
IPv6 translation addresses now function as designed.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1090649-3 : PEM errors when configuring IPv6 flow filter via GUI
Links to More Info: BT1090649
Component: Policy Enforcement Manager
Symptoms:
An error occurs while configuring an IPv6 flow filter using the GUI:
0107174e:3: The source address (::) and source netmask (0.0.0.0) addresses for pem flow info filter (filter0) must be be the same type (IPv4 or IPv6).
Conditions:
Configuring an IPv6 flow filter using the GUI
Impact:
You are unable to configure the IPv6 flow filter via the GUI
Workaround:
The error does not occur when using tmsh.
Fix:
Modified the IPv6 Validation. Able to create IPV6 flow filter after the fix
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1090569-1 : After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV
Links to More Info: BT1090569
Component: TMOS
Symptoms:
Some SSL handshakes are fail when using the CRL certificate validator and tmm crashes.
Conditions:
-- TLS virtual server
-- The virtual server passes network traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm crash related to the CRL certificate validator.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1090441-1 : IKEv2: Add algorithm info to SK_ logging
Links to More Info: BT1090441
Component: TMOS
Symptoms:
Shared key logs do not contain the authentication and encryption algorithm name
Conditions:
When sys-db "ipsec.debug.logsk" is enabled, the shared keys are logged for debugging purpose, but it does not contain the algorithm names.
Impact:
The encryption algorithm name is not included in the logs.
Workaround:
None
Fix:
Authentication and encryption algorithm name is added in shared key logs.
Fixed Versions:
17.1.0, 16.1.4
1089853-2 : "Virtual Server" or "Bot Defense Profile" links in Request Details are not working
Links to More Info: BT1089853
Component: Application Security Manager
Symptoms:
Nothing happens when you click the link for "Virtual Server" or "Bot Defense Profile" in request details on "Security ›› Event Logs : Bot Defense : Bot
Requests" page.
Conditions:
1. Go to Security ›› Event Logs : Bot Defense : Bot
Requests" page and click a Bot Request for details.
2. If "Virtual Server" or "Bot Defense Profile" has a hyperlink, the link does not work.
Impact:
You cannot reach the related pages of Virtual Server or Bot Profile details
Workaround:
Right-click one of the links above - and choose to open it in a new tab or new window.
Fix:
Links are working.
Fixed Versions:
17.1.0, 16.1.4
1089849 : NIST SP800-90B compliance
Links to More Info: BT1089849
Component: TMOS
Symptoms:
Common Criteria and FIPS 140-3 certifications require compliance with NIST SP800-90B; this completes that compliance.
Conditions:
This applies to systems requiring Common Criteria and/or FIPS 140-3 compliance.
Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be using a Common Criteria and/or FIPS 140-3 certified configuration.
Workaround:
None
Fix:
Apply this fix to ensure that the system is compliant with NIST SP800-90B.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3
1089829-3 : PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers
Links to More Info: BT1089829
Component: Policy Enforcement Manager
Symptoms:
SIGSEGV tmm cores with back trace in PEM area.
"pem_sessiondump --list" command will show session with custom attribute name as empty/NULL.
Conditions:
Setting pem session custom attribute value with length more than (1024- attribute name length).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
In the iRule, make sure the custom attribute value size + custom attribute name length is not more than 1024.
Fix:
Adding restriction, allowed custom attribute value size + custom attribute name length should be less than 1024.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1089345-1 : BD crash when mcp is down, usually on startups
Links to More Info: BT1089345
Component: Application Security Manager
Symptoms:
Bd crashes during system start-up when MCP is down for some reason, usually an mcpd crash.
bd.log contains the following log message:
Failed to connect to mcpd, sleep 5 secs and try to re-connect
Conditions:
Mcpd crashed or down.
Impact:
System fails to start, it may successfully start after the crash happened or maybe several such crashes will happen.
Workaround:
Restarting the BIG-IP system usually helps. Determine why mcpd does not work.
Fix:
Prevent a possible crash when bd exits due mcp not available.
Fixed Versions:
17.1.0, 16.1.4
1089233-4 : CVE-2022-0492 Linux kernel vulnerability
Links to More Info: K54724312
1089101-2 : Apply Access Policy notification in UI after auto discovery
Links to More Info: BT1089101
Component: Access Policy Manager
Symptoms:
"apply access policy notification" pops up in GUI
Conditions:
1. OAuth auto discovery is enabled for OAuth provider
2. The relevant access policy has macros in it.
Impact:
Traffic may fail until "apply access policy" is clicked manually
Workaround:
Access policy can be modified to not have macros in it.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1089005-4 : Dynamic routes might be missing in the kernel on secondary blades.
Links to More Info: BT1089005
Component: TMOS
Symptoms:
Dynamic routes might be missing in the kernel on secondary blades.
Conditions:
- Long VLAN names (16+ characters).
- MCPD was unable to load configuration from the binary database (software update/forceload was performed).
Impact:
Kernel routes are missing on secondary blades.
Workaround:
Restart tmrouted on the affected secondary blade. Note, that this will also briefly affect TMM dynamic routes.
<bigstart restart tmrouted>
Fix:
- A new db variable is introduced tmrouted.hareconnectfecretries, defaults to '0' - no change in behavior.
- Suggested value for telstra : sys db tmrouted.hareconnectfecretries = 5. Max wait time 5 x15 seconds before secondary tmrouted connects to primary, then connect anyway if for any reason we have not received any vlan info (for example, no vlans configured).
- The value might need to be further increased for veery large configurations where mcpd takes minutes to load the entire config.
- Proceed with connection to primary right away after vlan info was received.
Fixed Versions:
16.1.5
1088597-2 : TCP keepalive timer can be immediately re-scheduled in rare circumstances
Links to More Info: BT1088597
Component: Local Traffic Manager
Symptoms:
In rare circumstances, the TCP timer is rescheduled immediately due to the utilization of the interval encompassing also the idle_timeout.
Conditions:
Virtual Server with:
- TCP Profile
- SSL Profile with alert timeout configured
Another way this can occur is by manually deleting connections, which effectively only sets the idle timeout to 0.
Impact:
High CPU utilization potentially leading to reduced performance.
Workaround:
If the alert timeout is not re-enabled in the SSL Profile that should be sufficient.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1088445-7 : CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body
1088429-4 : Kernel slab memory leak
Links to More Info: BT1088429
Component: TMOS
Symptoms:
The Linux kernel unreclaimable slab leaks kmalloc-64 (64 byte) allocations due to an issue with ext4 filesystem code.
The kmalloc-64 leaks occur when specific operations are executed on ext4 filesystems, such as copy of file with extended attribute preservation.
Red Hat have documented the issue, refer to the links below.
Note: Red Hat account with appropriate access are required to view these pages.
Posix ACL object is leaked in setattr and fsetxattr syscalls
https://access.redhat.com/solutions/4967981.
This issue is tracked by Red Hat as bug 1543020
https://bugzilla.redhat.com/show_bug.cgi?id=1543020.
Conditions:
This usually happens a small amount, such as 100MB over a year on most systems.
On some systems memory use can grow much faster and the precise file manipulations that might do this are not known at this time.
Impact:
Kernel unreclaimable slab memory grows over time. This will be growth of what F5 term host memory, and will appear as increased other and/or swap memory on memory graphs.
Usually the amount leaked is quite small and has no impact.
If large enough this may leave system with too little host memory and trigger typical out of memory symptoms such as:
- sluggish management by TMUI (GUI) and CLI shell
- possible invocation of oom-killer by kernel leading to termination of a process
- if severe, the system may thrash and become unstable, leading to cores and possibly reboot.
The amount of slab usage can be tracked with the following commands executed from the advanced shell (bash).
# cat /proc/meminfo | grep ^SUnreclaim
SUnreclaim: 46364 kB
The precise use of slab memory by component can be viewed using:
/bin/slabtop --once
Note: This includes both reclaimable and unreclaimable slab use. High reclaimable slab is usually not a concern because as host memory gets filled it can be freed (reclaimed).
Look for the amount of memory in use by kmalloc-64. There will be some use even without the leak documented here. The amount can be compared with free or easily freeable host memory, a good estimate of which is given by the following command:
# cat /proc/meminfo | grep ^MemAvailable
MemAvailable: 970852 kB
Workaround:
None
Fix:
Linux kernel ext4 filesystem module memory leak fixed.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1088389-2 : Admin to define the AD Query/LDAP Query page-size globally
Links to More Info: BT1088389
Component: Access Policy Manager
Symptoms:
The page-size is a fixed value in LDAP and AD query.
Earlier the value was 1000 and later increased to 2048, after the increase in the value the session failed as the AD servers are configured with lesser value.
Require a configurable page-size.
Conditions:
As the latest page-size value is 2048 the AD Query/LDAP Query with the same may have problem with the AD server whose configured/supported value is 1000 which is lower than 2048.
Impact:
AD/LDAP may fail due to the page-size issue.
Workaround:
None
Fix:
A global setting for the page-size for AD/LDAP Query is available:
sys db apm.ldap.cache.pagesize {
value ""2048""
}"
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1088173-2 : With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile
Links to More Info: BT1088173
Component: Local Traffic Manager
Symptoms:
Log files indicate that the client certificate is retained when it should not be.
Conditions:
Enable TLS 1.3 and disable retain-certificate parameter in SSL profile
Impact:
Storage of client certificates will increase memory utilization.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.7
1088037-3 : VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers
Links to More Info: BT1088037
Component: TMOS
Symptoms:
The VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers.
Use `tmsh list/modify net vlan vlan-XYZ dag-adjustment` to view or change the settings.
The recommended and default setting is xor-5mid-xor-5low.
Conditions:
- only even port numbers are used (usually by a Linux client)
Impact:
- only even TMM threads are processing traffic
Workaround:
None
Fix:
VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers. Traffic should be distributed evenly between all TMM threads.
Behavior Change:
VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers. Traffic should be distributed evenly between all TMM threads.
Fixed Versions:
17.1.0, 16.1.4, 15.1.8
1087621-1 : IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload
Links to More Info: BT1087621
Component: TMOS
Symptoms:
The tunnel stops working after initially starting with no problem.
The BIG-IP will send a bad KE (Key Exchange) Payload when rekeying the IKE SA with ECP.
Conditions:
-- IKEv2
-- ECP PFS
-- Peer attempts to re-key IKE SA (CREATE_CHILD SA) over existing IKE SA.
Impact:
IPsec tunnels stop working for periods of time.
Workaround:
Do not use ECP for PFS.
Fix:
ECP will work correctly when rekeying.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1087469-2 : iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate.
Links to More Info: BT1087469
Component: Local Traffic Manager
Symptoms:
When an SSL client connects to BIG-IP system and sends an empty certificate, the CLIENTSSL_CLIENTCERT is not triggered for iRules.
Conditions:
- Virtual server configured on BIG-IP with a clientssl profile
- Client authentication on the virtual server is set to "request"
- iRule relying on CLIENTSSL_CLIENTCERT
- A client connects to BIG-IP using an empty certificate
Impact:
CLIENTSSL_CLIENTCERT irules aren't triggered.
Workaround:
None
Fix:
CLIENTSSL_CLIENTCERT irules are now triggered when receiving empty certificates.
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.6.1
1087217-2 : TMM crash as part of the fix made for ID912209
Links to More Info: BT1087217
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
BIG-IP versions 16.1.0 or later which includes the fix of ID912209.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1
1086897-1 : PEM subcriber lookup can fail for internet side/subscriber side new connections
Links to More Info: BT1086897
Component: Policy Enforcement Manager
Symptoms:
PEM subscriber lookup can fail for internet/subscriber side flow for new connections, as PEM uses the local address to look up the session, which is not the subscriber.
Conditions:
-- PEM enabled and configured
-- Subscriber session has multiple IP's
-- Each IP lands on a different TMM
Impact:
PEM subscriber lookup can fail on the internet side or subscriber side
Workaround:
None
Fix:
PEM subscriber lookup now always succeeds for internet side and subscriber side new connections,
Fixed Versions:
17.0.0, 16.1.2.2
1086677-4 : TMM Crashes in xvprintf() because of NULL Flow Key
Links to More Info: BT1086677
Component: Local Traffic Manager
Symptoms:
TMM crashes while passing traffic
Conditions:
This was observed during internal testing and occurred while making configuration changes while passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm crash.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
1086517-2 : TMM may not properly exit hardware SYN cookie mode
Links to More Info: BT1086517
Component: TMOS
Symptoms:
Due to a race condition, when one TMM exits SYN cookie mode, another may immediately re-enter hardware SYN cookie mode, keeping the virtual server in SYN cookie mode and the mitigation offloaded to hardware. The SYN cookie status of the virtual server is not properly updated and will show 'not-activated'.
Conditions:
Hardware SYN cookie protection is enabled and SYN cookie mode is triggered.
Impact:
A virtual server that once entered hardware SYN cookie mode may remain in that state indefinitely. The reduced MSS size may affect performance of that virtual server.
Workaround:
Disable hardware SYN cookie either locally via the TCP or FastL4 profile, or globally by the PvaSynCookies.Enabled BigDB variable. Software SYN cookie mode is unaffected.
Fix:
The race condition is eliminated, virtual servers properly exit hardware SYN cookie mode.
Fixed Versions:
17.1.0, 16.1.4, 15.1.6.1
1086393-1 : Sint Maarten and Curacao are missing in the GTM region list
Links to More Info: BT1086393
Component: TMOS
Symptoms:
Sint Maarten and Curacao are missing in the GTM region list.
Conditions:
- Create a GTM region record.
- Create a GTM region of Country Sint Maarten or Curacao.
Impact:
Cannot select Sint Maarten and Curacao from the GTM country list.
Workaround:
None
Fix:
Sint Maarten and Curacao are now present in the Countries List. The support for these countries is only provided for Region, ISP and Org Database.
Fixed Versions:
17.1.1, 16.1.5
1085837-2 : Virtual server may not exit from hardware SYN cookie mode
Links to More Info: BT1085837
Component: TMOS
Symptoms:
Once a virtual server enters hardware SYN cookie mode it may not exit until a TMM restart.
Conditions:
-- On B2250 and B4450 platforms.
-- A condition triggers SYN cookie mode and then goes back to normal.
Impact:
-- Virtual servers in hardware SYN cookie mode do not receive TCP SYN packets.
-- The limited number of possible TCP MSS values may have a light performance impact.
Workaround:
Disable hardware SYN cookie mode on the affected objects.
Fix:
Virtual servers properly exit hardware SYN cookie mode.
Fixed Versions:
17.1.0, 16.1.4, 15.1.6.1
1085805-2 : UCS restore with SSL Orchestrator deployed fails due to multiple iFiles and incorrect iFile reference.
Links to More Info: BT1085805
Component: TMOS
Symptoms:
The UCS restore process with SSL Orchestrator deployment fails due to multiple iFiles. This happens because the UCS restore process does not clean up the existing iFile belonging to SSL Orchestrator. On restore, the BIG-IP system contains two iFiles, one created as a part of the UCS and the other existing iFile belonging to SSL Orchestrator.
Additionally, the path in the rest storage referencing the iFile object does not get updated.
In the bigip.conf, the iFile version does not point to the iFile that is restored as part of the UCS restore process.
To check the reference in restDB use the following https://<<MGMT-IP>>/mgmt/tm/sys/file/ifile/~Common~ssloF_global.app~SSL OrchestratoriFile?options=-hidden.
A new bug was created (ID 1185001) for the iFile reference issue in bigip.conf file. The issue is caused by save/sys/config call triggered from SSL Orchestrator code base.
Conditions:
-- UCS contains SSL Orchestrator deployment
-- iFile version number in the UCS and on the BIG-IP before restoring the UCS is different.
-- Multiple iFile which belongs to SSL Orchestrator after restore. This can be verified by executing the below command on the box
ll /config/filestore/files_d/Common_d/ifile_d/ | grep SSL Orchestrator
Impact:
-- Error in the SSL Orchestrator UI.
-- You are unable to make changes through the SSL Orchestrator UI.
Workaround:
Mitigation depends on the user state.
State 1: when you know that a restore will cause multiple iFile creation, use the following.
Before restoring the UCS file, perform the following steps:
a) Delete the iFile object using the following command. Do not create any configuration using SSL Orchestrator UI after deleting the iFile.
tmsh delete sys application service ssloF_global.app/ssloF_global
b) Restore the UCS.
State 2: when you already tried the UCS restore and it is in an error state, use the following
a) On UCS restore when the system is in an error state, use the following command to verify multiple files:
ll /config/filestore/files_d/Common_d/ifile_d/ | grep SSL Orchestrator
b) Use the following commands, to delete the multiple iFiles:
tmsh delete sys application service ssloF_global.app/ssloF_global
rm -fr /config/filestore/files_d/Common_d/ifile_d/\:Common\:ssloF_global.app\:SSL OrchestratoriFile_*
c) Restore the UCS
Fixed Versions:
17.1.0, 16.1.4
1085661-1 : Standby system saves config and changes status after sync from peer
Links to More Info: BT1085661
Component: Application Security Manager
Symptoms:
After running config sync from an Active to a Standby device, the sync status is in SYNC for a short period time.
After a while, it automatically goes to Changes Pending status.
The same symptom was reported via ID698757 and fixed in earlier versions, but the same can happen via different scenario.
Conditions:
Create an ASM policy and let the system determining language encoding from traffic.
Impact:
The high availability (HA) configuration goes out of SYNC.
Workaround:
To prevent the issue from happening, you can manually configure language encoding
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1085597-1 : IKEv1 IPsec peer cannot be created in config utility (web UI)
Links to More Info: BT1085597
Component: TMOS
Symptoms:
It is not possible to configure an IKE peer using the web UI.
Conditions:
-- Configuring an IKEv1 peer
-- Using the configuration utility (web UI)
Impact:
Configuration cannot be created.
Workaround:
Use the tmsh shell to create the ike-peer config.
Fix:
IKEv1 peer config can be created using the config utility.
Fixed Versions:
17.1.0, 16.1.4
1085377-2 : BIND9 upgrade from version 9.11 to 9.16
Links to More Info: BT1085377
Component: Global Traffic Manager (DNS)
Symptoms:
BIND 9.11 reached End of Life (EoL) at the end of March 2022, and needs to be updated.
Conditions:
Usage of BIND 9.11 which has reached EoL.
Impact:
BIND 9.11 has reached EoL and does not receive security updates.
Workaround:
None
Fix:
Upgraded the BIND version from 9.11.36 to 9.16.33.
Fixed Versions:
17.1.0, 16.1.5
1084993 : [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching
Links to More Info: BT1084993
Component: Policy Enforcement Manager
Symptoms:
E2e id and h2h id in Re-Authorisation Answer from PEM to OCS is not matching with Re-Authorisation Request from OCS to PEM.
Conditions:
Diameter-endpoint configuration. PCEF(PEM) communicating over gy interface with OCS for quota information.
Impact:
OCS will not be able to determine for which RAR it got RAA. This is catastrophic for billing.
Workaround:
None
Fix:
There was conversion issue in PEM, fixed it.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1084965-3 : Low visibility of attack vector
Links to More Info: BT1084965
Component: Local Traffic Manager
Symptoms:
The DoS vector FIN 'Only Set' is not triggered and causes lack of visibility of the attack vector.
Conditions:
-- Using BIG-IP Virtual Edition
Impact:
There is reduced visibility of possible attacks on the BIG-IP.
Workaround:
Check 'drop_inv_pkt' with the tmctl table, "tmm/ndal_rx_stats".
Fixed Versions:
17.1.1, 16.1.5
1084857-2 : ASM::support_id iRule command does not display the 20th digit
Links to More Info: BT1084857
Component: Application Security Manager
Symptoms:
ASM::support_id iRule command does not display the 20th digit.
A support id seen in REST/TMUI that has 20 digits, e.g 13412620314886537617 is displayed as 1341262031488653761 with the iRule command ( the last digit '7' is stripped ).
Conditions:
ASM::support_id iRule command
Impact:
Inability to trace request events using the support id
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1084781-6 : Resource Admin permission modification
Component: TMOS
Symptoms:
A user with the Resource Admin role may have incorrect permissions.
Conditions:
A user with Resource Admin role.
Impact:
Undisclosed
Workaround:
None
Fix:
Resource Admin permissions are matched to expected behavior.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1084673-2 : GTM Monitor "require M from N" status change log message does not print pool name
Links to More Info: BT1084673
Component: Global Traffic Manager (DNS)
Symptoms:
The number of probes that are succeeding is changing in between different windows in which the "N" number of probes were sent.
Conditions:
- GTM/DNS is provisioned
- A "require M from N" monitor rule is assigned to a gtm pool or an individual gtm pool member.
Impact:
The log written to provide information on the changing number of successful probes does not contain information about the pool member.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1084257-2 : New HTTP RFC Compliance check in headers
Links to More Info: K11342432, BT1084257
Component: Application Security Manager
Symptoms:
ASM is not enforcing certain HTTP request header formatting.
Conditions:
HTTP request with certain header formatting.
Impact:
Invalid requests according to HTTP RFC might pass through ASM enforcement.
Workaround:
None
Fix:
"Unparsable request content" violation is reported when an HTTP request matching the condition is received.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.4, 15.1.7
1084173-1 : Unable to specify "no caching desired" for ephemeral DNS resolvers (i.e. RESOLV::lookup).
Links to More Info: BT1084173
Component: Global Traffic Manager (DNS)
Symptoms:
Each time the iRule command RESOLV::lookup is invoked with a different target IP address or internal virtual server, a unique resolver context is created.
However, for performance and memory preservation reasons, all ephemeral resolvers are backed by the same set of DNS caches.
This means that repeated identical queries to different ephemeral resolvers will always return the answer from the cache that was retrieved by the first ephemeral resolver (until the TTL of the record expires).
While this is fine in the traditional use of DNS, this may be problematic in certain specific use-cases. For example, this does not allow for per-user DNS servers to return different results for the same query. This technique could be used by an iRule to retrieve user-specific information to then spin up user-unique virtual environments.
Conditions:
Sending repeated queries for the same FQDN to different ephemeral resolvers (before the TTL expires) and expecting different results back.
Impact:
Inability to support specific use-cases in a BIG-IP iRule.
Fix:
Versions with the fix include a new DB key called dnscache.ephemeralsnocache, which defaults to "disable".
When set to "disable", the system behaves exactly as in previous releases.
When set to "enable", ephemeral resolvers spawned in an iRule by the RESOLV::lookup command no longer cache anything, thus allowing for use-cases similar to the example mentioned under Symptoms.
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1
1084157-3 : Possible captcha loop when using Single Page Application
Links to More Info: BT1084157
Component: Application Security Manager
Symptoms:
When using Captcha and a Single Page Application the browser might log Console errors and Captcha cannot be completed.
Conditions:
-- Single Page Application is enabled.
-- Either of these two objects are attached to the virtual server:
-- ASM with Captcha mitigation on brute force
-- Bot Defense profile with Captcha mitigation
-- Special backend server conditions occur
Impact:
Captcha cannot be solved.
Workaround:
None.
Fix:
Fix Captcha handling in single-page applications.
Fixed Versions:
16.1.5
1083989-1 : TMM may restart if abort arrives during MBLB iRule execution
Links to More Info: BT1083989
Component: Local Traffic Manager
Symptoms:
"Unallocated flow while polling for rule work. Skipping." is logged in /var/log/ltm.
*or*
"flow in use" assert fails causing TMM to restart.
Conditions:
- Virtual using MBLB proxy.
- iRule with LB_SELECTED, CLIENT_CLOSED, and SERVER_CLOSED events.
- client connection is aborted while LB_SELECTED is queued for execution.
Impact:
TMM may restart unexpectedly.
Workaround:
Remove LB_SELECTED event from the iRule, if feasible.
Fix:
The MBLB proxy now correctly handles being aborted when it has iRule events queued for execution.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1083977-1 : MCPD crashes when changing HTTPD configuration, all secondary blades of clustered system remain offline★
Links to More Info: BT1083977
Component: TMOS
Symptoms:
Making a configuration change to the HTTPD configuration causes MCPD to hang for five minutes, and then MCPD crashes and restarts.
On a multi-slot VIPRION, vCMP guest, or BIG-IP tenant, after upgrading to an affected version, all secondary blades may remain in an offline state.
Conditions:
Making a configuration change to the management HTTPD configuration.
Impact:
System goes offline and services restart.
On a VIPRION chassis, all secondary blades remain offline.
Workaround:
None
Fix:
The system remains stable when modifying the HTTPD configuration.
Fixed Versions:
17.0.0, 16.1.3
1083913-2 : Missing error check in ICAP handling
Links to More Info: BT1083913
Component: Application Security Manager
Symptoms:
Bd crashes.
Conditions:
Asm policy is configured for ICAP integration
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1083621-1 : The virtio driver uses an incorrect packet length
Links to More Info: BT1083621
Component: Local Traffic Manager
Symptoms:
In some cases, tmm might drop network packets.
In rare circumstances, this might trigger tmm to crash.
Conditions:
BIG-IP Virtual Edition using the virtio driver. You can see this in /var/log/tmm ("indir" is zero):
notice virtio[0:5.0]: cso: 1 tso: 0 lro: 1 mrg: 1 event: 0 indir: 0 mq: 0 s: 1
Impact:
Tmm might drop packets.
In rare circumstances, this might trigger tmm to crash. Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1083537 : FIPS 140-3 Certification
Links to More Info: BT1083537
Component: TMOS
Symptoms:
For FIPS 140-3 Certification
Conditions:
This applies to systems requiring FIPS 140-3 Certification.
Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be running a FIPS 140-3 certified configuration.
Workaround:
None
Fix:
Apply this fix to ensure that the system is compliant with FIPS 140-3 Certification.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.2.2
1083513-1 : BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd
Links to More Info: BT1083513
Component: Application Security Manager
Symptoms:
"Challenge Failure Reason" field in a request event log shows N/A.
Conditions:
The db key has not been changed manually on the system.
Impact:
"Challenge Failure Reason" field is disabled.
Workaround:
Disable the key and re-enable, then save.
tmsh modify sys db botdefense.disable_challenge_failure_reporting value disable
tmsh modify sys db botdefense.disable_challenge_failure_reporting value enable
tmsh save sys config
Fix:
BD now initialize the db key internally, not depending on mcpd, that ensures the default db key value is "enable".
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1082941-2 : System account hardening
Component: TMOS
Symptoms:
System accounts are used by various processes to access resources on the BIG-IP. In some cases, they did not follow security best practices.
Conditions:
N/A
Impact:
Security best practices are not followed.
Fix:
Security best practices are now followed.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1082885-1 : MR::message route virtual asserts when configuration changes during ongoing traffic
Links to More Info: BT1082885
Component: Service Provider
Symptoms:
MR::message route virtual causes TMM to crash / panic when the configuration changes during ongoing traffic. This is due to
an invalid validation of the TYPEIDs when mis-matched virtual servers / proxies are identified because of the configuration change.
Conditions:
A BIG-IP configuration change is made while passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Fix:
With the fix, proper validation of the Proxy TYPEIDs will make the server to gracefully close the connection when PROXIES TYPEIDs mismatch is detected and a relevant error log is printed in the ltm logs as well.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6, 14.1.5
1082581-2 : Apmd sees large memory growth due to CRLDP Cache handling
Links to More Info: BT1082581
Component: Access Policy Manager
Symptoms:
Apmd memory keeps growing slowly over time and finally oom killer kills apmd.
Conditions:
Access policy has the crldp auth agent configured.
Impact:
Apmd killed by oom-killer thereby impacting traffic
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9, 14.1.5.3
1082505 : TLS ciphersuites including RSA-KEX are non-approved ciphers for FIPS 140-3 certification
Links to More Info: BT1082505
Component: Local Traffic Manager
Symptoms:
TLS ciphersuites including RSA KEX are non-approved ciphers as per FIPS 140-3 certification standard
Conditions:
- BIG-IP versions 16.1.3 and above
- FIPS 140-3 license is installed on BIG-IP or its a FullBoxFIPS device.
- f5-fips cipher-group is associated with SSL profiles
- Connections are established using the RSA-KEX based ciphers
Impact:
SSL handshake will not be successful.
Workaround:
Create a custom cipher-group including all the required cipher strings and associate with the SSL profiles.
Fix:
For FIPS 140-3 certification, TLS ciphersuites including RSA-KEX are reported as non-approved ciphers in fips mode, also these cipher strings have been removed from the f5-fips cipher group.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3
1082461-2 : The enforcer cores during a call to 'ASM::raise' from an active iRule
Links to More Info: BT1082461
Component: Application Security Manager
Symptoms:
In the case of 'ASM::raise' call execution from an iRule that contains a list length greater than 100, the enforcer (bd) will core.
Conditions:
A call to 'ASM::raise' with a list length greater than 100 from an iRule.
Impact:
Traffic disrupted while bd restarts.
Workaround:
While constructing the iRule, make sure that the list passed into 'ASM::raise' contains fewer than 100 elements.
Fix:
Fixed an enforcer core.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1082225-4 : Tmm may core while Adding/modifying traffic-class attached to a virtual server.
Links to More Info: BT1082225
Component: Local Traffic Manager
Symptoms:
Tmm may core with 'tmm SIGSEGV' while performing addition/updating of traffic class attached to a virtual server.
Conditions:
-- Some Traffic classes have been removed from the virtual server.
-- A new traffic class is attached to the virtual server, or modification of the existing traffic class is triggered.
Impact:
Traffic disrupted while tmm restarts.
The traffic class might not be applied as expected.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1081649-2 : Remove the "F5 iApps and Resources" link from the iApps->Package Management
Links to More Info: BT1081649
Component: TMOS
Symptoms:
The "F5 iApps and Resources" is being removed.
Conditions:
NA
Impact:
iApp page shows "F5"
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1081641-4 : Remove Hyperlink to Legal Statement from Login Page
Links to More Info: BT1081641
Component: TMOS
Symptoms:
The hyperlink to the legal statement should be removed from the login page.
Conditions:
This appears on the login page of OEM-branded BIG-IP systems.
Impact:
The OEM GUI shows the F5 logo/info.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1081473-5 : GTM/DNS installations may observe the mcpd process crashing
Links to More Info: BT1081473
Component: Global Traffic Manager (DNS)
Symptoms:
1) The mcpd process may crash, potentially leading to failover/momentary traffic disruption while system components restart
2) Log entries refering to the 'iqsyncer' module similar to the following may be observed prior to the crash
notice mcpd[32268]: 01070751:5: start_transaction received without previous end_transaction - connection 0x62773308 (user %iqsyncer)
notice mcpd[6269]: 010714a0:5: Sync of device group /Common/gtm to commit id 17072 7051583675817774674 /Common/abcd.xyz 0 from device %iqsyncer complete.
notice mcpd[6269]: 01070418:5: connection 0x64c0c008 (user %iqsyncer) was closed with active requests
3) Log entries similar to the following may be observed indicating failure and restart in the mcpd component:
err icr_eventd[11664]: 01a10003:3: Receive MCP msg failed: Can't recv, status: 0x1020046
warning snmpd[8096]: 010e0004:4: MCPD query response exceeding 270 seconds.
err icr_eventd[11664]: 01a10003:3: Receive MCP msg failed: Can't recv, status: 0x1020046
notice sod[9497]: 01140041:5: Killing /usr/bin/mcpd pid 12325.
warning sod[9497]: 01140029:4: high availability (HA) daemon_heartbeat mcpd fails action is restart.
crit tmsh[31348]: 01420001:2: The connection to mcpd has been lost, try again. : framework/RemoteMcpConn.cpp, line 74
crit tmsh[31434]: 01420001:2: The connection to mcpd has been lost, try again. : framework/RemoteMcpConn.cpp, line 74
info sod[9497]: 010c0009:6: Lost connection to mcpd - reestablishing.
err mysqlhad[17260]: 014e0006:3: MCP Failure: 1.
Conditions:
DNS/GTM installation with syncgroup members actively exchanging configuration items.
The issue happens rarely unless a lot of configuration changes occur on one of the syncgroup members, which needs to be carried over.
Impact:
Traffic disrupted while mcpd restarts.
Workaround:
None
Fix:
iqsyncer module fixed to process large volume of traffic correctly now
Fixed Versions:
17.1.1, 16.1.5
1081285-1 : ASM::disable iRule command causes HTTP2 RST_STREAM response when MRF is enabled
Links to More Info: BT1081285
Component: Application Security Manager
Symptoms:
Requests are reset and an error is observed in /var/log/ltm
"ASM::enable is not supported in a child context"
Conditions:
-- HTTP2 client and server enabled on a virtual server
-- MRF profile (httprouter) attached to the virtual server
-- ASM policy and DoS profile attached to the virtual server
Impact:
Web application functionality fails
Workaround:
N/A
Fix:
Tmm code adapted to work with uflow at ASM::disable irule command handler
Fixed Versions:
16.1.5
1080613-1 : LU configurations revert to default and installations roll back to genesis files★
Links to More Info: BT1080613
Component: Application Security Manager
Symptoms:
The LiveUpdate configurations, such as 'Installation of Automatically Downloaded Updates', and the update installation history disappears and reverts to default, and the installations roll back to genesis files.
Conditions:
This occurs during the first tomcat restart, after upgrading to the versions that have the fix for ID907025.
Impact:
The LiveUpdate configuration and the installation history are reverted to the default.
Workaround:
Https://support.f5.com/csp/article/K53970412
Fix:
N/A
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1080581-1 : Virtual server creation is not allowed to have TCP, UDP and HTTP together with Client or Server SSL Profiles.★
Links to More Info: BT1080581
Component: Local Traffic Manager
Symptoms:
During the upgrade, the configuration load fails with an error:
err mcpd[6381]: 01070734:3: Configuration error: A virtual server (/Common/my_virtual) is not allowed to have TCP, UDP and HTTP together with Client or Server SSL Profiles.
Conditions:
-- Upgrading from an earlier version that contains a QUIC profile in a virtual server having tcp, UDP, and HTTP together
-- Upgrading to version 15.1.5 or 16.1.2.2
Impact:
BIG-IP will remain in inoperative state after upgrade
Fix:
QUIC protocol is allowed to use tcp and udp protocol in combination
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.5.1
1080569-2 : BIG-IP prematurely closes clientside HTTP1.1 connection when serverside is HTTP2 and HTTP MRF router is enabled on virtual server
Links to More Info: BT1080569
Component: Local Traffic Manager
Symptoms:
When clientside is using HTTP1.1, serverside is using HTTP2 and two HTTP GET requests are sent by the client, BIG-IP completes the first HTTP transaction and sends a FIN, even though HTTP keepalive should be enabled.
Conditions:
-- HTTP2 full proxy is configured i.e. http profile, http2 profile and MRF router is enabled. As per https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-http2-full-proxy-configuration-14-1-0/http2-full-proxy-configuring.html
-- clientside uses HTTP1.1.
-- serverside uses HTTP2.
-- Two subsequent GET requests are sent by the client.
Impact:
Premature TCP connection termination on the clientside.
Workaround:
Disable the MRF router (httprouter).
The drawback is that serverside will always use HTTP1.1 in this case and it might be undesirable if you want to leverage HTTP2.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1080341-4 : Changing an L2-forward virtual to any other virtual type might not update the configuration.
Links to More Info: BT1080341
Component: Local Traffic Manager
Symptoms:
Changing an L2-forward virtual-server to any other virtual-server type might not update the saved configuration.
Conditions:
Changing an L2-forward virtual-server to any other virtual-server type.
Impact:
Traffic still behaves as if L2-forward virtual-server is configured.
Workaround:
Remove and re-create the affected virtual-server.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1080317-3 : Hostname is getting truncated on some logs that are sourced from TMM
Links to More Info: BT1080317
Component: TMOS
Symptoms:
Hostnames in the APM, IPSEC, SAAS, FW_LOG logs that are sourced from TMM are truncated.
Conditions:
The truncation occurs when the hostname contains a period (for example "my.hostname").
Impact:
Some logs contain truncated hostnames and some contain full hostnames. The inconsistent hostnames degrade the readability and therefore the usefulness of the logs.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1080297-1 : ZebOS does not show 'log syslog' in the running configuration, or store it in the startup configuration
Links to More Info: BT1080297
Component: TMOS
Symptoms:
ZebOS does not show the 'log syslog' or 'no log syslog' in the running configuration, nor is it saved to the startup configuration.
There is no way to verify if the 'log syslog' is configured or not by checking the configuration.
Conditions:
-- Under Configure log syslog.
-- Check the show running-config.
Impact:
There is no way to verify if the 'log syslog' is configured or not by checking the configuration.
Workaround:
If logging to syslog is not desired, it must be re-disabled every time the ZebOS daemons are started, using 'no log syslog'.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1079909-1 : The bd generates a core file
Links to More Info: K82724554, BT1079909
Component: Application Security Manager
Symptoms:
The bd generates a core file and restarts.
Conditions:
- ASM running on BIG-IP version 15.1.5.1 or 15.1.6. Other versions are not affected.
- Content profile is configured to check attack signatures.
Impact:
Traffic is disrupted while bd restarts.
Workaround:
Set the internal parameter disable_second_extra_normalization to 1 and restart ASM by executing:
/usr/share/ts/bin/add_del_internal add disable_second_extra_normalization 1
bigstart restart asm
Note: This relaxes matching of attack signatures for some cases.
Fix:
Fixed a bd crash. As mentioned in Conditions field, there are only two official software versions, version 15.1.5.1 and version 15.1.6, that are affected by this bug. This bug was fixed on other major release branches (17.0.x, 16.1.x, 14.1.x, and 13.1.x) before publishing any affected versions to the field, thus this bug appears as fixed with those major releases, but there are actually no affected official versions.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5
1079817-1 : Java null pointer exception when saving UCS with iAppsLX installed★
Links to More Info: BT1079817
Component: TMOS
Symptoms:
When saving a UCS the resulting archive does not contain iAppLX packages. This is because the POST to /shared/iapp/build-package gets a 400 error from restjavad.
The restjavad log files will show a null pointer exception when this occurs.
Conditions:
Saving UCS file when iAppLX packages are installed.
Impact:
When saving a UCS the resulting archive does not contain iAppLX packages.
Workaround:
None
Fix:
The RPM build completes successfully.
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1
1079769-1 : Tmm utilizing the virtio driver might crash after modifying several IPv6 virtual servers
Links to More Info: BT1079769
Component: Local Traffic Manager
Symptoms:
Tmm crash
There might be entries similar to the following in the tmm log:
notice virtio[0:7.0]: MAC filter[27]: 33:33:ff:00:10:01 - deleted
notice virtio[0:7.0]: MAC filter[27]: 33:33:ff:00:10:01 - added
Conditions:
-- The tmm is utilizing the virtio driver for network communications.
-- Many changes, of the order of at least 1900, are made to IPv6 listeners.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
A work-around would be to utilize the sock driver. However, that will not perform as well.
Fix:
A defect was fixed in the virtio driver that might trigger a tmm crash.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1079721 : OWASP 2017 A2 Category - Login enforcement link is broken
Links to More Info: BT1079721
Component: Application Security Manager
Symptoms:
Under A2 category, Broken Authentication: ‘Login Enforcement: Not fulfilled’ - if you click on the Not fulfilled link you end up with a broken link
Conditions:
1. Go to OWASP page (Security ›› Overview : OWASP Compliance)
2. Collapse Broken Authentication field
3. Click on Login Enforcement protection state link (Fulfilled or Not Fulfilled).
Impact:
Link is broken, and need to go manually to login enforcement tab in Policy Configuration page
Workaround:
Go to the related policy configuration page, click on Session and Logins tab. You will see there the Login Pages section.
Fixed Versions:
16.1.3.1
1079637-1 : Incorrect Neuron rule order
Links to More Info: BT1079637
Component: Advanced Firewall Manager
Symptoms:
The order of Neuron rules created for the virtual servers may be incorrect.
Conditions:
- Platforms with Neuron support (BIG-IP iSeries and Viprion B4450 blade) configured with a Turboflex profile other than turboflex-base.
Impact:
There are several features that rely on the Neuron rules.
In case of hardware SYN Cookie a TCP virtual server may not receive the TCP SYN packets even if the virtual server is not in SYN Cookie mode.
Some sPVA feature may behave unexpectedly.
Fix:
The order of the Neuron rules is now correct.
Fixed Versions:
17.0.0, 16.1.3, 15.1.5.1
1079441-2 : APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries
Links to More Info: BT1079441
Component: Access Policy Manager
Symptoms:
APMD memory can grow over a period of time
Conditions:
-- A BIG-IP system with the patched cyrus-sasl/krb5 libraries
Impact:
APMD memory can grow over a period of time
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1078829-1 : Login as current user fails in VMware
Links to More Info: BT1078829
Component: Access Policy Manager
Symptoms:
In VMware if user selects login as current user option, Http 500 error is being displayed.
Conditions:
1. Create vmware login as current user with kerberous AD keytab
2. Select VMware login as current user option on native client
3. Http 500 error is displayed.
Impact:
Login as current user fails in VMware
Workaround:
None
Fix:
VMware Login as current user should not provide any error.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
1078821-1 : Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit
Links to More Info: BT1078821
Component: TMOS
Symptoms:
TMUI (the GUI) needs to be upgraded with OpenJDK 1.8 to support TLS 1.2 AES GCM ciphers for OAuth Provider Discovery
Conditions:
BIG-IP systems using the GUI
Impact:
Deployments which use Microsoft Azure AD as OAuth IDP, will start facing issues with OAuth Provider discovery after 31st Jan 2022. Microsoft is deprecating TLS1.0/1.1 and supporting TLS1.2 AES GCM ciphers only.
Fix:
Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit
Note: This results in an increase in the size of /usr. Although not an issue on its own, cumulative increases in /var, /usr, and /root might result in installation failures on iSeries devices when multiple slots contain software versions 16.1.x or later. Depending on the combination of versions, you might not be able to install/upgrade three TMOS software volumes on your iSeries device (see K41812306: The appdata volume on BIG-IP iSeries platforms is now larger :: https://support.f5.com/csp/article/K41812306 ).
Behavior Change:
Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit
Note: This results in an increase in the size of /usr. Although not an issue on its own, cumulative increases in /var, /usr, and /root might result in installation failures on iSeries devices when multiple slots contain software versions 16.1.x or later. Depending on the combination of versions, you might not be able to install/upgrade three TMOS software volumes on your iSeries device (see K41812306: The appdata volume on BIG-IP iSeries platforms is now larger :: https://support.f5.com/csp/article/K41812306 ).
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5
1078765-1 : Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer.
Links to More Info: BT1078765
Component: Application Security Manager
Symptoms:
A BD core may occur due to enforcement of 200004390 200004389 signatures with the combination of Arcsight remote logger enabled.
Conditions:
The request must contain 200004390 200004389 signatures with the combination of Arcsight remote logger attached to the virtual server.
Impact:
The enforcer may crash.
Workaround:
Disable 200004390 200004389 signatures.
Fix:
200004390 200004389 are now signatures enforced successfully.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1078741-2 : Tmm crash
Links to More Info: BT1078741
Component: Local Traffic Manager
Symptoms:
Tmm crashes while processing an iRule while handling traffic.
Conditions:
-- HTTP virtual server
-- HTTP profile with explicit proxy having default-connect-handling allowed
-- iRule with SERVER_CONNECTED event
Impact:
Traffic disrupted while tmm restarts.
Fix:
Null check to avoid null dereference.
Fixed Versions:
17.0.0, 16.1.5
1078669-2 : iRule command “RESOLVER::name_lookup” returns null for TCP resolver with TC (truncated) flag set.
Links to More Info: BT1078669
Component: Global Traffic Manager (DNS)
Symptoms:
“RESOLVER::name_lookup” returns null for TCP resolver with TC set.
Conditions:
Backend server returns very large DNS response.
Impact:
iRule command does not give any response but with TC set.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
1078625 : TMM crashes during DoS processing
Links to More Info: BT1078625
Component: Advanced Firewall Manager
Symptoms:
TMM crashes and restarts multiple times
Conditions:
-- Network Access profile attached to a virtual server
-- Bot defense profile attached to a virtual server
-- Passing network traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm crash related to DoSL7 processing
Fixed Versions:
17.1.1, 16.1.4
1078065-2 : The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA.
Links to More Info: BT1078065
Component: Application Security Manager
Symptoms:
The login page shows a blocking page instead of CAPTCHA or shows the blocking page after resolving a CAPTCHA.
Make five (configured in brute force configuration) failed login attempts and you will receive a blocking page.
Blocking Reason: Resource not qualified for injection.
In one instance, bd crashed.
Conditions:
HTML response message has an html page with a length greater than 32000 bytes.
For crashes: the problem arises when the system incorrectly handles the character encoding of HTML documents, leading to a failure during encoding transitions.
Impact:
Users are blocked after failed login attempts.
bd crash that cause BIG-IP failover in HA setup or temporarily offline in standalone setup.
Workaround:
Run tmsh modify sys db asm.cs_qualified_urls value <url value>.
For 'bd' crashes: No direct application-level changes are required. A fix needs to be implemented to address the system’s encoding handling.
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1077701-1 : GTM "require M from N" monitor rules do not report when the number of "up" responses change
Links to More Info: BT1077701
Component: Global Traffic Manager (DNS)
Symptoms:
The number of probes that are succeeding is changing in between different windows in which the "N" number of probes were sent.
Conditions:
- GTM/DNS is provisioned.
- A "require M from N" monitor rule is assigned to a gtm resource.
Impact:
The change in the number of successful monitor probes isn't available which is useful for troubleshooting.
Workaround:
None
Fix:
A logline is written to show the change in the number of successful probes.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1077553-3 : Traffic matches the wrong virtual server after modifying the port matching configuration
Links to More Info: BT1077553
Component: Local Traffic Manager
Symptoms:
Traffic matches the wrong virtual server.
Conditions:
A virtual server configured to match any port is modified to matching a specific port. Alternatively, a virtual server matching a specific port is modified to match any port.
Impact:
Traffic may be directed to the wrong backend server.
Workaround:
Restart the TMM after the config change.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1077533-1 : Status is showing INOPERATIVE after an upgrade and reboot★
Links to More Info: BT1077533
Component: TMOS
Symptoms:
Very occasionally, after mprov runs after a reboot the BIG-IP may fail to start with logs similar to the following:
bigip1 info mprov:7459:[7459]: 'admd failed to stop.'
bigip1 err mprov:7459:[7459]: 'admd failed to stop, provisioning may fail.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
...
bigip1 err mcpd[5584]: 01071392:3: Background command '/usr/bin/mprov.pl --quiet --commit asm avr host tmos ui ' failed. The command was signaled.
Conditions:
Occurs rarely after a reboot.
Impact:
The BIG-IP is unable to finish booting.
Workaround:
Reboot the BIG-IP again.
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1077405-2 : Ephemeral pool members may not be created with autopopulate enabled.
Links to More Info: BT1077405
Component: TMOS
Symptoms:
Ephemeral pool members might not be added to a pool with an FQDN pool member "autopopulate enabled".
When this issue occurs:
-- Some or all of the expected Ephemeral Pool Members will not be created for the affected pool.
-- A message will be logged in the LTM log similar to the following:
err mcpd[####]: 01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (/Common/_auto_<IP address>) has autopopulate set to disabled.
(Note that the node name here is an Ephemeral Node.)
Also note that if you attempt to create an FQDN Pool Member with autopopulate enabled while the corresponding FQDN Node has autopopulate disabled, you will see a similar error message:
01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (/Common/fred) has autopopulate set to disabled.
Conditions:
This issue can occur under the following conditions:
-- Two or more FQDN Nodes have FQDN names that resolve to the same IP address(es).
-- That is, some Ephemeral Nodes have addresses resolved by more than one FQDN name defined in FQDN Nodes.
-- At least one of these FQDN Nodes has "autopopulate enabled."
-- At least one of these FQDN Nodes does not have "autopopulate enabled."
-- That is, autopopulate is disabled for one or more of these FQDN Nodes.
-- The FQDN Pool Member(s) in the affected pool(s) has "autopopulate enabled."
Impact:
The affected LTM pool(s) are not populated with expected (or any) ephemeral pool members.
Workaround:
To allow some LTM pools to use FQDN pool members with autopopulate enabled (allowing multiple ephemeral pool members to be created) while other LTM pools use FQDN pool members with autopopulate (allowing only one ephemeral pool member to be created), configure the following:
-- Create all FQDN Nodes with FQDN names that might resolve to a common/overlapping set of IP addresses with "autopopulate enabled".
-- Create FQDN Pool Members with autopopulate enabled or disabled depending on the desired membership for each pool.
Fix:
Ephemeral pool members can now be successfully added to LTM pools regardless of the autopopulate configuration of the respective FQDN pool member.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1077281-2 : Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages
Links to More Info: BT1077281
Component: Application Security Manager
Symptoms:
When a policy contains an individual login page in session tracking, the exported xml policy fails to be imported back due to error “Malformed XML: Could not resolve foreign key dependence”.
Conditions:
The policy contains an individual login page in session tracking and the policy is exported in xml format
Impact:
Import the policy fails with an error: "Could not resolve foreign key dependence”.
Workaround:
This occurs when using XML format only, so you can use binary export/import
Fix:
XML export/import now will work also if policy contains an individual login page in session tracking
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.6.1
1076921-1 : The Hostname in BootMarker logs and /var/log/ltm logs that sourced from TMM were getting truncated.
Links to More Info: BT1076921
Component: TMOS
Symptoms:
1. Host names were truncated in BootMarker logs across all log files.
2. Host names were truncated in LTM logs sourced from TMM.
Conditions:
-- Hostname contains a period.
-- Check Hostname in BootMarker logs and /var/log/ltm in which the logs sourced from TMM get truncated.
Impact:
The hostname does not appear consistently in affected logs. Some logs contain truncated hostnames, while others contain full hostnames.
Workaround:
None
Fix:
Log files now consistently contain full hostnames.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1076909-4 : Syslog-ng truncates the hostname at the first period.
Links to More Info: BT1076909
Component: TMOS
Symptoms:
Messages that are logged to journald use the configured hostname, while sylog-ng uses the hostname (machine name) and truncates it starting at the first '.' (period). This results in hostnames being inconsistent when it contains '.'; e.g., 'my.hostname' is logged as 'my' by syslog-ng, and 'my.hostname' by journald. This can make it difficult for log analysis tools to work with the log files.
Conditions:
-- Hostname contains a period.
-- Viewing log files emitted from journald and from syslog-ng.
Impact:
The full hostname is logged for system logs while logs that go directly to syslog-ng use a truncated hostname.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1076897-4 : OSPF default-information originate command options not working properly
Links to More Info: BT1076897
Component: TMOS
Symptoms:
OSPF default-information originate command options are not working properly.
Conditions:
Using OSPF default-information originate with metric/metric-type options.
Impact:
Incorrect route advertisement.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1076825-1 : "Live Update" configuration and list of update files reverts to default after upgrade to v16.1.x and v17.1.x from earlier releases.★
Links to More Info: BT1076825
Component: Application Security Manager
Symptoms:
Upgrade to v16.1.x and v17.1.x from earlier releases reverts "Live Update" configuration to default.
Conditions:
Upgrading to v16.1.x and v17.1.x from earlier releases.
Impact:
"Live Update" configuration and list of update files reverts to default. List of update files will include only "Genesis" file. Installed signatures will be signatures from latest "Attack Signatures" ASU files installed before upgrade.
Workaround:
Any configuration that set to default after upgrade should be configured manually.
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4
1076785-2 : Virtual server may not properly exit from hardware SYN Cookie mode
Links to More Info: BT1076785
Component: TMOS
Symptoms:
Virtual servers do not exit hardware SYN Cookie mode even after the SYN flood attack stops. The TMSH 'show ltm virtual' output shows 'full hardware' mode.
Conditions:
Selected HSB platforms where TMM is attached to multiple HSB modules. This depends on platform, BIG-IP version and selected Turboflex profile where applicable.
Impact:
The affected virtual server would not receive the TCP SYN packets until a TMM restart. The limited range of MSS values in SYN Cookie mode may slightly affect performance.
Workaround:
Disable hardware SYN Cookie mode on all virtual servers.
Fix:
Virtual server is now fully exits hardware SYN Cookie mode once a SYN flood attack stops.
Fixed Versions:
17.1.0, 16.1.4, 15.1.5.1
1076577-3 : iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg'
Links to More Info: BT1076577
Component: Local Traffic Manager
Symptoms:
The 'connect' iRule command fails to resume, causing processing of traffic to halt due to 'irule_scope_msg', which causes iRule processing to proceed in a way that 'connect' does not expect.
Conditions:
- iRule using 'connect' command
- Diameter/Generic-message 'irule_scope_msg' enabled
Impact:
Traffic processing halts (no crash)
Fixed Versions:
17.1.0, 16.1.4, 15.1.7
1076573-3 : MQTT profile addition is different in GUI and TMSH
Links to More Info: BT1076573
Component: Local Traffic Manager
Symptoms:
MQTT profile selection is not supported through GUI when HTTP is enabled. In tmsh, the MQTT profile can be added in the same virtual server and contradicting the GUI configuration.
Conditions:
Simple virtual server with HTTP profile.
Impact:
Contradictory configuration validation between the GUI and tmsh.
Workaround:
None
Fix:
Validation to make sure the GUI and tmsh behave the same way for MQTT and HTTP profile in same virtual server.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1076401-5 : Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec.
Links to More Info: BT1076401
Component: Global Traffic Manager (DNS)
Symptoms:
Memory leak leading to TMM running out of free memory.
Conditions:
-- Dnssec.maxnsec3persec set to non-default value (default 0 - unlimited).
-- Number of DNS requests leading to NSEC3 responses goes above the limit of dnssec.maxnsec3persec.
Impact:
TMM runs out of memory.
Workaround:
Set dnssec.maxnsec3persec to 0.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1076377-3 : OSPF path calculation for IA and E routes is incorrect.
Links to More Info: BT1076377
Component: TMOS
Symptoms:
--OSPF path calculation for IA and E routes is incorrect.
--E2 route might be preferred over E1 route.
--Cost calculation for IA routes is incorrect.
Conditions:
Mixing E2/E1 routes and IA routes with different cost.
Impact:
Wrong route is installed.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.9
1076253-1 : IKE library memory leak
Links to More Info: BT1076253
Component: TMOS
Symptoms:
After the tunnel is established, continuous increase in memory observed in "IKE LIB" (memory_usage_stat).
Conditions:
-- IPSEC tunnels are established.
-- DPD delay is 30 seconds.
Impact:
Continuous memory increase on the BIG-IP system.
Workaround:
None
Fix:
Fixed the IKE library memory leak.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1075849-5 : APM client hardening
Component: Access Policy Manager
Symptoms:
In certain scenarios, APM clients may not follow best security practices.
Conditions:
N/A
Impact:
N/A
Fix:
Note, the APM server will need to include a fix for 1103481 for hardening to take effect.
Fixed Versions:
17.1.0, 16.1.4, 15.1.8.2
1075713-2 : Multiple libtasn1 vulnuerabilities
Component: TMOS
Symptoms:
CVE-2017-10790 - The _asn1_check_identifier function in GNU Libtasn1 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure.
CVE-2018-6003 - It was found that indefinite string encoding is decoded via recursion in _asn1_decode_simple_ber()
CVE-2017-6891 - Two errors in the "asn1_find_node()" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stacked-based buffer overflow by tricking a user into processing a specially crafted assignments file via the e.g. asn1Coding utility.
Conditions:
This occurs when using the libtasn1 package version before the v4.16
Impact:
CVE-2017-10790 - It may lead to a denial of service attack.
CVE-2018-6003 - It can lead to stack exhaustion when processing specially crafted strings.
CVE-2017-6891 - It may lead to a stacked-based buffer overflow.
Workaround:
None.
Fix:
Applied the upstream patches of the CVEs CVE-2017-6891, CVE-2018-6003, and CVE-2017-10790 in the BIG-IP.
Fixed Versions:
17.1.1, 16.1.4
1075681-1 : CVE-2020-17541 - Libjpeg-turbo all version have a stack-based buffer overflow in the "transform" component
Component: TMOS
Symptoms:
Libjpeg-turbo all versions contain a stack-based buffer overflow in the "transform" component. A remote attacker can exploit this vulnerability by sending a malformed jpeg file to the service, leading to arbitrary code execution or denial of service of the target service.
Conditions:
NA
Impact:
It can either lead to DOS or arbitrary code execution which will compromise the system integrity.
Workaround:
NA
Fix:
Stack-based buffer overflow in the "transform" component has been resolved.
Fixed Versions:
16.1.5
1075677-2 : Multiple GnuTLS Mend findings
Component: TMOS
Symptoms:
WS-2017-3774 - GnuTLS in versions 3_2_7 to 3_5_19 is vulnerable to heap-use-after-free in gnutls_pkcs12_simple_parse.
WS-2020-0372 - GnuTLS before 3.6.13 is vulnerable to use-of-uninitialized-value in print_crl.
Conditions:
WS-2017-3774 - when using the GnuTLS in versions 3_2_7 to 3_5_19.
WS-2020-0372 - when using the GnuTLS before 3.6.13 versions.
Impact:
WS-2017-3774 - It can lead to Heap-based buffer overflow.
WS-2020-0372 - It can lead to use of uninitialized variable
Workaround:
None.
Fix:
Upstream patches have been applied to resolve Mend findings WS-2017-3774, and WS-2020-0372.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1075205-1 : Using TCP::close after HTTP::redirect/HTTP::respond causes HTTP response not to be delivered to the client.
Links to More Info: BT1075205
Component: Local Traffic Manager
Symptoms:
Using TCP::close after HTTP::redirect/HTTP::respond causes HTTP response not to be delivered to the client.
Conditions:
iRule similar to:
ltm rule REDIRECT {
when HTTP_REQUEST {
HTTP::redirect "https://[HTTP::host][HTTP::uri]"
TCP::close
}
Impact:
Redirect/response not delivered to the client.
Workaround:
Remove TCP::close from an iRule.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2
1075073-2 : TMM Crash observed with Websocket and MQTT profile enabled
Links to More Info: BT1075073
Component: Local Traffic Manager
Symptoms:
A tmm crash occurs while passing Websockets traffic
Conditions:
Virtual server with http, Websockets, MQTT profiles
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Delete the MQTT profile.
Fix:
MQTT validation to ignore non-MQTT messages.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1075001-2 : Types 64-65 in IPS Compliance 'Unknown Resource Record Type'
Links to More Info: BT1075001
Component: Protocol Inspection
Symptoms:
Protocol Inspection compliance type 'Unknown Resource Record Type' (ID 10002) lists ranges of type ID numbers (62-98, 110-248, 259-32767, 32770-65535) that are considered 'unknown'. The hard-coded ranges include 64 (SVCB) and 65 (HTTPS), which is not accurate for some types of configurations. The inability to specify the ranges in 'Unknown Record Type' may impact some traffic because there are increasing numbers of DNS queries with Type ID of 64 - SVCB and 65 - HTTPS - (still in draft) observed with the introduction of iOS 14 and macOS 11.
Conditions:
When DNS profile in IPS 'Unknown Resource Record Type' is configured as Rejected.
Impact:
DNS request records with 64 and 65 are blocked. The severity of this impact depends on your traffic.
Workaround:
Although there is no workaround, you can install an updated Protocol Inspection IM package (pi_updates_15.1.0-20220215.0652.im or later) from the F5 Downloads site under the ProtocolInspection-LatestUpdate entry on the version-specific downloads page.
Fix:
AFM administrators can now specify a range of type codes for IPS Compliance 'Unknown Resource Record Type' from the GUI or using tmsh commands:
GUI:
1. Go to Security :: Protocol Security: Inspection Profiles.
2. Create a new profile and add the DNS service.
3. In the DNS compliance edit option, search for 10002 id compliance and open it.
4. Add the known_resource_records in the list.
5. Commit the changes.
TMSH:
1. Add the known_resource_records:
root@(test-127)(cfg-sync Standalone)(Active)(/Common)(tmos)# create security protocol-inspection profile dns_rr { services add { dns { compliance add { dns_unknown_resource_record_type { value { known_resource_records { 64 65 }}}}}}}
2. Modify known_resource_records:
root@(test-127)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify security protocol-inspection profile dns_rr { services modify { dns { compliance modify { dns_unknown_resource_record_type { value { known_resource_records { 64 65 66 }}}}}}}
3. View the result:
root@(test-127)(cfg-sync Standalone)(Active)(/Common)(tmos)# list security protocol-inspection profile dns_rr services
security protocol-inspection profile dns_rr {
services {
dns {
compliance {
dns_unknown_resource_record_type {
action accept
log yes
value "known_resource_records {64 65 66}"
}
}
config none
ports {
domain { }
}
signature none
status enabled
}
}
}
Fixed Versions:
16.1.5
1074517-1 : Tmm may core while adding/modifying traffic-class attached to a virtual server
Links to More Info: BT1074517
Component: Local Traffic Manager
Symptoms:
Tmm may core while adding/modifying traffic-class attached to a virtual server
Conditions:
-- Traffic class is attached to a virtual server.
-- Add an existing traffic class to a virtual server.
-- Afterwards, a new traffic class is attached to the virtual server, or modification of the existing traffic class is triggered.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1074505-1 : Traffic classes are not attached to virtual server at TMM start
Links to More Info: BT1074505
Component: Local Traffic Manager
Symptoms:
When tmm starts, an error message is logged in the TMM log:
"MCP message handling failed in 0xXXXX (XXXXXXXX)"
Conditions:
Virtual server with traffic class attached is being used.
Impact:
A traffic class is not being attached to the virtual server so traffic matching the traffic classes does not work.
Fix:
Traffic matching the traffic classes does match.
Fixed Versions:
17.0.0, 16.1.4, 15.1.6.1, 14.1.5.1
1074113-1 : IPsec IKEv2: Selectors incorrectly marked up after disable ike-peer
Links to More Info: BT1074113
Component: TMOS
Symptoms:
When disabling an ike-peer, sometimes the traffic-selector is not marked "down" in one or both directions.
Conditions:
All the following must be true
-- IKEv2 IPsec tunnel
-- A nonzero value for ipsec.pfkey.load, ipsec.sp.migrate and ipsec.sp.owner is set.
-- During the life of the SA the tunnel was migrated to another tmm owner.
The final point is not normally visible unless debug2 logging is enabled on ike-daemon.
Impact:
Cosmetic. The traffic selector is incorrectly reported as up for one or both directions.
Workaround:
The selector state cannot be changed unless it goes up/down again. There is no way to manually fix it.
Fix:
Disabling an ike-peer config object will correctly mark the associated traffic-selector down.
Fixed Versions:
17.0.0, 16.1.2.2
1073973-1 : Gateway HTTP/2, response payload intermittently not forwarded to client.
Links to More Info: BT1073973
Component: Local Traffic Manager
Symptoms:
Some HTTP/2 requests through a Gateway HTTP2 (HTTP2 clientside/HTTP1 serverside, no MRF) stall, with:
- the BIG-IP receives a request and forwards it to the server
- the server responds with both headers and response body
- the BIG-IP forwards the response headers back to the client
- the BIG-IP does not forward the response body to the client
Conditions:
-- BIG-IP virtual server configured with an HTTP/2 profile on both the client side and server side
-- A high number of HTTP/2 requests traverse the HTTP/2 connection
Impact:
HTTP response body is not forwarded to the client from the BIG-IP system.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2
1073677-1 : Add a db variable to enable answering DNS requests before reqInitState Ready
Links to More Info: BT1073677
Component: Global Traffic Manager (DNS)
Symptoms:
When a new GTM is added to the Sync group, it takes a significant amount of time, and the newly added GTM won't become ready.
Conditions:
-- GTMs in a cluster with a large number of persist records
-- A new GTM device is added
Impact:
Clients of the BIG-IP GTM do not receive an answer, and application failures may occur.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1073625-2 : Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled.
Links to More Info: BT1073625
Component: Application Security Manager
Symptoms:
ASM policy import is successful on Active unit and it syncs to standby device, but "Apply changes" is displayed on the standby device policies page.
Conditions:
1. XML policy with learning enabled imported via TMSH.
2. Autosync with incremental sync enabled on device-group with ASM sync enabled.
Impact:
The peer (standby) unit needs to have the policies applied manually even though everything is set to auto-sync
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1073609-4 : Tmm may core while using reject iRule command in LB_SELECTED event.
Links to More Info: BT1073609
Component: Local Traffic Manager
Symptoms:
Tmm cores with SIGFPE "packet is locked by a driver"
Conditions:
-- Fastl4 virtual server
-- iRule attached that uses reject iRule command in LB_SELECTED event
Impact:
Traffic disrupted while tmm restarts.
Fix:
Tmm does not core while using iRules attached that uses reject iRule command in LB_SELECTED event.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1072953-2 : Memory leak in traffic management interface.
Links to More Info: BT1072953
Component: Local Traffic Manager
Symptoms:
When configuration objects that use a traffic management interface are modified, they leave behind orphaned objects. The memory leak can become significant over time if there are frequent config changes.
Conditions:
Request logging profile attached to a VIP.
Impact:
TMM uses more memory than it should.
Workaround:
Restart tmm to free the memory, avoid making frequent configuration changes to virtual servers that contain request logging profiles.
Fix:
Traffic management interface no longer leaks memory.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1072733-4 : Protocol Inspection IM package hardening
Component: Protocol Inspection
Symptoms:
Protocol Inspection IM packages do not follow current best practices.
Conditions:
- Authenticated administrative user
- Protocol Inspection IM packages uploaded to BIG-IP
Impact:
Protocol Inspection IM packages do not follow current best practices.
Workaround:
N/A
Fix:
Protocol Inspection IM packages now follows current best practices.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1072377-3 : TMM crash in rare circumstances during route changes
Links to More Info: BT1072377
Component: Local Traffic Manager
Symptoms:
TMM might crash in rare circumstances when static/dynamic route changes.
Conditions:
Dynamic/static route changes.
Impact:
TMM can crash or core. Traffic processing stops during process restart.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.0, 16.1.5, 15.1.10
1072237-1 : Retrieval of policy action stats causes memory leak
Links to More Info: BT1072237
Component: TMOS
Symptoms:
When a virtual server with an L7 policy is present, the tmsh show ltm policy command triggers a memory leak.
Conditions:
The tmsh show ltm policy command is executed when a virtual server with an L7 policy attached is present.
one more condition -
Retrieving the ltm policy statistics will cause the umem_alloc_16 memory leak
Impact:
Memory leak for umem_alloc_16 cur_allocs for each request for
each request of tmsh show ltm policy
Workaround:
None
Fix:
Umem_alloc_16 cur_allocs no longer leaking memory.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1072197-1 : Issue with input normalization in WebSocket.
Links to More Info: K94142349, BT1072197
Component: Application Security Manager
Symptoms:
Under certain conditions, attack signature violations might not be triggered in WebSocket scenario.
Conditions:
- ASM handles WebSocket flow.
- Malicious WebSocket message contains specific characters.
Impact:
Attack detection is not triggered as expected.
Workaround:
N/A
Fix:
Attack detection is now triggered as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1072165-2 : Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format
Links to More Info: BT1072165
Component: Application Security Manager
Symptoms:
Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format
Conditions:
ASM remote logging in ArcSight format
Impact:
Due to the missing fields, the remote message does not tell name of threat campaign name(s) that was detected.
Workaround:
Use other message format.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1072057-1 : "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy.
Links to More Info: BT1072057
Component: Advanced Firewall Manager
Symptoms:
The GUI incorrectly displays the sources address in certain conditions.
1. If the source address of a firewall policy is not empty (that is, some specific IP addresses available to the rule), the word "Any" is displayed.
2. If the source address is empty (that is, no specific IP addresses exist), nothing (empty) is displayed.
Conditions:
Viewing a firewall policy in the GUI via Security > Firewall > policy.
Impact:
No functional impact
Workaround:
N/A
Fix:
Fixed a display issue with the source address field.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1071689-1 : SSL connection not immediately closed with HTTP2 connection and lingers until idle timeout
Links to More Info: BT1071689
Component: Local Traffic Manager
Symptoms:
SSL connections using HTTP/2 are not immediately closed and linger until the idle timeout expires.
Conditions:
This occurs during SSL handshake termination from the client to the BIG-IP system.
Impact:
SSL connection does not close.
Fix:
System will properly terminate the connection without lingering until timeout
Fixed Versions:
17.0.0, 16.1.3
1071621-1 : Increase the number of supported traffic selectors
Links to More Info: BT1071621
Component: TMOS
Symptoms:
There is an imposed limit of 30 traffic selectors that can be attached to an IPsec policy / IKEv2 ike-peer.
Conditions:
-- IKEv2
-- More than 30 traffic selectors required on one IPsec policy / ike-peer.
Impact:
No more than 30 traffic selectors can be added to a single IPsec policy / ike-peer.
Workaround:
None
Fix:
The behavior of sys db ipsec.maxtrafficselectors has changed.
- Max traffic selectors associated with an ike-peer are increased from 30 to 100.
- When the sys-db variable is non-zero, the limit is enforced.
Warning: Adding hundreds or thousands of traffic-selectors to an ipsec-policy may result in slow config-load times (for example, during startup). An excessive number of traffic selectors may also slow down IPsec tunnel negotiation. The impact will depend on the BIG-IP system's provisioning and the overall configuration.
- ipsec.maxtrafficselectors can be set to "0" to indicate there is no limit.
Behavior Change:
The behavior of sys db ipsec.maxtrafficselectors has changed.
- Max traffic selectors associated with an ike-peer are increased from 30 to 100.
- When the sys-db variable is non-zero, the limit is enforced.
- ipsec.maxtrafficselectors can be set to "0" to indicate there is no limit.
Warning: Adding hundreds or thousands of traffic-selectors to an ipsec-policy may result in slow config-load times (for example, during startup). An excessive number of traffic selectors may also slow down IPsec tunnel negotiation. The impact will depend on the BIG-IP system's provisioning and the overall configuration.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1071609-2 : IPsec IKEv1: Log Key Exchange payload in racoon.log.
Links to More Info: BT1071609
Component: TMOS
Symptoms:
The key exchange payload is not logged to the IPsec logs.
Conditions:
The issue is observed during IKEv1 tunnel establishment.
Impact:
If you are investigating the IKEv1 key calculation, the key exchange payload information will not be available.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
1071585-1 : BIG-IP system does not respond to an arp from a SelfIP configured in virtual wire mode
Links to More Info: BT1071585
Component: Local Traffic Manager
Symptoms:
BIG-IP system does not respond to an arp from a SelfIP configured in virtual wire mode in Virtual Edition platforms.
Conditions:
Configure network in virtual wire mode in VADC pltaform
Impact:
Virtual server traffic is disrupted.
Workaround:
None
Fix:
Fix for the ARP not getting resolved when BIG-IP is configured with selfip on vwire's while redirecting to a different tmm.
Fixed Versions:
17.0.0, 16.1.2.2
1071485-3 : For IP based bypass, Response Analytics sends RST.
Links to More Info: BT1071485
Component: Access Policy Manager
Symptoms:
When SSL takes a dynamic bypass action (IP based bypass decision), the Per-Request Policy agents skip execution when necessary. That is, Category Lookup exits early due to no data because of the early bypass. The same check is not present in Response Analytics and URL Filter agents so that they don't take the error path due to not seeing Category Lookup data.
Conditions:
IP based bypass (in client SSL profile) with Response Analytics or URL Filtering in the Per-Request Policy.
Impact:
Category Lookup skips execution due to IP based bypass and thus Response Analytics and URL Filtering do not have the necessary data, so they take an internal error path. This will cause an RST.
Workaround:
Do not add Response Analytics or URL Filtering agents to paths that you know will not have appropriate Category Lookup data due to bypass.
Fix:
When the SSL level filter bypasses based on client data, Per-Request Policy agents will now be appropriately bypassed as well if there is not enough data to run on. They will take the fallback branches instead of sending a RST on error.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.10
1071449-4 : The statsd memory leak on platforms with license disabled processors.
Links to More Info: BT1071449
Component: Local Traffic Manager
Symptoms:
Memory usage in statsd will continue to grow until the control-plane is out of memory.
Conditions:
This issue occurs when the license on the BIG-IP disables some of the processors.
Following are the affected platforms:
C123 = iSeries i11000 - Discovery Extreme
C124 = iSeries i11000-DS - Discovery Extreme Turbo
Impact:
The statsd may consume excessive memory causing OOM killer activity.
Workaround:
Restart statsd periodically.
Fix:
The statsd no longer leaks memory.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1071301-1 : GTM server does not get updated even when the virtual server status changes.
Links to More Info: BT1071301
Component: Global Traffic Manager (DNS)
Symptoms:
GTM Server is in an Unknown state even though the single virtual server is green.
Conditions:
-- Three-member sync group.
-- Create a large number of virtual servers.
-- Virtual servers are disabled and enabled.
Impact:
The server status does not reflect the virtual server status, and there is no obvious way to recover.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1071269 : SSL C3D enhancements introduced in BIG-IP version 16.1.3 will not be available in 17.0.0.★
Links to More Info: BT1071269
Component: Local Traffic Manager
Symptoms:
The SSL C3D enhancements and features were introduced in BIG-IP version 16.1.3. If the feature is enabled in 16.1.3 and you upgrade to version 17.0.0, all of the following SSL C3D features will not be available, and the upgrade will fail:
- SSL C3D ability to convert RDN values to PrintableString or UTF-8 encoding.
- SSL C3D ability to modify CN in forged client certificate subject.
- SSL C3D ability to add custom SAN extension to the forged client certificate.
- SSL C3D ability to add AKI extension to the forged client certificate.
Conditions:
In the following conditions:
1. The BIG-IP config in 16.1.3 uses any of the two new iRules namely 'SSL::c3d subject' and 'X509::subject <cert> commonName'.
2. Upgrading to BIG-IP version 17.0.0
Impact:
Upgrade fails. You are unable to use any SSL C3D enhancements and features.
Workaround:
Workaround 1: Remove any config that had the SSL C3D feature enabled and caused the upgrade failure.
Workaround 2: If you require C3D features, upgrade to a release that supports them.
Fix:
N/A
Fixed Versions:
16.1.3
1071233-1 : GTM Pool Members may not be updated accurately when multiple identical database monitors are configured
Links to More Info: BT1071233
Component: Global Traffic Manager (DNS)
Symptoms:
When two or more GTM database monitors (MSSQL, MySQL, PostgreSQL, and Oracle) with identical 'send' and 'recv' strings are configured and applied to different GTM pools (with at least one pool member in each), the monitor status of some GTM pool members may not be updated accurately.
Other parameters of the affected monitors that differ (such as 'recv row' or 'recv column' indicating where the specified 'recv' string should be found in the result set) may cause GTM pool members using one of the affected monitors to connect to the same database to be marked UP, while GTM pool members using another affected monitor may be marked DOWN.
As a result of this issue, GTM pool members that should be marked UP or DOWN by the configured GTM monitor may instead be marked according to another affected monitor's configuration, resulting in the affected GTM pool members being intermittently marked with an incorrect state.
After the next monitor ping interval, affected GTM pool members members may be marked with the correct state.
Conditions:
This may occur when multiple GTM database monitors (MSSQL, MySQL, PostgreSQL, and Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different pools/members which share the same IP address and Port values.
For example:
gtm monitor mysql mysql_monitor1 {
...
recv none
send "select version();"
...
}
gtm monitor mysql mysql_monitor2 {
...
recv none
send "select version();"
...
}
Impact:
Monitored GTM pool members using a database monitor (MSSQL, MySQL, PostgreSQL, and Oracle) randomly go offline/online.
Workaround:
To avoid this issue, configure each GTM database monitor with values that make the combined parameters unique by changing either the 'send' or the 'recv' parameters, or both.
For example:
gtm monitor mysql mysql_monitor1 {
...
recv none
send "select version();"
...
}
gtm monitor mysql mysql_monitor2 {
...
recv 5.7
send "select version();"
...
}
Fix:
The system updates GTM pool members correctly when multiple identical database monitors are configured.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1071181-2 : Improving Signature Detection Accuracy
Links to More Info: BT1071181
Component: Anomaly Detection Services
Symptoms:
BADOS generates signatures have up to 20% false positive if the signature covers 100% of bad traffic.
Conditions:
The attack signature generated covers all bad traffic.
Impact:
BADOS generates false positives
Workaround:
None
Fix:
This feature has been removed.
Fixed Versions:
16.1.2.2, 15.1.6.1, 14.1.5
1070833-2 : False positives on FileUpload parameters due to default signature scanning
Links to More Info: BT1070833
Component: Application Security Manager
Symptoms:
False positives on FileUpload parameters due to signature scanning by default
Conditions:
A request containing binary content is sent in "FileUpload" type parameters
Impact:
False positives and ineffective resource utilization
Workaround:
Disable signature scanning on "FileUpload" parameters manually using GUI/REST.
Fix:
Default signature scanning is disabled for FileUpload parameters created using OpenAPI to reduce false positives on binary content.
Fixed Versions:
17.1.0, 16.1.3, 15.1.6.1
1070789 : SSL fwd proxy invalidating certificate even through bundle has valid CA
Links to More Info: BT1070789
Component: Local Traffic Manager
Symptoms:
BIG-IP system rejects SSL forward proxy connections due to expired CA certificates present in ca-bundle even though other, valid CA certificates exist.
Conditions:
-- Forward proxy is enabled in client and server SSL profiles.
-- A valid CA certificate is followed by an expired CA certificate in ca-bundle.
Impact:
SSL handshakes will fail.
Workaround:
Remove all invalid trusted (i.e., expired) certificates from the certificate chain and replace them with a valid trusted certificate.
Fix:
Fixed the certificate verification issue that was leading to SSL handshake failure.
Fixed Versions:
17.1.0, 16.1.3.1
1070677-1 : Learning phase does not take traffic into account - dropping all.
Links to More Info: BT1070677
Component: Protocol Inspection
Symptoms:
Suggestions are generated every suggestion interval and every suggestion interval suggestions are overriding, so the last suggestion is considered after the staging period is completed.
Conditions:
Once the start of staging period, suggestions will override every time until the staging period completes.
Impact:
IPS learning phase, which lasts the default 7 days, sees a ton of traffic from websites hitting against signatures, but at the end of the 7 days it blocks all signatures and causes an outage.
Workaround:
N/A
Fix:
We now make the decision based on the overall suggestions that are generated during the staging period instead of the last suggestion.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1070389-4 : Tightening HTTP RFC enforcement
Links to More Info: K000132430, BT1070389
Component: Local Traffic Manager
Symptoms:
BIG-IP allows non RFC-compliant http requests to the backend which may cause backend misbehavior
Conditions:
Basic Virtual Server with http profile
Impact:
Backend server may receive unexpectedly formatted http requests
Fix:
BIG-IP more strictly enforces HTTP RFC compliance.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1070273-1 : OWASP Dashboard does not calculate Disallow DTDs in XML content profile protection properly.
Links to More Info: BT1070273
Component: Application Security Manager
Symptoms:
On OWASP dashboard, both 2021 and 2017, the Disallow DTDs in XML content profile protection is not calculated correctly on the xml-profile allowDTD field.
Conditions:
Open the OWASP page for any non-parent/child security policy, (Security ›› Overview : OWASP Compliance). For OWASP 2017, DTDs is located under A4 category, and for 2021 under A5 category.
Impact:
Actual OWASP compliance for this protection can be different from the one shown by the GUI.
Workaround:
The actual conditions that satisfy the Disallow DTDs in XML content profile protection are:
1. 'XML data does not comply with format settings' violation should be set to alarm+block.
2. 'Malformed XML data' violation should be set to alarm + block.
3. No XML content profile in the policy is set so that allowDTDs to true.
Fix:
Scoring calculation was changed: Now score will be given only if no XML content profile in the policy has allowDTDs field set as true.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
1070033-2 : Virtual server may not fully enter hardware SYN Cookie mode.
Links to More Info: BT1070033
Component: Advanced Firewall Manager
Symptoms:
The SYN Cookies Status of a virtual server shows 'full-hardware', but the 'Total Software' counter of software SYN Cookies continues to increment together with the 'Total Hardware' SYN Cookie counter during a SYN flood attack.
Conditions:
Only BIG-IP hardware platform with multiple HSB modules are affected by this issue, and whether specific devices are affected depends on the platform, the BIG-IP software version, and the selected turboflex profile.
To determine whether any given BIG-IP device has more than HSB module in operation, inspect the state of the epva_flowstat tmstat table. If more than one value is present in the mod_id (hsb module ID) column, then the device is affected by this issue
For example, the following output shows a device with two HSB modules (identified as module 1 and module 2):
$ tmctl -s tmm,mod_id,pdenum,slot_id epva_flowstat
tmm mod_id pdenum slot_id
--- ------ ------ -------
0 1 0 0
1 1 8 0
2 2 0 0
3 2 8 0
Impact:
A portion of the SYN flood attack is handled in software, which might have some performance impact.
Workaround:
N/A
Fix:
All TMMs now correctly enter hardware SYN Cookie mode.
Fixed Versions:
17.0.0, 16.1.4, 14.1.4.6
1070029-1 : GSS-SPNEGO SASL mechanism issue with AD Query to Synology Directory Service
Links to More Info: BT1070029
Component: Access Policy Manager
Symptoms:
Active Directory queries may fail.
Conditions:
-- Users/Services are configured in Synology Directory Service (Non Microsoft based Active Directory Service)
-- Active Directory Query Configuration on BIG-IP
Impact:
User authentication based on AD Query agent will be impacted.
Workaround:
None
Fix:
No fix identified yet. The comprehensive fix would be in the open source cyrus-sasl library.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1070009 : iprepd, icr_eventd and tmipsecd restarts continuously after installing FIPS 140-3 license in BIG-IP cloud platform
Links to More Info: BT1070009
Component: TMOS
Symptoms:
32 bit applications (iprepd, icr_eventd and tmipsecd) uses clock_gettime to gather the time which causes the restart of applications. This issue occurs only in Azure and Google Cloud platform when FIPS 140 license is installed.
Conditions:
- Occurs only in Azure and Google Cloud platform
-32 bit applications (iprepd, icr_eventd and tmipsecd) which uses clock_gettime to gather the time for generating entropy data
- A FIPS 140 license is installed
Impact:
Applications restart continuously.
Workaround:
None.
Fix:
32-bit applications does not restart continuously while using clock_gettime to generate entropy data when FIPS 140 license is installed.
Fixed Versions:
17.0.0, 16.1.2.2
1069809 : AFM rules with ipi-category src do not match traffic after failover.
Links to More Info: BT1069809
Component: Advanced Firewall Manager
Symptoms:
BIG-IP drops all traffic after a reboot or failover.
Conditions:
-- Create firewall rules with IPI deny-list category as source and default action as drop.
-- After reboot, the rule with IPI category as source will overlap all rules and with default action as drop, traffic will be dropped.
Impact:
Site is down, no traffic passes through the BIG-IP.
Workaround:
Workaround is to restart the pccd, as it compiles the blob again with all IPI category initialized:
tmsh restart sys service pccd
Fix:
PCCD waits for the first deny list IPI category initialized before the firewall rules are compiled.
Fixed Versions:
16.1.4, 15.1.9
1069729-3 : TMM might crash after a configuration change.
Links to More Info: BT1069729
Component: Application Security Manager
Symptoms:
After modifying a dosl7 profile, on rare cases TMM might crash.
Conditions:
Modifying DoSl7 profile attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1069501-1 : ASM may not match certain signatures
Links to More Info: K22251611, BT1069501
Component: Application Security Manager
Symptoms:
Under certain condition, ASM may not match signatures as expected.
Conditions:
- base64 violations not configured for blocking
Impact:
Signatures not matched as expected.
Workaround:
Illegal base64 value violation should be set to blocking.
This way if Base64 decoding fails the requests gets blocked.
Fix:
ASM now processes signature as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1069449-1 : ASM attack signatures may not match cookies as expected
Links to More Info: K39002226, BT1069449
Component: Application Security Manager
Symptoms:
Under certain conditions ASM attack signatures may not match cookies as expected.
Conditions:
- Specially crafted cookies
Impact:
Attack signatures are not detected as expected.
Workaround:
N/A
Fix:
ASM attack signatures now match cookies as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1069441-3 : Cookie without '=' sign does not generate rfc violation
Links to More Info: BT1069441
Component: Application Security Manager
Symptoms:
If a request includes a Cookie header that only contains the name of the cookie without an equal sign (=) and a corresponding value, it might not result in a violation as expected according to the RFC (Request for Comments) specifications.
Conditions:
-Set Cookie not RFC-compliant to 'Block'
-Request with Cookie header with name only, for example 'Cookie:a'
Impact:
The request is not blocked.
Workaround:
None
Fix:
The request is blocked and reported with "Cookie not RFC-compliant violation"
Behavior Change:
Previously, if a request included a Cookie header that contained only the name of the cookie without an equal sign (=) and a corresponding value, it might not result in a violation.
Now, such a request is blocked and reported with a "Cookie not RFC-compliant" violation as expected according to the RFC (Request for Comments) specifications.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1069337-2 : CVE-2016-1841 - Use after free in xsltDocumentFunctionLoadDocument
Component: TMOS
Symptoms:
libxslt, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
Impact:
Denial of service (memory corruption) via a crafted web site
Fix:
Fix use-after-free in xsltDocumentFunctionLoadDocument
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1069265-3 : New connections or packets from the same source IP and source port can cause unnecessary port block allocations.
Links to More Info: BT1069265
Component: Advanced Firewall Manager
Symptoms:
A client opening new TCP connections or sending new UDP packets from the same source IP and source port can cause the allocation of multiple new port blocks even if there are still existing translation endpoints in the current blocks.
Conditions:
All of the following conditions must be met:
- AFM NAT or CGNAT configured with port block allocation.
- In the port-block-allocation settings, a block-lifetime value different from zero.
- A client sending UDP packets or opening TCP connections periodically, always from the same source IP address and source port.
- A protocol profile on the virtual server with an idle timeout lower than the interval between the client packets or new connections.
Impact:
After the first allocated port block becomes zombie, a new port block is allocated for each new client packet or client connection coming from the same source IP / source port, even if there are still available translation endpoints in the allocated non-zombie blocks.
The new blocks keep piling up until the original zombie block timeout expires.
Workaround:
Increase the protocol profile idle-timeout to a value greater than the interval between UDP packets or connections from the client.
Fix:
A maximum of two blocks is allocated: the original block and an additional block when the original block becomes zombie.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1069133-4 : ASMConfig memory leak
Links to More Info: BT1069133
Component: Application Security Manager
Symptoms:
A slow leak exists for long-lived asm_config_handler processes that handle configuration updates.
Conditions:
Configuration updates are being regularly made.
Impact:
Processes slowly grow in size until they reach a limit and restart themselves.
Workaround:
N/A
Fix:
The slow leak has been fixed.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1068673-3 : SSL forward Proxy triggers CLIENTSSL_DATA event on bypass.
Links to More Info: BT1068673
Component: Local Traffic Manager
Symptoms:
The CLIENTSSL_DATA iRule event is triggered unexpectedly during SSL forward proxy bypass.
Conditions:
This issue is seen when SSL forward proxy with bypass is enabled on client & server SSL profiles.
Impact:
This can cause unexpected failure of existing iRules which only expect CLIENTSSL_DATA on intercepted (and decrypted) data.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1068561-1 : Can't create key on the second netHSM partition.
Links to More Info: BT1068561
Component: Local Traffic Manager
Symptoms:
While trying to create a key pair in a second partition, the key creation fails.
Conditions:
-- Multiple partitions are used
-- Attempt to create a key with the second partition
Impact:
Unable to use multiple netHSM partitions.
Workaround:
N/A
Fix:
Corrected session handle able to create keys in second partition.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1068445-1 : TCP duplicate acks are observed in speed tests for larger requests
Links to More Info: BT1068445
Component: Local Traffic Manager
Symptoms:
- A lot of TCP duplicate acks are observed in speed tests for larger requests
Conditions:
Below conditions are met
- Large request
- fastL4 profile with PVA acceleration set
- Below sys db variables are enabled
tm.tcpsegmentationoffload
tm.tcplargereceiveoffload
- Softpva is used
Impact:
- Reduced throughput because of duplicate ACKs and retransmissions
Workaround:
Either one of the conditions
- fastL4 profile with PVA acceleration set to NONE
- Disable below sys db variables
tm.tcpsegmentationoffload
tm.tcplargereceiveoffload
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1068353-1 : Unexpected event sequence may cause HTTP/2 flow stall during shutdown
Links to More Info: BT1068353
Component: Local Traffic Manager
Symptoms:
HTTP/2 flows may stall during shutdown, eventually being freed by expiration or reset from the TCP peer.
Conditions:
HTTP/2 configured
Impact:
Flows may be retained longer than expected and continue to consume system resources until expired or reset by the TCP peer.
Workaround:
None
Fix:
Shutdown events are now handled correctly for HTTP/2 flows.
Fixed Versions:
16.1.2.2
1068237-1 : Some attack signatures added to policies are not used.
Links to More Info: BT1068237
Component: Application Security Manager
Symptoms:
Some attack signatures added to an existing signature set may not be utilized by Policies associated with the signature set, despite the attack signatures being reported as now present in the Policies.
Conditions:
1. Have one or more policies utilizing a manual attack signature set.
2. Update the attack signature database by installing an ASU or creating a custom attack signature.
3. Update the previously created manual attack signature set with one or more attack signatures which were not updated by the ASU (if ASU installed) or are not the newly created custom attack signature (if new custom signature created).
Impact:
The additional attack signatures added to the attack signature set will show up in the Policies utilizing the signature set however the Policies will not actually use those additional attack signatures.
Workaround:
There are two workarounds:
1. When adding additional attack signatures to a Policy, place them in a new attack signature set rather than re-using an existing signature set.
2. If adding signatures to an existing set, afterwards create a new custom attack signature, add it to a new manual attack signature set, add the set to any active policy and then remove the set from the policy (the set and signature can then be deleted if desired).
Both workarounds will result in all attack signatures listed as present in all Policies being fully and properly utilized by the Policies.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1067669-1 : TCP/UDP virtual servers drop all incoming traffic.
Links to More Info: BT1067669
Component: Local Traffic Manager
Symptoms:
-- Incoming TCP/UDP traffic is not processed by virtual servers on the BIG-IP system. Instead, legitimate traffic appears to be dropped by the BIG-IP system.
-- A tcpdump taken on the BIG-IP system shows the traffic arriving on VLAN 0 instead of the actual VLAN.
-- Inspection of the dns_rapid_response_global tmstat table shows many entries in the failed_ifc column.
Conditions:
-- Using a BIG-IP 2000, 4000, or VE device.
-- Using a trunk with an untagged VLAN.
-- Using a virtual server with a dns profile configured for rapid-response.
Impact:
All TCP/UDP virtual servers fail to process incoming traffic.
Workaround:
You can work around this issue by performing any one of the following actions:
-- Avoid using an untagged VLAN with your trunks.
-- Avoid using a trunk if you cannot avoid using untagged VLANs.
-- Disable rapid-response in all dns profiles (this option is disabled by default).
Fix:
TCP/UDP traffic is no longer dropped under the conditions described in this article.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1067617-4 : BGP default route not advertised after mid-session OPEN.
Links to More Info: BT1067617
Component: TMOS
Symptoms:
After BGP peer opens a new session with BIG-IP in the middle of the existing session and the session is dropped, BIG-IP does not send default route NLRI to the peer when the new session is established.
Conditions:
Mid-session OPEN (Event 16 or Event 17 per RFC spec).
Impact:
Default route is missing on a BGP peer.
Workaround:
Clear the BGP session manually.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
1067609-2 : Static keys were used while generating UUIDs under OAuth module
Component: Access Policy Manager
Symptoms:
UUIDs generated by the OAuth module are incorrectly obfuscated.
Conditions:
N/A
Impact:
Only static keys are used during generation of UUIDs.
Workaround:
N/A
Fix:
Static keys were removed now and replaced with dynamic generation of keys for the OAuth module during UUID generation.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1067589-3 : Memory leak in nsyncd
Links to More Info: BT1067589
Component: Application Security Manager
Symptoms:
The memory usage for nsyncd increases over time, forcing the device into OOM (out of memory).
Conditions:
-- High availability (HA) environment with ASM sync failover device group.
-- ASU files are being installed by Live Update.
Impact:
OOM activity causes random process restarts and disruption.
Workaround:
Restart the nsyncd daemon.
Fix:
Added a new parameter 'maxMemory' to the nsyncd configuration file:
/usr/share/nsyncd/config/config.properties
# 450 MB
maxMemory=450000000
Nsyncd daemon will limit its memory usage to the configured value, and restart if the value is exceeded.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1067557-2 : Value masking under XML and JSON content profiles does not follow policy case sensitivity
Links to More Info: BT1067557
Component: Application Security Manager
Symptoms:
Value masking is always case sensitive regardless of policy case sensitivity.
Conditions:
- Parse Parameters is unchecked under JSON content profile.
- Value masking section contains element/attribute names under
XML and JSON content profiles.
Impact:
- Value is not masked in a case insensitive manner even when the policy is case insensitive.
Workaround:
None
Fix:
The value masking under JSON and XML content profiles is handled according to policy case sensitivity.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1067393-2 : MCP validation - incorrect config load fail on AFM NAT rule with next-hop pool.★
Links to More Info: BT1067393
Component: Advanced Firewall Manager
Symptoms:
Upgrade failure, which may lead to a rollback and delayed upgrade.
Conditions:
AFM NAT rule referencing a Next Hop pool.
Impact:
Upgrade failure, which may lead to a rollback and delayed upgrade.
Workaround:
Once in the failed state, the system can be recovered by running 'tmsh load sys config'; the config will load successfully. No changes to the configuration are needed.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.5, 15.1.5.1
1067285-1 : Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.'
Links to More Info: BT1067285
Component: Application Security Manager
Symptoms:
F5 Networks, Inc.
F5 Networks Inc.
F5 Networks appear as F5, Inc.
Conditions:
NA
Impact:
F5 Networks, Inc
F5 Networks
F5 Networks Inc will appear as F5, Inc to the end user, be it online help, or any ASM related screens.
Workaround:
NA
Fix:
F5 Networks, Inc
F5 Networks
F5 Networks Inc will appear as F5, Inc to the end user, be it online help, or any ASM related screens.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1067105-2 : Racoon logging shows incorrect SA length.
Links to More Info: BT1067105
Component: TMOS
Symptoms:
Debug2 logs incorrect "total SA" length in racoon.log.
Conditions:
-- IKEv1 tunnels in use
-- ikedaemon in debug2 mode
Impact:
Troubleshooting is confused by misleading information about the SA payload length.
Workaround:
None. This is a cosmetic / logging issue.
Fix:
Clarified the log message to indicate what the logged length actually covers.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1066829-1 : Memory leak for xml/json auto-detected parameter with signature patterns.
Links to More Info: BT1066829
Component: Application Security Manager
Symptoms:
A memory leak is observed in ASM when specific traffic arrives.
Conditions:
A request contains a JSON parameter value with the signature pattern.
Impact:
Memory leak in the system.
Workaround:
N/A
Fix:
No memory leak observed after the fix.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1066673-1 : BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions
1066377-1 : OpenAPI - Content profile is not consistent with wildcard configuration
Links to More Info: BT1066377
Component: Application Security Manager
Symptoms:
A content profile is created with an inconsistent order for wildcard content types.
Conditions:
-- Create OpenAPI policy
-- Configure any endpoint with multiple wildcard content types
Impact:
HTTP request body is not enforced properly
Workaround:
None
Fix:
Fix provided to create content profile with proper order for wild card content type
Fixed Versions:
17.0.0, 16.1.2.2
1066285-4 : Master Key decrypt failure - decrypt failure.
Links to More Info: BT1066285
Component: TMOS
Symptoms:
After MCPD restarts or the system reboots:
-- the system is inoperative and MCPD may be restarting
-- the logs report this error:
err mcpd[12444]: 01071769:3: Decryption of the field (value) for object (config.auditing.forward.sharedsecret) failed while loading configuration that is encrypted with a different master key.
-- the system may be reporting this error:
load_config_files[5635]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.
This may occur during a system upgrade.
Conditions:
When config.auditing.forward.sharedsecret is encrypted and masterkey value is changed.
Impact:
MCPD will continuously restart, and the system will remain inoperative.
Workaround:
If a system is affected by this issue, set the DB key back to its default value. Once the configuration is loaded, set the DB key back to the correct value:
- tmsh modify /sys db config.auditing.forward.sharedsecret value '<null>'
After changing the SecureValue master key but before encountering the issue, run the following command to update the value of the DB key on-disk:
setdb config.auditing.forward.sharedsecret "$(getdb config.auditing.forward.sharedsecret)"
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1065789-1 : TMM may send duplicated alerts while processing SSL connections
Links to More Info: K000133132, BT1065789
1065585-1 : System does not halt on on FIPS/entropy error threshold for BIG-IP Virtual Edition
Links to More Info: BT1065585
Component: TMOS
Symptoms:
BIG-IP Virtual Edition keeps running even after multiple FIPS/entropy errors occur.
Conditions:
Multiple FIPS/entropy errors on BIG-IP Virtual Edition system.
Impact:
BIG-IP Virtual Edition keeps running even after multiple FIPS/entropy errors occur
Workaround:
None
Fix:
System should halt after the threshold number of FIPS/entropy errors occue
Fixed Versions:
17.0.0, 16.1.2.2
1065501-2 : [API Protection]Per request policy is getting timed out
Links to More Info: BT1065501
Component: Access Policy Manager
Symptoms:
You may see below log in /var/log/apm
notice tmm11[24761]: 01870055:5: /Common/<AP name>:Common:<SID>:Per-Request policy execution timeout (x) reached.
Conditions:
-- Per-request policy
-- Concurrent connections with same JWT
Impact:
Policy execution has timed out
Workaround:
None
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1064893-1 : Keymgmtd memory leak occurs while configuring ca-bundle-manager.
Links to More Info: BT1064893
Component: TMOS
Symptoms:
Keymgmtd leaks memory and the RES/RSS value increases over time.
Same issue can be observed using top -p `pidof keymgmtd` or tmctl proc_pid_stat proc_name=keymgmtd -s proc_name,vsize,rss monitor keymgmtd resident memory size.
Conditions:
Configure sys crypto ca-bundle-manager to periodically update the ca bundle on the system.
Impact:
If keymgmtd causes a system wide out of memory condition, this could cause a traffic disruption, if mcpd is chosen to be killed.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.5
1064753-4 : OSPF LSAs are dropped/rate limited incorrectly.
Links to More Info: BT1064753
Component: TMOS
Symptoms:
Some LSAs are dropped on BIG-IP with a log similar to:
"LSA is received recently".
Conditions:
Tuning OSPF min LSA arrival has no effect on some LSA handling.
Impact:
OSPF LSAs are dropped/rate limited incorrectly.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
16.1.5, 15.1.10
1064669-1 : Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash.
Links to More Info: BT1064669
Component: Local Traffic Manager
Symptoms:
TMM crashes if an iRule is configured that has HTTP::enable in the RULE_INIT event.
Conditions:
iRule that uses HTTP:enable command in RULE_INIT event, for example:
ltm rule example_rule {
when RULE_INIT {
# Don't do this!
HTTP::enable
}
}
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Do not use the HTTP::enable iRule command in the RULE_INIT event.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1064617-1 : DBDaemon process may write to monitor log file indefinitely
Links to More Info: BT1064617
Component: Local Traffic Manager
Symptoms:
If debug logging is enabled for a database monitor (mssql, mysql, postgresql or oracle), the DBDaemon process may write to a monitor log file indefinitely, including after the monitor log file is rotated and/or deleted.
Conditions:
This problem may occur when:
- using a database monitor (mssql, mysql, postgresql or oracle) which is configured with the "debug" value set to "yes"
- using a database monitor (mssql, mysql, postgresql or oracle) for a pool member which is configured with the "logging" set to "enabled"
Impact:
The DBDaemon process may write debug logging messages to the affected monitor log file indefinitely, including after the monitor log file has been rotated and/or deleted.
As a result, storage in the /var/log volume may be consumed to the point that other logging cannot be performed, and the BIG-IP instance may be restarted/rebooted.
Workaround:
To work around this issue, restart the DBDaemon process.
To find the PID of the DBDaemon process, observe the output of the following command:
ps -ef |grep -v grep | grep DB_monitor.jar | awk '{print($2)}'
To confirm whether the DBDaemon process is writing to a monitor log file, and if so, which file:
lsof -p $(ps -ef | grep -v grep | grep DB_monitor.jar | awk '{print($2)}') | grep -e COMMAND -e '/var/log/monitors'
To kill the DBDaemon process:
kill $(ps -ef | grep -v grep | grep DB_monitor.jar | awk '{print($2)}')
NOTE:
Killing the DBDaemon process will cause a short-term loss of database monitoring functionality, until DBDaemon is restarted by the next database monitor probe.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1064461-4 : PIM-SM will not complete RP registration over tunnel interface when floating IP address is used.
Links to More Info: BT1064461
Component: TMOS
Symptoms:
PIM-SM will not complete rendezvous point (RP) registration over the tunnel interface when a floating IP address is used (ip pim use-floating-address). Join/prune from RP gets dropped on BIG-IP when doing local-address validation.
BIG-IP never completes registration successfully.
Conditions:
RP registration over tunnel interface when floating IP address is used.
Impact:
BIG-IP never completes registration and outgoing packets are register-encapsulated.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1064357-1 : execute_post_install: EPSEC: Installation of EPSEC package failed
Links to More Info: BT1064357
Component: TMOS
Symptoms:
APM EPSEC installation fails and an error message is logged in /var/log/ltm: "execute_post_install: EPSEC: Installation of EPSEC package failed"
Conditions:
APM EPSEC package installation
Impact:
Installation fails with an error message
Fixed Versions:
17.0.0, 16.1.3, 15.1.7
1064217-1 : Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T.
Links to More Info: BT1064217
Component: Carrier-Grade NAT
Symptoms:
Port bits are not set as expected in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T.
Conditions:
This occurs in a MAP-T configuration.
Impact:
MAP-T port translation does not work as expected.
Workaround:
N/A
Fix:
Fixed an issue with the port bit not being set correctly.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1064189-1 : DoH proxy and server listeners from GUI with client-ssl profile and server-ssl profile set to None produces undefined warning
Links to More Info: BT1064189
Component: Global Traffic Manager (DNS)
Symptoms:
Dns Over HTTPS (DOH) is allowed to work without a clientssl profile on clientside. Setting it to none disables the DNS resolution via the HTTPS protocol.
Conditions:
- Selecting "None" in Client SSL Profile and Server SSL Profile in DOH Server Listener and DOH Proxy Listener from GUI
Impact:
An error occurs:
GUI: 01020036:3: The requested profile (/Common/NO_SELECTION) was not found.
TMSH: 01070734:3: Configuration error: In Virtual Server (/Common/mydohproxylistener) http2 specified activation mode requires a client ssl profile
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2
1064157-1 : Http_proxy_opaque_get should constrain search to local/spawn flows, not looped flows
Links to More Info: BT1064157
Component: Local Traffic Manager
Symptoms:
In a VIP-on-VIP (looped) situation, HTTP on one virtual server uses/reuses an existing 'http_proxy_opaque' whilst still in use by another virtual server that causes unexpected state changes in the opaque which may cause tmm to core.
Conditions:
-- Explicit Forward Proxy SSL Orchestrator, in other words an L3 Explicit Proxy which is usually deployed in a VIP on VIP configuration
-- Hostname resolution using explicit 'RESOLV::lookup' iRule in HTTP_PROXY_REQUEST on the explicit/client-facing VIP
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
1064001-1 : POST request to a virtual server with stream profile and a access policy is aborted.
Links to More Info: BT1064001
Component: Access Policy Manager
Symptoms:
POST request to virtual server fails with reset cause "Incomplete chunked response".
Conditions:
Virtual server is configured with both stream profile and access policy.
Impact:
User will be unable to send POST request to backend servers
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1063977-3 : Tmsh load sys config merge fails with "basic_string::substr" for non-existing key.
Links to More Info: BT1063977
Component: Local Traffic Manager
Symptoms:
"tmsh load sys config merge" fails with the following error.
Loading configuration...
/var/tmp/repro.txt
01070711:3: basic_string::substr
Unexpected Error: Loading configuration process failed.
Conditions:
The key referenced in the configuration of the SSL profile does not exist in the BIG-IP.
Impact:
"tmsh load sys config merge" fails which is expected, but the error is not meaningful.
Workaround:
Identify the missing SSL key used in the configuration and correct it.
Fix:
You should now be able to see the error message "The requested certificate (<Cert Name>) was not found." or "The requested certificate (<Key Name>) was not found." if a non-existing key is used in the configuration.
Fixed Versions:
17.1.0, 16.1.3
1063453-1 : FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets.
Links to More Info: BT1063453
Component: Local Traffic Manager
Symptoms:
Tmm crashes while passing IPv4-to-IPv6 traffic over FastL4.
Conditions:
-- A FastL4 virtual server translates between IPv4 and IPv6.
-- Fragment reassembly is not enabled in the FastL4 profile.
-- A feature requiring asynchronous completion is configured including: asynchronous irules on LB events (LB_SELECTED, LB_FAILED, LB_PERSIST_DOWN, LB_QUEUED, SA_PICKED), persistence, sessiondb operations, HA, virtual rate limiting.
Impact:
All traffic is disrupted while the TMM restarts.
Workaround:
Configure the FastL4 profile to always reassemble fragments.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1063345-5 : Urldbmgrd may crash while downloading the database.
Links to More Info: BT1063345
Component: Access Policy Manager
Symptoms:
Urldbmgrd may crash while downloading the database.
Conditions:
SWG or URLDB is provisioned.
Impact:
User traffic will be impacted when urldbmgrd is down.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.9
1063261-4 : TMM crash is seen due to sso_config objects.
Links to More Info: BT1063261
Component: Access Policy Manager
Symptoms:
Observed a TMM crash once which is due to unfreed sso_config objects in SAML.
Conditions:
Conditions are unknown, this was only seen once.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
Freeing the sso_config objects during sso cleanup will avoid this situation.
Fixed Versions:
17.0.0, 16.1.5, 15.1.10
1063237-4 : Stats are incorrect when the management interface is not eth0
Links to More Info: BT1063237
Component: TMOS
Symptoms:
The provision.managementeth db variable can be used to change which interface the management interface is bridged to:
https://clouddocs.f5.com/cloud/public/v1/shared/change_mgmt_nic_google.html
If this is changed to something other than eth0, the management interface stats will continue to be read from eth0 and thus be incorrect.
Conditions:
When provision.managementeth is changed to something other than eth0.
Impact:
Management interface stats are incorrect.
Workaround:
Reconfigure the management interface to use eth0
Fixed Versions:
16.1.4, 15.1.9
1062953-1 : Unable to save configuration via tmsh or the GUI.
Links to More Info: BT1062953
Component: TMOS
Symptoms:
If there are hundreds of partitions and changes to the configuration are made via the GUI, the configuration save can hang. When the configuration save hangs, all subsequent configuration saves will not complete.
Conditions:
-- Hundreds of partitions with objects contained in them.
-- Changing config via the GUI.
Impact:
Subsequent attempts to save the configuration will not complete.
Workaround:
For this scenario, syscalld is the process that created
the tmsh process to save the config where the tmsh process hangs. A restart of syscalld using bigstart restart syscalld will kill the hung syscalld and tmsh processes and restore services.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.4
1062513-4 : GUI returns 'no access' error message when modifying a GTM pool property.
Links to More Info: BT1062513
Component: Global Traffic Manager (DNS)
Symptoms:
When you modify a GTM pool property and then click "Update," the next page displays the error message "No access."
When you modify GTM pool properties using the GUI, the properties do not update or display.
Conditions:
This occurs when you modify a GTM pool property using the GUI.
Impact:
You cannot change a GTM pool property using the GUI.
Workaround:
Use TMSH to change the GTM pool property.
OR
Click on "Update" a second time in the GUI.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1062493-1 : BD crash close to it's startup
Links to More Info: BT1062493
Component: Application Security Manager
Symptoms:
BD crashes shortly after startup.
Conditions:
FTP or SMTP are in use. Other causes are unknown.
Impact:
Traffic disrupted while bd restarts.
Workaround:
No workaround except removal of the FTP/SMTP protection.
Fix:
Crashes close to startup coming from SMTP or FTP were fixed.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1062385-4 : BIG-IP has an incorrect limit on the number of monitored HA-group entries.
Links to More Info: BT1062385
Component: TMOS
Symptoms:
BIG-IP has an incorrect limit on the number of monitored HA-group entries.
Conditions:
Large amount of traffic groups (over 50) with high availability (HA) Group monitoring attached.
Impact:
Not all traffic groups are properly monitored. Some traffic groups might not fail-over properly.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1062333-6 : Linux kernel vulnerability: CVE-2019-19523
Component: TMOS
Symptoms:
A flaw was found in the Linux kernel’s implementation for ADU devices from Ontrak Control Systems, where an attacker with administrative privileges and access to a local account could pre-groom the memory and physically disconnect or unload a module.
Conditions:
The attacker must be able to access either of these two events to trigger the use-after-free, and then race the access to the use-after-free, to create a situation where key USB structs can be manipulated into corrupting memory.
Impact:
An attacker could pre-groom the memory and physically disconnect or unload a module.
Workaround:
N/A
Fix:
Kernel patched to mitigate CVE-2019-19523
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1061977-3 : Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111
1061797-1 : Upgraded AWS CloudFormation Helper Scripts which now support IMDSv2
Links to More Info: BT1061797
Component: TMOS
Symptoms:
For AWS's CloudFormation to work with IMDSv2, the Helper Script module had to be upgraded.
Conditions:
Using AWS CloudFormation for IMDSv2-only instances
Impact:
The Helper scripts throw a "No Handler found" error when used to launch IMDSv2 instances
Fix:
With the latest version of BIG-IP VE, you can now launch IMDSv2 instances using AWS's CloudFormation templates.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1061617-4 : Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters".
Links to More Info: BT1061617
Component: Application Security Manager
Symptoms:
The following Attack Signatures are not identified if "Handle Path Parameters" = "As Parameters".
200001660, 200001663, 200007032, 200101543, 200101632, 200101635, 200101638, 200101641, 200101644
Conditions:
- Configure "Handle Path Parameters" = "As Parameters"
- Enable URL attack signatures 200001660, 200001663, 200007032, 200101543, 200101632, 200101635, 200101638, 200101641, 200101644
Impact:
Some URL attack signatures are not detected by ASM.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1061481-1 : Denied strings were found in the /var/log/ folder after an update or reboot
Links to More Info: BT1061481
Component: TMOS
Symptoms:
Denied strings error message were found in /var/log/dmesg and /var/log/messages files after update or reboot.
For example, the string "denied" was found:[ 5.704716] type=1401 audit(1636790175.688:4): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:f5_jitter_entropy_t:s0
Conditions:
After update or reboot, check the following log files:
/var/log/dmesg and /var/log/messages.
Impact:
Error strings are observed in /var/log/dmesg and /var/log/messages.
Workaround:
None.
Fix:
No error strings are observed.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3
1060989 : Improper handling of HTTP::collect
Links to More Info: BT1060989
Component: Local Traffic Manager
Symptoms:
When a complete body has been received and a new HTTP::collect is attempted, an error occurs:
TCL error: /Common/rule_vs_server_15584 <HTTP_RESPONSE_DATA> - ERR_ARG (line 1) invoked from within "HTTP::collect 256000"
Conditions:
- HTTP Virtual server
- incremental HTTP::collect irule
Impact:
iRule failure
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1
1060933-1 : Issue with input normalization.
Links to More Info: K49237345
Component: Application Security Manager
Symptoms:
Under certain conditions, attack signature violations may not be triggered.
Conditions:
- ASM provisioned with XML content profile
- Request contains XML body
Impact:
Attack detection is not triggered as expected.
Workaround:
None
Fix:
Attack detection is now triggered as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1060625-1 : Wrong INTERNAL_IP6_DNS length.
Links to More Info: BT1060625
Component: TMOS
Symptoms:
Tunnel establishment fails when an IPv6 DNS IP address is provided in the IKE_AUTH payload. As per RFC it should be 16 octets, but BIG-IP sends 17 octets(that is, it tries to provide the subnet info also).
Conditions:
Initiator requests an IPv6 DNS IP during tunnel negotiation.
Impact:
Tunnel will not establish.
Workaround:
None
Fix:
The INTERNAL_IP6_DNS payload is now filled with only the IPv6 address (the subnet is excluded).
Fixed Versions:
17.1.0, 17.0.0, 16.1.2.2
1060477-1 : iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]".
Links to More Info: BT1060477
Component: Access Policy Manager
Symptoms:
Apmd crashes after setting the userName field via an iRule.
Conditions:
1.Setting the userName field:
set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]
2.Getting the sid feild
[ACCESS::session data get session.user.sessionid]
Impact:
APM traffic disrupted while apmd restarts.
Workaround:
Check the username before setting it from iRule.
Fix:
APM no longer crashes when setting the username from an iRule
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1060409-2 : Behavioral DoS enable checkbox is wrong.
Links to More Info: BT1060409
Component: Anomaly Detection Services
Symptoms:
Behavioral DoS Enabled indicator is wrongly reported after configuration change, when no traffic is injected to the virtual server.
Conditions:
Behavioral DoS is enabled and then disabled when no traffic is injected to the virtual server.
Impact:
After server health is stabilized and constant, the BIG-IP system doesn't report the configuration changes.
Workaround:
Send 1-2 requests to the server and the configuration will be updated.
Fix:
Behavioral DoS enabled/disabled flag is now reported correctly.
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1060393-1 : Extended high CPU usage caused by JavaScript Obfuscator.
Links to More Info: K24102225, BT1060393
Component: Fraud Protection Services
Symptoms:
The Obfuscator process (compiler.jar) consumes excessive CPU for an extended period.
Conditions:
Any one of these conditions:
-- FPS is provisioned
-- ASM is provisioned and a Bot profile is attached to a virtual server
-- ASM Policy with a ClientSide feature enabled is attached to a virtual server
-- DoS profile with Captcha/CSI mitigation is attached to a virtual server
Impact:
High CPU usage on the device.
Workaround:
None
Fix:
N/A
Fixed Versions:
16.1.5
1060149-2 : BIG-IP vCMP guest data-plane failure with turboflex-adc selected on the host.
Links to More Info: BT1060149
Component: TMOS
Symptoms:
-- Interfaces in the vCMP guest may remain uninitialized.
-- 'Invalid VCMP PDE state version' log in /var/log/tmm*.
Conditions:
-- BIG-IP i5xxx/i7xxx/i10xxx/i11xxx platform.
-- vCMP provisioned.
-- turboflex-adc profile selected.
Impact:
Affected guest is non-functional.
Workaround:
Use the turboflex-base profile.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1060145-1 : Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2.
Links to More Info: BT1060145
Component: Global Traffic Manager (DNS)
Symptoms:
When secondary slot reboots and it gets the configuration from the primary blade, the secondary throws a validation error and enters into a restart loop.
The following error is logged:
Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/Common/bbt-generic-bigip 10.1.10.12 80 gtm-vs) was not found.... failed validation with error 16908342.
Conditions:
-- Change the virtual server address on the LTM (manual edit of bigip.conf and load).
-- Reboot the secondary slot.
Impact:
Mcpd enters a restart loop on the secondary slot.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1060057-2 : Enable or Disable APM dynamically with Bados generates APM error
Links to More Info: BT1060057
Component: Anomaly Detection Services
Symptoms:
When APM & Bados are configured together while APM is being enabled or disabled externally (i.e. via an iRule), an APM error occurs.
Conditions:
APM & Bados configured together while APM is being enabled/disabled externally (which is an iRule)
Impact:
Unable to apply Application DoS profile to an existing APM Network Access setup.
Workaround:
No workaround. Do not enable or disable APM with iRules if Bados configured.
Fix:
No APM errors when PM & Bados configured together and APM is being enabled or disabled externally (which is an IRule).
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1060021-1 : Using OneConnect profile with RESOLVER::name_lookup iRule might result in core.
Links to More Info: BT1060021
Component: Local Traffic Manager
Symptoms:
Tmm might core while using a OneConnect profile with iRule command RESOLVER::name_lookup.
Conditions:
1. One connect profile attached.
2. iRules with RESOLVER::name_lookup command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Don't use RESOLVER::name_lookup iRule on virtual that uses the oneconnect profile.
Fix:
N/A
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1059853 : Long loading configuration time after upgrade from 15.1.3.1 to 16.1.2.★
Links to More Info: BT1059853
Component: TMOS
Symptoms:
Tmsh load sys config/tmsh load sys config verify takes much longer (~10x).
Conditions:
While loading config tmsh load sys config verify.
Impact:
Configuration loading takes a long time (more than 8 minutes).
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2
1059621-2 : IP Exceptions feature and SSRF feature do not work as expected if both the entries are configured with the same IP/IPs.
Links to More Info: BT1059621
Component: Application Security Manager
Symptoms:
IP Exceptions/SSRF does not work as expected if the same IPs are configured in both IP Exception and SSRF.
Conditions:
- Enable XFF Header.
- Configure same IP/IPs in both SSRF and IP Exceptions.
- Send traffic with xff header and URI parameter.
Impact:
One of the IP Exceptions or SSRF features do not work as expected.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2
1059573-4 : Variation in a case insensitive value of an operand in LTM policy may fail in some rules.
Links to More Info: BT1059573
Component: Local Traffic Manager
Symptoms:
LTM policy engine compiles a policy into a state machine. If there is a variation of the same case insensitive value for an operand, the state machine may fail to properly build all rules, using this value. An example of a variation is a list of words like "Myself", "myself", "MYself", "mySElf", "MYSELF".
Conditions:
-- LTM policy is configured and attached to a virtual server.
-- The policy has variation in a case insensitive value of an operand.
Impact:
An expected rule does not apply: either a wrong rule is applied, or no rule is applied, causing incorrect traffic processing.
Workaround:
Eliminate variation in any case insensitive value of any operand. For example, replace all variations in the mentioned list with "myself".
Fix:
When there is a variation in a case insensitive value of an operand, BIG-IP will correctly handle it and compiles the policy so the rules with the variations are correctly applied to processing traffic.
Fixed Versions:
17.0.0, 16.1.5, 15.1.10
1059513-1 : Virtual servers may appear as detached from security policy when they are not.
Links to More Info: BT1059513
Component: Application Security Manager
Symptoms:
When browsing Security >> Overview: Summary page, the virtual servers may appear as detached. The larger the number of virtual servers are, the more likely you are to see all the virtual servers as detached from the security policy.
Conditions:
From a certain amount of virtual servers (20) that are attached to a security policy, the virtual servers may appear as detached from any security policy.
Impact:
Virtual servers are displayed as detached from any security policy, but this is not the case.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1059165-1 : Multiple virtual server pages fail to load.
Links to More Info: BT1059165
Component: TMOS
Symptoms:
Virtual server-related pages fail to load in the GUI.
Conditions:
This issue is observed only when the DOS module is provisioned.
Impact:
Virtual server properties do not load.
Workaround:
None
Fix:
Virtual Server pages now load successfully.
Fixed Versions:
17.0.0, 16.1.2.2
1059053-2 : Tmm crash when passing traffic over some configurations with L2 virtual wire
Links to More Info: BT1059053
Component: Local Traffic Manager
Symptoms:
In very rare cases, tmm crashes while passing traffic over some configurations with L2 virtual wire.
Conditions:
-- L2 wire setup
-- A routing error occurs
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Modified code to prevent such crashes.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1058677-2 : Not all SCTP connections are mirrored on the standby device when auto-init is enabled.
Links to More Info: BT1058677
Component: TMOS
Symptoms:
When auto-init is enabled, Not all SCTP connections are mirrored to the standby device.
Conditions:
-- SCTP Profile and Mirroring.
-- Auto initialization is enabled.
Impact:
Only half of the connections are mirrored to the standby device.
Workaround:
Disable auto initialization:
tmsh modify ltm message-routing diameter peer <affected_peer> { auto-initialization disabled }
Fix:
SCTP connections are mirrored successfully to standby device.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1058597-5 : Bd crash on first request after system recovery.
Links to More Info: BT1058597
Component: Application Security Manager
Symptoms:
Bd crashes on the first request.
Conditions:
The system is out of disk space while creating the ASM policy.
Impact:
The security configuration is incomplete with missing data.
Workaround:
-- Remove the ASM policy from the virtual server to avoid the bd crash.
-- Go to the cookie protection screen and reconfigure the secure and fast algorithm.
-- Re-attach the security policy to the virtual server.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1058469-1 : Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working.
Links to More Info: BT1058469
Component: Local Traffic Manager
Symptoms:
A virtual server which is part of an iApp service and which was previously working correctly now rejects all traffic.
Upon inspecting the log, entries similar to the following examples may be noticed:
==> /var/log/tmm <==
<13> Oct 28 23:41:36 bigip1 notice hudfilter_init: clientside matches TCP position. 0 0
==> /var/log/ltm <==
Oct 28 23:41:36 bigip1 err tmm[21251]: 01010008:3: Proxy initialization failed for /Common/my.app/my-vs. Defaulting to DENY.
Oct 28 23:41:36 bigip1 err tmm[21251]: 01010008:3: Listener config update failed for /Common/my.app/my-vs: ERR:ERR_UNKNOWN
Conditions:
This issue is known to occur when strict-updates is disabled for an iApp service which includes a non-default NTLM profile.
Impact:
Traffic outage as the affected virtual server(s) no longer passes any traffic.
Workaround:
To recover an affected system, either restart TMM (bigstart restart tmm) or delete and redeploy the iApp service.
To prevent this issue from occurring again, modify the iApp configuration to use the default NTLM profile rather than a custom one (if the iApp template involved allows this).
Fix:
Disabling strict-updates for an iApp service, which includes a non-default NTLM profile, no longer causes virtual servers associated with the profile to suddenly stop working.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1058401-1 : SSL Bypass does not work for inbound traffic
Links to More Info: BT1058401
Component: SSL Orchestrator
Symptoms:
Per-request policy's SSL Bypass Set agent does not bypass TLS traffic for inbound topology.
Conditions:
-- SSL Orchestrator is licensed and provisioned.
-- Per-request policy is attached to interception rules and SSL Bypass Set agent is used in the policy.
Impact:
BIG-IP/SSL Orchestrator does not bypass the TLS traffic for inbound topology.
Fix:
SSL Bypass Set agent in the per-request policy now bypasses TLS traffic for inbound topology.
Fixed Versions:
17.0.0, 16.1.2.2
1058297-2 : Policy history values for 'max Size Of Saved Versions' and for 'min Retained Files In Dir' is reset during upgrade★
Links to More Info: BT1058297
Component: Application Security Manager
Symptoms:
The values for "minRetainedFilesInDir" and "maxSizeOfSavedVersions" in /etc/ts/tools/policy_history.cfg
are set back to default after an upgrade.
Conditions:
-- Non-default values for "minRetainedFilesInDir" and for "maxSizeOfSavedVersions"
-- An upgrade occurs
Impact:
After upgrade, the values in the configuration file are set back to default.
Workaround:
Update the values after the upgrade is complete.
Fix:
The usage of the configuration file /etc/ts/tools/policy_history.cfg is deprecated.
New internal config items have been added:
"policy_history_min_retained_versions" and "policy_history_max_total_size"
The internal variables are preserved during the upgrade.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1057457-3 : CVE-2015-9019: libxslt vulnerability: math.random()
Component: TMOS
Symptoms:
In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.
Conditions:
where the EXSLT math.random function was called by applications.
Impact:
It could cause usage of this function to produce predictable outputs
Workaround:
Applications using libxslt that rely on non-repeatable randomness should be seeding the system PRNG (srand()) themselves, as they would if calling rand() directly.
Fix:
libxslt patched to resolve CVE-2015-9019
Fixed Versions:
17.0.0, 16.1.4, 15.1.8
1057449-3 : CVE-2015-7995 libxslt vulnerability: Type confusion may cause DoS
Component: TMOS
Symptoms:
A type confusion vulnerability was discovered in the xsltStylePreCompute() function of libxslt. A remote attacker could possibly exploit this flaw to cause an application using libxslt to crash by tricking the application into processing a specially crafted XSLT document.
Conditions:
By tricking the application into processing a specially crafted XSLT document.
Impact:
A remote attacker could possibly exploit this flaw to cause an application using libxslt to crash.
Workaround:
N/A
Fix:
libxslt patched to mitigate CVE-2015-7995
Fixed Versions:
17.0.0, 16.1.4, 15.1.8
1057441-3 : An out-of-bounds access flawb in the libxslt component
Component: TMOS
Symptoms:
If the libxslt library fails to handle namespace nodes properly, it may cause TMM to crash or expose private data.
Conditions:
In default conditions
Impact:
TMM may crash or reveal private data due to out-of-bounds access.
Workaround:
N/A
Fix:
libxslt patched to mitigate CVE-2016-1683
Fixed Versions:
17.0.0, 16.1.4, 15.1.8
1057437-3 : CVE-2019-13117 libxslt vulnerability: uninitialized read in xsltNumberFormatInsertNumbers
1057433-3 : Integer overflow in libxslt component
Component: TMOS
Symptoms:
If the libxslt library handles harmful xsl data, TMM might crash
Conditions:
Under default conditions
Impact:
TMM may crash due to integer overflow or excessive resource consumption, leading to traffic interruption and a failover event
Workaround:
N/A
Fix:
libxslt patched to mitigate CVE-2016-1684
Fixed Versions:
17.0.0, 16.1.4, 15.1.8
1056993-2 : 404 error is raised on GUI when clicking "App IQ."
Links to More Info: BT1056993
Component: TMOS
Symptoms:
When the App IQ menu option is clicked in the GUI workflow, (GUI: System ›› Configuration >> App IQ) the result is "Not Found. The requested URL was not found on this server."
Conditions:
Clicking the App IQ menu option in the GUI workflow, GUI: System ›› Configuration >> App IQ.
Impact:
Not able to access App IQ page.
Workaround:
Navigate directly to the following page on your BIG-IP (replacing <BIG-IP> with the IP/hostname of the system):
https://<BIG-IP>/tmui/tmui/system/appiq_ng/views/settings.html
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1056957-1 : An attack signature can be bypassed under some scenarios.
Links to More Info: BT1056957
Component: Application Security Manager
Symptoms:
An attack signature is not detected.
Conditions:
A specific condition.
Impact:
False negative - attack is not detected.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1
1056741-2 : ECDSA certificates signed by RSA CA are not selected based by SNI.
Links to More Info: BT1056741
Component: TMOS
Symptoms:
Attempts to select a client-ssl profile based on the certificate subject/SAN will not work for ECDSA certificates if ECDSA cert is signed by RSA CA. Even when the SNI in the client hello matches the certificate subject/SAN, BIG-IP selects the default client SSL profile.
Conditions:
-- ECDSA certificate signed by RSA CA.
-- Client SSL profile does not have "server name" option configured.
Impact:
The desired client-ssl profile is not selected for ECDSA hybrid certificates when the SNI matches the certificate subject/SAN.
Workaround:
Do not use hybrid certificates or configure the "server name" option in the client-ssl profile matching SNI.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1056401-4 : Valid clients connecting under active syncookie mode might experience latency.
Links to More Info: BT1056401
Component: Local Traffic Manager
Symptoms:
Valid clients that connect using active syncookie mode might experience latency.
Conditions:
- SYN Cookie (Hardware or Software) is enabled.
- SYN Cookies are activated (TCP Half Open) for the virtual server.
- FastL4 tcp-generate-isn option or SYN-ACK vector 'suspicious event count' options are enabled.
- SYN Cookie issue and validation with client is correct.
- SSL Client Hello packet sent by client reaches DHD right after TCP SYN packet is sent to backend server.
Impact:
Random connections might be disrupted.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1056365-1 : Bot Defense injection does not follow best SOP practice.
Links to More Info: BT1056365
Component: Application Security Manager
Symptoms:
In specific cases, Bot Defense challenge does not follow Same Origin Policy.
Conditions:
Bot Defense Profile is attached to a virtual server.
Impact:
In some cases, Bot Defense Injection does not follow Same Origin Policy.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1055361-1 : Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash.
Links to More Info: BT1055361
Component: SSL Orchestrator
Symptoms:
Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a TMM crash.
Conditions:
Suspending iRule command in L7CHECK_CLIENT_DATA
Example:
ltm rule /Common/rule-a {
when L7CHECK_CLIENT_DATA {
after 10000
}
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use Suspending iRule command in L7CHECK_CLIENT_DATA.
Fix:
Fixed a TMM crash.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
1055097-1 : TCP proxy with ramcache and OneConnect can result in out-of-order events, which stalls the flow.
Links to More Info: BT1055097
Component: Local Traffic Manager
Symptoms:
Because the client resends the request, the connection is not lost, but is stalled for a considerable time.
Conditions:
-- virtual server running affected version has both webacceleration and OneConnect profiles.
-- The response has 'Cache-Control: no-cache' header.
Impact:
The stalled connection causes slow response times for application users.
Workaround:
Remove the configuration for either the OneConnect or Caching profile.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2
1053741-4 : Bigd may exit and restart abnormally without logging a reason
Links to More Info: BT1053741
Component: Local Traffic Manager
Symptoms:
Certain fatal errors may cause the bigd daemon to exit abnormally and restart to recover.
For many such fatal errors, bigd logs a message in the LTM log (/var/log/ltm) indicating the fatal error that occurred.
For some causes, no message is logged to indicate what error occurred to cause big to exit abnormally and restart
Conditions:
This may occur when bigd encounters a fatal error when monitoring LTM pool members, particularly (although not exclusively) when using In-TMM monitor functionality (sys db bigd.tmm = enable).
Impact:
It may be difficult to diagnose the reason that caused bigd to exit abnormally and restart.
Workaround:
To enable logging of all fatal errors that cause bigd to exit abnormally and restart, enable bigd debug logging:
tmsh modify sys db bigd.debug value enable
With bigd debug logging enabled, bigd messages (including such fatal errors) will be logged to /var/log/bigdlog
Fixed Versions:
17.1.0, 16.1.4, 15.1.8
1053589-1 : DDoS functionality cannot be configured at a Zone level
Links to More Info: BT1053589
Component: Advanced Firewall Manager
Symptoms:
DDoS functionality is supported at the global and virtual server level.
Conditions:
DDoS functionality configured on the BIG-IP system.
Impact:
Cannot enable DDoS at the Zone level.
Workaround:
N/A
Fix:
DDoS functionality is now enabled at the Zone level.
Behavior Change:
Limited DDoS functionality is supported at the scope of a Zone, which is group of VLANs. Thus, DDoS functionality is now supported at the global, Zone, and virtual server levels.
Fixed Versions:
16.1.4, 15.1.8
1053557-2 : Support for Mellanox CX-6
Links to More Info: BT1053557
Component: TMOS
Symptoms:
The Mellanox CX-6 is not fully supported.
Conditions:
-- CX-6 network interface card is used with BIG-IP Virtual Edition.
Impact:
The BIG-IP system is unable to pass traffic through CX-6 interfaces.
Workaround:
None
Fix:
Traffic can be passed through CX-6 interfaces.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1053309-1 : Localdbmgr leaks memory while syncing data to sessiondb and mysql.
Links to More Info: BT1053309
Component: Access Policy Manager
Symptoms:
Top output shows that localdbmgr memory increases steadily.
Conditions:
Localdb auth is enabled or localdb is used for storing APM-related information like for MDM intune.
Impact:
Localdbmgr is killed by oom killer and is restarted, thereby affecting the execution of access policies.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5
1053173-1 : Support for MQTT functionality over websockets.
Links to More Info: BT1053173
Component: Local Traffic Manager
Symptoms:
MQTT does publish and receive messages for data through websockets.
Conditions:
-- Virtual server configured with an MQTT profile and a websocket profile
-- Selection of associated MQTT ports for the relevant broker
Impact:
No impact
Workaround:
None
Fix:
BIG-IP virtual servers now support MQTT configuration over websockets.
Fixed Versions:
17.0.0, 16.1.4
1053149-1 : A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received.
Links to More Info: BT1053149
Component: Local Traffic Manager
Symptoms:
Depending on the software version running on the BIG-IP system, this issue can manifest in one of two ways:
- Versions with the fix for ID1008077 will fail to forward the client's final ACK (from the TCP 3-way handshake) to the server. Eventually, once the TCP handshake timeout expires, the BIG-IP system will reset both sides of the connection.
- Versions without the fix for ID1008077 will forward the traffic correctly, but will not advance the internal FastL4 state for the connection. Given enough traffic for the same 4-tuple, the connection may never expire. Traffic for subsequent connections will appear to be forwarded correctly, but no load-balancing will occur due to the original connection not having expired yet.
Conditions:
A FastL4 TCP connection not completing the TCP handshake correctly, and the client retrying with a new (different SEQ number) SYN.
Impact:
Traffic failures (intended as either connections failing to establish, or improper load-balancing occurring).
Fix:
A FastL4 TCP connection which is yet to fully establish now correctly updates its internal SEQ space when a new SYN is received. This means the connection advances as it should through internal FastL4 states, and is removed from the connection table when the connection closes.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1052929-4 : MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized.
Links to More Info: BT1052929
Component: Local Traffic Manager
Symptoms:
When MCPD starts, it may log an error message reporting an issue communicating with the onboard FIPS HSM. If the HSM is uninitialized, this message is erroneous, and an be ignored.
Depending on the hardware platform, the message may be one of the following:
err mcpd[12345]: 01b50049:3: FIPSUserMgr Error: An internal login failure is being experienced on the FIPS card. Please issue 'FIPSutil loginreset -r' followed by 'bigstart restart' for a password reset. You will need your FIPS Security Officer password to reset the password..
err mcpd[12345]: 01b50049:3: FIPSUserMgr Error: An internal login failure is being experienced on the FIPS card. The FIPS card must be reinitialized, which will erase its contents..
Conditions:
-- BIG-IP system with an onboard FIPS HSM, or a vCMP guest running on a BIG-IP system with an onboard FIPS HSM
-- the FIPS HSM is not initialized, i.e. "fipsutil info" reports "FIPS state: -1".
Impact:
This message can be ignored when the FIPS HSM is not in-use, and is uninitialized.
Workaround:
Initialize the FIPS HSM following the instructions in the F5 Platforms : FIPS Administration manual.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1052893-4 : Configuration option to delay reboot if dataplane becomes inoperable
Links to More Info: BT1052893
Component: TMOS
Symptoms:
When certain system failures occur and the dataplane cannot continue to handle network traffic, the BIG-IP system will automatically reboot. This behavior may restore traffic management, but it may prevent diagnosis of the failure.
Conditions:
Low-level system failure, possibly in HSB SRAM or other hardware
Impact:
Diagnosis of the dataplane failure is hindered.
Workaround:
None
Fix:
A new "sys db" variable "tmm.hsb.dataplanerebootaction" is added. The default value is "enable", which retains the previous behavior of rebooting, if a failure occurs making the dataplane inoperable. The value may optionally be set to "disable", which avoids an immediate system reboot by making the HA action be "go-offline-downlinks".
Fixed Versions:
17.1.1, 16.1.2.2
1052173-1 : For wildcard SSRF hosts "Matched Disallowed Address" field is wrong in the SSRF violation.
Links to More Info: BT1052173
Component: Application Security Manager
Symptoms:
"Matched Disallowed Address" and "Actual Disallowed Address" both are shown as same "Actual Disallowed Address" only.
Conditions:
- configure wildcard SSRF host
Impact:
Misleading SSRF violation details
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2.2
1052169 : Traffic is blocked on detection of an SSRF violation even though the URI parameter is in staging mode
Links to More Info: BT1052169
Component: Application Security Manager
Symptoms:
Traffic is blocked on an SSRF violation even though the URI parameter is in staging mode.
Conditions:
-- URI parameter should be in staging mode
-- Traffic contains an SSRF deny-listed host as URI parameter value
Impact:
Traffic is blocked even though the URI parameter is in staging mode
Workaround:
None.
Fixed Versions:
16.1.2.2
1052153-2 : Signature downloads for traffic classification updates via proxy fail
Links to More Info: BT1052153
Component: Traffic Classification Engine
Symptoms:
Downloading IM package via proxy fails.
Conditions:
Downloading the IM file through a proxy.
Impact:
Auto-download IM package from f5.com will fail
Workaround:
Disable the proxy and trigger the IM package download from the management interface.
Fix:
Fixed an issue with downloading updates through a proxy.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1051213-1 : Increase default value for violation 'Check maximum number of headers'.
Links to More Info: BT1051213
Component: Application Security Manager
Symptoms:
Due to recent change in browsers, up to 7 headers are newly inserted in the request.
In ASM, there is default limit of 20 headers. So, when legitimate requests have more than 20 headers, they're blocked with violation "Maximum Number of Headers exceeded".
Conditions:
When the number of headers passed in request is greater than the value of maximum number of headers set, then this violation is raised.
Impact:
Legitimate requests are blocked with violation "Maximum Number of Headers exceeded" when number of header is greater than the value set for the policy (default 20).
Workaround:
Increase "Check maximum number of headers" to 30 under Learning and Blocking settings screen for a policy.
Fix:
Increased default value of maximum number of headers to 30.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1051209-1 : BD may not process certain HTTP payloads as expected
Links to More Info: K53593534, BT1051209
Component: Application Security Manager
Symptoms:
Under certain conditions BD may not process HTTP payloads as expected.
Conditions:
- HTTP request
Impact:
Payloads are not processed as expected, potentially leading to missed signature matches.
Workaround:
N/A
Fix:
BD now processes HTTP payloads as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1050969-1 : After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid
Links to More Info: BT1050969
Component: SSL Orchestrator
Symptoms:
Running clear-rest-storage removes all the available tokens as well as cookie files from /var/run/pamchache.
Conditions:
Run the clear-rest-storage command.
Impact:
All users are logged out of the GUI.
Workaround:
Re-login.
Fix:
Clear-rest-storage should only remove tokens not cookies.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1050697-4 : Traffic learning page counts Disabled signatures when they are ready to be enforced
Links to More Info: BT1050697
Component: Application Security Manager
Symptoms:
The traffic learning page counts Disabled signatures when they are ready to be enforced.
Conditions:
Policy has a disabled signature.
Impact:
Traffic learning page shows different counts of "ready to be enforced" signatures compared to Security ›› Application Security : Security Policies : Policies List ›› <policy name>
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1050537-1 : GTM pool member with none monitor will be part of load balancing decisions.
Links to More Info: BT1050537
Component: Global Traffic Manager (DNS)
Symptoms:
A GTM pool member containing no monitor (status=BLUE) is not included in load balancing decisions.
Conditions:
GTM pool member the monitor value set to none.
Impact:
GTM does not load balance to this pool member.
Workaround:
N/A
Fix:
Handled GTM pool with "none" monitor
Behavior Change:
GTM pool members with "none" monitor are now part of load balancing decisions
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1050273-1 : ERR_BOUNDS errors observed with HTTP service in SSL Orchestrator.
Links to More Info: BT1050273
Component: SSL Orchestrator
Symptoms:
The following similar error log messages repeated many times:
err tmm[13905]: 01c80017:3: CONNECTOR: Listener=/Common/sslo_intercept.app/sslo_intercept-in-t-4, Profile=/Common/ssloS_httpEpxy.app/ssloS_httpEpxy-t-4-connector: Error forwarding egress to return virtual server (null) - ERR_BOUNDS
err tmm8[13905]: 01c50003:3: Service : encountered error: ERR_BOUNDS File: ../modules/hudfilter/service/service_common.c Function: service_cmp_send_data, Line: 477
Conditions:
1. SSL Orchestrator with an HTTP service.
2. System is sending a large file.
Impact:
SSL Orchestrator throughput is degraded.
Workaround:
None
Fix:
After the fix, no such errors are observed and the throughput is back to normal.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.5
1050165 : APM SSO is disabled in the session of users and requires support of administrator for resolving
Links to More Info: BT1050165
Component: Access Policy Manager
Symptoms:
The SSO process is disabled for the user session when the webtop resource with APM Single Sign-On (SSO) configuration fails due to unknown reasons.
Conditions:
-- Configure Kerberos SSO
-- Configure a network resource (the mailbox of a user is configured on an exchange server or an IIS-based web service)
Impact:
The BIG-IP Administrator is required to manually release the affected session.
Workaround:
None
Fix:
SSO is no longer disabled for the entire APM session if Kerberos SSO fails.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1050009-2 : Access encountered error:ERR_NOT_FOUND. File: <file name> messages in 'acs_cmp_acp_req_handler' function in APM logs
Links to More Info: BT1050009
Component: Access Policy Manager
Symptoms:
In /var/log/apm
<Date> <time> <bigip> err tmm1[12598]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: <file name>, Function: acs_cmp_acp_req_handler, Line: 576
Conditions:
While evaluating Access Policy created by irule
ACCESS::session create -timeout <timeout> -lifetime <lifetime>
ACCESS::policy evaluate -sid <session ID> -profile <profile name>
Impact:
/var/log/apm gets filled with many 'Access encountered error:ERR_NOT_FOUND' error logs and there is no functional imapct.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1049237-1 : Restjavad may fail to cleanup ucs file handles even with ID767613 fix
Links to More Info: BT1049237
Component: Device Management
Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client (such as a BIG-IQ which is out of disk space) does not complete the download.
Since these files remain open, you may see low disk space even after deleting the associated files, and you may see items listed with '(deleted)' in lsof output.
Additionally, on a software version with ID767613 fix, you may see restjavad NullPointerException errors on /var/log/restjavad.*.log.
[SEVERE][1837][23 Sep 2021 10:18:16 UTC][RestServer] java.lang.NullPointerException
at com.f5.rest.workers.FileTransferWorker$3.run(FileTransferWorker.java:230)
at com.f5.rest.common.ScheduleTaskManager$1$1.run(ScheduleTaskManager.java:68)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:473)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:622)
at java.lang.Thread.run(Thread.java:748)
Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.
Impact:
Low disk space, items listed with '(deleted)' when listed using lsof.
Workaround:
To free the file handles, restart restjavad:
# tmsh restart sys service restjavad
Files that were deleted now have their space reclaimed.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1049229-1 : When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays.
Links to More Info: BT1049229
Component: Advanced Firewall Manager
Symptoms:
An authenticated administrative user tries to create a sub-rule under the Network Firewall rule list from the GUI and is redirected to a 'No Access' error page.
Conditions:
This error can occur when you create a sub-rule under the Network Firewall rule list in the TMOS GUI on a version of BIG-IP (including engineering hotfixes) that include the fixes for BIG-IP bugs ID1032405 and ID941649.
Impact:
The user cannot create a sub-rule under the Network Firewall rule list in the TMOS GUI.
Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.
Fix:
After the fixes for ID1032405 and ID941649 are installed, the "No Access" errors no longer occur when you create a sub-rule under the Network Firewall rule list in the TMOS GUI.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1048949-1 : TMM xdata leak on websocket connection with asm policy without websocket profile
Links to More Info: BT1048949
Component: Application Security Manager
Symptoms:
Excessive memory consumption, tmm core.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Websocket profile isn't attached to the virtual server
- Long lived websocket connection with messages
Impact:
Excessive memory consumption, tmm crash. Traffic disrupted while tmm restarts.
Workaround:
Attach the websocket profile to the virtual server
Fix:
Fix asm code to avoid buffering websocket message without websocket profile
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1048853-1 : TMM memory leak of "IKE VBUF"
Links to More Info: BT1048853
Component: TMOS
Symptoms:
The "IKE VBUF" memory increase is seen through tmctl memory_usage_stat when ipsec-sa are deleted and new ipsec-sa are created.
Conditions:
A tunnel connection exists between the BIG-IP initiator and responder.
Impact:
Memory consumption increases after every ipsec-sa delete operation when the new ipsec-sa is created.
Workaround:
N/A
Fix:
Fixed a memory leak related to ipsec-sa.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
1048709-2 : FCS errors between the switch and HSB
Links to More Info: BT1048709
Component: TMOS
Symptoms:
There are cases where FCS errors occur between the switch and HSB. This can be observed in the snmp_dot3_stat stats table, following is an example:
name fcs_errors
---- ----------
10.1 19729052
Conditions:
This requires a BIG-IP platform that has a switch and HSB.
Impact:
Networking traffic can be impacted when this condition occurs.
Workaround:
The device needs to be rebooted in order to clear the FCS errors.
Fix:
The improvement adds the ability to trigger an High Availability (HA) action when FCS errors are detected on the switch <-> HSB interfaces on the B4450 platform.
Fixed Versions:
17.1.0, 16.1.4, 15.1.8
1048685-4 : Rare TMM crash when using Bot Defense Challenge
Links to More Info: BT1048685
Component: Application Security Manager
Symptoms:
When using the Bot Defense Profile on Blocking mode, TMM could crash on rare cases with a core dump.
Conditions:
Using the Bot Defense profile on blocking mode.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM will no longer crash on rare conditions when using the Bot Defense Challenge
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
1048541-1 : Certificate Order Manager: renew requests to the Comodo (now Sectigo) CA are unsuccessful.
Links to More Info: BT1048541
Component: TMOS
Symptoms:
A BIG-IP Administrator utilizing the 'Certificate Order Manager' feature is unable to renew SSL certificates issued by the Comodo (now Sectigo) certification authority.
Conditions:
Using the 'Certificate Order Manager' feature on BIG-IP to renew SSL certificates issued by the Comodo (now Sectigo) certification authority.
Impact:
The renew requests fail.
Fix:
The renew requests now succeed.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1048445-1 : Accept Request button is clickable for unlearnable violation illegal host name
Links to More Info: BT1048445
Component: Application Security Manager
Symptoms:
For the following violations:
- VIOL_HOSTNAME (Hostname violation)
- VIOL_HOSTNAME_MISMATCH (Hostname mismatch violation)
The accept button is clickable when it should not. Accept Request button should be disabled for this violations.
Conditions:
Generate an illegal host name or hostname mismatch violation.
Impact:
Request will not be accepted even though you have elected to accept the illegal request.
Workaround:
Do not accept the request to hostname and hostname mismatch violation, no ASM config changes will be triggered.
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.6.1
1048433-1 : Improve Extract logic of thales-sync.sh to support VIPRION cluster to support 12.6.10 client installation.★
Links to More Info: BT1048433
Component: Local Traffic Manager
Symptoms:
The thales-sync.sh script tries to install on the second blade eventually The packages provided by formerly Thales now nShield/Entrust are increasing version to version, The extract logic is not compatible with to latest versions.
Conditions:
While upgrading lower versions to 12.60.
Impact:
The installation script will fail to find to extract packages.
Workaround:
N/A
Fix:
Extract all the tarballs in the target directory to resolve the issue.
Fixed Versions:
16.1.2.1, 15.1.5.1
1048425-4 : Packet tester crashes TMM when vlan external source-checking is enabled
Links to More Info: BT1048425
Component: Advanced Firewall Manager
Symptoms:
TMM SIGFPE Core Assertion "packet must already have an ethernet header".
Conditions:
Run the AFM Packet Tracer when external source-checking is enabled on the VLAN.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable source checking on the vlan.
Fix:
TMM no longer crashes when utilizing the AFM Packet Tracer tool.
Fixed Versions:
16.1.4
1048141-3 : Sorting pool members by 'Member' causes 'General database error'
Links to More Info: BT1048141
Component: TMOS
Symptoms:
The configuration utility (web UI) returns 'General database error' when sorting pool members. The pool member display does not work for the duration of the login.
Conditions:
Sorting the pool member list by member.
Impact:
A pool's pool member page cannot be displayed.
Workaround:
Clear site and cached data on browser and do not sort by pool member.
Fix:
Pool members can be sorted by member.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1048137-2 : IPsec IKEv1 intermittent but consistent tunnel setup failures
Links to More Info: BT1048137
Component: TMOS
Symptoms:
IKEv1 tunnels fail to start or re-key after an upgrade.
In the racoon.log file a clear sign of this issue is the combination of an IPsec SA being established and a buffer space error immediately after:
INFO: IPsec-SA established: ESP/Tunnel 172.16.1.6[0]->172.16.12.6[0] spi=2956426629(0xb0377d85)
ERROR: pfkey UPDATE failed: No buffer space available
Conditions:
-- IPsec IKEv1 tunnels
Impact:
IPsec tunnels will stop working after being up for an initial period of time.
Workaround:
The only workaround is to switch to IKEv2.
Fix:
Internal message handling related to IKEv2 high availability (HA) has changed, unintentionally breaking IKEv1's ability to keep tunnel states up-to-date. IKEv1 can now track tunnel state correctly.
Note: IKEv1 high availability (HA) / mirroring is still not supported and there is no plan to support it.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.9
1048077 : SELinux errors with gtmd when using internal FIPS card
Links to More Info: BT1048077
Component: Global Traffic Manager (DNS)
Symptoms:
You can observe the following avc error logs when the gtmd process tries to interact with internal FIPS card for DNSSEC key and signature creation:
type=AVC msg=audit(1662044427.707:3960): avc: denied { create } for pid=39483 comm="gtmd" scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:system_r:gtmd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1662044427.709:3961): avc: denied { search } for pid=39483 comm="gtmd" name="gtmd" dev="dm-20" ino=188725 scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:object_r:svc_svc_t:s0 tclass=dir
type=AVC msg=audit(1662044428.113:3962): avc: denied { create } for pid=39483 comm="gtmd" scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:system_r:gtmd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1662044428.114:3963): avc: denied { search } for pid=39483 comm="gtmd" name="gtmd" dev="dm-20" ino=188725 scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:object_r:svc_svc_t:s0 tclass=dir
Conditions:
- Internal FIPS card present with FIPS 140-3 supported devices.
- DNSSEC Key and signature creation using internal keys.
Impact:
No Impact to DNSSEC deployment but gtmd throws SELinux errors.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4
1048033-1 : Server-speaks-first traffic might not work with SSL Orchestrator
Links to More Info: BT1048033
Component: SSL Orchestrator
Symptoms:
Server-speaks-first traffic does not pass through BIG-IP SSL Orchestrator. BIG-IP does not do service chaining to the service that has port-remap enabled.
Conditions:
- Interception Rule has verified accept enabled.
- Security policy is service chaining and port-remap is enabled on one of the security services
Impact:
Connection does not succeed, client sees a reset after timeout.
Workaround:
Disable port-remap on service and redeploy.
Fix:
Fix SSL Orchestrator connector to handle server-speaks-first traffic. After fix, server speaks first traffic will work even with port-remap enabled on the service.
Fixed Versions:
17.0.0, 16.1.2.2
1047933-1 : Virtual server security policy - An error has occurred while trying to process your request
Links to More Info: BT1047933
Component: Advanced Firewall Manager
Symptoms:
While loading the security tab page in the virtual server configuration page, you see an error: "An error has occurred while trying to process your request"
Conditions:
This is encountered when clicking the security tab in the virtual server configuration page, when there are a large number of virtual servers on the BIG-IP system (~2500).
Impact:
Delay in security tab page loading times and possible page timeout.
Workaround:
None
Fix:
Updated the back-end logic to return details related to requested virtual server instead of all virtual servers.
Fixed Versions:
17.0.0, 16.1.5
1047581-3 : Ramcache can crash when serving files from the hot cache
Links to More Info: BT1047581
Component: Local Traffic Manager
Symptoms:
Under certain circumstances, TMM may crash when processing traffic for a virtual server that uses RAM Cache.
Conditions:
- RAM Cache configured
- Document served not out of the hotcache
- The server served with must-revalidate.
- The server 304 contains a 0 byte gzip payload
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1047389-4 : Bot Defense challenge hardening
Links to More Info: BT1047389
Component: Application Security Manager
Symptoms:
Under certain conditions, the Bot Defense profile does not follow current best practices.
Conditions:
Bot Defense profile used
Impact:
The Bot Defense profile does not follow current best practices.
Workaround:
None
Fix:
The Bot Defense profile now follows current best practices.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1047377-1 : "Server-speak-first" traffic might not work with SSL Orchestrator
Links to More Info: BT1047377
Component: SSL Orchestrator
Symptoms:
Server-speaks-first traffic does not pass through BIG-IP SSL Orchestrator. BIG-IP does not perform a TCP three-way handshake to the server.
Conditions:
SSL Orchestrator interception rule has an attached security policy that is service chaining and at-least one service has port-remap enabled.
Impact:
Connection does not succeed, client sees a reset after timeout.
Workaround:
Disable port-remap on service and redeploy.
Fix:
Fix SSL Orchestrator connector to handle server speaks first traffic. After fix, server-speaks-first traffic will work even with port-remap enabled on the service.
Fixed Versions:
17.0.0, 16.1.2.2
1047213-1 : VPN Client to Client communication fails when clients are connected to different TMMs.
Links to More Info: BT1047213
Component: TMOS
Symptoms:
Client-to-client communication between APM VPN clients connected to different TMMs does not work.
Conditions:
-- Clustered multiprocessing (CMP) is enabled.
Impact:
Client to client communication over the network access connection fails.
Workaround:
Demote the virtual server from CMP processing.
# tmsh modify ltm virtual <virtual> cmp-enabled no
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2
1047169-1 : GTM AAAA pool can be deleted from the configuration despite being in use by an iRule.
Links to More Info: BT1047169
Component: TMOS
Symptoms:
A BIG-IP Administrator is incorrectly able to delete a GTM AAAA pool from the configuration, despite this object being referenced in an iRule in use by an AAAA wideip.
An error similar to the following example will be visible in the /var/log/gtm file should the iRule referencing the pool run after the pool has been deleted:
err tmm[11410]: 011a7001:3: TCL error: Rule /Common/my_rule <DNS_REQUEST> - GTM Pool 'my_pool' of type 'A' not found (line 1)GTM Pool 'my_pool' of type 'A' not found (line 1) invoked from within "pool my_pool"
Note the error message incorrectly reports the pool as type A (it should report type AAAA).
Conditions:
-- Two GTM pools of type A and AAAA share the same exact name (which is legal).
-- The pool name is referenced in an iRule by the 'pool' command.
-- The iRule is in use by an AAAA wideip.
-- A BIG-IP Administrator attempts to delete the AAAA pool.
Impact:
The system incorrectly allows the deletion of the AAAA pool from the configuration.
Consequently, the next time the GTM configuration is reloaded from file, the operation will fail.
Additionally, traffic which relied on the pool being present in the configuration will fail.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1046917-4 : In-TMM monitors do not work after TMM crashes
Links to More Info: BT1046917
Component: In-tmm monitors
Symptoms:
After TMM crashes and restarts, in-TMM monitors do not run. Monitored pool members are down.
Conditions:
-- In-TMM monitors are enabled.
-- TMM exits abnormally, as a result of one of the following:
+ TMM crashing and restarting
+ TMM being sent a termination signal (i.e. using 'pkill' to kill TMM)
Note: This issue does not occur if TMM is restarted using 'bigstart' or 'tmsh sys service'.
Impact:
Monitored pool members are offline.
Workaround:
One of the following:
1. Do not use in-TMM monitors.
2. After TMM restarts, manually restart bigd:
tmsh restart sys service bigd
3. Add an entry to /config/user_alert.conf such as the following, so that the system restarts bigd when TMM starts up.
On an appliance or single-slot vCMP guest/tenant:
alert id1046917 "Tmm ready - links up." {
exec command="bigstart restart bigd"
}
On a VIPRION or multi-slot vCMP guest/tenant:
alert id1046917 "Tmm ready - links up." {
exec command="clsh --color=all bigstart restart bigd"
}
Note: This change must be made separately on each device in a ConfigSync device group.
Fixed Versions:
17.1.0, 16.1.4, 15.1.8
1046785-1 : Missing GTM probes when max synchronous probes are exceeded.
Links to More Info: BT1046785
Component: Global Traffic Manager (DNS)
Symptoms:
GTM probes are missing, resources are marked down.
When instances fail and BIG-IP is not aware of the failure, some virtual servers/pool members are marked as available and some objects are marked down on part of the sync group members.
In the /var/log/gtm file, the following message may be seen:
011ae116:4: The list processing time (x seconds) exceeded the interval value. There may be too many monitor instances configured with a y second interval
Note that this message is only logged once when gtmd is restarted, or when monitors are added or removed in the gtm configuration.
In 14.1.x and earlier the message will be slightly different:
011ae106:5: The monitor probing frequency has been adjusted because more than 130 synchronous monitors were detected
Conditions:
Max synchronous probes are exceeded. This value is controlled by the GTM global variable max-synchronous-monitor-requests.
Impact:
-- Resources are marked down.
-- Inconsistent monitor statuses across BIG-IP DNS systems in a single sync group, with some showing 'big3d: timed out' and others potentially showing a stale up or down status for the same targets.
-- Because some monitor instances don't have monitor traffic, if an instance fails, the BIG-IP DNS systems may not be aware of the failure.
Workaround:
Increase the value of Max Synchronous Monitor Requests:
tmsh modify gtm global-settings metrics max-synchronous-monitor-requests value <value - default is 20>
Fix:
All monitors are now allowed to probe without triggering a failure.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5, 13.1.5
1046693-4 : TMM with BFD confgured might crash under significant memory pressure
Links to More Info: BT1046693
Component: TMOS
Symptoms:
TMM might crash when processing BFD traffic under high memory pressure.
Conditions:
- BFD in use.
- TMM under high memory pressure.
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1046669-1 : The audit forwarders may prematurely time out waiting for TACACS responses
Links to More Info: BT1046669
Component: TMOS
Symptoms:
If a TACACS server takes longer than five seconds to respond, the audit forwarder will reset the connection.
Conditions:
-- Using remote TACACS logging.
-- TACACS server takes longer than 5 seconds to respond to logging requests.
Impact:
Misleading log messages.
Fix:
The time that a BIG-IP system will wait for a response from a TACACS server is now configurable using the DB variable config.auditing.forward.tacacs.timeout.response.
Behavior Change:
The time that a BIG-IP system will wait for a response from a TACACS server is now configurable using the DB variable config.auditing.forward.tacacs.timeout.response.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1046633-1 : Rare tmm crash when sending packets to apmd fails
Links to More Info: BT1046633
Component: Access Policy Manager
Symptoms:
Tmm crashes while passing APM traffic
Conditions:
iRules involving ACCESS::session evaluate, or presence of access per-request policies that involves apmd like ldap/saml authentication.
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1046469-1 : Memory leak during large attack
Links to More Info: BT1046469
Component: Anomaly Detection Services
Symptoms:
ADMD daemon memory consumption increases over several days until it causes OOM.
Conditions:
A large DoS attack occurs and is not mitigated.
Impact:
ADMD daemon will get killed and restarted. Due to the restart, the BADoS protection might be disabled for a couple of seconds.
Workaround:
To workaround the issue before installing the fix, ADMD could be monitored by a script and restarted as needed. This is similar to the current behavior, but it will avoid reaching OOM which might affect other daemons.
Fix:
The memory leak was found and fixed.
Fixed Versions:
16.1.5
1046401-2 : APM logs shows truncated OCSP URL path while performing OCSP Authentication.
Links to More Info: BT1046401
Component: Access Policy Manager
Symptoms:
While performing OCSP authentication, the APM log file (/var/log/apm) shows the incomplete path of the OCSP URL.
Conditions:
-- Configure OCSP Server object
-- Configure OCSP Agent in the VPE
-- Perform OCSP Authentication
Impact:
Incomplete path of the OCSP URL causes ambiguity and gives the impression that APM is not parsing the URL correctly, while LTM parses correctly at the same time.
Workaround:
N/A
Fix:
The APM deamon parses the given OCSP URL correctly but while printing it in the logs the apmd is reading it partially due to limited log buffer size.
The log buffer size is increased to print the complete OCSP URL paths.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1046317-2 : Violation details are not populated with staged URLs for some violation types
Links to More Info: BT1046317
Component: Application Security Manager
Symptoms:
The "Triggered Violations" field in the event log screen and corresponding data in remote logging is not populated.
Conditions:
- The URL is in staging
- The triggered violation is one of the following violations
VIOL_MANDATORY_REQUEST_BODY
VIOL_URL_CONTENT_TYPE
VIOL_METHOD
Impact:
Lack of details in the request log event.
Workaround:
None
Fix:
This defect is closely related to ID1036305 and both defects are fixed together
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1
1046025-3 : The iavf and ixlv drivers have incorrect VHO flag for all packets
Links to More Info: BT1046025
Component: TMOS
Symptoms:
When enabling the xnet-ixlv or iavf driver, all packets have the VHO flag set.
Conditions:
-- Using xnet-ixlv driver
-- Using iavf driver
Impact:
All packets have VHO flag set increasing the VHO counter.
All packets should not have a VHO flag set, especially when the packets are passed from an untagged interface of VLAN.
Workaround:
None
Fix:
Only appropriate packets will have the VHO flag set.
Fixed Versions:
17.1.0, 16.1.5
1045549-4 : BFD sessions remain DOWN after graceful TMM restart
Links to More Info: BT1045549
Component: TMOS
Symptoms:
BFD sessions remain DOWN after graceful TMM restart
Conditions:
TMM is gracefully restarted, for example with 'bigstart restart tmm' command.
Impact:
BFD sessions remain DOWN after graceful TMM restart
Workaround:
After restarting TMM, restart tmrouted.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1045421-1 : No Access error when performing various actions in the TMOS GUI
Links to More Info: K16107301, BT1045421
Component: TMOS
Symptoms:
An authenticated administrative user is redirected to a 'No Access' error page while performing various actions in the TMOS GUI, including when trying to:
-- Apply a policy to a virtual server
-- Import images (TMOS images / hotfixes / apmclients)
-- Export/apply an APM policy
-- Run the high availability (HA) setup wizard
-- Export a certificate/key through one of the following paths:
---- System / Certificate Management : Traffic Certificate Management : SSL Certificate List / test-renew-self-sign / Renew
---- DNS / GSLB : Pools : Pool List / Click Testpool / Click Members / Click Manage
---- System / Software Management : APM Clients / Import
---- System / Certificate Management : Traffic Certificate Management : SSL Certificate List / NewSSLCert / Certificate / Export / Click Download
Conditions:
This may occur when performing various actions in the TMOS GUI on a version of BIG-IP software (including Engineering Hotfixes) that includes fixes for ID1032405 :: https://cdn.f5.com/product/bugtracker/ID1032405.html and ID941649 :: https://cdn.f5.com/product/bugtracker/ID941649.html .
Impact:
Cannot perform various actions in the TMOS GUI.
Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.
Fix:
'No Access' errors no longer occur when performing various actions in the TMOS GUI under these conditions.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1045229-1 : APMD leaks Tcl_Objs as part of the fix made for ID 1002557
Links to More Info: BT1045229
Component: Access Policy Manager
Symptoms:
APMD memory grows over time causing OOM killer to kill apmd
Conditions:
Access policy has resource assignment agents/variable assignments
Impact:
APMD memory grows over time and OOM killer may terminate apmd thereby affecting traffic. Access traffic disrupted while apmd restarts.
If APMD is not killed by OOM killer the system may start thrashing and become unstable, generally resulting in cores from innocent processes that are no longer scheduled correctly - keymgmtd, bigd, mcpd are typical victims.
Ultimately system may restart automatically as watchdogs fail.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
1044893 : Kernel warnings from NIC driver Realtek 8139
Links to More Info: BT1044893
Component: TMOS
Symptoms:
Excessive kernel logs occur from the NIC driver Realtek 8139
Conditions:
-- Realtek 8139 driver is used
-- Packets with partial checksum and protocol IPPROTO_TCP/IPPROTO_UDP arrives
Impact:
The Realtek 8139 driver logs excessive kernel warnings.
Fix:
Updated in Realtek 8139 driver, for such a scenario the kernel logs would be triggered only at once.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1044457-3 : APM webtop VPN is no longer working for some users when CodeIntegrity is enabled.
Links to More Info: BT1044457
Component: Access Policy Manager
Symptoms:
Users are unable to use the BIG-IP VPN in Edge, Internet Explorer, Firefox, and Chrome.
Microsoft believes the issue is because the Network Access webtop is using MSXML 2.0a which is blocked by their desktop policy
Conditions:
-- Attempting to connect to Network Access VPN using Edge, Internet Explorer, Chrome and Firefox.
-- CodeIntegrity is enabled
Impact:
Users are not able to connect to F5 VPN through APM Browser.
Workaround:
Workaround is to use the BIG-IP Edge client.
Fix:
Users should be able to access Network Access VPN through APM Browser.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1044425-1 : NSEC3 record improvements for NXDOMAIN
Links to More Info: K85021277, BT1044425
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP DNSSEC NSEC3 records for NXDOMAIN responses can be improved to support current best practices.
Conditions:
- DNSSEC zone configured
Impact:
BIG-IP DNSSEC NSEC3 records for NXDOMAIN responses do not follow current best practices.
Workaround:
N/A
Fix:
BIG-IP DNSSEC NSEC3 records for NXDOMAIN responses now follow current best practices.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1044121-3 : APM logon page is not rendered if db variable "ipv6.enabled" is set to false
Links to More Info: BT1044121
Component: Access Policy Manager
Symptoms:
When accessing a Virtual Server with an access policy, users are redirected to the hangup page.
Conditions:
Db variable "ipv6.enabled" is set to false
Impact:
Users will not be able to access the virtual server and associated resources behind it.
Workaround:
Keep the value of db variable "ipv6.enabled" set to true.
# setdb "ipv6.enabled" true
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
1044089-3 : ICMP echo requests to virtual address gets a response even when the virtual server is offline when updated from GUI.
Links to More Info: BT1044089
Component: TMOS
Symptoms:
Virtual address is reachable even when the virtual server is offline.
Conditions:
The virtual server status is updated to offline by modifying the virtual server and adding an iRule via the GUI.
Impact:
ICMP echo requests are still handled by the virtual address even though the virtual server is marked offline.
Workaround:
Use tmsh to attach the iRule to the virtual server:
tmsh modify ltm virtual <virtual_server_name> rules {<rule_name> }
Fix:
Virtual address is no longer reachable when virtual server is offline.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1043805-3 : ICMP traffic over NAT does not work properly.
Links to More Info: BT1043805
Component: Local Traffic Manager
Symptoms:
ICMP traffic hitting a NAT translation address is dropped and not sent further to the originating address.
Conditions:
-- An LTM NAT is configured.
-- ICMP traffic arrives.
Impact:
ICMP traffic fails to be forwarded over the NAT.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1
1043533-3 : Unable to pick up the properties of the parameters from audit reports.
Links to More Info: BT1043533
Component: Application Security Manager
Symptoms:
In the GUI under Security ›› Application Security : Audit : Reports, if you select "User-input parameters..." in the menu "Security Policy Audit Reports", then click on the parameter to retrieve the properties, you will see this error:
" Could not retrieve parameter; Could not get the Parameter, No matching record was found."
Conditions:
1) Create a new parameter.
2) Customize or overwrite an existing ASM signature for the parameter in question.
3) Save and apply to the policy the new changes
4) Go to:
Security ›› Application Security : Audit : Reports
Report Type : User-input parameters with overridden attacks signatures (this also happens for other "User-input parameters...")
Select the parameter to audit
Error: "Could not retrieve parameter; Could not get the Parameter, No matching record was found."
Impact:
A page error occurs.
Workaround:
1. Open in a separate tab the following screen: Security ›› Application Security : Parameters : Parameters List
2. Under "Parameter List" title, there is a filter dropdown with the "Parameter Contains" texting.
3. On the blank part (before "Go" button) type the name of the required parameter.
4. You will get the desired page with the desired parameter properties.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1043385-4 : No Signature detected If Authorization header is missing padding.
Links to More Info: BT1043385
Component: Application Security Manager
Symptoms:
If the Authentication scheme value in the Authorization header contains extra/missing padding in base64, then ASM does not detect any attack signatures.
Conditions:
HTTP request with Authorization header contains base64 value with extra/missing padding.
Impact:
Attack signature not detected.
Workaround:
N/A
Fix:
Base64 values with extra/missing padding has been handled to detect attack signature
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1043357-4 : SSL handshake may fail when using remote crypto client
Links to More Info: BT1043357
Component: Local Traffic Manager
Symptoms:
ServerSSL handshake fails when verifying ServerKeyExchange message.
Conditions:
Remote crypto client is configured and the ServerSSL profile connects using an ephemeral RSA cipher suite.
Impact:
The virtual server is unable to connect to the backend server.
Workaround:
Use non-ephemeral RSA or ECDSA cipher suite on ServerSSL.
Fix:
Fix remote crypto client.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1043217-1 : NTLM frontend auth fails with the latest Microsoft RDP client on MacOS 14.0.1 platform
Links to More Info: BT1043217
Component: Access Policy Manager
Symptoms:
NTLM frontend auth fails with the latest Microsoft RDP client on MacOS 14.0.1 platform
Conditions:
Windows Server configured as a back-end and BIG-IP is acting as an RDP gateway. After recent upgrade of MacOS Client (iOS 14.0.1), the Remote desktop starts failing.
Latest Microsoft RDP clients mandate below three flags as part of NTLM CHALLENGE message which will sent from NTLM Auth Server/Proxy
1.NTLMSSP_NEGOTIATE_KEY_EXCH
2.NTLMSSP_NEGOTIATE_VERSION
3.NTLMSSP_REQUEST_TARGET
Due to this, RDP client rejecting the NTLM challenge, and authentication is failing.
Impact:
Users won't be able to establish RDP sessions to the backend Windows Server
Fix:
Updated the ECA (NTLM frontend auth service) to include these flags as part of NTLM Challenge.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1043205-1 : SSRF Violation should be shown as a Parameter Entity Reference.
Links to More Info: BT1043205
Component: Application Security Manager
Symptoms:
SSRF Violation is shown as a URL Entity Reference instead of a Parameter Entity Reference.
Conditions:
- Create a URI data type parameter
- Add a host to the SSRF Host List
- Send traffic which contains the URI parameter with the value configured in the SSRF Host List
Impact:
Wrong Entity Reference in the SSRF violation is misleading.
Workaround:
N/A
Fix:
Corrected the Entity reference as a parameter instead of a URL in the SSRF violation.
Fixed Versions:
16.1.2.1
1043017-4 : Virtual-wire with standard-virtual fragmentation
Links to More Info: BT1043017
Component: Local Traffic Manager
Symptoms:
A standard virtual-server configured on top of a virtual-wire has unexpected handling of fragmented IP traffic.
Conditions:
Standard virtual-server configured on top of a virtual-wire handling fragmented IP traffic.
Impact:
- Fragments missing on egress.
- Packet duplication on egress.
Workaround:
Use fastl4 virtual-server instead.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6
1043009 : TMM dump capture for compression engine hang
Links to More Info: BT1043009
Component: Local Traffic Manager
Symptoms:
TMM crashes
Conditions:
The system detects a Nitrox hang and attempts to reset it.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Set Nitrox3.Compression.HangReset db variable to reset
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1042917-1 : Using 'Full Export' of security policy should result with no diffs after importing it back to device.
Links to More Info: BT1042917
Component: Application Security Manager
Symptoms:
'Declarative policy import' is adding entities into the policy according what it has in the JSON file.
When it imports the policy builder settings, some automatic changes are created in the policy, and it may override other entities which were added before.
Conditions:
Policy builder settings are added in import after other affected entities were added before.
Impact:
The resulted policy will be different from the exported policy.
Workaround:
N/A
Fix:
'Declarative Policy import' first adds the policy builder settings, and all other affected entities are imported only after it, and in this way the resulted policy is the same as the exported one.
Fixed Versions:
17.0.0, 16.1.2
1042913-2 : Pkcs11d CPU utilization jumps to 100%
Links to More Info: BT1042913
Component: Local Traffic Manager
Symptoms:
CPU utilization of pkcs11d increases to 100%.
Conditions:
This occurs when pkcs11d is disconnected from the external HSM.
Impact:
As the pkcs11d consumes most of the CPU, other processes are starved for CPU.
Workaround:
None.
Fix:
Pkcs11d no longer consumes 100% CPU when it is disconnected from the external HSM.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1042737-4 : BGP sending malformed update missing Tot-attr-len of '0.
Links to More Info: BT1042737
Component: TMOS
Symptoms:
BIG-IP might send a malformed BGP update missing Tot-attr-len of '0 when performing a soft reset out.
Conditions:
-- Multiple traffic groups configured.
-- A BGP soft reset occurs.
Impact:
BGP peering resets.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1042605-1 : ASM Critical Warnings during UCS load after upgrade to v15.1.0 or above★
Links to More Info: BT1042605
Component: Application Security Manager
Symptoms:
Following an upgrade, an error occurs:
ERROR: Failed during loading ASM configuration.
An "ASM critical warning" banner is displayed in the ASM GUI.
Conditions:
-- ASM is upgraded to v15.1.0 or above
-- The following query returns results prior to upgrading:
SELECT policy_name_crc FROM DCC.ACCOUNTS accounts WHERE policy_name NOT IN (SELECT name FROM PLC.PL_POLICIES)
Impact:
ASM upgrade is aborted due to an exception:
Can't call method "clear_traffic_data" on unblessed reference
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1042589-1 : Wrong trunk_id is associated in bcm56xxd.
Links to More Info: BT1042589
Component: TMOS
Symptoms:
When a set of interfaces are moved from one trunk to another, the now empty trunk is left with a valid association in bcm56xxd, and deleting that trunk can cause a valid trunk to be removed in the BCM hardware.
'tmsh show net trunk MY_TRUNK' shows the trunk is UP, but in fact the trunk is unconfigured in hardware.
Conditions:
Moving the interfaces across trunks.
i.e.
tmsh modify net trunk MY_OLD_TRUNK interfaces none
tmsh modify net trunk MY_NEW_TRUNK interfaces add { 1.1 1.2 }
tmsh delete net trunk MY_OLD_TRUNK
Impact:
May cause an L2 traffic loop.
Fixed Versions:
17.0.0, 16.1.5, 15.1.10
1042509-1 : On an HTTP2 gateway virtual server, TMM does not ever update the stream's window for a large POST request
Links to More Info: BT1042509
Component: Local Traffic Manager
Symptoms:
On an HTTP2 gateway virtual server (HTTP/2 on clientside, no httprouter profile), TMM does not update the stream's window (i.e. acking data at the HTTP/2 stream layer). This causes large HTTP requests with payloads (i.e. POSTs) to stall and eventually time out.
TMM does sometimes send WINDOW_UPDATE messages for the entire connection, but not for the stream. Since flow control is required at both the connection and stream levels, the client stalls out.
Conditions:
-- Virtual server with HTTP2 profile
-- Configured as HTTP2 Gateway (HTTP2 profile on clientside and no 'httprouter' profile)
-- Client sends large data transfer to the virtual server
Impact:
Client data transfer through HTTP/2 virtual server (POST / PUT / etc) fails.
Workaround:
Use an HTTP router profile (assign the 'httprouter' profile to the virtual server, or select the 'HTTP MRF Router' option in TMUI)
Fixed Versions:
17.0.0, 16.1.2.2
1042505-1 : Session variable "session.user.agent" does not get populated for edge clients
Links to More Info: BT1042505
Component: Access Policy Manager
Symptoms:
Access policy agents and iRules that depend on "session.user.agent" session variable fail to execute properly.
Conditions:
Access polices have agents that depend on the value of session variable "session.user.agent" for its execution.
Impact:
Any access policy agents that depend on this session variable will not be able to follow the rules.
Workaround:
An iRule can be used to generate a session variable. For example:
# This event fires once per session
when ACCESS_SESSION_STARTED {
log local0. "Setting User-Agent based on HTTP data - [HTTP::header User-Agent]"
ACCESS::session data set session.custom.client.useragent [HTTP::header User-Agent]
#Use this variable in the VPE to make some decision
}
Fix:
Fix now sets the session variable properly.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1042153-2 : AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN.
Links to More Info: BT1042153
Component: Advanced Firewall Manager
Symptoms:
The BIG-IP system is unable to restore the Timestamp (by replacing the TS cookie) when the packet is offloaded to hardware. This happens only when TS cookie enabled on either of the VLANS (client/server), when the TS cookie enabled on both the VLAN no issues are seen.
Conditions:
Configure TCP BADACK Flood DDoS vector to start mitigation at a given value and enable TS cookies on the server VLAN.
Impact:
The TS cookie will not be restored to its original value when the SYN packet is processed by software in BIG-IP and the SYNACK will be handled by the hardware in BIG-IP. As s result, end-hosts (client/server) RTT calculation is incorrect and causes various issues (ex : blocks the Internet access from hosts in the backend infrastructure).
Workaround:
Use fastL4 profile with EST mode i.e. change the 'pva-offload-state to EST'
Fix:
Restoring the Timestamp is fine.
Fixed Versions:
17.1.1, 17.0.0, 16.1.5, 15.1.10
1042069-1 : Some signatures are not matched under specific conditions.
Component: Application Security Manager
Symptoms:
Some signatures are not matched and attack traffic can pass through.
Conditions:
There are more than 20 signatures that have a common keyword with a signature that does not match (and has a common keyword and a new keyword).
Impact:
Attacking traffic can bypass the WAF.
Workaround:
N/A
Fix:
Attack signatures that share words with other attack signatures will be matched correctly now.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5, 13.1.5
1041985-1 : TMM memory utilization increases after upgrade★
Links to More Info: BT1041985
Component: Access Policy Manager
Symptoms:
TMM memory utilization increases after upgrading.
The keep-alive interval of the _tmm_apm_portal_tcp default profile is set to a value that is less than the Idle Timeout setting.
Conditions:
-- APM enabled and passing traffic
-- The configuration has a profile that uses or is derived from _tmm_apm_portal_tcp where the keep-alive interval was reduced to 60
Note that this can be encountered any time a tcp profile contains a keep-alive interval setting that is less than the idle timeout.
For more information about the relationship between keep-alive and idle time out, see K13004262: Understanding Idle Timeout and Keep Alive Interval settings in the TCP profile, available at https://support.f5.com/csp/article/K13004262
Impact:
TMM memory may increase while passing traffic.
Workaround:
Change the tcp keep alive interval to the default setting of 1800 seconds.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1041865-4 : Correctable machine check errors [mce] should be suppressed
Links to More Info: K16392416, BT1041865
Component: TMOS
Symptoms:
Log emerg in kern.log similar to:
emerg kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 10: cc003009000800c1
Conditions:
Correctable errors can be identified by analyzing the 16‐bit value shown in bits [31:16] of the 64‐bit error from the /var/log/kern.log message. There are many types of correctable errors that are not service impacting. Correctable errors are part of the ECC DIMM technology. The following is an example of a correctable error.
An example is shown below.
Log error matches this pattern:
Machine Check: 0 [bank number]: [cc003009][0008][00c1]
bits [31:16] = 0008
Impact:
Correctable errors are logged in kern.log and to the console. There is no functional impact.
Workaround:
If the error message matches the signature in the example above, an RMA is not needed.
If the error message does not match that signature, check the system's traffic condition and confirm there is no negative performance impact. If no performance impact is observed then it means the error is a correctable error and an RMA is not required.
F5 recommends that you upgrade to a fixed TMOS version, then check that the error message is eliminated. For more information, see K16392416: Memory errors and MCE errors
Fix:
Fixed “correctable MCE error suppressed” errors.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
1041765-2 : Racoon may crash in rare cases
Links to More Info: BT1041765
Component: TMOS
Symptoms:
Racoon may crash when NAT Traversal is on and passing IPsec traffic in IKEv1.
Conditions:
-- IKEv1 IPsec tunnel configured
-- NAT Traversal is on in ike-peer configuration.
Impact:
Racoon will crash and any IKEv1 tunnels will restart
Workaround:
Use IKEv2 only.
Fix:
This racoon crash has been stopped.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.10
1041149-1 : Staging of URL does not affect apply value signatures
Links to More Info: BT1041149
Component: Application Security Manager
Symptoms:
When a URL is staged and a value content signature is detected, the matched request is blocked.
Conditions:
-- URL is set to staging;
-- Only default ("Any") content profile is present, set to apply value signatures (all other content profiles deleted);
-- Request matches attack signature
Impact:
The request for staged URL is blocked
Workaround:
Configure relevant content profiles or leave the default content profiles configuration.
Fix:
Fixed to correctly handle URL staging in case of only "Any" content profile.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1040829-4 : Errno=(Invalid cross-device link) after SCF merge
Links to More Info: BT1040829
Component: Access Policy Manager
Symptoms:
A single config file (SCF) merge fails with the following error:
01070712:3: failed in syscall link(/var/system/tmp/tmsh/IHxlie/files_d/Common_d/customization_group_d/:Common:otters-connectivity_1_secure_access_client_customization_62552_1, /config/filestore/.trash_bin_d/.current_d/Common_d/customization_group_d/:Common:otters-connectivity_1_secure_access_client_customization_62552_1) errno=(Invalid cross-device link)
Conditions:
A customization group with the same name is present in both the SCF file and the BIG-IP device.
Impact:
SCF merge fails
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1040821-4 : Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes
Links to More Info: BT1040821
Component: TMOS
Symptoms:
Address Translation and Port Translation checkboxes are automatically checked under the virtual server's advanced configuration.
Conditions:
Virtual Server's Advanced configuration option is selected followed by adding an iRule or a pool.
Impact:
The Address and Port translation options are automatically checked when the default is to have them unchecked.
Workaround:
Manually un-check Address Translation and Port Translation checkboxes under virtual server's advanced configuration
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1040757-1 : A BD memory leak was fixed
Links to More Info: BT1040757
Component: Application Security Manager
Symptoms:
Memory leak in the bd under specific policy and traffic conditions.
Conditions:
Specific policy and traffic conditions.
Impact:
Over time, the bd process memory increases until killed by the kernel.
Workaround:
N/A
Fix:
Memory leak in the bd was fixed.
Fixed Versions:
17.0.0, 16.1.4
1040685-4 : Core file on blade slot2 after reboot (TMM SIGSEGV in pktclass_classifier)
Links to More Info: BT1040685
Component: Advanced Firewall Manager
Symptoms:
Tmm crashes after reboot.
Conditions:
This is encountered intermittently after rebooting a blade.
Impact:
Slot usable until manual intervention. Traffic disrupted while tmm restarts.
Note: this issue happened only once and no further occurrence was reported.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
1040677 : BIG-IP D120 platform reports page allocation failures in N3FIPS driver
Links to More Info: BT1040677
Component: Local Traffic Manager
Symptoms:
Despite having free memory, the BIG-IP system logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:
swapper/6: page allocation failure: order:2, mode:0x204020
After that, a stack trace follows. The process name in the line ('swapper/16', in this example). You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This issue is known to occur on the appliance D120 (iSeries i15820-DF).
Impact:
As different processes can experience this issue, and the system may behave unpredictably. Software installation may fail.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommend to increase this to 128 MB (131072 KB).
When instantiating this workaround, consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID 851785' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID851785' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on the BIG-IP appliance and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the BIG-IP appliance and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
Fix:
The BIG-IP system no longer experiences excessive kernel page allocation failures.
Fixed Versions:
17.0.0, 16.1.1
1040609-1 : RFC enforcement is bypassed when HTTP redirect irule is applied to the virtual server.
Links to More Info: K21800102, BT1040609
Component: Local Traffic Manager
Symptoms:
Specifically crafted HTTP request may lead the BIG-IP system to pass malformed HTTP requests to a target pool member web server.
Conditions:
RFC enforcement enabled from the HTTP profile or tmm.http.rfc.enforcement db variable.
HTTP redirect irule applied to virtual server.
Running a BIG-IP version that contains the fix for the issue described in K50375550: A specifically crafted HTTP request might lead the BIG-IP system to pass malformed HTTP requests to a backend server
Impact:
Specifically crafted HTTP request might lead the BIG-IP system to pass malformed HTTP requests to a target pool member web server.
Workaround:
N/A
Fix:
The issue is fixed with content-length header stripped off when both Content-Length and Transfer-Encoding present in the header.
Behavior Change:
The content-length header is removed when both content-length and Transfer-Encoding are present in the header.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1040573-4 : REST operation takes a long time when two different users perform tasks in parallel
Links to More Info: BT1040573
Component: TMOS
Symptoms:
A considerable delay is observed when different users attempt to execute multiple iControl Rest (iCR) requests in parallel.
The below restjavad error log will be observed as async context's state expired before icrd times out during delay in processing requests. This error can be observed when there is considerable delay in request processing irrespective of single user or different users.
[WARNING][7777][25 Jan 2024 16:09:47 UTC][RestOperation]
Exception in POST http://localhost:8100/mgmt/shared/appsvcs/declare failed. t: java.lang.IllegalStateException: AsyncContext completed and/or Request lifecycle recycled
Conditions:
Multiple iControl REST operations are performed by different users in parallel.
When attempting multiple requests by single or multiple users with and without bulk config, the following behaviors are observed:
5 ICRD children getting spawned successfully and same are being observed in logs and noticed that these children are serving multiple rest requests fired by multiple users
Observed expected results for all below scenarios, except the last scenario which has a caveat:
1. Verify multiple rest requests fired with single user
2. Verify multiple rest requests fired with multiple users(5 users )
3. Verify single rest request fired with multiple users (5 users)
4. Verify multiple rest requests fired from multiple users with Bulk config(5 users)
5. Verify single rest request fired from multiple users with Bulk Config(5 users)
Scenario 5 has a Caveat with the current fix, since this fix limits up to 4 concurrent requests, the connection may be refused for some of the requests if the concurrent requests are more than 4.
Impact:
BIG-IP system performance is impacted.
Workaround:
Use only one user to process the multiple requests.
OR
Send multiple requests in a single iControl Rest transaction.
Fix:
Create icrd child per user to avoid context switching. If maxNumChild threshold is reached then allocate users in round robin fashion to all available children to process the requests.
Fixed Versions:
16.1.5
1040513-5 : The counter for "FTP commands" is always 0.
Links to More Info: BT1040513
Component: Application Security Manager
Symptoms:
On the FTP Statistics page, the "FTP Commands" value is always zero.
Conditions:
FTP security is applied and "FTP commands violations" is enforced.
Impact:
The FTP security does not show violations statistics regarding the FTP commands.
Workaround:
None
Fix:
"FTP commands statistics" now shows an accurate value in the UI.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1040361-1 : TMM crashes during its startup when TMC destination port list attached/deleted to virtual server.
Links to More Info: BT1040361
Component: Local Traffic Manager
Symptoms:
-- Log message written to TMM log file:
panic: ../kern/page_alloc.c:736: Assertion "vmem_hashlist_remove not found" failed.
Conditions:
-- Virtual Server using a traffic-matching-criteria (TMC) with a destination-port-list, with multiple distinct ranges of ports.
-- Config changes to virtual server with traffic-matching criteria can cause memory corruption which can lead to delayed TMM crashes.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use Traffic Matching Criteria with destination port lists.
TMM restart is required in case the virtual server is modified with traffic-matching-criteria related config.
Fix:
TMM no longer crashes under these conditions.
Fixed Versions:
17.0.0, 16.1.2, 15.1.5, 14.1.4.5
1040117-2 : BIG-IP Virtual Edition drops UDP packets
Links to More Info: BT1040117
Component: TMOS
Symptoms:
BIG-IP Virtual Edition drops padded UDP packets when the hardware will accept and forward these same packets.
Conditions:
-- BIG-IP Virtual Edition
-- Padded UDP packets are sent
Impact:
UDP packets are dropped, potentially disrupted traffic
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1040017-5 : Final ACK validation during flow accept might fail with hardware SYN Cookie
Links to More Info: BT1040017
Component: Local Traffic Manager
Symptoms:
With hardware SYN cookie mode enabled, final ACK validation during flow accept fails and ACK packets are dropped. Such error messages are being logged in LTM logs :
"An Enforced Device DOS attack start was detected for vector TCP half-open"
Conditions:
-- Hardware SYN Cookie is enabled
-- BIG-IP is under TCP half-open attack and packet hits a CMP forwarding flow
Impact:
ACK packets are wrongly dropped, causing traffic interruption.
Workaround:
Disable hardware SYN Cookie
Fixed Versions:
17.0.0, 16.1.4, 15.1.7
1039941-3 : The webtop offers to download F5 VPN when it is already installed
Links to More Info: BT1039941
Component: Access Policy Manager
Symptoms:
A pop-up window shows up and requests to download the client component.
Conditions:
Either of these conditions can trigger this issue:
-- Network Access configured and webtop type to "Network Access"
-- VPE configured
[Machine Info (or Anti Virus Check)] -- [Resource Assignment (NA + Webtop)]
or
-- Network Access (auto-launch) and webtop configured
-- VPE configured
[Machine Info (or Anti Virus Check)] -- [Resource Assignment (NA + Webtop)]
Impact:
End users are unable to use the browser-based VPN.
Workaround:
Any one of these following workarounds will work:
-- Use Internet Explorer.
-- Do not configure Network Access auto launch or "Network Access" for the webtop type.
-- Insert the message box between Client Inspection (Machine info, etc.) and "Resource Assignment" on the VPE.
-- Ignore the message (click "Click here"), and it allows you to move on to the next step.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1039725-1 : Reverse proxy traffic fails when a per-request policy is attached to a virtual server.
Links to More Info: BT1039725
Component: Access Policy Manager
Symptoms:
Reverse proxy or inbound traffic fails during SSL renegotiation when a per-request policy is attached to the virtual server.
Conditions:
-- SSL Orchestrator is licensed and provisioned.
-- Per-request policy is attached to virtual server.
-- Client or backend server initiates SSL renegotiation.
Impact:
Reverse proxy traffic fails during SSL renegotiation.
Workaround:
If renegotiation is not required then it can be disabled on BIG-IP. The client SSL and server SSL profiles have 'Renegotiation' settings. If it is set to disabled, BIG-IP or SSL Orchestrator does not do SSL renegotiation.
Fix:
Reverse proxy or inbound traffic no longer fails during SSL renegotiation when per-req policy is attached to the virtual server.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.9
1039553-1 : Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitors
Links to More Info: BT1039553
Component: Global Traffic Manager (DNS)
Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up, depending on the monitor's configuration).
Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.
-- The monitor tries to match an HTTP status code other than 200 (for example, 301).
-- The monitor uses HTTP version 1.0 or 1.1 for the request (the default is 0.9).
Impact:
The system incorrectly considers all non-200 responses a failed monitor attempt, despite what the user specified as acceptable status codes in the monitor's configuration. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.
Workaround:
You can work around this issue in any of the following ways:
-- Use HTTP version 0.9 for the monitor requests.
-- Match on the 200 HTTP status code.
-- Do not use HTTP status matching altogether.
Fix:
GTM HTTP(S) monitors using HTTP version 1.0 or 1.1 can now successfully match status codes other than 200 in the response.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5
1039329-2 : MRF per peer mode is not working in vCMP guest.
Links to More Info: BT1039329
Component: Service Provider
Symptoms:
MRF diameter setup, in peer profile "auto-initialization" and "per peer" mode are enabled, but no connection attempts towards the pool member occur.
When the mode is switched to "per tmm" or "per blade", connections are established.
Conditions:
The peer connection mode in the peer profile is set to "per peer".
Impact:
The "per peer" setting does not work.
Workaround:
Switch the connection mode to "per tmm" or "per blade"
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
1039245-2 : Policy Properties screen does not load and display
Links to More Info: BT1039245
Component: Application Security Manager
Symptoms:
On the Security ›› Application Security : Security Policies : Policies List page, if you click one of the policies, the page gets stuck in " Loading policy general settings... "
Conditions:
This occurs if you try to view a policy that has no template associated
Impact:
Unable to use the GUI for the affected ASM policies.
Workaround:
# cp /var/ts/dms/script/dist/angular/TsuiAngularPoliciesScripts.min.js /shared/TsuiAngularPoliciesScripts.min.js.bk
# chmod 644 /var/ts/dms/script/dist/angular/TsuiAngularPoliciesScripts.min.js
# sed -i -e 's/"POLICY_TEMPLATE_GRAPHQL/p.policy.template\&\&"POLICY_TEMPLATE_GRAPHQL/' /var/ts/dms/script/dist/angular/TsuiAngularPoliciesScripts.min.js
# chmod 444 /var/ts/dms/script/dist/angular/TsuiAngularPoliciesScripts.min.js
# bigstart restart httpd
Fixed Versions:
17.0.0, 16.1.2.2
1039069-1 : Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049.★
Links to More Info: BT1039069
Component: Global Traffic Manager (DNS)
Symptoms:
For more information on the specific issues fixed, please refer to:
https://cdn.f5.com/product/bugtracker/ID1010697.html
https://cdn.f5.com/product/bugtracker/ID1037005.html
https://cdn.f5.com/product/bugtracker/ID1038921.html
Please note the only versions 15.1.3.1 and 16.1.0 are affected.
Conditions:
-- Running BIG-IP version 15.1.3.1 or 16.1.0
-- RESOLV::lookup iRule is used
Impact:
Multiple issues can occur with the RESOLV::lookup command, such as DNS resolutions failing or incorrect DNS responses being received.
Workaround:
None
Fix:
-
Fixed Versions:
17.0.0, 16.1.1, 15.1.4
1039049-2 : Installing EHF on particular platforms fails with error "RPM transaction failure"
Links to More Info: BT1039049
Component: TMOS
Symptoms:
-- Installing an EHF fails with the error "RPM transaction failure"
-- Errors similar to the following are seen in the liveinstall.log file:
info: RPM: /var/tmp/rpm-tmp.LooFVF: line 11: syntax error: unexpected end of file
info: RPM: error: %preun(fpga-tools-atlantis-15.1.3-0.0.11.i686) scriptlet failed, exit status 2
Conditions:
-- Installing an EHF that contains an updated version of the 'fpga-tools-atlantis' package
-- Using the following platforms:
+ BIG-IP i4600 / i4800
+ BIG-IP i2600 / i2800
+ BIG-IP i850
Impact:
EHF installation fails.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1039041 : Log Message: Clock advanced by <number> ticks
Links to More Info: BT1039041
Component: Local Traffic Manager
Symptoms:
<ticks> is the number of milliseconds the Traffic Management Microkernel (TMM) clock is out of sync (behind) the system clock because the TMM thread is waiting for a response.
Logs are similar to below.
bigip1 notice tmm15[46856]: 01010029:5: Clock advanced by 103 ticks
bigip1 notice tmm7[46855]: 01010029:5: Clock advanced by 106 ticks
bigip1 notice tmm10[46855]: 01010029:5: Clock advanced by 107 ticks
bigip1 notice tmm25[46856]: 01010029:5: Clock advanced by 113 ticks
bigip1 notice tmm15[46856]: 01010029:5: Clock advanced by 121 ticks
bigip1 notice tmm5[46855]: 01010029:5: Clock advanced by 106 ticks
Conditions:
These logs are seen more frequently in i15820-DF platforms with FIPS enabled, in comparison to other FIPS platforms. The messages are observed during FIPS key lookup in the HSM. These lookups occur either during TMM start/restart or during SSL profile configuration modification.
Impact:
This message may appear intermittently depending on system load and conditions mentioned above, and it does not necessarily indicate system instability or a cause for concern unless accompanied by another error message or at the time of a serious event.
In all the above conditions, clock advance ticks are in the range of 100 - 170.
Fixed Versions:
17.0.0, 16.1.2
1038913-4 : The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category
Links to More Info: BT1038913
Component: Application Visibility and Reporting
Symptoms:
In GUI "Security ›› Reporting : Application : Charts" filtering "View By" as IP Intelligence "Last Week", "Last Month" and "Last Year" reports show the "Safe" category instead of "Aggregated".
Conditions:
-- ASM is provisioned
-- The system is under heavy traffic
-- The number of stats records per report period (5 min) is higher than 10,000
Impact:
Inaccurate Last Week IPI reporting
Fixed Versions:
16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1038753-4 : OAuth Bearer with SSO does not process headers as expected
Links to More Info: K75431121, BT1038753
Component: Access Policy Manager
Symptoms:
Under certain conditions, OAuth Bearer SSO may forward HTTP headers as-is without the expected processing.
Conditions:
- APM Bearer SSO Configuration
- API Protection Profile
- OAuth token failure
Impact:
HTTP headers are forwarded without the expected processing, potentially leading to passthrough disclosure of request headers.
Workaround:
N/A
Fix:
HTTP headers are now processes as expected.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1038741-4 : NTLM type-1 message triggers "Unparsable request content" violation.
Links to More Info: BT1038741
Component: Application Security Manager
Symptoms:
When internal parameter for "authorization header decode failure" is disabled, Valid NTLM type-1 message will be blocked with "Unparsable request content" violation.
Conditions:
Disable internal parameter ignore_authorization_header_decode_failure
Impact:
Valid NTLM Type-1 message will be blocked by ASM.
Workaround:
Enable internal parameter ignore_authorization_header_decode_failure, ASM will not block the NTLM type-1 message request
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1038733-4 : Attack signature not detected for unsupported authorization types.
Links to More Info: BT1038733
Component: Application Security Manager
Symptoms:
ASM does not detect an Unsupported Bearer authorization type that contains header value in base64 format.
Conditions:
HTTP Request containing Bearer Authorization header which
contain a matching signature in base64 encoded format.
Impact:
ASM does not raise a violation and does not block the request.
Workaround:
N/A
Fix:
ASM decodes base64 value in Bearer Authorization header and perform attack signature matching, raises violation and block request if it contains attack.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1038689-3 : "Mandatory request body is missing" violation should trigger for "act as a POST" methods only
Links to More Info: BT1038689
Component: Application Security Manager
Symptoms:
If a request is configured "Body is Mandatory", any request with "act as a GET" method with no body triggers a "Mandatory request body is missing" violation
Conditions:
- Create default "/index.php" URL with "Any" method and enabled "Body is Mandatory" setting
-Request with GET or 'act as GET' method with no body
Impact:
The request is blocked with "Mandatory request body is missing" violation
Fix:
The request passes with no violations.
Fixed Versions:
17.1.1, 16.1.5
1038669-1 : Antserver keeps restarting.
Links to More Info: BT1038669
Component: SSL Orchestrator
Symptoms:
Antserver keeps restarting, as indicated in /var/log/ecm:
notice ant_server.sh[5898]: starting ant_server on 057caae1e95a11d7ecd1118861fb49f30ce1c22d
notice ant_server.sh[6311]: no ant_server process
notice ant_server.sh[6312]: check: no running ant_server
Conditions:
The Secure Web Gateway is provisioned on i15800 or i15820 platform.
Impact:
User connection will be reset if request or response analytics agent is deployed with per-request policy.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2, 15.1.5
1038629-4 : DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client
Links to More Info: BT1038629
Component: Local Traffic Manager
Symptoms:
With the DTLS virtual server, when client sends the CLOSE_NOTIFY alert, BIG-IP is simply closing the connection without sending the CLOSE_NOTIFY back to client as well as the backend server. This causes the backend server to not close/shutdown the connection completely.
Conditions:
This issue occurs with all DTLS virtual servers which has associated client-ssl and server-ssl profiles.
Impact:
Backend server and client will have a dangling connection for certain period of time (Based on the timeout implementation at the respective ends).
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
1038549-1 : TMM core when BDoS is enabled for an extended time
Links to More Info: BT1038549
Component: Advanced Firewall Manager
Symptoms:
TMM crashes when BDoS is enabled for extended time
Conditions:
1) Configure BIG-IP with AFM enabled.
2) Enabled BDoS.
3) Run some traffic (legitimate and attack) for a long time.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable BDoS.
Fix:
TMM will not core when BDoS is enabled.
Fixed Versions:
16.1.4
1038445-1 : During upgrade to 16.1, the previous FPS Engine live update remains active★
Links to More Info: BT1038445
Component: Fraud Protection Services
Symptoms:
On a BIG-IP system with FPS JS engine Live Update, after upgrade to 16.1.x , the old live update is not replaced by the engine in the build.
Conditions:
-- BIG-IP with FPS JS engine Live Update
-- Upgrade to 16.1.x
-- FPS / DataSafe / AWAF provisioned.
Impact:
In upgrade from 15.1 or older, this sometimes results in the device staying offline.
Workaround:
Installing a new, 16.1 FPS Engine update will fix the issue (where available).
Alternatively, running these commands fixes the issue, but results in the BIG-IP going offline for a few minutes.
rm -rf /var/datasync/updates/*
touch /etc/datasync/regenerate_all
tmsh -q -c 'cd datasync-global/; delete security datasync update-file update-file-versafe_js*'
bigstart restart tmm
Fixed Versions:
17.0.0, 16.1.2.2
1038057-4 : Unable to add a serverssl profile into a virtual server containing a FIX profile
Links to More Info: BT1038057
Component: Service Provider
Symptoms:
You are unable to configure a virtual server to use server SSL encryption with FIX protocol messages.
Conditions:
This is encountered when serverssl needs to be configured for FIX profiles
Impact:
You are unable to assign a server-ssl profile to the virtual server.
Workaround:
None
Fix:
A serverssl profile can now be combined with a FIX profile.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1037877-3 : OAuth Claim display order incorrect in VPE
Links to More Info: BT1037877
Component: Access Policy Manager
Symptoms:
In the visual policy editor (VPE), it is difficult to re-order custom previously created Claims in the oAuth Authorization agent.
The following error is thrown in the developer tools screen of the client browser:
common.js?m=st&ver=15.1.2.1-0.0.10.0:902 Uncaught TypeError: Cannot read property 'row' of undefined
at Object.common_class.swap (common.js?m=st&ver=15.1.2.1-0.0.10.0:902)
at multipleObjectsSelectionCBDialogue_class.swapEntries (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263)
at HTMLAnchorElement.<anonymous> (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185)
common_class.swap @ common.js?m=st&ver=15.1.2.1-0.0.10.0:902
multipleObjectsSelectionCBDialogue_class.swapEntries @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263
(anonymous) @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185
Conditions:
-- There are at least two claims in Access :: Federation : OAuth Authorization Server : Claim
-- You are attempting to reorder the claims in the visual policy editor
Impact:
It is not possible to re-order the claims
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1037457-1 : High CPU during specific dos mitigation
Links to More Info: BT1037457
Component: Application Security Manager
Symptoms:
CPU is high.
Conditions:
A dos attack with specific characteristic is active and the policy is configured in a specific way.
Impact:
While the attack is mitigated on the BIG-IP system and does not reach the server, the CPU of the BIG-IP increases and this may impact other services on the BIG-IP device.
Workaround:
N/A
Fix:
A specific high CPU scenario during dos attacks was fixed.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1037265-2 : Improper handling of multiple cookies with the same name.
Links to More Info: K11453402, BT1037265
Component: Local Traffic Manager
Symptoms:
Multiple cookies with the same name are not handled as expected
Conditions:
Create a Virtual server with an HTTP profile and cookie encryption.
Impact:
BIG-IP will not process multiple cookies with the same name as expected, possibly impacting back-end servers.
Fix:
Multiple cookies with the same name are processed as expected
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1036873-2 : Pre-shared key extension sometimes is not the last extension in ClientHello in TLS1.3
Links to More Info: BT1036873
Component: Local Traffic Manager
Symptoms:
Under some conditions, the BIG-IP's TLS 1.3 Client Hello sometimes does not have the pre-shared key extension as the last extension in the Client Hello. This is contrary to a requirement in the TLS 1.3 RFC, and causes servers to fail the connection.
A backend server may log a message such as:
SSL_do_handshake() failed (SSL: error:141B306E:SSL routines:tls_collect_extensions:bad extension)
Conditions:
-- Server SSL profile (BIG-IP operating as client) with TLS 1.3 enabled.
-- A Client Hello message size that falls between 256 and 512 bytes (without padding), which causes the BIG-IP to introduce a padding extension at the end of the Client Hello.
This issue can be seen via use of the "single-dh-use" or "session-tickets" options in the SSL profile.
Impact:
The TLS handshake fails.
Workaround:
Adjust the configuration of the Server SSL profile by either:
-- Disable Session Tickets
or
-- Disable the single-dh-use option
Fixed Versions:
17.0.0, 16.1.5
1036521-1 : TMM crash in certain cases
Links to More Info: BT1036521
Component: Application Security Manager
Symptoms:
TMM crash in certain case when dosl7 is attached
Conditions:
TMM is configured with dosl7
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1036305-5 : "Mandatory request body is missing" violation in staging but request is unexpectedly blocked
Links to More Info: BT1036305
Component: Application Security Manager
Symptoms:
Request is blocked on a staged URL for the violation "Mandatory request body is missing".
Conditions:
- "Mandatory request body is missing" violation is set for blocking
- The URL is in staging
- "Mandatory request body is missing" is enabled on the URL
Impact:
Requests are blocked unexpectedly
Workaround:
None
Fix:
This defect is closely related to ID1036305 and both defects are fixed together
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1
1036285-1 : Enforce password expiry after local user creation
Links to More Info: BT1036285
Component: TMOS
Symptoms:
When a local user is created, the password is not expired.
[root@bigip1:Active:Standalone] config # chage -l testuser
Last password change : Feb 02, 2021
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Conditions:
A local user is created
Impact:
The new user's password is not set to expired automatically.
Fix:
When the local user is created, the password is expired.
Behavior Change:
When the local user is created, the password is expired.
When the user logins for the first time, the password change prompt appears.
Fixed Versions:
17.0.0, 16.1.3
1036169-4 : VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500".
Links to More Info: BT1036169
Component: Local Traffic Manager
Symptoms:
Guestagentd will log the message "Exit flags for PID <PID>:0x500" in guest ltm log, if vcmp host rsync server current active connection is more than 4.
Conditions:
-- vCMP guest.
-- Rsync transfer frequency is 10 seconds between vCMP guest to vCMP host.
-- more than 4 vCMP guests.
Impact:
Guest LTM logs fill with "Exit flags for PID <PID>: 0x500".
Workaround:
N/A
Fix:
A software version that conmtains this fix needs to be installed and running on the vCMP host. The vCMP guest software version doesn't matter in the context of this issue.
The changes below will need to be carried out on vCMP host only, and the final step is service affecting, restarting the vCMP guests.
To set the rsync connection limit to highest number of guests that blade supports, and so avoid issue of this bug:
tmsh modify sys db vcmp.dynamic_rsync_conn_allowed value true
(from bash shell)
To change back to original default rsync connection limit of four:
tmsh modify sys db vcmp.dynamic_rsync_conn_allowed value false
The next step is service affecting, and will restart the vCMP guests. If possible failover guests to peers on another vCMP host before carrying out this step. clsh should be used on multi-blade chassis.
Restart vcmpd by running 'clsh bigstart restart vcmpd'
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1036057-1 : Add support for line folding in multipart parser.
Links to More Info: BT1036057
Component: Application Security Manager
Symptoms:
RFC 2616 allowed HTTP header field values to be extended over multiple lines by preceding each extra line with at least one space or horizontal tab. This was then deprecated by RFC 7230.
The multipart parser of ASM does not support the multiple line header, so these requests cause false positives.
Conditions:
Multiline header in multipart request
Impact:
False positives.
Workaround:
None
Fix:
Introduced a new ASM internal parameter: multipart_allow_multiline_header
Note: default value is 0 (disabled)
Note: enabling/disabling the feature requires asm restart that triggers the unit going offline for a short time period. If the unit is a part of a high availability (HA) cluster, failover to the other unit will occur. If it is a standalone unit, traffic disruption until the unit comes back to online.
- Enable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 1
# bigstart restart asm
- Disable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 0
# bigstart restart asm
Behavior Change:
Introduced a new ASM internal parameter: multipart_allow_multiline_header
Note: default value is 0 (disabled)
Note: enabling/disabling the feature requires asm restart that triggers the unit going offline for a short time period. If the unit is a part of a high availability (HA) cluster, failover to the other unit will occur. If it is a standalone unit, traffic disruption until the unit comes back to online.
- Enable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 1
# bigstart restart asm
- Disable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 0
# bigstart restart asm
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1035853-1 : Transparent DNS Cache can consume excessive resources.
Links to More Info: K41415626, BT1035853
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions, the Transparent DNS Cache can consume excessive resources.
Conditions:
- The BIG-IP system is licensed for DNS Services
- Transparent DNS Cache is configured on a virtual server
Impact:
Excessive resource consumption, which can lead to increased server-side load.
Workaround:
N/A
Fix:
The Transparent DNS Cache now consumes resources as expected.
Fixed Versions:
17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5
1035661-4 : REST Requests return 401 Unauthorized when using Basic Auth
Links to More Info: BT1035661
Component: TMOS
Symptoms:
REST Requests are intermittently failing with a 401 error:
{401,"message":"Authorization failed: no user authentication header or token detected"}
The restjavad-audit.*.log shows these requests are closely preceded by a 503 response from /mgmt/tm/auth/source.
Conditions:
Triggered when a REST request comes in using Basic Auth while an asynchronous task is executing on the BIG-IP.
An example of an asynchronous task is the BIG-IP processing an AS3 declaration.
Impact:
REST requests will fail with a misleading response code and for no readily apparent reason.
Workaround:
None
Fixed Versions:
16.1.5
1035361-4 : Illegal cross-origin after successful CAPTCHA
Links to More Info: BT1035361
Component: Application Security Manager
Symptoms:
After enabling CAPTCHA locally on BIG-IP with brute force, after configured login attempts, CAPTCHA appears, but after bypassing the CAPTCHA successfully the user receives a support ID with cross-origin violation.
Conditions:
- brute force with CAPTCHA mitigation enforced on login page.
- cross-origin violation is enforced on the login page.
- user fails to login until CAPTCHA appears
- user inserts the CAPTCHA correctly
Impact:
- blocking page appears.
- on the event log cross-origin violation is triggered.
Workaround:
- disable cross-origin violation enforcement.
Fix:
Fixing origin header offset in reconstruct challenge request.
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.5.1, 14.1.5
1035133-4 : Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab
Links to More Info: BT1035133
Component: Application Visibility and Reporting
Symptoms:
In various BIG-IQ GUI forms under the "Monitoring" tab (for example Monitoring -> Local Traffic -> HTTP), data for some time periods are missing.
Multiple "Unexpected end of ZLIB input stream" errors appear in BIG-IQ DCD logs under /var/log/appiq/gc_agent-manager.log
Conditions:
BIG-IP is attached to BIG-IQ, traffic volume is high
Impact:
Data in BIG-IQ are missing therefore some graphs show incorrect information
Workaround:
None
Fix:
Fixed an issue with missing statistics.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1035121-4 : Configsync syncs the node's monitor status
Links to More Info: BT1035121
Component: TMOS
Symptoms:
After config sync, nodes may be marked marked down when they are up, even if the monitor determines that the node is up.
The logs will show something similar to :
notice mcpd[8091]: 010714a0:5: Sync of device group /Common/device_trust_group to commit id 1 6986973310536375596 /Common/xxxxxxxx 1 from device /Common/yyyyyyyy
notice mcpd[8091]: 01070640:5: Node /Common/node1 address 10.10.100.1 monitor status down. [ /Common/icmp: up ] [ was up for 0hr:3mins:15sec ]
notice mcpd[8091]: 01070640:5: Node /Common/node2 address 10.10.100.2 monitor status down. [ /Common/icmp: up ] [ was up for 0hr:3mins:15sec ]
The node/pool member/pool/virtual server will be marked down.
Checking the actual monitor it will be up, tcpdump will show successful monitor transactions.
Conditions:
1. Two or more devices in a sync/failover device group
2. The config sync from-device has marked nodes down
3. A config sync occurs
This can occur on both incremental and full config sync.
Impact:
The node's monitor status is synced to the peer device. If the from-device's monitor was unable to reach the nodes and was marking the nodes as DOWN, then the node status will be set to DOWN on the other device, even if the monitor is successfully connecting to the node. This can cause a traffic disruption.
Note: the opposite can occur, where a "node up" status is sent to a device whose monitor is failing to connect to the nodes due to a network issue.
Workaround:
If a device is in this state, you can work around this issue by doing one of the following:
-- Save and reload the configuration on the device with the bad state
tmsh save sys config && tmsh load sys config
-- Perform a full-load sync from the peer device to the affected device:
(On the peer) tmsh run cm config-sync force-full-load-push to-group group-name
Fix:
Node monitor statuses are not synced between devices.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1034941-1 : Exporting and then re-importing "some" XML policy does not load the XML content-profile properly
Links to More Info: BT1034941
Component: Application Security Manager
Symptoms:
Exporting and then re-importing an existing ASM policy in XML format does not load its XML content-profile properly. An XML content-profile containing a firewall configuration shows the 'Import URL' as N/A for most .xsd files.
Conditions:
Corner case, when the second import_url value is null
Impact:
The import_url field is set as N/A for all files, except for the first one
Workaround:
None
Fix:
Fixed incorrect XML export when we've multiple import_url in content-profile
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1034617-1 : Login/Security Banner text not showing in console login.
Links to More Info: BT1034617
Component: TMOS
Symptoms:
Setting the Login/Security Banner causes the banner to appear when connecting via the management port and not when connecting via the console.
Conditions:
-- The login banner is configured.
-- You log into the command line.
Impact:
Mismatch in displaying banner text with management and console logins.
Workaround:
Configure an identical banner for ssh sessions by following https://support.f5.com/csp/article/K6068.
Fix:
The banner text now displays for both management and console logins.
Fixed Versions:
17.0.0, 16.1.2
1034589-1 : No warning is given when a pool or trunk that was in use by an high availability (HA) Group is deleted from the configuration.
Links to More Info: BT1034589
Component: TMOS
Symptoms:
It is possible to delete a Pool or Trunk from the configuration while one or more high availability (HA) Groups still reference it.
As a result, the configuration of affected high availability (HA) Groups is automatically and silently adjusted (i.e. the deleted object is no longer referenced by any high availability (HA) Group).
The lack of warning about this automatic change could lead to confusion.
Conditions:
A pool or trunk is deleted from the configuration while still being referenced from a high availability (HA) Group.
Impact:
The automatic and silent removal of the deleted object from all high availability (HA) Groups may go unnoticed by BIG-IP Administrators, with potential consequences on the failover behavior of the devices.
Fix:
A warning message is logged to /var/log/ltm, and is also presented in tmsh.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1034329-1 : SHA-512 checksums for BIG-IP Virtual Edition (VE) images available on downloads.f5.com
Links to More Info: BT1034329
Component: TMOS
Symptoms:
SHA-512 checksums for BIG-IP Virtual Edition images are not available on downloads.f5.com.
Conditions:
You wish to perform a SHA-512 validation of the BIG-IP Virtual Edition images.
Impact:
Cannot download the SHA-512 checksum for checksums for BIG-IP Virtual Edition images.
Workaround:
None
Fix:
Added SHA-512 checksum for ISOs and BIG-IP Virtual Edition images to downloads.f5.com.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1034217-2 : Quic_update_rtt can leave ack_delay uninitialized.
Links to More Info: BT1034217
Component: Local Traffic Manager
Symptoms:
Retransmission times become very long if there is packet loss near the beginning of the connection.
Conditions:
-- Basic QUIC configuration.
-- The first couple of packets in the connection reaches an uninitialized variable path before the connection reaches the ESTABLISHED state.
Impact:
Uninitialized ack_delay variable could be any value and cause RTT measurements to be unusually large. That could cause retransmission times to be very long if there is packet loss near the beginning of the connection.
Workaround:
N/A
Fix:
Reusing existing ack-delay variable fixes the issue.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1033837-1 : REST authentication tokens persist on reboot★
Links to More Info: K23605346, BT1033837
Component: TMOS
Symptoms:
REST authentication tokens persist across reboots. Current best practices require that they be invalidated at boot.
Conditions:
-- REST authentication token in use
-- BIG-IP restarts
Impact:
REST authentication tokens are not invalidated at boot.
Workaround:
None
Fix:
REST authentication tokens are invalidated at boot. Additionally, a new db variable is introduced: httpd.matchclient which is used to validate that the IP address of the creator of the token is the only valid user of that token.
Behavior Change:
Existing REST tokens are now invalidated on boot; new tokens will need to be generated after a reboot.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1033829-3 : Unable to load Traffic Classification package
Links to More Info: BT1033829
Component: Traffic Classification Engine
Symptoms:
After installation and initial configuration, the latest Traffic Classification IM package fails to load.
Conditions:
This type of behavior is observed when the system is configured as follows,
1. LTM provisioned
2. Create virtual servers with classification profile
3. Then provision PEM module
4. Do a Hitless upgrade
Impact:
The latest Traffic Classification IM package fails to load.
Workaround:
Once the TMM is restarted after the issue, the latest IM is loaded.
Fix:
The traffic classification package now loads successfully.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
1033017-1 : Policy changes learning mode to automatic after upload and sync
Links to More Info: BT1033017
Component: Application Security Manager
Symptoms:
When newly created policies are synchronized, the learning states of the policies are different.
Conditions:
-- Active/Active high availability (HA) setup in sync-failover device group with ASM enabled.
-- Sync a new policy configured with disabled/manual learning mode.
Impact:
Learning mode changes from disabled to automatic on peer device after sync, so learning modes differ on the peer devices.
Workaround:
1. On the peer device, change the learning mode to disabled.
2. Push sync from the originator device.
Both devices are then in sync and policies have the same learning mode (disabled), so operations complete as expected.
Fix:
The sync operation no longer attempts to keep the learning flags enabled on the receiving device.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1032949-1 : Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate.
Links to More Info: BT1032949
Component: TMOS
Symptoms:
When you configure Dynamic CRL and set the client authentication as "Request", the handshake fails when clients do not supply a certificate.
Conditions:
Clientssl profile configured with the following:
1. Dynamic CRL
2. Client Authentication enabled with "Request" option
Impact:
SSL handshake fails
Workaround:
Workaround 1:
Use Static CRL
Workaround2:
Use Client authentication with either "Require" or "Ignore"
Workaround3:
Disable TLS1.2 and below versions in the Client SSL profile.
Which means allow only TLS1.3 traffic.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5
1032821-7 : Syslog: invalid level/facility from /usr/libexec/smart_parse.pl
Links to More Info: BT1032821
Component: TMOS
Symptoms:
When the smart_parse.pl script is run and finds a disk error, it attempts to log an error with an incorrect syslog level.
Conditions:
Run smart_parse.pl on a BIG-IP platform with a disk error.
Impact:
When this script is run (usually as a cron job) the following message occurs:
syslog: invalid level/facility: error at /etc/cron.daily/pendsect line 194.
Workaround:
None.
Fix:
Smart_parse.pl now logs errors at the correct level 'err'.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1032797-1 : Tmm continuously cores when parsing custom category URLs
Links to More Info: BT1032797
Component: SSL Orchestrator
Symptoms:
Tmm crashes when trying to parse more than 256 custom category URLs.
Conditions:
-- More than 256 URLs defined in custom url-category.
Impact:
Traffic disrupted while tmm restarts.
Fix:
TMM no longer crashes and it can parse more than 256 custom category URLs.
Fixed Versions:
17.0.0, 16.1.2, 15.1.5
1032737-2 : IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate
Links to More Info: BT1032737
Component: TMOS
Symptoms:
Tmm crashes while passing IPsec traffic
Conditions:
Wildcard selectors are used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Avoid the core dump by adding checks.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
1032689 : UlrCat Custom db feedlist does not work for some URLs
Links to More Info: BT1032689
Component: Traffic Classification Engine
Symptoms:
The first URL getting normalized is not classified.
Conditions:
The URL contains caps or 'www' is not getting categorized in few cases.
Impact:
The 'custom' category is not displayed for all the apps available in the feedlist file.
Workaround:
None
Fix:
Starting normalized lines with \n.
Fixed Versions:
16.1.2, 15.1.4.1, 14.1.4.5
1032329-1 : A user with low privileges cannot open the Rule List editor.
Links to More Info: BT1032329
Component: Advanced Firewall Manager
Symptoms:
When a low privilege user attempts to access the Rule List editor page, they receive the error message "General database error retrieving information."
Conditions:
Attempting to access the Rule List editor as a user with a lower privilege, for example Firewall Manager.
Impact:
You cannot see the details of the Rule List via UI/tmsh
Workaround:
Use TMSH to view Rule List details
Fixed Versions:
16.1.5, 15.1.4.1
1032077-1 : TACACS authentication fails with tac_author_read: short author body
Links to More Info: BT1032077
Component: TMOS
Symptoms:
If a TACACS user is part of a group with 10s of attribute value pairs (AVPs) were the length of all the avp's combined is such that the authorization reply message from the TACACS server is segmented, the login will fail.
The error message that is logged when the login fails is
"tac_author_read: short author body, 4468 of 6920: Operation now in progress" Where the numbers 4468 and 6920 will vary.
Conditions:
- TACACS authentication
- TACACS user that is part of a group where the combined length of the AVPs is greater then the largest TCP segment the TACACS server is able to send.
Impact:
User is unable to login.
Workaround:
If possible, reduce the number of attributes of the TACACS group or user.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1031901-2 : In HTTP2 deployment, RST_STREAM sent to client if server in CLOSING state is picked
Links to More Info: BT1031901
Component: Local Traffic Manager
Symptoms:
When request from client is forwarded to server which is in CLOSING state due to server sent GOAWAY but not yet close the connection, request will be failed to be forwarded to server and RST_STREAM will be sent to client
Conditions:
-- Virtual Server with HTTP2 profile
-- There is an open connection from BIG-IP to the server.
-- The server sends a GOAWAY message to the BIG-IP and the connection is kept open.
-- The client sends a request to BIG-IP, BIG-IP picks the connection mentioned above to forward the request to
Impact:
Traffic from the specific client is interrupted
Workaround:
N/A
Fix:
In HTTP2 deployment, RST_STREAM is no longer sent to client if server in CLOSING state is picked
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
1031609-1 : Improve nethsm-thales-install.sh and nethsm-thales-rfs-install.sh to be compatible with Entrust Client v12.60.10 package.★
Links to More Info: BT1031609
Component: Local Traffic Manager
Symptoms:
Formerly Thales now nShield/Entrust has changed the directory structure of their client package and also added new libraries. Due to this change, install script will be incompatible with v12.60.10 onwards.
Conditions:
Upgrading to PKCS11 client package v12.60.10.
Impact:
The installation script will fail while extracting the package.
Workaround:
N/A
Fix:
Extracted all the tarballs in the target directory to resolve the issue.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
1031425-3 : Provide a configuration flag to disable BGP peer-id check.
Links to More Info: BT1031425
Component: TMOS
Symptoms:
A fix for ID 945265 (https://cdn.f5.com/product/bugtracker/ID945265.html) introduced strict checking of a peer-id. This check might be not desired in some configurations.
Conditions:
EBGP peering with two routers in the same autonomous system, configured with the same peer-id.
Impact:
BIG-IP will not pass the NLRIs between two eBGP peers. The following message can be seen in debug logs:
172.20.10.18-Outgoing [RIB] Announce Check: 0.0.0.0/0 Route Remote Router-ID is same as Remote Router-ID
Workaround:
Change peer-ids to be unique on eBGP peers.
Fix:
New, neighbor-specific, af-specific configuration option is provided to allow routes to be passed to external peers sharing the same router-id. The check is done on egress, so the configuration should be changed towards the peer that is supposed to receive a route.
router bgp 100
bgp graceful-restart restart-time 120
neighbor as200 peer-group
neighbor as200 remote-as 200
neighbor as200 disable-peerid-check
neighbor 172.20.8.16 peer-group as200
neighbor 172.20.8.16 disable-peerid-check
neighbor 172.20.10.18 peer-group as200
neighbor 172.20.10.18 disable-peerid-check
!
address-family ipv6
neighbor as200 activate
neighbor as200 disable-peerid-check
neighbor 172.20.8.16 activate
neighbor 172.20.8.16 disable-peerid-check
neighbor 172.20.10.18 activate
neighbor 172.20.10.18 disable-peerid-check
exit-address-family
When configured on a single neighbor it will cause session to be re-established.
When configured on a peer-group a manual session restart is required for changes to take effect.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1031357-2 : After reboot of standby and terminating peer, some IPsec traffic-selectors are still online
Links to More Info: BT1031357
Component: TMOS
Symptoms:
HA Standby marks traffic selectors up when they are actually down on the Active device.
Conditions:
-- High availability (HA) configured and mirroring configured
-- IPsec tunnels up on Active
-- Reboot Standby
-- Standby starts correctly and all SAs are mirrored
-- Tunnel(s) go down on Active
Impact:
-- Traffic Selector is incorrectly marked up on the Standby when it is actually down on the Active.
-- While this is cosmetic, the information is misleading.
Workaround:
None
Fix:
After Standby reboot and deleting IPsec tunnels, the
traffic selectors on the Standby are marked in down state.
Fixed Versions:
17.0.0, 16.1.2
1030881-1 : [GTM] Upgrade failure - 01070022:3: The monitor template min was not found.★
Links to More Info: BT1030881
Component: Global Traffic Manager (DNS)
Symptoms:
GTM config load fails with the following error message:
01070022:3: The monitor template min was not found.
Conditions:
Min or required feature is applied to GTM generic host and upgrade from v15.x to v16.x.
Impact:
GTM config load fails.
Workaround:
Delete the special config for the generic host server and add it back after upgrade.
Fixed Versions:
17.0.0, 16.1.2.2
1030853-1 : Route domain IP exception is being treated as trusted (for learning) after being deleted
Links to More Info: BT1030853
Component: Application Security Manager
Symptoms:
Traffic is considered trusted for learning even though a trusted IP exception was deleted.
Conditions:
Creating and deleting a route domain-specific IP exception
Impact:
Traffic learning suggestions scores are miscounted.
In automatic policy builder mode the policy can be updated by the policy builder based on the wrong score counting.
Workaround:
Stop and restart learning for the relevant policy
Fix:
When a route domain IP Exception configured for trusted learning is deleted, the upcoming suggestions scores will be calculated correctly without considering the deleted IP trusted.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1030845-1 : Time change from TMSH not logged in /var/log/audit.
Links to More Info: BT1030845
Component: TMOS
Symptoms:
Whenever time is changed, the message is not logged in /var/log/audit.
Conditions:
This occurs when the system time is changed manually using either the 'date' command or 'tmsh modify sys clock'.
Impact:
The time change is not logged to the audit log.
Workaround:
N/A
Fix:
Time changes are now logged to the audit log.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1030645-4 : BGP session resets during traffic-group failover
Links to More Info: BT1030645
Component: TMOS
Symptoms:
BGP session might be hard reset during a traffic group failover. The following log is displayed:
BGP[11111]: BGP : %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down Peer reset due to nh address change
Conditions:
Floating self-ips defined on a single vlan/subnet, with different traffic-groups configured.
Impact:
BGP session goes down during traffic-group failover.
Fix:
Soft clear is performed instead.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1030533-1 : The BIG-IP system may reject valid HTTP responses from OCSP servers.
Links to More Info: BT1030533
Component: Local Traffic Manager
Symptoms:
When this happens, the BIG-IP system can be seen closing the TCP connection to the OCSP server prematurely (for instance, as soon as the HTTP response headers are received, before the response body is transmitted).
If log.keymgmtd.level is set to debug, an error similar to the following example will be logged to the /var/log/ltm file:
Jun 22 14:40:08 bigip1.local debug tmm[9921]: 01a40004:7: OCSP validation result of certificate(/config/filestore/files_d/Common_d/certificate_d/:Common:endpoint-intermediate_69993_1): OCSP response - (connection - HTTP error), certificate status - (error), lifetime - 10.
Conditions:
The server uses a Content-Type HTTP header in its response that isn't just "application/ocsp-response" (for instance, it may include a charset specification after that string, or the string may use a mix of uppercase and lowercase letters).
Impact:
Valid HTTP responses from OCSP servers are rejected. OCSP stapling and OCSP validation are not available on the BIG-IP system.
Workaround:
If you control the OCSP server and are able to customize its HTTP response headers, setting the Content-Type to simply "application/ocsp-response" (all lowercase) is a workaround for this issue.
Otherwise, no workaround exists.
Fix:
Valid HTTP responses from OCSP servers are not longer rejected.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1030185-5 : TMM may crash when looking up a persistence record using "persist lookup" iRule commands
Links to More Info: BT1030185
Component: Local Traffic Manager
Symptoms:
Tmm may crash with a SIGSEGV when looking up a persistence record in an iRule when using the "any" flag
Conditions:
-- The persistence entry exists on a virtual server other than the virtual server the iRule is configured on.
-- The iRule contains [persist lookup source_addr "[IP::client_addr] any"]
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Discontinue the use of the "any" flag in the persist lookup iRule.
Fix:
TMM no longer crashes
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1030133-2 : BD core on XML out of memory
Links to More Info: BT1030133
Component: Application Security Manager
Symptoms:
Missing error handling in lib xml parser.
Conditions:
XML parser going out of memory.
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1030129-4 : iHealth unnecessarily flags qkview for H701182 with mcp_module.xml
Links to More Info: BT1030129
Component: Application Security Manager
Symptoms:
iHealth unnecessarily flags the uploaded qkview for Heuristic H701182 "Non-ASCII characters removed from Qkview XML files".
Conditions:
Qkview generated from an unit with asm provisioned is uploaded to iHealth
Impact:
Inaccurate Heuristic on iHealth
Workaround:
None.
Fix:
Unintended characters have been removed from the description of a bot defense profile.
Fixed Versions:
16.1.5
1029989-6 : CORS : default port of origin header is set 80, even when the protocol in the header is https
Links to More Info: BT1029989
Component: Application Security Manager
Symptoms:
Destination port is set to 80, instead of 443, for Origin header value that has https in the schema field.
This causes unexpected "Illegal cross-origin request" violation.
Conditions:
- Using CORS enforcement where you allow HTTPS and port 443 for an origin name
- The Origin header value has https in the schema
- The Origin header value does not specify non default port number
Impact:
Unexpected "Illegal cross-origin request" violation.
Workaround:
Allow port 80 or use 'any' for the given origin name.
Fix:
When schema in the header is https, considers port 443 instead of 80.
Fixed Versions:
16.1.4, 15.1.10
1029949-2 : IPsec traffic selector state may show incorrect state on high availability (HA) standby device
Links to More Info: BT1029949
Component: TMOS
Symptoms:
IPsec traffic selector state can be viewed in the config utility or by tmsh with the "tmsh show net ipsec traffic-selector" command. On an high availability (HA) standby device, some selector states may be incorrect.
Conditions:
-- High availability (HA) environment
-- Standby reboots or in some way, such as a tmm restart, is forced to re-learn all the mirrored IPsec security associations (SAs).
Impact:
There is no functional impact. The issue is that a selector may incorrectly appear down in one or both directions.
Workaround:
When the tunnel re-keys on the high availability (HA) active device, the selector state shows the correct value.
Fix:
IPsec traffic selectors show the correct state after the high availability (HA) standby device reboots.
Fixed Versions:
17.0.0, 16.1.2
1029897-1 : Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members.
Links to More Info: K63312282, BT1029897
Component: Local Traffic Manager
Symptoms:
The BIG-IP system may pass malicious requests to server-side pool members.
Conditions:
1. The BIG-IP LTM has one or more virtual servers configured to proxy HTTP/2 requests from the client-side to HTTP/1 requests on the server-side.
2. An HTTP/2 client sends a request with one of the following issues and the BIG-IP passes it to the server-side pool members:
a. H2.TE request line injection
I. An HTTP/1 request embedded within an HTTP/2 pseudo-header value
II. Individual carriage return (CR) or line feed (LF) allowed within an HTTP/2 pseudo-header
b. Request line injection (folder traps)
c. Request line injection (rule bypass)
Impact:
Malicious HTTP/2 requests can be translated to HTTP/1 requests and sent to the pool member web server. Depending on the behavior of the pool member web server, This could result in unauthorized data injection in HTTP requests. When the affected virtual server is configured with the OneConnect profile, a malicious actor might be able to impact the responses sent to a different client.
Workaround:
You can configure the BIG-IP ASM system or Advanced WAF to block an HTTP/1 request that is embedded within an HTTP/2 pseudo header value from being sent to the backend server.
Fix:
This has been fixed so that client requests are appropriately rejected by BIG-IP.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1029869-1 : Use of ha-sync script may cause gossip communications to fail
Links to More Info: BT1029869
Component: SSL Orchestrator
Symptoms:
Using the ha-sync script on platforms in a sync-failover device group may cause gossip communications to fail.
Conditions:
This issue occurs after using the ha-sync script on devices that are in a sync-failover device-group.
Impact:
When the gossip communications fail, SSL Orchestrator will be unable to communicate iAppLX configuration from one device to the other. This can lead to deployment failures upon redeployment of SSL Orchestrator topologies.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
1029689-2 : Incosnsitent username "SYSTEM" in Audit Log
Links to More Info: BT1029689
Component: Application Security Manager
Symptoms:
The Security Policy Auto Log in ASM displays the system component that triggered the event. The component name is sometimes shown as 'SYSTEM', other times shown as 'System'
Conditions:
The value is "SYSTEM" when Apply Policy was initiated locally.
The value is "System" when Apply Policy was initiated by the peer unit
Impact:
Component name inconsistency causing confusion
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1029585-1 : Use of ha-sync script may cause platforms in a sync-failover device group to fall out of sync
Links to More Info: BT1029585
Component: SSL Orchestrator
Symptoms:
Following the use of the ha-sync script on platforms in a sync-failover device group to become out of sync.
Conditions:
This can occur following the use of the ha-sync script.
Impact:
Both platforms in the sync-failover device group to fall out of sync. Forcing the admin to perform a device-group sync operation.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
1029397-4 : Tmm may crash with SIP-ALG deployment in a particular race condition
Links to More Info: BT1029397
Component: Service Provider
Symptoms:
Tmm crashes in SIP-ALG deployment, when lsn DB callback is returned from a different tmm, and the SIP connection has been lost on tmm where the REGISTER request arrived.
Conditions:
--- SIP-ALG is deployed
--- Processing of SIP REGISTER message at server side
--- lsn DB entry is mapped to a different tmm
Impact:
Traffic disrupted while tmm restarts
Workaround:
NA
Fix:
Tmm no longer crashes in this race condition
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6
1029105-1 : Hardware SYN cookie mode state change logs bogus virtual server address
Links to More Info: BT1029105
Component: TMOS
Symptoms:
When a virtual server enters or exits hardware SYN cookie mode, a bogus IP address is logged in /var/log/ltm. For example:
Syncookie HW mode activated, server name = /Common/vs server IP = 0.0.0.3:0
Conditions:
A virtual server enters or exits hardware SYN cookie mode.
Impact:
Only the logging information is wrong, the hardware SYN cookie mode functions correctly.
Workaround:
None
Fix:
TMM now logs the correct IP address of the virtual server.
Fixed Versions:
17.1.0, 16.1.4, 15.1.4
1028969-1 : An unused traffic-selector can prevent an IKEv2 IPsec tunnel from working
Links to More Info: BT1028969
Component: TMOS
Symptoms:
If both IKEv1 and IKEv2 try to listen to the same self IP address on the BIG-IP for a local tunnel IP address, only one can win, and previously a v2 ike-peer would be blocked if a v1 listener managed to get installed first.
If a partial tunnel config exists, with no ike-peer and only ipsec-policy and traffic-selector definitoins, this is understood to be IKEv1 implicitly, by default, and will install a v1 listener for the IP address and port.
Then if a fully configured ike-peer is added using IKEv2, it can fail to establish the required listener for v2 when an existing v1 listener is squatting on that IP address.
Conditions:
Conflict between IKEv2 and IKEv1 on the same IP address when:
-- a v2 ike-peer has local tunnel IP address X
-- a v1 ike-peer, or a traffic-selector with no peer at all, has the same local IP address X
Impact:
An IKEv2 tunnel can fail to negotiate when v2 packets cannot be received on a local IP address because a listener for IPsec cannot be established on that IP address.
Workaround:
You can avoid conflict between v1 and v2 by:
-- removing a traffic-selector not in use (which is v1)
-- avoiding use of the same local IP in both v1 and v2 definitions of ike-peer
Fix:
The fix gives precedence to IKEv2, so any pre-existing IKEv1 listener is simply removed from an IP address whenever a v2 listener is desired for that IP address.
This means IKEv1 can never be negotiated on a local IP address which is also in use by an IKEv2 ike-peer.
Importantly, this fix may cause tunnels to be permanently down after an upgrade. Prior to this change it was possible to have IKEv1 and IKEv2 tunnels working on the same self IP, but in that scenario some tunnels would intermittently fail to establish and the success of the tunnel establishment depended on whether the BIG-IP was the Initiator. IKEv1 and IKEv2 tunnels on the same self IP may still work after this change, but are not considered a valid or supported config by F5.
Fixed Versions:
17.0.0, 16.1.2
1028773-1 : Support for DNS Over TLS
Links to More Info: BT1028773
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system does not have support for DNS over TLS (DoT).
Conditions:
This is encountered if you wish to combine a clientssl profile with the dns profile on a virtual server.
Impact:
Performance is degraded.
Workaround:
None
Fix:
Clients can now initiate DNS over TLS requests to virtual servers that have the clientssl and dns profiles attached.
Fixed Versions:
17.0.0, 16.1.2
1028473-1 : URL sent with trailing slash might not be matched in ASM policy
Links to More Info: BT1028473
Component: Application Security Manager
Symptoms:
Request sent to a specific URL with added trailing slash may not be handled according to expected policy.
Conditions:
-- Request is sent with URL containing trailing slash.
-- Security policy contains the same URL, but without slash.
Impact:
URL enforcement is not done according to expected rules.
Workaround:
Add configuration for same URL with added trailing slash.
Fix:
URL with trailing slash is now handled as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1028269-2 : Device using CGNAT + subscriber discovery license shows unknown for pem_subscriber-id.
Links to More Info: BT1028269
Component: Carrier-Grade NAT
Symptoms:
On a BIG-IP device configured with CGNAT + subscriber discovery license, the LSN log shows "unknown" for the pem_subscriber-id field.
Conditions:
-- PEM and CGNAT enabled
-- RADIUS and CGNAT traffic are in different route domains
Impact:
LSN log shows "unknown" for the pem_subscriber-id field.
Workaround:
N/A
Fix:
Subscriber-id now shows correctly in the LSN log after it is added with CGNAT provisioned check in subscriber-discovery.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1028109-1 : Detected attack signature is reported with the wrong context.
Links to More Info: BT1028109
Component: Application Security Manager
Symptoms:
A detected attack signature on a multipart request might be reported with the wrong context.
Conditions:
Attack signature is detected in a multipart request.
Impact:
Reporting of the signature might contain the wrong context.
Workaround:
N/A
Fix:
All detected signatures on multipart requests are reported with the correct context.
Fixed Versions:
17.0.0, 16.1.2
1028081-1 : [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page
Links to More Info: BT1028081
Component: Access Policy Manager
Symptoms:
1. Users connecting with F5 Access from an Android device see string "function () {[native code]}" in the Logon Page Form 'Username' field.
2. This issue only affects the F5 Access embedded browser. It works fine when connecting from the same Android device using Chrome. F5 Access from iOS is also working fine.
Conditions:
Configure an access policy with modern customization that includes a Logon Page.
Impact:
The string "function () {[native code]}" appears in the Logon Page Form 'Username' field.
Workaround:
This solution is temporal as changes are lost after an upgrade.
steps:
1) create a copy of the original "main.js" file
# cp /var/sam/www/webtop/public/include/js/modern/main.js /var/sam/www/webtop/public/include/js/modern/main.js.origin
2) edit the file using an editor (e.g., vi).
# vi /var/sam/www/webtop/public/include/js/modern/main.js
modify
window.externalAndroidWebHost.getWebLogonUserName to window.externalAndroidWebHost.getWebLogonUserName()
and
window.externalAndroidWebHost.getWebLogonPassword to window.externalAndroidWebHost.getWebLogonPassword()
3) Restart BIG-IP
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1027805-4 : DHCP flows crossing route-domain boundaries might fail.
Links to More Info: BT1027805
Component: Local Traffic Manager
Symptoms:
DHCP flows crossing route-domain boundaries might fail.
Conditions:
Example of a configuration leading to the problem:
- route-domain RD%2 with parent defined as route-domain RD%1.
- Virtual-server in route-domain RD%2.
- Pool member configured in RD%2 (sharing IP addressing with RD1)
- DHCP client connects to the virtual-server in route-domain RD%2.
- Route lookup for a pool member ends up with connection in route-domain RD%1
Impact:
The second and subsequent DHCP clients requests will not be forwarded to the DHCP pool members.
Workaround:
When configuring a DHCP pool member, use the ID of the parent route-domain (the one that will be returned by a route-lookup for the pool member's IP address).
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1027657-4 : Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules.
Links to More Info: BT1027657
Component: Global Traffic Manager (DNS)
Symptoms:
Inconsistent monitor intervals for resource monitoring.
Conditions:
"require M from N" monitor rules configured.
Impact:
Monitor status flapping.
Workaround:
Do not use "require M from N" monitor rules.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1027217-1 : Script errors in Network Access window using browser.
Links to More Info: BT1027217
Component: Access Policy Manager
Symptoms:
1. Users may receive JavaScript errors in their browser when starting Network Access resources.
2. User resources may fail to display when accessing a Full webtop.
3. When logging out, users may be redirected to https://apm-virtual-server/vdesk/undefined and get a blank page
4. Logon Page from SWG Policies may fail to display inside a browser.
Conditions:
The issue can be observed with at least one of these conditions.
1. Accessing APM virtual server using a browser.
2. Accessing APM resources via a Full webtop.
3. Starting APM resources via a Full webtop.
4. Accessing Logon Page in SWG deployment.
Impact:
1. Users cannot start Network Access resources.
2. Users are unable to logout properly from full webtop.
3. Logon page is not rendered and users will not be able to access resources.
Workaround:
1. Log into BIG-IP.
2. mount -o remount,rw /usr/.
3. Add "response_chunking 2" to _tmm_apm_portal_http in "/usr/lib/tmm/tmm_base.tcl" Example:
profile http _tmm_apm_portal_http {
max_header_size 32768
max_header_count 64
known_methods "CONNECT DELETE GET HEAD LOCK OPTIONS POST PROPFIND PUT TRACE UNLOCK"
response_chunking 2
}
4. Restart tmm once the above param is added.
5. Garbage values in JavaScript aren't inserted after this change.
6. Remount the /usr directory as read-only.
mount -o remount,ro /usr/
-------------------------
Note: If you have configured your device to add this file to a UCS and you upgrade to a version where this bug is fixed then tmm may fail to start.
Fix:
The logon page now renders correctly, resources are properly displayed on the webtop, you can start resources without JavaScript errors, and you no longer receive blank pages when logging out.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
1026873-7 : CVE-2020-27618: iconv hangs when converting some invalid inputs from several IBM character sets
1026605-6 : When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes
Links to More Info: BT1026605
Component: Local Traffic Manager
Symptoms:
When bigd.mgmtroutecheck is enabled and monitors are configured in a non-default route-domain, bigd may calculate the interface index incorrectly. This can result in monitor probes improperly being denied when they egress a non-mgmt VLAN. Or monitor probes might be allowed to egress the management interface
Conditions:
-- Bigd.mgmtroutecheck is enabled.
-- Monitor probes in a non-default route domain
-- More than one VLAN configured in the route-domain
Impact:
Monitor probes may be denied even thought they egress a non-mgmt VLAN.
Monitor probes may be improperly allowed out a mgmt interface.
/var/log/ltm:
err bigd.0[19431]: 01060126:3: Health check would route via mgmt port, node fc02:0:0:b::1%1. Check routing table.
bigd debug log:
:(_do_ping): probe denied; restricted egress device and route check [ tmm?=false td=true tr=false addr=fc02:0:0:b::1%1:0 srcaddr=none ]
Workaround:
Disable bigd.mgmtroutecheck, reduce the number of VLANs inside the route-domain
Fix:
The Bigd interface index is now calculated properly
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1026549-1 : Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd
Links to More Info: BT1026549
Component: TMOS
Symptoms:
For some BIG-IP Virtual Edition drivers, TMM may occasionally communicate an incorrect interface state change that might cause the interface to flap.
Conditions:
-- BIG-IP Virtual Edition using ixlv, ixvf, mlx5, or xnet drivers.
-- More TMMs and interfaces configured make this issue more likely to happen, but it happens randomly.
Impact:
In the case where the interface is part of a trunk a flap will occur when this happens.
There may be other as-yet unknown impacts for this issue.
Workaround:
Use a different VE driver than one of the ones listed above.
Fix:
BIG-IP Virtual Edition drivers no longer communicate incorrect interface states to mcpd.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1026277-6 : Apply Policy can get ignored in auto-sync setup, while importing/replacing several existing policies with policies that have Policy Builder enabled
Links to More Info: BT1026277
Component: Application Security Manager
Symptoms:
With auto-sync enabled, replacing multiple policies on Unit-A with policies having Policy Builder enabled, "Apply Policy" initiated by Policy Builder can be ignored at Unit-B that results all the policy on Unit-A appear as not-edited while a few policies on Unit-B appear as edited.
Conditions:
-- Using auto-sync
-- Multiple policies are replaced (imported as replacing method) at the same time
Note : bulk import/replace is only possible via Ansible (also, maybe scripting that utilizes REST API)
-- Those imported policies have Policy Builder enabled
Impact:
Inconsistent policy state in auto-sync members
Workaround:
Make a minor update on those affected policies, then "Apply Policy" will fix the inconsistent state.
Fix:
The particular call is now not relayed to the peer
Fixed Versions:
17.0.0, 16.1.4
1026005-1 : BIG-IP Virtual Edition (VE) does NOT preserve the order of NICs 5-10 defined in the VMware ESXi hypervisor and NSXT platforms.
Links to More Info: BT1026005
Component: Local Traffic Manager
Symptoms:
The ordering of NICs 5-10 in VMware ESXi is based on PCI coordinates for the first boot and the order is ensured based on the /etc/ethmap script written by the kernel during initialization. BIG-IP VE does not follow/maintain the NIC order defined in the VMware ESXi hypervisor.
Conditions:
Using 5-10 interfaces, swap/remove/add an interface at the hypervisor level.
Impact:
When using 5-10 NICs in VMware ESXi and NSXT platforms, automation is prohibited due to BIG-IP VE not maintaining the NIC order defined in the hypervisor.
Workaround:
None
Fix:
Enabled BIG-IP VE scripts to honor the NIC order defined by the user in the VMware ESXi hypervisor and NSXT platforms.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1025529-2 : TMM generates core when iRule executes a nexthop command and SIP traffic is sent
Links to More Info: BT1025529
Component: Service Provider
Symptoms:
If an iRule uses the 'nexthop' command to select a VLAN for a virtual server, TMM may crash.
Conditions:
-- Virtual server with SIP profile and iRule that executes a 'nexthop' command
-- SIP network traffic occurs
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Avoid using 'nexthop vlan' in an iRule in a SIP environment.
Fix:
iRule creation does not cause any TMM core.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5
1025497-1 : BIG-IP may accept and forward invalid DNS responses
Links to More Info: BT1025497
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP may forward invalid DNS responses to a client if the DNS server provides an invalid response.
Conditions:
BIG-IP configured as a proxy for a misbehaving backend DNS server.
Impact:
Invalid DNS responses are forwarded to client.
Fix:
The 'dns.responsematching' DB variable has been created to prevent forwarding invalid responses.
When the DB variable 'dns.responsematching' is enable, DNS responses will be matched by transaction ID, query name, and the client's and server's IP addresses and port numbers.
Behavior Change:
The 'dns.responsematching' DB variable has been created to prevent forwarding invalid responses.
When the DB variable 'dns.responsematching' is set to enable, DNS responses will be matched by transaction ID, query name, and the client's and server's IP addresses and port numbers.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1025261-3 : Restjavad uses more resident memory in control plane after software upgrade
Links to More Info: BT1025261
Component: TMOS
Symptoms:
The restjavad process immediately reserves more memory and the process size (as shown by RSS) increases as the starting heap size has been made to be the same as maximum heap size for performance reasons.
(Note the process name displays as 'java', but there are multiple independent Java processes on the system. The parent process of restjavad is 'runsv restjavad', and the command line arguments may have 'logging' in them.)
For restjavad with the default size, the increase is usually 200 MB-300 MB.
The increase is particularly apparent where restjavad.useextramb is set to the value 'true' and provision.extramb is set to a high value but restjavad had not required that much extra memory previously.
Conditions:
After upgrading to a BIG-IP software version with the fix for ID 776393 ( https://cdn.f5.com/product/bugtracker/ID776393.html ), where more memory has been allocated for restjavad.
Impact:
The memory Resident Set Size (RSS) of the restjavad process will be larger than needed, possibly constricting other processes in the control plane.
Workaround:
If restjavad.useextramb is set to value true you may find that if only a small amount of extra restjavad memory was required (~192 MB or less extra) that it can be set to false.
This is because the default size of restjavad has increased by 192 MB to 384MB.
Restart restjavad after the change.
Fix:
A new sys DB variable, provision.restjavad.extramb has been introduced to allow finer-grained control of restjavad memory.
It takes effect only if sys db restjavad.useextramb is true. It can be used to set restjavad heap size both above and below the default heap size of 384 MB.
Note: Since the introduction of ID 1153865 (from v15.1.9, v16.1.4, v17.1.0) restjavad.useextramb is removed and provision.restjavad.extramb is set automatically on upgrade based on existing settings to a value that should be sensible. Now, only provision.restjavad.extramb is used to set restjavad heap size within constraints set by provision.extramb.
Behavior Change:
A new sys DB variable, provision.restjavad.extramb has been introduced to allow finer-grained control of restjavad memory.
The variable is particularly useful when you need restjavad to be slightly bigger and also need a much larger provision.extramb without most of that being taken by restjavad.
Since the introduction of ID 1153865 (from v15.1.9, v16.1.4, v17.1.0) restjavad.useextramb is removed and provision.restjavad.extramb is set automatically on upgrade based on existing settings to a value that should be sensible. The information below is for upgrades to the few interim versions where current behaviour didn't apply.
For the variable to take effect, sys db restjavad.useextramb must be set to 'true'; otherwise, default memory values are used.
The variable sets the heap size, and defaults to and has a minimum value of 192 MB.
If the value of provision.restjavad.extramb is set above a certain cap value, the heap size will be set to the cap value. In this release, the cap value 384 MB + 80% of provision.extramb.
So with restjavad.useextramb set to 'true', you can set the restjavad heap size from 192 MB to 384 MB + 80% of provision.extramb using the provision.restjavad.extramb variable.
After changing value of provision.restjavad.extramb, restart restjavad to enable the change in memory size:
bigstart restart restjavad
Or on multi-blade systems:
clsh bigstart restart restjavad
If using a sys db restjavad.useextramb value of true and needing to restore your previous restjavad memory setting ( based on maximum heap size) please look at advice below.
Before upgrade - if you set sys db restjavad.useextramb to value false before install of new version you will have more restjavad memory, the default 384MB, after upgrade.
tmsh modify sys db restjavad.useextramb value false
If you restart restjavad you can see if that value works before upgrade. If you don't restart then it will come into effect after reboot.
If that no longer has issues after update then leave that setting at false. Otherwise set back to true (no restart) and increase provision.restjavad.extramb as in After upgrade section below.
After upgrade:
Set sys db provision.restjavad.extramb to an appropriate value and restart restjavad.
Run the following command:
tmsh modify sys db provision.restjavad.extramb value X
bigstart restart restjavad
Iterate as necessary.
The value of X is derived by using one of the following formulae:
- When updating from versions before 14.1.4 and 15.1.3, to affected versions, a value that preserves the maximum previous restjavad heap size is:
192MB + 80% of MIN(provision.extramb|2500)
the minimum possible heap size was:
192MB + 20% of MIN(provision.extramb|2500)
The actual restjavad heap size would be between those extremes. SSLO systems would typically need a higher amount towards the maximum.
Example 1: If provision.restjavad was 1000 MB on previous version, the possible range of restjavad heap size would have been between (20% of 1000 + 192) = 392 MB and (80% of 1000 + 192) = 992 MB.
Example 2: If provision.extramb was 4000 MB, the possible range would be between (20 % of 2500 + 192) = 692 MB and (80% of 2500 + 192) = 2192 MB.
- When updating from 14.1.4-14.1.5, from 15.1.3-15.1.6.1 or from 16.0.x to affected versions:
384MB + 80% of MIN(provision.extramb|2500)
Example 3: If provision.extramb was 500 MB, the restjavad heap size on the previous version would have been 80% of 500 + 384 = 784 MB.
- When updating from 16.1.0-16.1.3 or from 17.0.0.0 to affected versions:
384MB + 90% of MIN(provision.extramb|4000)
Example 4: If provision.extramb was 2000 MB, the restjavad heap size on the previous version would have been 90% of 2000 + 384 = 2184 MB.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1025089-1 : Pool members marked DOWN by database monitor under heavy load and/or unstable connections
Links to More Info: BT1025089
Component: Local Traffic Manager
Symptoms:
BIG-IP database monitors (mssql, mysql, oracle, postgresql) may exhibit one of the following symptoms:
- Under heavy, sustained load, the database monitoring subsystem may become unresponsive, causing pool members to be marked DOWN and eventually causing the database monitoring daemon (DBDaemon) to restart unexpectedly.
- If the network connection to a monitored database server is unstable (experiences intermittent interruptions, drops, or latency), pool members may be marked DOWN as the result of a momentary loss of connectivity. This is more likely to occur when a database monitor is used to monitor a GTM pool member instead of an LTM pool member, due to differences between how monitors are configured for GTM versus LTM.
- Under certain conditions, DBDaemon CPU use may increase indefinitely.
Conditions:
These symptoms may occur under the following conditions:
- The database monitoring subsystem may become unresponsive, and the database monitoring daemon (DBDaemon) may restart unexpectedly, if a large number of LTM or GTM pool members are being monitored by database monitors, and/or with short polling intervals ("interval" of 10 seconds or less), or when GTM pool members are monitored by database monitors with a short "probe-timeout" value (10 seconds or less).
- The GTM pool members may be marked DOWN after a single interrupted connection if they are monitored by a database monitor, configured with a short "probe-timeout" value (10 seconds or less) and "ignore-down-response" configured as "disabled" (default).
Impact:
-- High CPU utilization is observed on control plane cores.
-- The database monitoring daemon (DBDaemon) may restart unexpectedly, causing GTM or LTM pool members monitored by a database monitor to be marked DOWN temporarily.
-- GTM or LTM pool members monitored by a database monitor may be marked DOWN temporarily if the network connection to the database server is dropped or times out.
Workaround:
Perform one of the following actions:
-- Configure the database (mssql, mysql, oracle, postgresql) monitor with a "count" value of "1". This prevents the caching or reuse of network connections to the database server between probes. Thus there is no cached connection to time out or get dropped. However, the overhead of establishing the network connection to the database server will be incurred for each probe and will result in generally higher (but more consistent) CPU usage by the database monitoring daemon (DBDaemon).
-- Configure the database monitor "interval" and "timeout" values (for an LTM monitor), or the "interval", "timeout", "probe-attempts", "probe-interval" and "probe-timeout" values (for a GTM monitor) such that multiple failed monitor probes are required before the monitored member is marked DOWN, and with a minimum value of 10 seconds or greater.
Note: A restart of bigd (and consequently the DBDaemon) might be necessary to properly clear any currently stale/stuck database connections.
Fix:
The BIG-IP LTM and GTM database monitoring subsystem achieves generally higher performance with less overall CPU usage and without severe performance degradation over time with a heavy load of monitored pool members.
The BIG-IP LTM and GTM database monitoring subsystem silently retries momentarily-dropped connections to database servers, reducing instances of pool members being temporarily marked DOWN due to intermittent interruptions or latency in network connectivity.
Fixed Versions:
16.1.5
1024841-2 : SSL connection mirroring with ocsp connection failure on standby
Links to More Info: BT1024841
Component: Local Traffic Manager
Symptoms:
SSL connection mirroring with ocsp stapling connection failure on standby, active completes handshake with delay.
Conditions:
SSL connection mirroring with ocsp stapling
Impact:
Handshake delay on active
Workaround:
Disable ocsp stapling or ssl connection mirroring
Fix:
SSL connection mirroring handshake with ocsp stapling completes normally.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1024761-1 : HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body
Links to More Info: BT1024761
Component: Local Traffic Manager
Symptoms:
When rechunking is requested, HTTP responses with methods or status codes indicating that no body be present (like HEAD or 304) are receiving a Transfer-Encoding header and a terminating chunk. These responses should not have a body of any sort.
Conditions:
HTTP virtual server with rewrite profile present with the server that does HTTP caching.
Impact:
HTTP clients are unable to connect.
Workaround:
Remove the rewrite profile.
Possibly change http profile response-chunking from sustain to unchunk. This resolves the issue for the 304, but means that all other requests are changed from either chunking or unchunked with Content-Length header to unchunked without Content-Length and with "Connection: Close".
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5
1024661-3 : SCTP forwarding flows based on VTAG for bigproto
Links to More Info: BT1024661
Component: TMOS
Symptoms:
Sometimes SCTP traffic is unidirectionally dropped on one link after an SCTP link down occurs.
Conditions:
-- SCTP configured and BIG-IP is passing traffic
-- A link goes down
Impact:
Flow creation on the wrong TMM and some traffic is dropped.
Workaround:
Disable SCTP flow redirection.
tmm.sctp.redirect_packets == disable
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1024621-4 : Re-establishing BFD session might take longer than expected.
Links to More Info: BT1024621
Component: TMOS
Symptoms:
It might take a few minutes for a BFD session to come up. During this time you will notice session state transition multiple times between 'Admin Down' <-> 'Down'.
Conditions:
BFD peer trying to re-establish a session with BIG-IP, choosing ephemeral ports dis-aggregating to different TMMs.
Impact:
It might take a few minutes for a BFD session to come up.
Workaround:
Increasing Tx/Rx timers will minimize a chance of hitting the problem (For example 1000 TX/RX)
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1024437-6 : Urldb index building fails to open index temp file
Links to More Info: BT1024437
Component: Access Policy Manager
Symptoms:
The following error message shows up in /var/log/urldbmgr-trace.log:
THREAD: 2CDD4700; ERROR; WsFileOpen: Could not open file /var/urldb/staging/current/host.6417.byte.dat.003
THREAD: 2CDD4700; ERROR; WsIndexBuilderOpenFile: Failed to open index file /var/urldb/staging/current/host.6417.byte.dat.003.
THREAD: 2CDD4700; ERROR; WsHostIndexV7OpenFile: Failed to open Host index file /var/urldb/staging/current/host.6417.byte.dat.003.
THREAD: 2CDD4700; ERROR; WsHostIndexV7BuildProcessTempFiles: Failed to open host index temp file
As a result of this error, some requested URL category lookups return "Uncategorized".
Conditions:
The error can happen during index building after a new primary URLDB is downloaded.
Impact:
Some websites are categorized as "Uncategorized"
Workaround:
1) Stop urldbmgrd:
bigstart stop urldb urldbmgrd
2) Delete databases:
rm -rf /var/urldb/master/
rm -rf /var/urldb/rtu/
3) Start urldbmgrd:
bigstart start urldb urldbmgrd
4) Force database download:
- tmsh command: "modify sys url-db download-schedule urldb download-now true", or
- Admin GUI: Access >> Secure Web Gateway >> Database Settings >> Database Download >> Download Now
Databases will re-download and index.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.9
1024241-1 : Empty TLS records from client to BIG-IP results in SSL session termination
Links to More Info: BT1024241
Component: Local Traffic Manager
Symptoms:
After client completes TLS handshake with BIG-IP, when it sends an empty TLS record (zero-length cleartext), the client BIG-IP SSL connection is terminated.
Conditions:
This is reported on i7800 which has Intel QAT crypto device
The issue was not reported on Nitrox crypto based BIG-IP platforms. Issue is not seen when hardware crypto is disabled.
Impact:
SSL connection termination is seen in TLS clients.
Workaround:
Disable hardware crypto acceleration.
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1024225-3 : BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request
Links to More Info: BT1024225
Component: Local Traffic Manager
Symptoms:
BIG-IP proxying http2 -> http1.1. In response to a HEAD request, pool member sends response with "Transfer-Encoding: chunked" header without chunked payload. BIG-IP sends "Transfer-Encoding: chunked" header back to http2 client which generates RST_STREAM, PROTOCOL_ERROR. According to RFC 7450 a proxy SHOULD remove such headers.
Conditions:
1) H2 <-> H1 is configured on virtual server
2) HEAD request over http2->http1.1 gateway getting chunked response.
Impact:
Http2 connection is reset
Workaround:
iRule to remove "Transfer-Encoding: Chunked" header from response.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1024101-1 : SWG as a Service license improvements
Links to More Info: BT1024101
Component: Access Policy Manager
Symptoms:
SWG sessions maxed out and the SWG license is not released until the APM session is ended.
Conditions:
SWG and APM are in use.
Impact:
SWG sessions are tied to APM sessions and can reach the limit and not be recycled even if the APM session is not actively using SWG.
Workaround:
None
Fix:
Fixed an issue with SWG session tracking.
Fixed Versions:
17.0.0, 16.1.3, 16.1.1
1023993-4 : Brute Force is not blocking requests, even when auth failure happens multiple times
Links to More Info: BT1023993
Component: Application Security Manager
Symptoms:
Send traffic with multiple Authorization headers in the request after configuring the brute force. The traffic will not be blocked, when it is supposed to be.
Conditions:
When there is more than one Authorization header present in the requests.
Impact:
Brute force is possible with specially crafted requests having multiple Authorization headers and will be able to bypass brute force checks.
Workaround:
Enable "Illegal repeated header violation" and configure Authorization header repeated occurrence to disallow.
Fix:
ASM detects the brute force attempt with multiple Authorization headers in the request.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1023889-3 : HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message
Links to More Info: BT1023889
Component: Application Security Manager
Symptoms:
Protocol filter does not suppress WS/WSS server->client message.
Conditions:
- protocol filter is set to HTTP, HTTPS or HTTP/HTTPS
- response logging is set to For All Requests
Impact:
Remote log server receives unexpected messages
Workaround:
None
Fix:
Protocol filter suppresses WS server->client message.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1023829-2 : Security->Policies in Virtual Server web page spins mcpd 100%, which later cores
Links to More Info: BT1023829
Component: TMOS
Symptoms:
With a large number of VLANs (3000+) and virtual servers (2000+), the virtual server list page consumes excessive resources, eventually leading to a mcpd crash.
Conditions:
-- A huge number of VLANs and virtual servers exist.
-- The virtual server list page is displayed
Impact:
Page becomes inaccessible. Mcpd may crash. Traffic and control plane disrupted while mcpd restarts.
Fix:
Listing of virtual servers on the webpage will work as expected.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1023721 : iapp_restricted_key not available on fresh installation and overwrites the peer device's master key during config sync
Links to More Info: BT1023721
Component: iApp Technology
Symptoms:
Config sync of a deployment fails for SSL Orchestrator or Application Guided Config applications.
There is an error in /var/log/restjavad.0.log:
java.lang.Exception: Failed to find key com.f5.rest.common.RestRequestSender$HttpException: java.net.ProtocolException: status:404, body:{"code":404,"message":"Object not found - /Common/iappKey","errorStack":[],...
Conditions:
-- Recently formed device service cluster
-- Deploying SSL Orchestrator or AGC and triggering a config sync for the first time
Impact:
Secure Storage will not secure restricted_properties with the correct master key which will raise issues with encryption/decryption of data.
Workaround:
None
Fix:
iapp_restricted_key object should be synced properly during config sync
Fixed Versions:
17.0.0, 16.1.3
1023437-1 : Buffer overflow during attack with large HTTP Headers
Component: Anomaly Detection Services
Symptoms:
When the HTTP Headers are larger than 1024 characters and one of the anomalous textual headers is located after 1024, a buffer overflow might occur.
Conditions:
HTTP or TLS Signature protection is activated and during attack anomalous request arrives.
Impact:
Most of the time results in bad characters in the signature name, more rarely results in Memory Access Violation which could be exploited as buffer overflow attack.
Fix:
Enforce HTTP metadata size limit to be within the first 1024 characters of the HTTP Headers payload.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
1023365-2 : SSL server response could be dropped on immediate client shutdown.
Links to More Info: BT1023365
Component: Local Traffic Manager
Symptoms:
SSL server response might be dropped if peer shutdown arrives before the server response.
Conditions:
-- the virtual server is using a Server SSL profile
-- the client sends FIN/ACK before the server responds
Impact:
The response from the pool member may be dropped.
Workaround:
N/A.
Fix:
Serverssl response now received after peer shutdown
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
1023341-1 : HSM hardening
Component: Local Traffic Manager
Symptoms:
Under certain conditions, HSM interactions do not follow current best practices.
Conditions:
- HSM in use
Impact:
Certain HSM interactions do not follow current best practices.
Workaround:
N/A
Fix:
HSM interactions now follow current best practices.
Fixed Versions:
17.0.0, 16.1.1, 15.1.5.1, 14.1.4.6, 13.1.5
1022757-2 : Tmm core due to corrupt list of ike-sa instances for a connection
Links to More Info: BT1022757
Component: TMOS
Symptoms:
Tmm generates a core when a corrupt list of ike-sa instances is processed.
Conditions:
Deletion of an expired ike-sa.
Impact:
Restart of tmm and re-negotiation of IPsec tunnels. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
The internal list data structure has been reorganized to use fewer entities in less-complex relationships. This makes it less likely for a corrupted list to occur, so this issue is less likely to occur.
Fixed Versions:
17.0.0, 16.1.2, 15.1.9
1022637-1 : A partition other than /Common may fail to save the configuration to disk
Links to More Info: BT1022637
Component: TMOS
Symptoms:
A mismatch between the running-configuration (i.e. what is returned by "tmsh list ...") and the saved-configuration (i.e. what is stored in the flat configuration files) for a partition other than /Common, despite a "tmsh save config" operation was just performed (either by the user or as a result of a config-sync).
Conditions:
- One or more partitions other than /Common exist on the system.
- One or more of said partitions have no more configuration objects defined in them (i.e. are empty).
- A config save operation similar to "tmsh save sys config partitions { Common part1 [...] }" occurs, either manually initiated by an Administrator or as a result of a config-sync operation (in which case the device-group must be configured for manual synchronization).
Impact:
Should a BIG-IP Administrator notice the mismatch, the only immediate impact is confusion as to why the config save operation was not effective.
However, as the flat config files are now out-of-date, performing a config load operation on a unit in this state will resurrect old configuration objects that had been previously deleted.
On an Active unit, this may affect traffic handling. On a redundant pair, there is the risk that the resurrected objects may make it to the Active unit after a future config-sync operation.
Workaround:
If you notice the mismatch, you can resolve it by performing a config save operation for all partitions (i.e. "tmsh save sys config").
Fix:
Non /Common partitions now get saved to disk as intended.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5
1022625-2 : Profile type 'swg-transparent' should be selected on create page when 'create-new' is selected for SwgAsService in SSL Orchestrator
Links to More Info: BT1022625
Component: Access Policy Manager
Symptoms:
When creating a new service, certain default access profiles are not automatically selected.
Conditions:
1. SSL Orchestrator + APM + SWG provisioned
2. Select 'create-new' for access profile drop-down when adding a SwgAsService in SSL Orchestrator
A new tab opens with the profile creation page, but the access profile type drop-down does not have any type selected.
Impact:
When adding a SwgAsService in SSL Orchestrator, the only supported access profile type is SWG-Transparent, hence it should be automatically selected.
Workaround:
None
Fix:
Fixed an issue with automatic profile selection.
Fixed Versions:
17.0.0, 16.1.1
1022493-4 : Slow file descriptor leak in urldbmgrd (sockets open over time)
Links to More Info: BT1022493
Component: Access Policy Manager
Symptoms:
Unix domain sockets are opened and never closed in urldbmgrd. This is a very slow leak over time.
Conditions:
SWG or URLDB is provisioned.
Impact:
Urldbmgrd may hit a limit of open file descriptors, and may eventually core and restart. When urldbmgrd restarts, urldb also restarts. This may result in a momentary instant where URL categorization is not available.
Workaround:
Restarting urldbmgrd will clear the open file descriptors. Performing a forced restart during a time of no traffic will mitigate the risk of urldbmgrd restarting at an inconvenient time if there are too many sockets open.
"bigstart restart urldbmgrd" will restart the daemon.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.10
1022453-4 : IPv6 fragments are dropped when packet filtering is enabled.
Links to More Info: BT1022453
Component: Local Traffic Manager
Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.
Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.
Impact:
Some or all of the fragments of an IPv6 packet are lost.
Workaround:
Disable packet filtering
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1022417-1 : Ike stops with error ikev2_send_request: [WINDOW] full window
Links to More Info: BT1022417
Component: TMOS
Symptoms:
IKE SAs will be lost.
Conditions:
A failover occurs while IKE is sending DPD to the peer, and the reply is received by the newly active BIG-IP.
Multiple failovers can increase the likelihood that this occurs.
Impact:
IKE SAs may be deleted and there will be traffic loss.
Workaround:
Increase in DPD interval to reduce the probability of occurrence of the issue.
Fix:
Fixed an issue where IKE SAs were being lost during failover events.
Fixed Versions:
17.0.0, 16.1.2, 15.1.9
1022269-1 : False positive RFC compliant violation
Links to More Info: BT1022269
Component: Application Security Manager
Symptoms:
False positive RFC compliant violation.
Conditions:
Authorization header with specific types.
Impact:
False positive violations.
Workaround:
Turn on an internal parameter:
/usr/share/ts/bin/add_del_internal add ignore_authorization_header_decode_failure 1
Fix:
Added tolerance to the authorization headers parser.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4, 14.1.4.4, 13.1.5
1021773-1 : Mcpd core.
Links to More Info: BT1021773
Component: TMOS
Symptoms:
Mcpd crashes and leaves a core file.
Conditions:
This issue can occur if BIG-IP fails to allocate huge pages, which can occur during module provisioning.
Impact:
Mcpd crashes and the system goes into an inoperative state.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2, 15.1.7
1021637-4 : In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs
Links to More Info: BT1021637
Component: Application Security Manager
Symptoms:
CSRF is sometimes enforced on URLs that do not match the CSRF URLs list
Conditions:
ASM policy with CSRF settings
Impact:
URLs that do not match the CSRF URLs list can be blocked due to CSRF violation.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.6.1
1021521-1 : JSON Schema is not enforced if OpenAPI media-type is wild card.
Links to More Info: BT1021521
Component: Application Security Manager
Symptoms:
If the openAPI configuration contains a wildcard media type for an endpoint, ASM does not enforce the JSON schema for requests with a JSON payload.
Conditions:
Create an OpenAPI policy with media type set to wildcard.
Impact:
ASM does not enforce JSON schema validation for HTTP requests containing a JSON payload.
Workaround:
N/A
Fix:
Provided fix and verified
Fixed Versions:
17.0.0, 16.1.2.2
1021485-3 : VDI desktops and apps freeze with Vmware and Citrix intermittently
Links to More Info: BT1021485
Component: Access Policy Manager
Symptoms:
VMware VDI:
Blank screen is seen while opening remote desktop when VDI is configured with VMware.
Citrix:
Desktop freezes immediately after opening remote desktop when VDI is configured with Citrix.
Conditions:
VMware VDI:
-- VDI is configured with VMware
-- Desktop or App is launched using native client from Webtop.
wait till 2X inactivity timeout if inactivity timeout
Citrix:
-- VDI is configured with Citrix
-- Desktop or App is launched using native client from Webtop.
-- Configure Inactivity timeout to 0.
Impact:
VDI desktops freeze while opening or immediately after opening.
The following error is seen in APM logs:
"Session stats update failed: ERR_NOT_FOUND"
Workaround:
No
Fix:
Users should not experience any intermittent desktop freeze.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1021481-1 : 'http-tunnel' and 'socks-tunnel' (which are internal interfaces) should be hidden.
Links to More Info: BT1021481
Component: Local Traffic Manager
Symptoms:
The Linux command 'ifconfig' or 'ip a' shows two devices 'http-tunnel' and 'socks-tunnel' that are for TMM internal use only.
Conditions:
These interfaces show up regardless of the BIG-IP configuration.
Impact:
As long as these devices are not used there is no impact aside from possibly causing confusion. Any attempt to use those devices from a host process fails or produces unpredictable results. These devices should not be exposed on the Linux host.
Workaround:
N/A
Fix:
The devices 'http-tunnel' and 'sock-tunnel' no longer show up on the Linux host.
Fixed Versions:
17.0.0, 16.1.2
1021417-1 : Modifying GTM pool members with replace-all-with results in pool members with order 0
Links to More Info: BT1021417
Component: Global Traffic Manager (DNS)
Symptoms:
GTMpool has multiple members with order 0.
Conditions:
There is an overlap for the pool members for the command replace-all-with and the pool members to be replaced.
Impact:
Multiple pool members have the same order.
Workaround:
Perform this procedure:
1. Delete all pool members from the GTM pool.
2. Use replace-all-with.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1021061-4 : Config fails to load for large config on platform with Platform FIPS license enabled
Links to More Info: BT1021061
Component: Global Traffic Manager (DNS)
Symptoms:
Config fails to load.
Conditions:
-- Platforms with Platform FIPS license enabled.
-- There are several ways to encounter this. One is with a large GTM (DNS) configuration that requires extending the gtmd stats file.
Impact:
Config file fails to load. For the gtmd configuration, gtmd repeatedly logs error messages similar to:
err gtmd[14954]: 011af002:3: TMSTAT error 'Invalid argument' creating row '/Common/vs_45_53' in table 'gtm_vs_stat'
For merged daemon, reports messages similar to:
err merged[9166]: 011b0900:3: TMSTAT error tmstat_row_create: Invalid argument.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
1020957-1 : HTTP response may be truncated by the BIG-IP system
Links to More Info: BT1020957
Component: Local Traffic Manager
Symptoms:
Web pages are not rendered properly; HTTP responses are truncated when traversing the BIG-IP system.
Conditions:
-- Virtual server with an HTTP profile
-- HTTP server generates a compressed response
-- BIG-IP system determines that it must decompress the payload, e.g., a rewrite profile attached to the virtual server
Impact:
HTTP responses are truncated when passing through the BIG-IP system.
Workaround:
One of the following:
-- Add an HTTP Compression profile to the virtual server, and ensure that 'Keep Accept-Encoding' is not selected.
-- Use an iRule to remove the Accept-Encoding header from requests, e.g.:
ltm rule workaround {
when HTTP_REQUEST {
HTTP::header remove Accept-Encoding
}
}
Fixed Versions:
17.0.0, 16.1.2
1020881-1 : TMM crashes while passing APM traffic.
Links to More Info: BT1020881
Component: Access Policy Manager
Symptoms:
TMM crashes while passing APM traffic.
Conditions:
-- LTM + APM deployment.
-- Allow list in use.
-- iRules in use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
#--- logout_irule starts
when HTTP_REQUEST {
if { ([string tolower [HTTP::uri]] contains "closeconnection.aspx"
|| [string tolower [HTTP::uri]] contains "signout.aspx")
&& [ACCESS::session exists -state_allow -sid [HTTP::cookie MRHSession]] } {
HTTP::respond 200 content {<html><body><h1>You are now logged out.</h1></body></html>}\
"Set-Cookie" "F5_ST=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"\
"Set-Cookie" "MRHSHint=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"\
"Set-Cookie" "F5_HT_shrinked=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"\
"Set-Cookie" "F5_fullWT=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"\
"Set-Cookie" "LastMRH_Session=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"\
"Set-Cookie" "MRHSession=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"
ACCESS::session remove
log local0. "iRule logout triggered: Removing access session for [ACCESS::session sid]"
# disable HTTP_REQUEST events for all other iRules
event disable
}
}
#--- logout_irule ends
Fix:
Fixed a TMM crash that can occur while processing iRules.
Fixed Versions:
16.1.5
1020789-4 : Cannot deploy a four-core vCMP guest if the remaining cores are in use.
Links to More Info: BT1020789
Component: TMOS
Symptoms:
When trying to deploy a vCMP guest on an i11800 vCMP host using four or more cores while all of the other cores are in use, the following error message may be seen:
err mcpd[<pid>]: 0107131f:3: Could not allocate vCMP guest (<guest_name>) because fragmented resources
--------------------------------------------------
one more similar issue has raised for 8 guests allocation failure
When trying to deploy a eight core guest on an i11800 vCMP host where four 2 cores are in use, the following error message may be seen:
0107131f:3: Could not allocate vCMP guest (guest-8cores-A) because fragmented resources
Conditions:
-- VCMP provisioned and all or most cores are in use.
-- Attempt to deploy a guest.
This is more likely to occur with vCMP guests that use four or more cores.
Impact:
All of the available cores cannot be used.
Workaround:
You may be able to work around this by deploying the largest guests first, then any remaining 2-core guests.
There is currently no other fix.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5
1020717-4 : Policy versions cleanup process sometimes removes newer versions
Links to More Info: BT1020717
Component: Application Security Manager
Symptoms:
The policy versions cleanup process sometimes removes versions in incorrect order. Newer versions are removed while older versions are preserved.
Conditions:
"maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg" has very low value.
Impact:
Newer versions are removed.
Workaround:
increase value of "maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg"
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1020705-2 : tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name
Links to More Info: BT1020705
Component: Application Visibility and Reporting
Symptoms:
Output of "tmsh show analytics dos-l3 report view-by attack-id" command has changed from version 13.x to 15.x. "Attack type" was removed from the system, so it was automatically replaced by the first metric "allowed-requests-per-second". For DOS L3 "Attack type" was replaced by "Vector Name" but it currently is not shown in the report along wit "Attack ID"
Conditions:
AFM is provisioned
Impact:
This change might cause scripts to fail if they use the name of the field.
Workaround:
1) edit /etc/avr/monpd/monp_dosl3_entities.cfg file. Change [dosl3_attack_id] section the following way: add 'vector_name' to measures list and add an additional parameter 'default_measure' as specified below :
[dosl3_attack_id]
...
measures=allowed_requests_per_sec,count,drop_per_sec,drop_count,total_per_sec,total_count,attacks_count,attack_type_name,category_name,vip_name,period,vector_name
default_measure=vector_name
...
2) edit /etc/avr/monpd/monp_dosl3_measures.cfg file. Add in the end the following section:
[vector_name]
id=vector_crc
formula=IF(count(distinct FACT.vector_crc)>1,'Aggregated',attack_vector_str)
merge_formula=IF(count(distinct vector_name)>1,'Aggregated',vector_name)
dim=AVR_DIM_DOS_VIS_ATTACKS_VECTOR
dim_id=attack_vector_crc
tmsh_display_name=vector-name
display_name=Vector
comulative=false
priority=65
3) restart the BIG-IP system: bigstart restart
After the system is up you can apply the same tmsh command: "tmsh show analytics dos-l3 report view-by attack-id"
You will get a result similar to 13.x. Note that "attack_type_name" is replaced by "vector-name"
Fix:
Workaround applied as fix.
Fixed Versions:
17.0.0, 16.1.2, 15.1.3.1, 14.1.4.4
1020645 : When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered
Links to More Info: BT1020645
Component: Local Traffic Manager
Symptoms:
In an explicit proxy configuration when an HTTP request is sent to an HTTPS destination server via proxy, the HTTP CONNECT method is sent, but the iRule event HTTP_RESPONSE_RELEASE is not fired.
Conditions:
- Simple HTTP explicit proxy virtual server
- An HTTP request from the client is sent to an 'https://' destination server
Impact:
iRule event HTTP_RESPONSE_RELEASE does not get triggered.
Workaround:
None
Fix:
When HTTP CONNECT is sent, the iRule event HTTP_RESPONSE_RELEASE is now triggered.
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.4.1
1020549-1 : Server-side connections stall with zero window with OneConnect profile
Links to More Info: BT1020549
Component: Local Traffic Manager
Symptoms:
Serverside connections from pool member to BIG-IP hang, with the BIG-IP advertising a TCP zero window.
Conditions:
-- Virtual server with OneConnect profile
-- The BIG-IP applies flow-control to the serverside connection (e.g. the server's response to the BIG-IP is faster than the BIG-IP's forwarding the response to the client)
-- The serverside connection is subsequently re-used
Impact:
Serverside connections hang in the middle of data transfer, and will eventually time out.
Workaround:
If possible, remove the OneConnect profile from the virtual server.
Note: removing a OneConnect profile may cause problems with persistence, as described in
K7964: The BIG-IP system may appear to ignore persistence information for Keep-Alive connections (https://support.f5.com/csp/article/K7964)
Fixed Versions:
17.0.0, 16.1.2.2
1020377-1 : Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon
Links to More Info: BT1020377
Component: TMOS
Symptoms:
If an IKEv2 tunnel terminates with an error condition, afterward it is possible for IKE packets to be received by the IKEv1 racoon daemon, which is listening to local host (i.e 127.0.0.1) on ports 500 and 4500.
Conditions:
To get the problem to occur, you may need these details:
-- an IKEv2 config where traffic selector narrowing happens
-- termination of an IKEv2 tunnel with an error condition
-- some other BIG-IP service using the same local self IP
Packets can reach the IKEv1 racoon daemon only when some BIG-IP service uses bigself as the proxy, which forwards packets to localhost (127.0.0.1) with the same port number. So even if no IKEv1 config is present for a local self IP, if some other BIG-IP service also uses bigself as a proxy, this can forward IKE packets to localhost as well.
Impact:
The IKEv2 tunnel does not get renegotiated, because IKE packets reach the IKEv1 daemon, which ignores them, because the proper listener to handle IKEv2 is missing. As a result, tunnel service is interrupted.
Workaround:
Deleting and re-adding the problematic ike-peer and traffic-selector should bring back IPsec support for that tunnel.
If the initiating and responding sides of the tunnel have identical traffic-selector proposals, then narrowing should not happen, and this would also prevent the problem in the first place.
Fix:
BIG-IP systems now manage and handle multiple references to the same listener in a more rigorous way, so the IKEv2 listener cannot go away while it is still needed.
Fixed Versions:
17.0.0, 16.1.2
1020337-2 : DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator
Links to More Info: BT1020337
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm cores with umem debug enabled.
Conditions:
A string operation is performed against DNS resource records (RRs) from DNSMSG::section in an iRule.
Impact:
Tmm memory corruption. In some situations, tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
Do not use string operations against DNS RRs returned from DNSMSG::section.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1020129-2 : Turboflex page in GUI reports 'profile.Features is undefined' error★
Links to More Info: BT1020129
Component: TMOS
Symptoms:
The System :: Resource Provisioning : TurboFlex page is unusable, and the BIG-IP GUI reports an error:
An error occurred: profile.Features is undefined.
Conditions:
-- BIG-IP iSeries appliance
-- Upgrade to:
--- v15.1.3 or later within v15.1.x
--- v16.0.1.2 or later within v16.0.x
--- v16.1.0 or later
-- Accessing the System :: Resource Provisioning : TurboFlex page in the BIG-IP GUI
Impact:
Unable to manage TurboFlex profile via the BIG-IP GUI.
Workaround:
Use tmsh or iControl REST to manage TurboFlex profile configuration.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1020061-3 : Nested address lists can increase configuration load time
Links to More Info: BT1020061
Component: Advanced Firewall Manager
Symptoms:
Whenever there are a number of nested address lists configured, the 'load sys config' command takes a long time to complete.
Conditions:
-- Several nested Address Lists are configured.
-- The 'load sys config' command is run.
Impact:
Upgrading (load sys config) takes a lot of time of time to complete, which sometimes causes Packet Correlation Classification Daemon (pccd) to fail.
If pccd fails, the system is unable to detect and compile firewall configuration changes, meaning that changes made to the firewall configuration are not enforced.
Note: The firewall configuration that was running before pccd goes down continues to be enforced; only changes are not enforced.
Workaround:
None
Fix:
Fixed an issue with config load time when nested address lists are used.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1020041-3 : "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs
Links to More Info: BT1020041
Component: Policy Enforcement Manager
Symptoms:
The following message may be logged to /var/log/tmm*
Can't process event 16, err: ERR_NOT_FOUND
Conditions:
Applying a PEM policy to an existing session that already has that policy (eg, through an irule using 'PEM::subscriber config policy referential set xxxx'
Impact:
Since the PEM policy is already applied to the session, the failure message is essentially cosmetic, but it can cause the tmm logs to grow in size if this is happening frequently.
Workaround:
--
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1019853-1 : Some signatures are not matched under specific conditions
Links to More Info: K30911244, BT1019853
Component: Application Security Manager
Symptoms:
Some signatures are not matched, attacking traffic may pass through.
Conditions:
- Undisclosed signature conditions
Impact:
Attacking traffic can bypass the WAF.
Workaround:
N/A
Fix:
Signatures are now matched as expected.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1019829-2 : Configsync.copyonswitch variable is not functioning on reboot
Links to More Info: BT1019829
Component: TMOS
Symptoms:
Configsync.copyonswitch variable is not functioning properly during reboot to another partition
Conditions:
-- db variable configsync.copyonswitch modified
-- hostname is changed in global-settings
-- reboot to another partition
Impact:
The hostname will be changed back to the default hostname after reboot
Fixed Versions:
16.1.1
1019721-1 : Wrong representation of JSON/XML validation files in template based (minimal) JSON policy export
Links to More Info: BT1019721
Component: Application Security Manager
Symptoms:
When exporting template-based (minimal) JSON policy with profiles and associated validation files, the resulting configuration is wrong.
- Configuration for the JSON validation file is missing from the exported policy
- The JSON profile associated validation file has the name but no content
Conditions:
Export a minimal JSON policy with JSON/XML validation files associated to the JSON/XML profile.
Impact:
Error due to wrong configuration of the validation file during import.
Fixed Versions:
17.0.0, 16.1.2.2
1019613-5 : Unknown subscriber in PBA deployment may cause CPU spike
Links to More Info: BT1019613
Component: Carrier-Grade NAT
Symptoms:
in PBA deployment, a CPU spike may be observed if the subscriber-id log is enabled and the subscriber-id is unknown.
Conditions:
-- PBA configuration
-- Address translation persistent is enabled
-- Subscriber-id log is enabled
-- There is an unknown subscriber
Impact:
Overall system capacity reduces.
Workaround:
Disable subscriber-id logging.
Fix:
Unknown subscriber in PBA deployment no longer causes a CPU spike.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1019609-1 : No Error logging when BIG-IP device's IP address is not added in client list on netHSM.★
Links to More Info: BT1019609
Component: Local Traffic Manager
Symptoms:
"Ensure BIG-IP's IP address is added to the client list"
error log is not displayed, despite the BIG-IP not being added to the client list in Thales/nShield/Entrust HSM.
Conditions:
BIG-IP is not added to the client list in Thales/nShield/Entrust HSM.
Impact:
Difficult to debug the error condition to due lack of error message
Workaround:
None
Fix:
Grep error text information on stderror stream now works.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
1019557-1 : Bdosd does not create /var/bdosd/*.json
Links to More Info: BT1019557
Component: Advanced Firewall Manager
Symptoms:
JSON files for historical data are not created for each virtual server in /var/bdosd.
BDOS for DDoS works on current data in memory but cannot to depend on the historical data for all virtual servers
Conditions:
BDOS is configured for any virtual server
Impact:
Custom signature or BDDoS-generated signature for the virtual server does not work correctly.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.5
1019429-1 : CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated
Links to More Info: BT1019429
Component: TMOS
Symptoms:
Virtuals with CMP forwarded flows and PVA acceleration may see a higher than expected syncache counter which can lead to permanent syncookie activation.
Also, under certain conditions the internal listeners used for config-sync may have syncookies activated. Logs will show the syncookie counter increasing after every activation.
bigip1 warning tmm1[18356]: 01010038:4: Syncookie counter 9830 exceeded vip threshold 2496 for virtual = 192.168.1.1:4353
bigip1 warning tmm1[18356]: 01010038:4: Syncookie counter 9834 exceeded vip threshold 2497 for virtual = 192.168.1.1:4353
Conditions:
-- Virtual servers with CMP forwarded flows - commonly occurring when the FTP profile is in use.
-- A platform with PVA acceleration enabled.
-- Only the server-side flow of a connection is offloaded to hardware.
Impact:
Elevated syncache_curr, epva_connstat.embryonic_hw_conns, epva_connstat, embryonic_hw_tcp_conns stas. Improper syncooke activation. Syncookie activation on the config-sync listener may cause config-sync to fail.
Workaround:
Remove the ftp profile or disable PVA acceleration:
modify sys db pva.acceleration value none
Fix:
Counters are now correctly decremented.
Fixed Versions:
17.0.0, 16.1.5, 15.1.4.1
1019357-2 : Active fails to resend ipsec ikev2_message_id_sync if no response received
Links to More Info: BT1019357
Component: TMOS
Symptoms:
In high availability (HA) setup, after failover, the newly active BIG-IP device, will send ikev2_message_id_sync messages to the other device.
If the BIG-IP device did not receive a response, it has to retransmit the packet. Some of the IKE tunnels are trying to retransmitting the packet, but its not going out of BIG-IP due to wrong state of relation between IKE tunnel and connection flow.
After 5 retries, it marks the peer as down, and the IKE tunnel is deleted.
Conditions:
-- High availability (HA) environment
-- IKE tunnels configured
-- A failover occurs
Impact:
Traffic loss.
Workaround:
None
Fix:
Fetch latest connection flow during retransmission of IKE/IPSEC packet.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
1018877-2 : Subsession variable values mixing between sessions
Links to More Info: BT1018877
Component: Access Policy Manager
Symptoms:
Subsession variable lookup internally assumes that a complete session DB lookup name (Session ID + Subsession key) is used. However, when using the lookup table, only the subsession key is passed in.
Conditions:
Subsession variables are referenced in the Per-Request Policy outside of the Subsession without the Session ID.
Impact:
A Per-Request Policy execution may get the value of the subsession variable from a different APM session.
Workaround:
Add the session ID to the reference to the subsession variables used in Per-Request Policies.
Fix:
Fixed an issue with subsession variable lookup.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1018613-1 : Modify wideip pools with replace-all-with results pools with same order 0
Links to More Info: BT1018613
Component: Global Traffic Manager (DNS)
Symptoms:
Multiple wideip pools have the order 0.
Conditions:
There are overlap for the pools for command replace-all-with and the pools to be replaced.
Impact:
iQuery flapping between GTMs.
Workaround:
First delete all pools from the wideip and then use replace-all-with.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1018577-4 : SASP monitor does not mark pool member with same IP Address but different Port from another pool member
Links to More Info: BT1018577
Component: Local Traffic Manager
Symptoms:
When the LTM SASP monitor is applied to a pool with multiple members having the same IP Address but different Ports, only one of the pool members with the duplicated IP Address will be monitored (marked UP or DOWN as appropriate). Other pool members sharing the same IP Address will remain in a 'checking' state.
Conditions:
This occurs when using the SASP monitor in a pool with multiple members having the same IP Address but different Ports.
For example:
ltm pool sasp_test_pool {
members {
sasp_1:80 {
address 10.10.10.1
}
sasp_1:8080 {
address 10.10.10.1
}
sasp_2:80 {
address 10.10.10.2
}
sasp_2:8080 {
address 10.10.10.2
}
}
monitor sasp_test
}
In this case, only one pool member with a given IP Address will be correctly monitored by the sasp monitor.
Any additional pool members with the same IP Address but different port will not be monitored by the SASP monitor and will remain in a 'checking' state.
Impact:
Not all pool members may be effectively/accurately monitored by the SASP monitor.
Fix:
The ltm sasp monitor correctly monitors members of a pool which share the same IP Address but different Ports.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1018493-1 : Response code 304 from TMM Cache always closes TCP connection.
Links to More Info: BT1018493
Component: Local Traffic Manager
Symptoms:
When a virtual server is configured to accelerate HTTP traffic, it caches responses with 200 and 304 response codes. Serving a response with "304 Not Modified" code, TMM may close a connection to a client.
Conditions:
-- A virtual server has a web-acceleration profile (without a web application for versions prior 16.0.0).
-- A response with code 304, stored in TMM cache, is served to a request.
Impact:
A client needs to open a new TCP connection every time when a response with "304 Not Modified" code is served.
Fix:
TMM correctly serves a response with "304 Not Modified" code, allowing to correctly handle TCP connection status.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5
1018309-5 : Loading config file with imish removes the last character
Links to More Info: BT1018309
Component: TMOS
Symptoms:
While loading a configuration from the file with IMISH ('imish -f <f_name>'),truncating the last line.
printf 'log file /var/log/zebos.log1' >/shared/tmp/new.cfg
Running imish -r 0 -f /shared/tmp/new.cfg have the last character missing like below:
log file /var/log/zebos.log
Conditions:
Loading a config with 'imish -f <f_name>' commands.
Note: This command is used with the bigip_imish_config Ansible module.
Impact:
Configuration commands cannot be created properly.
Workaround:
For CLI, use extra control char at the end or \n.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4.1
1018285-2 : MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction
Links to More Info: BT1018285
Component: Service Provider
Symptoms:
MRF DIAMETER is not DIAMETER-application aware. It does not have application-specific business logic. When creating a DIAMETER solution, BIG-IP operators often need to write iRule scripts that remove a session persistence entry at the end of a transaction.
Conditions:
Some applications require removal of the persistence entry upon successful and unsuccessful completion of a transaction.
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm rule log_dia_error
ltm rule log_dia_error {
when DIAMETER_INGRESS {
set cmd_code [DIAMETER::command]
if { $cmd_code == 272 } {
set cc_req_type [DIAMETER::avp data get 416 integer32]
if {[DIAMETER::is_response] && $cc_req_type == 3 } {
log local0. "Persistence record delete-on-any"
DIAMETER::persist delete-on-any
}
}
}
Impact:
iRule script is required.
Fix:
DIAMETER::persist irule are supported to remove a persistence entry based on the result status of a answer message.
below irule commands are supported.
DIAMETER::persist delete-on-any
DIAMETER::persist delete-on-success
DIAMETER::persist delete-on-failure
DIAMETER::persist delete-none
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
1018145 : Firewall Manager user role is not allowed to configure/view protocol inspection profiles
Links to More Info: BT1018145
Component: Protocol Inspection
Symptoms:
A user account with the "firewall-manager" role that is assigned permissions only to custom partitions will not be able to configure protocol inspection profiles.
Conditions:
-- A user account is created with the role firewall-manager.
-- A custom partition is created.
-- The newly created user is given access to the newly created partition.
Impact:
Any user account without access to "/Common" partition is not allowed to configure protocol inspection profiles.
Workaround:
- If the user account is provided access to "/Common" partition as well, the user should be able to configure protocol-inspection profiles in the newly created custom partitions.
Fix:
The permissions are granted for any non-admin user to configure protocol inspection profiles in a custom partition as long as they have access to "/Common" partition as well.
Fixed Versions:
16.1.1, 15.1.4
1017721-5 : WebSocket does not close cleanly when SSL enabled.
Links to More Info: BT1017721
Component: Local Traffic Manager
Symptoms:
After sending a close frame to the WebSocket server, the WebSocket client receives 1006 response.
Conditions:
Virtual server with the following profiles:
-- WebSocket
-- HTTP over SSL (at least server side SSL)
and connection closure is initiated by the client.
Impact:
Client side applications experience errors in the form of WebSocket abnormally closing connections with error code 1006.
Workaround:
Avoid using SSL on WebSocket server context.
Fix:
WebSocket connections close without any error.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5.1
1017557-1 : ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN
Links to More Info: BT1017557
Component: Application Security Manager
Symptoms:
ASM BD sends a reset back to the client when the backend server sends a response without proper terminating 0 chunk followed by FIN.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Backed server sends a bad chunked response
Impact:
Valid requests can be reset.
Workaround:
Any one of the following workarounds can be applied.
-- Fix backed server behavior.
-- Fix bad response using iRule, appending proper terminating 0 chunk
-- Change ASM internal /usr/share/ts/bin/add_del_internal update bypass_upon_load 1
Fix:
Fix ASM to properly handle bad chunked response followed by FIN
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1017533-3 : Using TMC might cause virtual server vlans-enabled configuration to be ignored
Links to More Info: BT1017533
Component: Local Traffic Manager
Symptoms:
When switching between traffic-matching-criteria (TMC) and regular virtual-server configuration, the vlans-enabled option might be ignored, causing unexpected traffic handling.
Conditions:
Changing virtual-server configuration when using traffic-matching-criteria.
Impact:
Unexpected traffic handling and disruption
Workaround:
Avoid using TMC (port lists and address lists). When in a 'faulty' state you can try changing vlan-enabled on and changing it back on the virtual server, you might need to clear existing connections afterwards.
Follow below articles.
K53851362: Displaying and deleting BIG-IP connection table entries from the command line
K52091701: Handling Connections that have been matched to the wrong Virtual Server.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6
1017513-5 : Config sync fails with error Invalid monitor rule instance identifier or monitors are in a bad state such as checking
Links to More Info: BT1017513
Component: Local Traffic Manager
Symptoms:
If you remove or attach a different monitor to an fqdn pool, then perform a full config-sync, an error occurs:
Load failed from /Common/bigip1 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 58.
This error can occur on FQDN nodes or regular nodes. It's the use of fqdn nodes that allows this issue to occur.
Conditions:
-- BIG-IP device is configured with fqdn nodes/pools with monitors.
-- Modify an fqdn pool to remove or attach a different monitor.
-- Run the command:
run cm config-sync to-group Failover
-- Perform a full config-sync.
Impact:
You might experience the following:
-- Sync to the peer devices fails.
-- Monitors may be stuck in an unexpected state such as down (even with a good reply) or checking even though an up or down response is received.
Workaround:
Use incremental-sync.
If incremental sync fails to correct the issue it can sometimes be recovered by running the following command:
bigstart restart mcpd
Note: Traffic disrupted while the system restarts.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5
1017421-4 : SASP Monitor does not log significant error conditions at default logging level
Links to More Info: BT1017421
Component: Local Traffic Manager
Symptoms:
Most error conditions encountered by the SASP monitor are not logged at the default logging level ("error"). Most of the meaningful error conditions, including Exceptions, are logged at "info" or "debug" levels. Obtaining details to diagnose the SASP monitor issues requires reconfiguring sys db saspd.loglevel for a value of "info" or "debug".
Conditions:
-- Using the SASP monitor to monitor LTM pool members
-- Leaving the saspd.loglevel system DB variable configured at the default value of "error"
Impact:
Errors which occur intermittently or once while monitoring LTM pool members using the SASP monitor may not be diagnosable.
Workaround:
Configure the saspd.loglevel system DB variable with a value of "info" (for normal operations) or "debug" (if problems are occurring repeatedly).
Fixed Versions:
16.1.5
1017233-2 : APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption
Links to More Info: BT1017233
Component: Access Policy Manager
Symptoms:
A corrupted password is sent as part of the "Authorization" header to the backend device and as a result, http 404 is returned
Conditions:
-- iRule for ActiveSync is used
-- The BIG-IP system has multiple tmms running
Impact:
User Authentication is failed by the backed server
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
1017153-4 : Asmlogd suddenly deletes all request log protobuf files and records from the database.
Links to More Info: BT1017153
Component: Application Security Manager
Symptoms:
Asmlogd suddenly deletes all request log protobuf files and records from the database.
Additionally, after the deletion happens, newly generated event logs seen in database do not show up in TMUI.
Conditions:
-- ASM provisioned
-- Config-sync setup, with frequent sync recovery and/or with a manual-sync device-group with ASM sync enabled.
Impact:
Sudden loss of request logs.
Workaround:
Delete all empty partitions and restart asmlogd.
1) View all the partitions:
# perl -MF5::Db::Partition -MData::Dumper -MF5::DbUtils -e 'print Dumper(F5::Db::Partition::retrieve_partitions_info(dbh => F5::DbUtils::get_dbh(), table_name => "PRX.REQUEST_LOG"))'
Take note of the 'PARTITION_NAME' and 'TABLE_ROWS' for each partition.
2) For every partition_X (in PARTITION_NAME) with '0' in TABLE_ROWS, delete it by:
# perl -MF5::Db::Partition -MF5::DbUtils -e 'F5::Db::Partition::delete_partition(dbh => F5::DbUtils::get_dbh(), table_name => "PRX.REQUEST_LOG", partition_name => "partition_X")'
3) restart asmlogd if and after done all deletes:
# pkill -f asmlogd
NOTE: this workaround is temporary. Meaning, that the number of empty partitions will again accumulate and the same issue will happen again. The MAX number of partitions is - 100. Thus, it is advised to monitor the total number of *empty* partitions and repeat the workaround periodically. A cron script should work well. Normally, empty partitions should NOT accumulate. Thus, it is safe to run this script once an hour and remove all empty partitions.
Optionally, if you are having TMUI issue with newly generated event logs, perform the additional command below to delete rows from PRX.REQUEST_LOG_PROPERTIES for which no corresponding rows exist in PRX.REQUEST_LOG.
# mysql -t -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e 'delete from PRX.REQUEST_LOG_PROPERTIES where request_log_id > (select id from PRX.REQUEST_LOG order by id desc limit 1)'
Fix:
Upgrading to a fixed software version will not delete accumulated partitions and will not clear the symptom away. The fix will prevent ASM from accumulating partitions unnecessarily in the scenarios.
If your ASM system is experiencing this and partitions are accumulated, perform the workaround to clear the symptom. Using a fixed software version, you only need to perform the workaround once. You no longer have to perform it periodically.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1016449-3 : After certain configuration tasks are performed, TMM may run with stale Self IP parameters.
Links to More Info: BT1016449
Component: Local Traffic Manager
Symptoms:
A Self IP instantiated by performing specific configuration tasks (see Conditions) does not work (e.g. the system does not respond to ARP requests for it).
On the contrary, the system continues to use (e.g. respond to ARP requests for) an old version of the Self IP specifying a different address.
Conditions:
This issue is known to occur when one of the following operations is performed:
- Restoring a UCS or SCF archive in which a Self IP with a specific name specifies a different address.
- Performing a config-sync between redundant units in which the sender changes a Self IP with a specific name to use a different address. For example:
tmsh delete net self <name>
tmsh create net self <name> address <new_address> ...
tmsh run cm config-sync to_group ...
- Performing specific tmsh CLI transactions involving Self IP modifications.
Impact:
The system does not utilise the configured Self IP address. Traffic will be impacted as a result (for example, in connections to the unit, in snat automap, etc.).
Workaround:
Restart TMM (bigstart restart tmm) on affected units.
Fix:
TMM now correctly handles supported Self IP address modifications.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1016441-4 : RFC Enforcement Hardening
Links to More Info: K11342432, BT1016441
Component: Local Traffic Manager
Symptoms:
When the HTTP profile RFC Enforcement Flag is enabled, certain non-RFC compliant headers are still allowed.
Conditions:
- Virtual Server with HTTP profile.
- RFC Enforcement Flag enabled.
- HTTP request with non-RFC compliant headers.
Impact:
Non-RFC compliant headers passed to server.
Workaround:
N/A
Fix:
BIG-IP will drop non-RFC compliant HTTP requests when the RFC compliance flag is ON.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1016113-1 : HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile.
Links to More Info: BT1016113
Component: Local Traffic Manager
Symptoms:
Configurations containing HTTP response-chunking 'sustain' and a Web Acceleration profile do not rechunk payload regardless of whether the web server responds with a chunked response.
Conditions:
-- Incoming response payload to the BIG-IP system is chunked.
-- HTTP profile is configured with response-chunking 'sustain'.
-- Web Acceleration profile also configured on the same virtual server.
Impact:
The BIG-IP response is not chunked, regardless of whether the associated web server responds with a chunked payload when the Web Acceleration is utilized.
Workaround:
For a chunked response to be delivered to the client, apply the iRule command 'HTTP::rechunk' to responses when a Web Acceleration profile is used.
Fix:
The BIG-IP response is chunked appropriately when a Web Acceleration profile is used.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4
1016049-6 : EDNS query with CSUBNET dropped by protocol inspection
Links to More Info: BT1016049
Component: Local Traffic Manager
Symptoms:
EDNS query might be dropped by protocol inspection with an error log in /var/log/ltm similar to:
info tmm[21575]: 23003139 SECURITYLOG Drop sip:192.168.0.0 sport:64869 dip:1.1.1.1 dport:53 query:test.f5.com qtype:malformed attack:malformed
Conditions:
Query containing CSUBNET option.
Impact:
Some queries might fail.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1016045-4 : OOPS logging may appear while active ftp if the port command forces a cmp_redirection and a quit follows.
Links to More Info: BT1016045
Component: Carrier-Grade NAT
Symptoms:
OOPS logging may appear in /var/log/ltm and /var/log/tmm
Conditions:
1. Active ftp connection.
2. Sending the port command immediately followed by a quit.
Impact:
Log pollution and potential for performance degradation.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
16.1.4, 15.1.9
1016033-4 : Remote logging of WS/WSS shows date_time equal to Unix epoch start time
Links to More Info: BT1016033
Component: Application Security Manager
Symptoms:
Enable the BD_MISC log and notice the REMOTE_LOG buffer printed in the bd logs. The date_time field will be set as closer to epoch time, for eg: "1969-12-31 16:27:00", instead of the current date. The same will be reflected in the remote logs as well.
Conditions:
Remote logging is enabled and the WS/WSS requests are sent to the BIG-IP
Impact:
The date_time information in WS traffic logged to a remote destination is incorrect. This makes correlating data difficult or impossible depending on the traffic.
Fixed Versions:
17.0.0, 16.1.5, 15.1.5
1015881-4 : TMM might crash after configuration failure
Links to More Info: BT1015881
Component: Application Security Manager
Symptoms:
TMM crashes after DoSL7 application configuration failure
Conditions:
DoSL7 configuration is changed, and the configuration change fails in TMM.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.7
1015645-2 : IPSec SA's missing after reboot
Links to More Info: BT1015645
Component: TMOS
Symptoms:
Some IPSec SA's created after Tunnel migration may be missing after a reboot.
Conditions:
- IPSec tunnels
- Load balancing continues through tunnel migration
- The active BIG-IP system is rebooted
Impact:
Some IPSec SA's may be missing after the reboot
Workaround:
None
Fix:
During reboot, Load balancing information is loaded based on creation time instead of arrival time.
Fixed Versions:
17.0.0, 16.1.2
1015133-5 : Tail loss can cause TCP TLP to retransmit slowly.
Links to More Info: BT1015133
Component: Local Traffic Manager
Symptoms:
If a long tail loss occurs during transmission, TCP might be slow to recover.
Conditions:
-- A virtual server is configured with the TCP profile attached.
-- SACK and TLP are enabled.
-- A tail loss of multiple packets sent by the BIG-IP occurs.
Impact:
BIG-IP retransmits one packet per RTT, causing a long recovery. The impact is more pronounced if an entire window is lost.
Workaround:
Disabling TLP may improve performance in this particular case, but may degrade performance in other situations.
Fix:
A new sys db key was added: tm.tcpaggressivepartialack (disabled by default). When enabled, more data is retransmitted every RTT, similar to slow-start.
Behavior Change:
A new sys db key was added: tm.tcpaggressivepartialack (disabled by default). When enabled, more data is retransmitted every RTT, similar to slow-start.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
1014973-5 : ASM changed cookie value.
Links to More Info: BT1014973
Component: Application Security Manager
Symptoms:
ASM changes the value of a cookie going to the server.
Conditions:
Specific conditions.
Impact:
Domain cookie will reach the server with a wrong value. Can cause different malfunctions depending on the application.
Workaround:
Change the following db variable:
tmsh modify sys db asm.strip_asm_cookies (https://support.f5.com/csp/article/K30023210) value false.
There is no need to restart asm.
Add an iRule without the use of strip_asm_cookies:
https://support.f5.com/csp/article/K13693.
Fix:
Original cookies not being deleted/modified after the removing of TS cookies in ASM.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1014573-1 : Several large arrays/objects in JSON payload may core the enforcer
Links to More Info: BT1014573
Component: Application Security Manager
Symptoms:
Requests with JSON payload that consists of more than one object with elements, such as a couple of large arrays, may cause the enforcer to crash.
Conditions:
Each of the objects/arrays in JSON payload has to consist lesser amount of elements than defined in the "Maximum Array Length" JSON profile attribute.
Impact:
Large enough arrays may cause performance decrease, in addition, the enforcer may crash.
Workaround:
Set "Maximum Array Length" to a lower value than the requests array length.
Fix:
Added internal param "count_overall_child_elements_in_json" to control "Maximum Array/Object Elements" behaviour:
0 (default) - retain current behaviour (check max elements in each array/object separately);
1 - count overall elements in all arrays/objects.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1013729-2 : Changing User login password using VMware View Horizon client results in “HTTP error 500”
Links to More Info: BT1013729
Component: Access Policy Manager
Symptoms:
“HTTP error 500" is shown when user changes the password using VMware view horizon client.
Conditions:
User tries to change user password using the VMware native client.
Impact:
Users can't login to the VMware VDI.
Workaround:
None
Fix:
Users can now modify their password via the VMware native client and are able to login to VMware vdi.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
1013629-4 : URLCAT: Scan finds many Group/User Read/Write (666/664/662) files
Links to More Info: BT1013629
Component: Traffic Classification Engine
Symptoms:
Shared memory files in relation with URLCAT have file permissions set to (-rwxrwxrwx), which is not necessary and needs to be restricted to (-rw-rw-r--).
Conditions:
Policy Enforcement Manager is provisioned
Impact:
Full permission can result in unintentional/unauthorized access, which could result in unexpected behavior of the URLCAT feature.
Workaround:
Manually change permissions from (-rwxrwxrwx) to (-rw-rw-r--) using the chmod command.
Fix:
Shared Memory file permissions are now set to (-rw-rw-r--).
Fixed Versions:
17.0.0, 16.1.2, 15.1.9
1013353-1 : ICMP flood or ICMP/IP/IPv6 fragment vectors are not hardware mitigated when configured on VS
Links to More Info: BT1013353
Component: Advanced Firewall Manager
Symptoms:
Hardware drops are not seen for the vectors ICMP flood or ICMP/IP/IPv6 fragment.
Conditions:
In the case of a virtual server configured with ICMP flood or ICMP/IP/IPv6 fragment vectors, will see only attack mitigation and drops at the software level.
Impact:
Hardware mitigation is not happening when ICMP flood and ICMP/IP/IPv6 fragment vectors are configured on a VS.
Workaround:
None
Fix:
This was due to a known limitation in one of the hardware modules. Added the required changes to use SPVA for these vectors to fix the issue.
Fixed Versions:
16.1.4
1012813-1 : Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file"
Links to More Info: BT1012813
Component: Local Traffic Manager
Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'.
You may see errors similar to:
-- err statsd[4908]: 011b0600:3: Error ''/var/rrd/access' is not an RRD file' during rrd_update for rrd file '/var/rrd/access'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/access'.
Conditions:
Corruption of a binary file in /var/rrd.
Impact:
Stats are no longer collected. Statsd and rrdshim deadlock, resulting in the issues noted in the Symptoms section.
Workaround:
Remove the corrupted file and restart statsd:
bigstart restart statsd
Fixed Versions:
17.1.1, 16.1.4
1012721-4 : Tmm may crash with SIP-ALG deployment in a particular race condition
Links to More Info: BT1012721
Component: Service Provider
Symptoms:
Tmm crashes in SIP-ALG deployment
Conditions:
--- SIP-ALG is deployed
--- While processing first SIP REGISTER at server-side
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Tmm no longer crashes in this race condition
Fixed Versions:
17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4, 13.1.5
1012581-1 : Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered
Links to More Info: BT1012581
Component: Advanced Firewall Manager
Symptoms:
As soon as global syncookie enabled stats counts starts decrementing and when attack_detection_common callback function calls, the stats range is always under the configured packets per-second threshold, resulting in some tmms not being able to detect the attack but syncookies are already enabled on these tmms, and no statistics are gathered.
Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into the BIG-IP system.
Impact:
SYN cookies may still be sent after traffic goes below the attack detection threshold.
Workaround:
Restart tmm
Fix:
Now, global syncookie state changing from full-hardware to non-activated when attack ends.
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5
1012221-1 : The childInheritanceStatus is not compatible with parentInheritanceStatus★
Links to More Info: BT1012221
Component: Application Security Manager
Symptoms:
The BIG-IP system is unable to deploy a revision of upgraded child policies and you see an error:
Failed pushing changed objects to device <device>: Could not update the Section 'Threat Campaigns'. childInheritanceStatus is not compatible with parentInheritanceStatus.
Conditions:
-- An ASM Child Policy is present on the BIG-IP device in a version earlier than BIG-IP 14.0.0.
-- The BIG-IP system is upgraded to BIG-IP 14.0.0 or later.
Impact:
This corruption impacts BIG-IQ interactions with the Child Policy and causes exported Child Policies to be incorrect.
Workaround:
After upgrading to BIG-IP 14.0.0 or later, perform the following:
1. Log in to the BIG-IP Configuration Utility.
2. Go to Security :: Application Security :: Security Policies :: Policies List.
3. Select the first Parent Policy.
4. Go to Inheritance settings and change Threat Campaigns from None to Optional.
5. Click Save Changes.
6. Change Threat Campaigns from Optional back to None.
7. Click Save Changes.
8. Click Apply.
9. Repeat steps 3 to 8 for each additional Parent Policy.
Fix:
Made childInheritanceStatus compatible with
parentInheritanceStatus after the upgrade.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1011433-1 : TMM may crash under memory pressure when performing DNS resolution
Links to More Info: BT1011433
Component: Global Traffic Manager (DNS)
Symptoms:
When running low on free memory, TMM may crash when performing DNS resolution.
Conditions:
-- TMM is under memory pressure.
-- TMM is performing DNS resolution via one of the following mechanisms:
--+ iRule using the "RESOLV::lookup" command
--+ AFM firewall rules that reference hostnames
--+ APM
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
1011217-5 : TurboFlex Profile setting reverts to turboflex-base after upgrade★
Links to More Info: BT1011217
Component: TMOS
Symptoms:
Custom TurboFlex Profile settings revert to the default turboflex-base profile after an upgrade.
Conditions:
-- iSeries platform with ix800 performance license
-- A non-default TurboFlex Profile is applied
-- The BIG-IP device is upgraded
Impact:
Some features of the previously selected TurboFlex Profile that are not part of the turboflex-base profile, are missing after upgrade. The TurboFlex Profile must be reconfigured after upgrade.
Workaround:
Reconfigure the TurboFlex Profile after upgrade.
Fix:
TurboFlex Profile settings are now preserved after the upgrade.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
1011069-1 : Group/User R/W permissions should be changed for .pid and .cfg files.
Links to More Info: BT1011069
Component: Application Security Manager
Symptoms:
The following files should be set with lower permissions:
/etc/ts/dcc/dcc.cfg (-rw-rw--w-)
/run/asmcsd.pid (-rw-rw--w-)
/run/bd.pid (-rw-rw--w-)
/run/dcc.pid (-rw-rw--w-)
/run/pabnagd.pid (-rw-rw--w-)
Conditions:
Always
Impact:
Incorrect file permissions.
Workaround:
Chmod 664 <files_list>
Fix:
The corrected permissions 664 are applied to the given list of files.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1011065-1 : Certain attack signatures may not match in multipart content
Links to More Info: K39002226, BT1011065
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM may not correctly detect attack signatures.
Conditions:
- ASM provisioned
- Request contains multipart body that matches specific attack signatures.
Impact:
Attack detection is not triggered as expected.
Workaround:
None
Fix:
Attack detection is now triggered as expected.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
1011061-4 : Certain attack signatures may not match in multipart content
Links to More Info: K39002226, BT1011061
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM may not correctly detect attack signatures.
Conditions:
- ASM provisioned
- Request contains a specially-crafted multipart body
Impact:
Attack detection is not triggered as expected.
Workaround:
None
Fix:
Attack detection is now triggered as expected.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1010961-1 : Redirect fails when accessing SAML Resource more than once in SAML IDP initiated Flow
Links to More Info: BT1010961
Component: Access Policy Manager
Symptoms:
In SAML idp initiated Flow, redirects fails on accessing SAML Resource second time as multiple assertions are posted to the SP on same access session
Conditions:
1. BIG-IP SAML SP and IDP configured for IDP initiated Flow
2. Access SAML Resource first time is successful but fails second time for same access session
Impact:
Multiple assertions are sent to SP on same access session and fails to render the backend application second time.
Workaround:
For Access policy contains an allow ending:
when HTTP_REQUEST {
if { [HTTP::uri] eq "/saml/sp/profile/post/acs" && [ACCESS::session exists -state_allow -sid [ACCESS::session sid]] } {
HTTP::redirect "/"
}
}
For access policy contains a redirect ending:
when HTTP_REQUEST {
if { [HTTP::uri] eq "/saml/sp/profile/post/acs" && [ACCESS::session exists -state_redirect -sid [ACCESS::session sid]] } {
HTTP::redirect "/"
}
}
If relay-state implemented, edit the iRule's redirect uri to match that configured in the relay-state.
Fix:
BIG-IP as SP processes all of the assertions received on a single access session and successfully renders the backend application.
Fixed Versions:
17.1.0, 16.1.4
1010809-3 : Connection is reset when sending a HTTP HEAD request to APM Virtual Server
Links to More Info: BT1010809
Component: Access Policy Manager
Symptoms:
Connection is reset when sending a HTTP HEAD request to APM Virtual Server
Conditions:
-- A virtual server with APM implemented
-- A HTTP HEAD request is sent to the virtual server
Impact:
Connection is reset
Workaround:
To work around this issue, implement the following iRule on the virtual server:
when HTTP_REQUEST priority 500 {
if {[HTTP::method] equals "HEAD"
&& [HTTP::path] equals "/"} {
HTTP::respond 404
}
}
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1010617-1 : String operation against DNS resource records cause tmm memory corruption
Links to More Info: BT1010617
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm cores with umem debug enabled.
Conditions:
A string operation is performed against DNS resource records (RRs) in an iRule.
Impact:
Tmm memory corruption. In some situations, tmm could crash. Traffic disrupted while tmm restarts.
Workaround:
Do not use string operation against DNS RRs.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1010597-1 : Traffic disruption when virtual server is assigned to a non-default route domain★
Links to More Info: BT1010597
Component: Access Policy Manager
Symptoms:
Assigning a virtual server to a non-default route domain might cause a traffic disruption.
Conditions:
-- An APM virtual server is assigned to a route domain other than 0 (zero, the default).
-- An access policy has an agent that results in tmm communicating to the renderer (e.g., Logon agent, HTTP 401 Response agent, and others).
Impact:
Access policy fails.
Workaround:
1. Log in to the Configuration utility.
2. Go to Network > Route Domains > affected route domain.
3. In the section Parent Name select '0 (Partition Default Route Domain)'.
4. Select Update.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1009949-4 : High CPU usage when upgrading from previous version★
Links to More Info: BT1009949
Component: TMOS
Symptoms:
When upgrading version from 12.x to 14.1.4, ospfd has high cpu utilization.
Conditions:
-- OSPF is enabled.
-- The BIG-IP system is upgraded from 12.x to 14.1.4.
Impact:
Performance Impact.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
1009793-2 : Tmm crash when using ipsec
Links to More Info: BT1009793
Component: TMOS
Symptoms:
Tmm crashes.
Conditions:
Set sys db variable IPsec.RemoveRedundantSA to enable.
set sys db variable ipsec.removeredundantsa.delay to one.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Set sys db variable IPsec.RemoveRedundantSA to disable.
set sys db variable ipsec.removeredundantsa.delay to zero.
Fix:
Redundant timer will be added only once per IKE SA and check validity of sec head data structure.
Fixed Versions:
16.1.5
1009093-2 : GUI widgets pages are not functioning correctly
Links to More Info: BT1009093
Component: Application Visibility and Reporting
Symptoms:
Some links and drop-down fields are not available for 'pressing/clicking' on AVR-GUI widgets pages
Conditions:
AVR/ASM is provisioned
Impact:
Cannot use AVR GUI pages correctly
Workaround:
1. Back up the following file, and then edit it:
/var/ts/dms/amm/templates/overview.tpl
1.a. Remove the following line:
<script type="text/javascript" src="script/analytics_stats.js{{BIGIP_BUILD_VERSION_JS}}"></script>
1.b. Add the following lines after the 'var _default_smtp = '{{smtp_mailer}}';' line:
$(document).ready(function() {
if(!window.AVR_LOCALIZATION) return;
$('.need-localization-avr').each(function() {
var item = $(this);
if (item.is("input")) {
var key = "avr." + item.val().replace(/\s/g, '');
item.val(window.AVR_LOCALIZATION[key] || item.val());
} else {
var key = "avr." + item.text().replace(/\s/g, '');
item.text(window.AVR_LOCALIZATION[key] || item.text());
}
}).removeClass('need-localization-avr');
});
1.c. Save and exit (might require the 'force' save with root user).
2. Log out of the GUI.
3. Log back in.
Fix:
GUI widgets pages now function correctly.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5
1009037-1 : Tcl resume on invalid connection flow can cause tmm crash
Links to More Info: BT1009037
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm crashes.
Tmm logs contain a line that looks like: "Oops @ 0x2bbd463:139: Unallocated flow while polling for rule work. Skipping."
Conditions:
1) iRule uses a function that may suspend iRule processing (see https://support.f5.com/csp/article/K12962 for more about this).
2) The connflow associated with the iRule is being torn down by tmm.
3) Depending upon the exact timing there is a rare chance that the iRule will resume on the wrong connflow which can cause a core.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1008849-4 : OWASP "A4 XML External Entities (XXE)" is not reflecting the XXE signatures configuration.
Links to More Info: BT1008849
Component: Application Security Manager
Symptoms:
To fulfill "A4 XML External Entities (XXE)", some required signatures need to be enforced.
Due to an update in some of those attack signatures names, this section does not find the signatures and by mistake it shows that the signatures are not enforced.
Also, when you choose to enforce the required signatures, this section tries to enforce the signatures, but looks for them via the old name, so it does not find them, and can't enforce them.
Conditions:
The attack signatures file is updated with the new names for the XXE signatures.
The old names are in use while trying to find and enforce the signatures, but it does not find them and can't enforce them and also can't see if they are already enforced.
Impact:
"A4 XML External Entities (XXE)" Compliance can't be fully compliant.
Workaround:
N/A
Fix:
The signature ID is being used instead of signature name, and now it can find them and enforce them if needed.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1008837-1 : Control plane is sluggish when mcpd processes a query for virtual server and address statistics
Links to More Info: BT1008837
Component: TMOS
Symptoms:
When there are thousands of rows in the virtual_server_stat table and mcpd receives a query for for all virtual server or virtual address statistics, mcpd can take a long time to process the request.
There might be thousands of rows if thousands of virtual servers server are configured.
There could also be thousands of rows if there are virtual servers configured for source or destination address lists, where those lists contain tens or hundreds of addresses.
Conditions:
-- Thousands of virtual_server_stat rows.
-- mcpd processes a query_stats request for the virtual_server_stat table.
Impact:
When mcpd is processing a query for virtual server statistics:
-- TMSH and GUI access is very slow or non-responsive.
-- SNMP requests timeout.
-- mcpd CPU usage is high.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.4, 14.1.4.4
1008501-1 : TMM core
Links to More Info: BT1008501
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
Transparent monitors monitoring a virtual server's IP address.
Note: Although this is the current understanding of the issue, it is not clear whether this is an true requirement for the issue to occur.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1008269-1 : Error: out of stack space
Links to More Info: BT1008269
Component: TMOS
Symptoms:
When polling for profile statistics via iControl REST, the BIG-IP system returns an error:
Error: out of stack space
Conditions:
Polling stats via iControl REST.
Impact:
You are intermittently unable to get stats via iControl REST.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1008265-1 : DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond★
Links to More Info: K92306170, BT1008265
Component: Advanced Firewall Manager
Symptoms:
DoS Flood and Sweep vector states are disabled after upgrade.
Conditions:
DoS Flood and Sweep vectors are enabled prior to an upgrade to software release 14.x and beyond.
Impact:
DoS Flood and Sweep vector states are disabled. System is susceptible to a DoS attack.
Workaround:
Reset the DoS Flood and Sweep vectors to their previous state.
Fix:
Removed default disabled state from upgrade scripts so that both vectors were restored to previous configured state
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1008017-2 : Validation failure on Enforce TLS Requirements and TLS Renegotiation
Links to More Info: BT1008017
Component: Local Traffic Manager
Symptoms:
The configuration load fails with an error:
err mcpd[4182]: 0107186b:3: Invalid "enforce-tls-requirements" value for profile /prod/my_profile. In Virtual Server (/common/my_virtual_server) an http2 profile with enforce-tls-requirements enabled is incompatible with client-ssl/server-ssl profile with renegotiation enabled. Value must be disabled.
Conditions:
BIG-IP system allows this configuration and fails later:
-- Virtual server with HTTP/2, HTTP, and client SSL profiles (with renegotiation disabled).
1. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile (by default it is enabled).
2. Add server SSL profile with 'TLS Renegotiation' enabled.
3. Save the configuration.
4. Load the configuration.
Impact:
The configuration will not load if saved.
Workaround:
If enabling 'Enforce TLS Requirements' in a HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in the Server SSL profiles on that virtual server.
Fix:
There is now a validation check to prevent this configuration, which is the correct functionality.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1008009-3 : SSL mirroring null hs during session sync state
Links to More Info: BT1008009
Component: Local Traffic Manager
Symptoms:
Tmm crashes.
Conditions:
-- SSL connection mirroring enabled
-- Running a version where ID 760406 is fixed (https://cdn.f5.com/product/bugtracker/ID760406.html)
-- A handshake failure occurs during session sync
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable connection mirroring
Fix:
The system now protects for dropped SSL handshakes during connection mirror session sync.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
1007901-1 : Support for FIPS 140-3 Module identifier service.
Links to More Info: BT1007901
Component: TMOS
Symptoms:
The module provides a service to output module name/identifier and version that can be mapped to the validation records.
The 'tmsh show sys version' command shows a version, but it does not show a module name, where the "module name" is the name on the FIPS certificate.
Conditions:
Running 'tmsh show sys version' while the system is running in FIPS mode
Impact:
The module does not provide a service to output module name/identifier and version that can be mapped to the validation records.
Workaround:
N/A
Fix:
Added the FIPS module information to output of command "show sys version". FIPS module information is now appended after "Project" field info of the "show sys version"
The syntax of the new field is "FIPS Module <FIPS_module_name>"
In the GUI, FIPS module info shall be appended to existing "Version" information shown under system(tab)→Device→Version
The syntax will be "Version: <Existing Info> <FIPS_module_name>
Fixed Versions:
17.0.0, 16.1.2.2
1007821-3 : SIP message routing may cause tmm crash
Links to More Info: BT1007821
Component: Service Provider
Symptoms:
In very rare circumstances, tmm may core while performing SIP message routing.
Conditions:
This can occur while passing traffic when SIP message routing is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
SIP message routing no longer results in a core due to internal memory errors in message parsing.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4
1007749-2 : URI TCL parse functions fail when there are interior segments with periods and semi-colons
Links to More Info: BT1007749
Component: Local Traffic Manager
Symptoms:
URI::path, URI::basename, etc., return the wrong strings, e.g., URI::path can return a subset of what it should return.
Conditions:
This happens for URIs like these:
/alpha/beta/Sample.text;param/trailer/
/alpha/beta/Sample.text;param/file.txt
Impact:
iRules fail to work as expected for these types of URIs.
This occurs because the combination of the period and semi-colon in 'Some.thing;param' confuses the BIG-IP system parser, causing incorrect results to be returned.
Workaround:
If this is happening for known URIs, then it should be possible to process those URIs in a special way within iRules to do things like temporarily replacing interior periods with another character, like a plus sign.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5
1007677-2 : Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector'
Links to More Info: BT1007677
Component: Access Policy Manager
Symptoms:
SAML fails on APM SAML IdP after receiving the SAML ArtifactResolve Request, and needs to extract Artifact data from sessionDB to build the assertion. An error is logged:
-- err tmm[24421]: 014d1211:3: ::ee23458f:SAML SSO: Cannot find SP connector (/Common/example_idp)
-- err tmm[24421]: 014d0002:3: SSOv2 plugin error(12) in sso/saml.c:11864
Conditions:
The 'session-key' in the sessiondb includes a colon ':' in its value.
Impact:
SAML may fail on APM SAML IdP using artifact binding.
Fix:
The system now handles this occurrence of 'session-key'.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.4.1
1007113-3 : Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds
Links to More Info: BT1007113
Component: Service Provider
Symptoms:
In case of diameter over SCTP, while aborting the connection of the pool member, if SCTP INIT is sent by the BIG-IP system before the SCTP ABORT is processed, the pool member is marked UP (provided the SCTP connection is established successfully), and then goes down later, immediately after ABORT is fully processed.
Conditions:
The time difference between SCTP ABORT and SCTP INIT is very small, i.e., 2 seconds or less
Impact:
Pool member is marked DOWN even though it is active
Workaround:
If the watchdog is configured in the diameter session profile (i.e., watchdog-timeout is greater than 0), the pool member is marked UP after DWA is received from the pool member.
Fix:
The system now marks the pool member as UP if DWA is received from the pool member.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1006893-4 : Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core
Links to More Info: BT1006893
Component: Access Policy Manager
Symptoms:
When ACCESS::oauth is used after ACCESS::session create/delete in an iRule event, TMM may core.
Conditions:
ACCESS::oauth is used after ACCESS::session create/delete in an iRule event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround
Fix:
TMM does not core and functionality works as expected.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1006781-2 : Server SYN is sent on VLAN 0 when destination MAC is multicast
Links to More Info: BT1006781
Component: Local Traffic Manager
Symptoms:
TCP connections cannot be established when a multicast destination MAC is used. Traffic outage occurs.
Conditions:
Virtual wire with multicast destination MAC used while establishing TCP connections.
Impact:
Traffic outage.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.4.1
1006509-1 : TMM memory leak★
Links to More Info: BT1006509
Component: Access Policy Manager
Symptoms:
After upgrading to 15.1.0.4, tmm memory grows and tmm may restart or the BIG-IP system may reboot.
Conditions:
-- APM provisioned
-- Other conditions are unknown but it linked to single sign-on functionality
Impact:
Tmm memory grows and tmm may restart. Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm memory leak.
Fixed Versions:
16.1.5, 15.1.7
1006157-3 : FQDN nodes not repopulated immediately after 'load sys config'
Links to More Info: BT1006157
Component: Local Traffic Manager
Symptoms:
A DNS query is not sent for configured FQDN nodes until the TTL value expires.
Conditions:
This occurs when 'load sys config' is executed.
Impact:
Name addresses do not resolve to IP addresses until the TTL expires.
Workaround:
You can use either of the following workarounds:
-- Change the default TTL value to be fewer than 300 seconds (the default value is 3600 seconds).
-- Restart dynconfd daemon:
tmsh restart sys service dynconfd
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1005109-4 : TMM crashes when changing traffic-group on IPv6 link-local address
Links to More Info: BT1005109
Component: Local Traffic Manager
Symptoms:
TMM crashes when changing the traffic-group on an IPv6 link-local address.
Conditions:
Changing the traffic-group on an IPv6 link-local address.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
1005105-3 : Requests are missing on traffic event logging
Links to More Info: BT1005105
Component: Application Security Manager
Symptoms:
Some traffic requests are missing in Security :: Event Logs.
Conditions:
-- Local logging enabled
-- Two or more virtual servers passing heavy traffic
Impact:
High CPU load prevents the Policy Builder from analyzing and sending all traffic requests to the request log.
Workaround:
None
Fix:
The Policy Builder now attempts to send traffic requests to the request log, even when learning analysis is limited due to high CPU load.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.5
1004929-1 : During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid.
Links to More Info: BT1004929
Component: TMOS
Symptoms:
While receiving a config sync operation, mcpd on a secondary blade may restart, logging:
err mcpd[6383]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020012:3: A unsigned four-byte integer message item is invalid.... failed validation with error 16908306
Conditions:
-- A VIPRION system (or cluster-based vCMP guest) with more than one blade processes a full configuration load, i.e. as a result of running "tmsh load sys config" or receiving a full-load config sync from peer BIG-IP.
-- The system generates a large number of warning messages during a configuration load, whose total length is larger than 65,535 bytes.
These warnings can be seen in the output of "tmsh load sys config" or "tmsh load sys config verify", or are logged under message ID 01071859
An example of such a warning is:
SSLv2 is no longer supported and has been removed. The 'sslv2' keyword in the cipher string of the ssl profile (/Common/ssl-profile-1) has been ignored.
Impact:
MCPD on secondary blades restart. Those blades are inoperative while services restart.
Workaround:
Address the warnings reported by the system.
Fixed Versions:
17.0.0, 16.1.5, 15.1.5, 14.1.4.5, 13.1.5
1004897-5 : 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason
Links to More Info: BT1004897
Component: Local Traffic Manager
Symptoms:
In HTTP2 setup, when the header count from the client request exceeds max-header-count value in the HTTP profile , COMPRESSION_ERROR(0x09) is seen in GoAway frame instead of FRAME_SIZE_ERROR(0x06)
Conditions:
- Virtual server with HTTP2 enabled
- A http2 request has a header count that exceeds 'Maximum Header Count' in the HTTP profile (default value is 64)
Impact:
Wrong GoAway Reason is logged
Fix:
When header count in client request exceeds max-header-count value in HTTP profile
1) FRAME_SIZE_ERROR(0x06) error code sent with GoAway frame
2) In http2 profile stats (tmsh show ltm profile http2 all) 'Max Headers Exceeded' is logged as GoAway reason
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.4
1004833 : NIST SP800-90B compliance
Links to More Info: BT1004833
Component: TMOS
Symptoms:
Common Criteria and FIPS 140-2 certifications require compliance with NIST SP800-90B; this completes that compliance.
Conditions:
This applies to systems requiring Common Criteria and/or FIPS 140-2 compliance.
Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 14.1.4.2 or BIG-IP 15.1.2.1) will not be running a Common Criteria and/or FIPS 140-2 certified configuration.
Workaround:
None
Fix:
Apply this fix to ensure that the system is compliant with NIST SP800-90B.
Fixed Versions:
17.0.0, 16.1.3, 15.1.4, 14.1.4.2
1004793-1 : If there is an additional CSRT token, it triggers a No Max Parameter Protocol Compliance violation .
Links to More Info: BT1004793
Component: Application Security Manager
Symptoms:
No Max Parameter Protocol Compliance violation is triggered when the CSRF is enabled.
Conditions:
CSRF and Max Parameter Protocol Compliance violations are enabled.
Impact:
False-negative
Workaround:
None
Fix:
BIG-IP now checks to see if CSRF is enabled, and performs the necessary update on the internal data structure so that the enforcer can detect a Max Parameter Protocol Compliance violation.
Fixed Versions:
17.0.0, 16.1.5
1004697-3 : Saving UCS files can fail if /var runs out of space
Links to More Info: BT1004697
Component: iApp Technology
Symptoms:
When saving a UCS, /var can fill up leading to UCS failure and the following log message:
err diskmonitor[1441]: 011d0004:3: Disk partition /var has only 0% free
Conditions:
-- iApps LX installed.
-- Multiple iApps LX applications.
-- A /var partition of 1.5 GB.
Impact:
UCS archives can not be created.
Workaround:
You can use either of the following Workarounds:
-- Manually remove the /var/config/rest/node/tmp/BUILD and /var/config/rest/node/tmp/BUILDROOT directories.
-- Increase the size of /var/. For information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952
Fixed Versions:
16.1.4, 15.1.10
1004689-4 : TMM might crash when pool routes with recursive nexthops and reselect option are used.
Links to More Info: BT1004689
Component: Local Traffic Manager
Symptoms:
When re-selecting to the non-directly-connected pool route member for which the route was withdrawn, TMM might experience a crash.
Conditions:
- Pool routes with non-directly-connected or recursive nexthops (pool members).
- Reselect option enabled.
- Pool members go down/up so that the re-select is triggered.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Do not use non-directly-connected/recursive nexthops (pool members) in pool routes.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1004665 : Secure iAppsLX Restricted Storage issues.
Links to More Info: BT1004665
Component: iApp Technology
Symptoms:
iAppLX restricted storage needs hardening.
Conditions:
iAppLX applications (such as SSL Orchestrator) that contain configuration objects that use restricted parameters like password or passphrase.
Impact:
Stronger encryption needed for sensitive data.
Workaround:
None
Fix:
The iAppLX master key is now stored in mcpd's secure vault as a new secure config object name "iapp_restricted_key".
Fixed Versions:
17.0.0, 16.1.3
1004537-2 : Traffic Learning: Accept actions for multiple suggestions not localized
Links to More Info: BT1004537
Component: Application Security Manager
Symptoms:
When you open the accept suggestions actions list, the actions are not localized. Labels are shown instead of text, for example asm.button.Accept instead of Accept.
Conditions:
This occurs after selecting several suggestions and opening the Accept suggestions actions list.
Impact:
Actions not localized.
Workaround:
None
Fix:
Fixed localization for Accept suggestions actions list.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4
1004069-4 : Brute force attack is detected too soon
Links to More Info: BT1004069
Component: Application Security Manager
Symptoms:
A Brute force attack is detected too soon.
Conditions:
The login page has the expected header validation criteria.
Impact:
The attack is detected earlier than the setpoint.
Workaround:
N/A
Fixed Versions:
17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5
1003765-2 : Authorization header signature triggered even when explicitly disabled
Links to More Info: BT1003765
Component: Application Security Manager
Symptoms:
Requests with base64 encoded Authorization header with disabled signatures might result in a blocking page even though the specific signature is disabled.
Conditions:
Base64 encoded Authorization header is included in the request.
Impact:
A signature violation is detected, even though the signature is disabled.
Workaround:
None
Fix:
No violation for disabled signatures.
Fixed Versions:
17.1.0, 16.1.4, 15.1.4.1
1003633-1 : There might be wrong memory handling when message routing feature is used
Links to More Info: BT1003633
Component: Service Provider
Symptoms:
The following log is observed from /var/log/ltm
Oops @ 0x28c3060:232: buf->ref == 0
Conditions:
Message routing is used either by
- Generic message (ltm message-routing generic) or
- HTTP2 with Message router option enabled
Impact:
For most cases, this kind of incorrect memory handling may only generate warning log message. In rare case, it might lead to a tmm crash.
Workaround:
N/A
Fix:
Wrong memory handling in message routing is fixed.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1003377-3 : Disabling DoS TCP SYN-ACK does not clear suspicious event count option
Links to More Info: BT1003377
Component: Advanced Firewall Manager
Symptoms:
When the 'Only Count Suspicious Events' option is turned on for the TCP SYN ACK Flood vector and the vector gets disabled, TMM continues operating as if 'Only Count Suspicious Events' is still configured.
Conditions:
Disabling TCP SYN ACK Flood vector with 'Only Count Suspicious Events' enabled.
Impact:
BIG-IP system might continue altering TCP initial sequence numbers for SYN-ACK cookie validations.
Workaround:
Disable the 'Only Count Suspicious Events' option first, and then disable TCP SYN ACK Flood vector.
Fixed Versions:
16.1.4, 15.1.9
1003257-6 : ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected
Links to More Info: BT1003257
Component: TMOS
Symptoms:
ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' commands are not working properly. The address is always set to interface-configured global/local addresses respectively.
Conditions:
Using BGPv4 with IPv6 capability extension and a route-map with 'set ipv6 next-hop' and/or 'set ipv6 next-hop local' configuration.
Impact:
Wrong next-hop is advertised.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1003081-3 : GRE/TB-encapsulated fragments are not forwarded.
Links to More Info: BT1003081
Component: TMOS
Symptoms:
IP fragments that arrive over a GRE/TB tunnel are not reassembled, and are not forwarded through the BIG-IP system.
Conditions:
This occurs if all of the following conditions are true:
-- BIG-IP system with more than one TMM instance running.
-- Running a version or Engineering Hotfix that contains a fix for ID997541 (https://cdn.f5.com/product/bugtracker/ID997541.html).
-- GRE Round Robin DAG (the DB variable dag.roundrobin.gre) is enabled.
-- IP fragments arrive over GRE tunnel.
Impact:
BIG-IP system fails to process fragmented IP datagrams.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1002945-4 : Some connections are dropped on chained IPv6 to IPv4 virtual servers.
Links to More Info: BT1002945
Component: Local Traffic Manager
Symptoms:
IPv6 virtual servers targeting IPv4 virtual servers (for example, using the 'virtual' iRule command) might drop traffic coming from some clients unexpectedly.
Conditions:
- IPv6 to IPv4 virtual server chaining.
Impact:
Traffic is dropped.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1002809-4 : OSPF vertex-threshold should be at least 100
Links to More Info: BT1002809
Component: TMOS
Symptoms:
OSPF vertex-threshold should be at least 100, but you are able to set it to any number between 0 and 10000000.
Conditions:
-- Using OSPFv2/OSPFv3
-- Configuring the vertex-threshold setting
Impact:
When the setting is less than the default of 100, routes may not be installed properly.
Workaround:
Ensure that vertex-threshold is set to 100 (default) or above.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1002413-2 : Websso puts quotation marks around non-string claim type 'custom' values
Links to More Info: BT1002413
Component: Access Policy Manager
Symptoms:
When you define a claim to use with OAuth bearer SSO, and the claim-type setting is set to custom, the claim value is treated as a string and encapsulated in quotation marks.
Conditions:
-- OAuth bearer SSO is configured.
-- The OAuth claim value being used is of type 'custom'.
Impact:
The claim value is encapsulated in quotation marks and processed as a string and OAuth does not work properly.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.4
1002385-1 : Fixing issue with input normalization
Links to More Info: K67397230, BT1002385
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM does not follow current best practices.
Conditions:
- ASM provisioned
Impact:
Attack detection is not triggered as expected
Workaround:
N/A
Fix:
Attack detection is now triggered as expected
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6
1001069-5 : VE CPU usage higher after upgrade, given same throughput
Links to More Info: BT1001069
Component: TMOS
Symptoms:
Significant increase in CPU usage post-upgrade.
Conditions:
- Upgrading from version 13.x to a later version.
- Configured BIG-IP Virtual Edition (VE) that uses the sock driver.
Impact:
Significant increase in CPU usage, leading to potential degradation or disruption of traffic.
Workaround:
Create the following overrides:
- In '/config/tmm_init.tcl' add or append the following:
ndal mtu 1500 1137:0043
device driver vendor_dev 1137:0043 xnet
- In '/config/xnet_init.tcl' add or append the following:
device driver vendor_dev 1137:0043 dpdk
Note: These overrides must be re-applied every time an upgrade is done.
Fix:
Changed configuration to use DPDK-XNet as the default driver for Cisco eNIC.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1000789-1 : ASM-related iRule keywords may not work as expected
Links to More Info: BT1000789
Component: Application Security Manager
Symptoms:
Some ASM-related iRule keywords may not work as expected when DoSL7 is used.
Conditions:
ASM iRule keywords are used in a bot defense- or DoSL7-related event, and DoSL7 is used.
Impact:
ASM-related iRule keywords may not work as expected.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1000741-1 : Fixing issue with input normalization
Links to More Info: K67397230, BT1000741
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM does not follow current best practices.
Conditions:
- ASM provisioned
Impact:
Attack detection is not triggered as expected
Workaround:
N/A
Fix:
Attack detection is now triggered as expected
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4
1000669-4 : Tmm memory leak 'string cache' leading to SIGFPE
Links to More Info: BT1000669
Component: Access Policy Manager
Symptoms:
SIGFPE core on tmm. The tmm string cache leaks aggressively and memory reaches 100% and triggers a core.
In /var/log/tmm you see an error:
Access encountered error: ERR_OK. File: ../modules/hudfilter/access/access_session.c, Function: access_session_delete_callback, Line: 2123
Conditions:
This can be encountered while APM is configured and passing traffic. Specific conditions are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed mishandled error code path
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1000561-5 : HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side
Links to More Info: BT1000561
Component: Local Traffic Manager
Symptoms:
HTTP/2 virtual servers pass the chunk size bytes from the server-side (HTTP/1.1) to the client-side (HTTP/2) when OneConnect and request-logging profiles are applied.
This results in a malformed HTTP response.
Conditions:
-- BIG-IP configured with a HTTP/2 virtual server using OneConnect and request-logging profiles.
-- The pool member sends a chunked response.
Impact:
The HTTP response passed to the client-side includes chunk size header values when it should not, resulting in a malformed HTTP response.
Workaround:
Change HTTP response-chunking to either 'unchunk' or 'rechunk' in the HTTP profile for the virtual server.
Fix:
The HTTP response egressing the client-side no longer includes chunk size bytes.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1000405-1 : VLAN/Tunnels not listed when creating a new rule via GUI
Links to More Info: BT1000405
Component: Advanced Firewall Manager
Symptoms:
Available tunnels are not displayed on the AFM rules-creation page in the GUI.
Conditions:
-- Navigate to the firewall network rules creation page in the GUI.
-- In the rules source section, under the VLAN/Tunnel dropdown, select the 'specify' option.
Impact:
Available tunnels do not display in the select box. Cannot specify tunnels for firewall rules from the GUI.
Workaround:
Use tmsh to specify tunnels for firewall rules.
Fix:
The available tunnels now display in the VLAN/Tunnels dropdown.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4
1000069-3 : Virtual server does not create the listener
Links to More Info: BT1000069
Component: Local Traffic Manager
Symptoms:
A virtual-address is in an offline state.
Conditions:
An address-list is used on a virtual server in a non-default route domain.
Impact:
The virtual IP address remains in an offline state.
Workaround:
Using tmsh, create the traffic-matching-criteria. Specify the route domain, and attach it to the virtual server.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
Known Issues in BIG-IP v16.1.x
TMOS Issues
ID Number | Severity | Links to More Info | Description |
934133-3 | 1-Blocking | BT934133 | Unable to Create/delete ltm virtual server via CLI transaction when destination is not specified on the ltm virtual object |
913713-3 | 1-Blocking | BT913713 | Rebooting a blade causes MCPd to core as it rejoins the cluster |
1322009-2 | 1-Blocking | BT1322009 | UCS restore fails with ifile not found error |
1226585-2 | 1-Blocking | BT1226585 | Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode |
1190777-2 | 1-Blocking | Unable to add a device to a device trust when the BigDB variable icontrol.basic_auth is set to disable on target device | |
1049085-3 | 1-Blocking | BT1049085 | Booting into a newly installed hotfix volume may stall on RAID-capable platforms★ |
990853-1 | 2-Critical | BT990853 | Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway. |
988645-4 | 2-Critical | BT988645 | Traffic may be affected after tmm is aborted and restarted |
979045-1 | 2-Critical | BT979045 | The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms |
967769-1 | 2-Critical | BT967769 | During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks |
967573-3 | 2-Critical | BT967573 | Qkview generation from Configuration Utility fails |
937481-5 | 2-Critical | BT937481 | Tomcat restarts with error java.lang.OutOfMemoryError |
929133-6 | 2-Critical | BT929133 | TMM continually restarts with errors 'invalid index from net device' and 'device_init failed' |
865653-1 | 2-Critical | BT865653 | Wrong FDB table entries with same MAC and wrong VLAN combination |
858877-5 | 2-Critical | BT858877 | SSL Orchestrator config sync issues between HA-pair devices |
842669-6 | 2-Critical | BT842669 | Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log |
780437-8 | 2-Critical | BT780437 | Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration. |
777389-7 | 2-Critical | BT777389 | In rare occurrences related to PostgreSQL monitor, the mcpd process restarts |
767473-2 | 2-Critical | BT767473 | SMTP Error: Could not authenticate |
758929-7 | 2-Critical | BT758929 | Bcm56xxd MIIM bus access failure |
756830-6 | 2-Critical | BT756830 | BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict' |
721591-2 | 2-Critical | BT721591 | Java crashes with core during with high load on REST API |
712925-3 | 2-Critical | BT712925 | Unable to query a monitor status through iControl REST if the monitor is in a non-default partition |
652877-7 | 2-Critical | BT652877 | Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades |
382363-8 | 2-Critical | K30588577 | min-up-members and using gateway-failsafe-device on the same pool. |
1598465-3 | 2-Critical | Tmm core while modifying traffic selector | |
1580229-3 | 2-Critical | Tmm tunnel failed to respond to ISAKMP | |
1571817-2 | 2-Critical | BT1571817 | FQDN pool member status down event is not synced to the peer device |
1409537-3 | 2-Critical | BT1409537 | The chmand fails to fully start on multi-slot F5OS tenants when the cluster members have addresses or alternate addresses |
1330213-3 | 2-Critical | BT1330213 | SIGABRT is sent when single quotes are not closed/balanced in TMSH commands |
1327649 | 2-Critical | BT1327649 | Invalid certificate order within cert-chain associated to JWK configuration |
1321029-2 | 2-Critical | BIG-IP tenant or VE fails to load the config files because the hypervisor supplied hostname is not a FQDN | |
1093717-1 | 2-Critical | BT1093717 | BGP4 SNMP traps are not working. |
1077789-4 | 2-Critical | BT1077789 | System might become unresponsive after upgrading.★ |
1067857-7 | 2-Critical | BT1067857 | HSB completion time out causes unexpected reboot |
1039609-1 | 2-Critical | BT1039609 | Unable to poll Dynamic routing protocols SNMP OID's on non-default route domain |
1027961-2 | 2-Critical | BT1027961 | Changes to an admin user's account properties may result in MCPD crash and failover |
1024269-1 | 2-Critical | BT1024269 | Forcing a file system check on the next system reboot does not check all filesystems. |
1014361-2 | 2-Critical | BT1014361 | Config sync fails after provisioning APM or changing BIG-IP license |
1012493-5 | 2-Critical | BT1012493 | Systemauth.primaryadminuser set to anything but 'admin' causes internal error for mcp-state check |
1004517-1 | 2-Critical | BT1004517 | BIG-IP tenants on VELOS cannot install EHFs |
998649-1 | 3-Major | BT998649 | Hostnames that contain a period are logged incorrectly |
997541-5 | 3-Major | BT997541 | Round-robin GRE Disaggregator for hardware and software |
996145-1 | 3-Major | BT996145 | After UCS restore on HA pair, one of the devices is missing folder /var/config/rest/iapps/f5-iappslx-ssl-orchestrator |
995605-2 | 3-Major | BT995605 | PVA accelerated traffic does not update route domain stats |
994365-1 | 3-Major | BT994365 | Inconsistency in tmsh 'object mode' for some configurations |
994361-2 | 3-Major | BT994361 | Updatecheck script hangs/Multiple updatecheck processes |
992449-1 | 3-Major | BT992449 | The vCMP host does not report the correct number of guest CPUs on the guest page of the GUI |
992253-4 | 3-Major | BT992253 | Cannot specify IPv6 management IP addresses using GUI |
992113-2 | 3-Major | BT992113 | Page allocation failures on VIPRION B2250 blades |
992053-4 | 3-Major | BT992053 | Pva_stats for server side connections do not update for redirected flows |
988745-4 | 3-Major | BT988745 | On reboot, 'could not find platform object' errors may be seen in /var/log/ltm |
987949-2 | 3-Major | BT987949 | Error messages erroneously generated during boot up★ |
987081-1 | 3-Major | BT987081 | Alarm LED remains active on Secondary blades even after LCD alerts are cleared |
981485-6 | 3-Major | BT981485 | Neurond enters a restart loop after FPGA update. |
977953-3 | 3-Major | BT977953 | Show running config interface CLI could not fetch the interface info and crashes the imi |
967557-1 | 3-Major | BT967557 | Improve apm logging when loading sys config fails due to corruption of epsec rpm database |
962477-2 | 3-Major | BT962477 | REST calls that modify GTM objects as a user other than admin may take longer than expected |
959241-1 | 3-Major | BT959241 | Fix for ID871561 might not work as expected on the VCMP host |
959057-5 | 3-Major | BT959057 | Unable to create additional login tokens for the default admin user account |
958601-4 | 3-Major | BT958601 | In the GUI, searching for virtual server addresses does not match address lists |
957993-4 | 3-Major | BT957993 | Unable to set a port list in the GUI for an IPv6 address for a virtual server |
955897-4 | 3-Major | BT955897 | Configuration may fail to load with named virtual-address for 0.0.0.0 in a non-zero route domain★ |
953477-1 | 3-Major | BT953477 | Syncookie HW mode not cleared when modifying VLAN config. |
948601-1 | 3-Major | BT948601 | File object checksum attribute is not updated when an external data-group file or external monitor file is edited from GU |
945413-2 | 3-Major | BT945413 | Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync |
939249-1 | 3-Major | BT939249 | iSeries LCD changes to secure mode after multiple reboots |
938145-3 | 3-Major | BT938145 | DAG redirects packets to non-existent tmm |
935485-4 | 3-Major | BT935485 | BWC: flows might stall when using dynamic BWC policy |
931797-3 | 3-Major | BT931797 | LTM virtual address netmask does not persist after a reboot |
931629-5 | 3-Major | BT931629 | External trunk fdb entries might end up with internal MAC addresses. |
928389-6 | 3-Major | BT928389 | GUI becomes inaccessible after importing certificate under import type 'certificate' |
928353-4 | 3-Major | BT928353 | Error logged installing Engineering Hotfix: Argument isn't numeric★ |
927025-1 | 3-Major | BT927025 | Sod restarts continuously |
924297-4 | 3-Major | BT924297 | Ltm policy MCP objects are not being synced over to the peer device |
922613-6 | 3-Major | BT922613 | Tunnels using autolasthop might drop traffic with ICMP route unreachable |
922153-5 | 3-Major | BT922153 | Tcpdump is failing on tmm 0.x interfaces |
922053-1 | 3-Major | BT922053 | inaccurate number of trunk members reported by bcm56xxd/bcmLINK |
921069-3 | 3-Major | BT921069 | Neurond cores while adding or deleting rules |
915493-6 | 3-Major | BT915493 | imish command hangs when ospfd is enabled |
913013-1 | 3-Major | BT913013 | Racoon daemon may crash once at startup |
908753-5 | 3-Major | BT908753 | Password memory not effective even when password policy is configured |
908453-5 | 3-Major | BT908453 | Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly |
904713-2 | 3-Major | BT904713 | FailoverState device status and CM device status do not match shortly after triggering failover |
904401-5 | 3-Major | BT904401 | Guestagentd core |
894593-2 | 3-Major | BT894593 | High CPU usage caused by the restjavad daemon continually crashing and restarting |
891333-2 | 3-Major | K32545132, BT891333 | The HSB on BIG-IP platforms can get into a bad state resulting in packet corruption. |
888081-6 | 3-Major | BT888081 | BIG-IP VE Migration feature fails for 1NIC |
884729-1 | 3-Major | BT884729 | The vCMP CPU usage stats are incorrect |
883149-7 | 3-Major | BT883149 | The fix for ID 439539 can cause mcpd to core. |
882609-7 | 3-Major | BT882609 | ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back |
880689-1 | 3-Major | Update oprofile tools for compatibility with current architecture | |
879969-8 | 3-Major | BT879969 | FQDN node resolution fails if DNS response latency >5 seconds |
872165-4 | 3-Major | BT872165 | LDAP remote authentication for REST API calls may fail during authorization |
867549-1 | 3-Major | BT867549 | LCD touch panel reports "Firmware update in progress" indefinitely★ |
867253-4 | 3-Major | BT867253 | Systemd not deleting user journals |
851837-1 | 3-Major | BT851837 | Mcpd fails to start for single NIC VE devices configured in a trust domain |
844925-5 | 3-Major | BT844925 | Command 'tmsh save /sys config' fails to save the configuration and hangs |
838597-5 | 3-Major | BT838597 | Unable to load license/dossier when going down for vCMP |
838337-8 | 3-Major | BT838337 | The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST. |
814273-6 | 3-Major | BT814273 | Multicast route entries are not populating to tmm after failover |
809089-4 | 3-Major | BT809089 | TMM crash after sessiondb ref_cnt overflow |
803157-4 | 3-Major | BT803157 | LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots |
798885-6 | 3-Major | BT798885 | SNMP response times may be long when processing requests |
796985-4 | 3-Major | BT796985 | Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative'★ |
780745-5 | 3-Major | BT780745 | TMSH allows creation of duplicate community strings for SNMP v1/v2 access |
778513-3 | 3-Major | BT778513 | APM intermittently drops log messages for per-request policies |
778225-6 | 3-Major | BT778225 | vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host |
775845-6 | 3-Major | BT775845 | Httpd fails to start after restarting the service using the iControl REST API |
775797-5 | 3-Major | BT775797 | Previously deleted user account might get authenticated |
762097-5 | 3-Major | BT762097 | No swap memory available after upgrading to v14.1.0 and above★ |
760400-1 | 3-Major | BT760400 | High number of vcmp guests on clusters and discovery appliances may result in retries for guest deployment |
760354-7 | 3-Major | BT760354 | Continual mcpd process restarts after removing big logs when /var/log is full |
759258-7 | 3-Major | BT759258 | Instances shows incorrect pools if the same members are used in other pools |
757787-5 | 3-Major | BT757787 | Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI. |
755207-3 | 3-Major | BT755207 | Large packets silently dropped on VE mlxvf5 devices |
749757-4 | 3-Major | BT749757 | -s option in qkview help does not indicate maximum size |
739820-9 | 3-Major | BT739820 | Validation does not reject IPv6 address for TACACS auth configuration |
721892-2 | 3-Major | BT721892 | Pfmand on vCMP guests does not recover after service interruption |
718291-4 | 3-Major | BT718291 | iHealth upload error does not clear |
711747-2 | 3-Major | BT711747 | Vcmp_pde_state_memcpy core during http traffic and pfmand resets. |
708991-1 | 3-Major | BT708991 | Newly entered password is not remembered. |
703226-3 | 3-Major | BT703226 | Failure when using transactions to create and publish policies |
698594-4 | 3-Major | K53752362, BT698594 | Cave Creek Crypto hardware reports a false positive of a stuck queue state |
691219-3 | 3-Major | BT691219 | Hardware syncookie mode is used when global auto last hop is disabled. |
690928-6 | 3-Major | BT690928 | System posts error message: 01010054:3: tmrouted connection closed |
658850-6 | 3-Major | BT658850 | Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP |
637827-2 | 3-Major | BT637827 | VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0 |
612083-3 | 3-Major | BT612083 | The System Event Log may list correctable hardware, PCIe or DMI errors. |
554506-3 | 3-Major | K47835034, BT554506 | PMTU discovery from the management interface does not work |
538283-6 | 3-Major | BT538283 | iControl REST asynchronous tasks may block other tasks from running |
528314-2 | 3-Major | K16816, BT528314 | Generating new default certificate and key pairs for BIG-IP ssl profiles via CLI will not be reflected in GUI or in tmsh |
499348-14 | 3-Major | BT499348 | System statistics may fail to update, or report negative deltas due to delayed stats merging. |
493740-4 | 3-Major | BT493740 | tmsh allows cipher group creation with non-existent "require" or "exclude" cipher rule. |
431503-11 | 3-Major | K14838, BT431503 | TMSH crashes in rare initial tunnel configurations |
342319-1 | 3-Major | BIND forwarder server list and the recursion and forward options. | |
1670465-2 | 3-Major | BT1670465 | TMMs might not agree on session ownership when multiple cluster geometry changes occur. |
1644497-2 | 3-Major | BT1644497 | TMM retains old Certificate Revocation List (CRL) data in memory until the existing connections are closed |
1633925-2 | 3-Major | BT1633925 | Neurond is crashing intermittently during the creation/deletion of Neuron rules. |
1632925-2 | 3-Major | BT1632925 | Sod does not update the value for sys DB failover.crcvalues |
1629693-2 | 3-Major | BT1629693 | Continuous rise in DHCP pool current connections statistics |
1629465-2 | 3-Major | BT1629465 | Configuration synchronization fails when there is large number of user partitions (characters in user partition names exceeds sixty five thousand) |
1620725-2 | 3-Major | BT1620725 | IPsec traffic-selector modification can leak memory |
1617229-2 | 3-Major | BT1617229 | The tmsh ipsec ike command causes mcp memory leak |
1615081-2 | 3-Major | BT1615081 | Remove SHA and AES Constraint Checks in SNMPv3 |
1603445-2 | 3-Major | BT1603445 | Wccpd can have high CPU when transitioning from active to standby |
1602209-1 | 3-Major | BT1602209 | The bigipTrafficMgmt.conf file is not copied from UCS to /config/snmp★ |
1602033-2 | 3-Major | BT1602033 | Delays in REST API Calls post upgrade to 17.1.1.x★ |
1600617-2 | 3-Major | BT1600617 | Few virtio driver configurations may result in excessive memory usage |
1593621-3 | 3-Major | TMM core on IPSEC config load/sync stats★ | |
1589753-2 | 3-Major | BT1589753 | [BGP] IPv6 routes not installed/pushed after graceful restart when IPv6 peer-groups are configured. |
1588841-3 | 3-Major | BT1588841 | SA Delete is not send to other end |
1581001-2 | 3-Major | BT1581001 | Memory leak in ipsec code |
1580369-2 | 3-Major | BT1580369 | MCPD thrown exception when syncing from active device to standby device. |
1573577 | 3-Major | BT1573577 | Insufficient input validation for object name fields in BIG-IP Management GUI |
1562833-2 | 3-Major | BT1562833 | Qkview truncates log files without notification |
1549661-2 | 3-Major | BT1549661 | Logs sent to syslog-ng on VIPRION devices utilize truncated hostname instead of FQDN |
1492337-2 | 3-Major | BT1492337 | TMM fails to start up using Xnet-DPDK-virtio due to out of bounds MTU |
1490861-2 | 3-Major | BT1490861 | "Virtual Server (/Common/xxx yyy)" was not found" error while deleting a virtual server in GTM |
1489817-2 | 3-Major | BT1489817 | Fix crash due to number of VLANs |
1475041-2 | 3-Major | BT1475041 | Token is getting deleted in 10 mins instead of 20 minutes. |
1469897-3 | 3-Major | BT1469897 | Memory leak is observed in IMI when it is invoked via icall script |
1469229-2 | 3-Major | BT1469229 | Enabling ssh-rsa and ecdsa keys support to switch between slots |
1469221-1 | 3-Major | BT1469221 | SSH access issues due to line wrapping in known_hosts file |
1462421-2 | 3-Major | BT1462421 | PVA connections are not re-accelerated after a failover. |
1447389-3 | 3-Major | BT1447389 | Dag context may not match the current cluster state |
1408229-2 | 3-Major | BT1408229 | VCMP guest deployment may fail on newly installed blade |
1403869-3 | 3-Major | BT1403869 | CONNFLOW_FLAG_DOUBLE_LB flows might route traffic to a stale next hop |
1401569-2 | 3-Major | BT1401569 | Engineering Hotfix readme file refers to non-applicable "full_box_reboot" command★ |
1400001-3 | 3-Major | BT1400001 | PVA dedicated mode does not accelerate all connections |
1399741-1 | 3-Major | BT1399741 | [REST][APM]command 'restcurl /tm/access/session/kill-sessions' output on APM is empty |
1398809-2 | 3-Major | BT1398809 | TMM can not process traffic on Cisco ENIC |
1395257-3 | 3-Major | BT1395257 | Processes that are using libcrypto during their startup are causing high CPU usage |
1389401-2 | 3-Major | BT1389401 | Peer unit incorrectly shows the pool status as unknown after merging the configuration |
1348061-2 | 3-Major | BT1348061 | [Dual Stack MGMT] - Upgrade of BIG-IP in HA with Dual stacked mgmt IP causes deletion of peers failover IPv4 unicast address★ |
1347861-2 | 3-Major | BT1347861 | Monitor status update logs unclear for FQDN template pool member |
1347825-2 | 3-Major | BT1347825 | Traffic group becomes active on more than one BIG-IP after a long uptime and long HA disconnection time |
1340513-2 | 3-Major | BT1340513 | The "max-depth exceeds 6" message in TMM logs |
1332473-2 | 3-Major | BT1332473 | Configuring SNAT Origin IPv6 address through GUI in non RD0 incorectly expands subnet mask to '/32' causes error during configuration load |
1332401-2 | 3-Major | BT1332401 | Errors after config sync with FIPS keys |
1325561 | 3-Major | BT1325561 | Reboot should be prohibited in the middle of Terraform onboarding and the f5-bigip-runtime-init is not finished |
1324197-3 | 3-Major | BT1324197 | The action value in a profile which is in different partition cannot be changed from accept/reject/drop to Don't Inspect in UI |
1322413-2 | 3-Major | BT1322413 | FQDN node status changes to Unknown/Unchecked on peer device after config sync |
1319385-2 | 3-Major | BT1319385 | Syncookies may always show as enabled if a listener address is changed while syncookies is on |
1318041-2 | 3-Major | BT1318041 | Some OIDs using type as counter instead of expected type as gauge |
1316481-2 | 3-Major | BT1316481 | Large CRL file update fails with memory allocation failure |
1316113-2 | 3-Major | 1nic VE reloads on every reboot | |
1311613-2 | 3-Major | BT1311613 | UCS obtained from F5OS tenant with FPGA causes continuous TMM restarts when loaded to BIG-IP |
1304849-1 | 3-Major | BT1304849 | iSeries LCD displays "Host inaccessible or in diagnostic mode" |
1302101-3 | 3-Major | BT1302101 | Sflow receiver flows are not established at TMM startup on sDAG platforms due to sDAG delay |
1301897-3 | 3-Major | BT1301897 | DAG transition does not complete when TMM starts in FORCED_OFFLINE mode |
1295353-2 | 3-Major | BT1295353 | The vCMP guest is not sending HTTP flow samples to sFlow receiver |
1288009-3 | 3-Major | BT1288009 | Vxlan tunnel end point routed through the tunnel will cause a tmm crash |
1283721-2 | 3-Major | BT1283721 | Vmtoolsd memory leak |
1253449-3 | 3-Major | BT1253449 | After publishing, the draft LTM policy configuration might not be updated (intermittently) into the bigip.conf |
1252093-1 | 3-Major | BT1252093 | BIG-IP OpenSSL now supports Extended Master Secret |
1217473-2 | 3-Major | BT1217473 | All the UDP traffic is sent to a single TMM |
1215613-2 | 3-Major | BT1215613 | ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address |
1211797-3 | 3-Major | BT1211797 | MCPD CPU usage is 100% on updating long address-list through GUI |
1211089-3 | 3-Major | BT1211089 | Traffic to IPv6 all nodes address not received by TMM on VE with ixlv driver |
1209465 | 3-Major | BT1209465 | When vCMP host is rebooted, oldEngineID is not restored on guest |
1194409-2 | 3-Major | BT1194409 | Dropped messages seen in auditforwarder logging |
1185605-3 | 3-Major | BT1185605 | The iCall EventTriggeredHandler in non-common partition break after scriptd daemon restart |
1182993 | 3-Major | BT1182993 | MCPD returns dossier error 01 after reboot |
1182729-2 | 3-Major | BT1182729 | Java connection establishes from BIG-IP to BIG-IQ Management |
1169141-3 | 3-Major | BT1169141 | Bash tab-completion Issue |
1155861-2 | 3-Major | BT1155861 | 'Unlicensed objects' error message appears despite there being no unlicensed configuration |
1153853-4 | 3-Major | BT1153853 | Revision of default value for provision.restjavad.extramb to avoid OOM errors in restjavad |
1145749-4 | 3-Major | BT1145749 | Locally defined BIG-IP users can be lost during a failed config-sync |
1143809-1 | 3-Major | BT1143809 | Unable to modify SNMP monitors from webUI |
1137269-4 | 3-Major | BT1137269 | MCPD fails to reply if a request is proxied to another daemon and the connection to that daemon closes |
1136781-2 | 3-Major | BT1136781 | Incorrect parsing of 'bfd notification' CLI in IMI Shell (imish) |
1135393-1 | 3-Major | BT1135393 | The pfmand support is not available on i15820-DF (D120) |
1132957-1 | 3-Major | BT1132957 | Modifying IPsec tunnels tunnel object may result in TMM core |
1132949-4 | 3-Major | BT1132949 | GUI reported error when changing password after mgmt port was changed |
1127881-2 | 3-Major | BT1127881 | Deprecate sysClientsslStatFullyHwAcceleratedConns, sysClientsslStatPartiallyHwAcceleratedConns and sysClientsslStatNonHwAcceleratedConns |
1126181-2 | 3-Major | BT1126181 | ZebOS "no log syslog" configuration is not surviving reboot |
1124733-1 | 3-Major | BT1124733 | Unnecessary internal traffic is observed on the internal tmm_bp vlan |
1122021-3 | 3-Major | BT1122021 | Killall command might create corrupted core files |
1120345-6 | 3-Major | BT1120345 | Running tmsh load sys config verify can trigger high availability (HA) failover |
1114137-4 | 3-Major | BT1114137 | LibUV library for latest bind 9.16 |
1112649 | 3-Major | FIPS 140-2/FIPS 140-3 compliant mode is incorrect after upgrade to 16.1.2.2★ | |
1103953-1 | 3-Major | BT1103953 | SSMTP errors in logs every 20 minutes |
1093553-4 | 3-Major | BT1093553 | OSPF "default-information originate" injects a new link-state advertisement |
1093313-2 | 3-Major | BT1093313 | CLIENTSSL_CLIENTCERT iRule event is not triggered for TLS1.3 when the client sends an empty certificate response |
1090313-3 | 3-Major | BT1090313 | Virtual server may remain in hardware SYN cookie mode longer than expected |
1082133-3 | 3-Major | iSeries LCD displays "Host inaccessible or in diagnostic mode" | |
1080925-3 | 3-Major | BT1080925 | Changed 'ssh-session-limit' value is not reflected after restarting mcpd |
1076801-4 | 3-Major | Loaded system increases CPU usage when using CS features | |
1074841-1 | 3-Major | BT1074841 | Invalid syslog configuration kills syslog-ng after restarting syslog-ng. |
1074053-1 | 3-Major | BT1074053 | Delay in displaying the "Now Halting..." message while performing halt from LCD. |
1073429-1 | 3-Major | BT1073429 | Auth partition definition is incorrectly synchronized to peer and then altered. |
1072081-1 | 3-Major | BT1072081 | Imish segmentation fault when running 'ip pim sparse-mode ?' on interface config. |
1070393-1 | 3-Major | BT1070393 | The f5_api_com.crt certificate file may be removed by the load sys config command |
1064257-2 | 3-Major | BT1064257 | Bundled SSL certificates may not get revalidated successfully over OCSP after stapling parameters have been modified. |
1063597-1 | 3-Major | BT1063597 | Memory leak in rewrite in some cases when no pool is selected on virtual server |
1062901-1 | 3-Major | BT1062901 | The 'trap-source' and 'network' SNMP properties are ineffective, and SNMP traps may be sent from an unintended interface. |
1062857-3 | 3-Major | BT1062857 | Non-tmm source logs stop populating after a system time change. |
1061905-3 | 3-Major | BT1061905 | Adding peer unit into device trust changes the failover address family. |
1060181-3 | 3-Major | BT1060181 | SSL handshakes fail when using CRL certificate validator. |
1059293-1 | 3-Major | BT1059293 | During DPD config changes, the IKEv2 tunnel may not start. |
1058789-2 | 3-Major | BT1058789 | Virtual addresses are not created from an address list that includes an IP address range. |
1058765-2 | 3-Major | BT1058765 | Virtual Addresses created from an address list with prefix all say Offline (enabled) |
1057709-4 | 3-Major | BT1057709 | Invalid Certificate for all BIG-IP VE OVA images on vCenter 7.0U2. |
1057501-4 | 3-Major | BT1057501 | Expired DST Root CA X3 resulting in http agent request failing. |
1057305-1 | 3-Major | BT1057305 | On deployments that use DPDK, "-c" may be logged as the TMM process/thread name. |
1050457-1 | 3-Major | BT1050457 | The "Permitted Versions" field of "tmsh show sys license" only shows on first boot |
1046261-1 | 3-Major | BT1046261 | Asynchronous REST task IDs do not persist across process restarts |
1045277-4 | 3-Major | BT1045277 | The /var partition may become 100% full requiring manual intervention to clear space |
1044281-1 | 3-Major | BT1044281 | In some cases, cpcfg does not trigger selinux relabel, leaving files unlabeled |
1044021-2 | 3-Major | BT1044021 | Searching for IPv4 strings in statistics module does not work. |
1043141-1 | 3-Major | BT1043141 | Misleading error 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP |
1041317-1 | 3-Major | BT1041317 | MCPD delay in processing a query_all message if the update_status bit is set |
1040277-4 | 3-Major | BT1040277 | Syslog-ng issue may cause logging to stop and possible reboot of a system |
1036613-3 | 3-Major | BT1036613 | Client flow might not get offloaded to PVA in embryonic state |
1036557-1 | 3-Major | BT1036557 | Monitor information not seen in GUI |
1036541-4 | 3-Major | BT1036541 | Inherited-traffic-group setting of floating IP does not sync on incremental sync |
1036461-4 | 3-Major | K81113851, BT1036461 | icrd_child may core with high numbers of open file descriptors. |
1036097-4 | 3-Major | BT1036097 | VLAN failsafe does not trigger on guest |
1033689-1 | 3-Major | BT1033689 | BGP route map community value cannot be set to the required range when using AA::NN notation |
1033333-4 | 3-Major | FIPS: importing a stub SSL key file results in 2 keys that share the same FIPS device | |
1032257-1 | 3-Major | BT1032257 | Forwarded PVA offload requests fail on platforms with multiple PDE/TMM |
1032001-2 | 3-Major | BT1032001 | Statemirror address can be configured on management network or clusterd restarting |
1031117-1 | 3-Major | BT1031117 | The mcpd error for virtual server profiles incompatible needs to have more details |
1031025-3 | 3-Major | BT1031025 | Nitrox 3 FIPS: Upgrade from v12.1.x to v14.1.x results in new .key.exp files for the FIPS keys created before upgrade.★ |
1027481-3 | 3-Major | BT1027481 | The log messages 'error: /bin/haloptns unexpected error -- 768' generated on A110 and D112 platforms |
1027477-3 | 3-Major | BT1027477 | Virtual server created with address-list in custom partition non-RD0 does not create listener |
1027237-1 | 3-Major | BT1027237 | Cannot edit virtual server in GUI after loading config with traffic-matching-criteria |
1026989-1 | 3-Major | BT1026989 | More specific dynamic or static routes created for application traffic processing can erroneously replace the route to the management subnet. |
1026973-1 | 3-Major | BT1026973 | Static routes created for application traffic processing can erroneously replace the route to the management subnet. |
1026861-3 | 3-Major | BT1026861 | Live Update of Browser Challenges and Anti-Fraud are not cleaned up |
1026581-4 | 3-Major | BT1026581 | NETFLOW/IPFIX observationTimeMilliseconds Information Element value is not populated correctly. |
1026273-4 | 3-Major | BT1026273 | HA failover connectivity using the cluster management address does not work on VIPRION platforms★ |
1025513-1 | 3-Major | BT1025513 | PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog |
1024421-2 | 3-Major | BT1024421 | At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log |
1022997-1 | 3-Major | BT1022997 | TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC) |
1021925-4 | 3-Major | BT1021925 | During bootup AWS BIG-IP endpoint was not licensed when custom gateway configured over management interface |
1021873-1 | 3-Major | BT1021873 | TMM crash in IPIP tunnel creation with a pool route |
1021109-4 | 3-Major | BT1021109 | The cmp-hash VLAN setting does not apply to trunked interfaces. |
1020277-1 | 3-Major | BT1020277 | Mcpd may run out of memory when build image is missing★ |
1020089-1 | 3-Major | BT1020089 | MCP validation should prevent defining multiple virtual servers with the same virtual address but with different subnet masks |
1020005-1 | 3-Major | BT1020005 | OOM errors after upgrade and VE instance unresponsive★ |
1019793-2 | 3-Major | BT1019793 | Image2disk does not work on F5OS BIG-IP tenant.★ |
1019749-2 | 3-Major | BT1019749 | Enabling DHCP for management should not be allowed on vCMP guest |
1019709-1 | 3-Major | BT1019709 | Modifying mgmt-dhcp options should not be allowed on VCMP guest |
1019285-1 | 3-Major | BT1019285 | Systemd hangs and is unresponsive |
1019129-4 | 3-Major | BT1019129 | Changing syslog remote port requires syslog-ng restart to take effect |
1018673-1 | 3-Major | BT1018673 | Virtual Edition systems replicate host traffic to all TMMs when a multicast MAC address is the traffic's nexthop |
1018165-1 | 3-Major | BT1018165 | GUI display of DHCPv6 profile not correct for virtual server in non-default route-domain |
1017897-1 | 3-Major | BT1017897 | Self IP address creation fails with 'ioctl failed: No such device' |
1017857-1 | 3-Major | BT1017857 | Restore of UCS leads to incorrect UID on authorized_keys★ |
1015453-1 | 3-Major | BT1015453 | In few circumstances, the Local Traffic menu in System > Configuration is inaccessible in the GUI |
1015093-1 | 3-Major | BT1015093 | The "iq" column is missing from the ndal_tx_stats table |
1014285-5 | 3-Major | BT1014285 | Set auto-failback-enabled moved to false after upgrade★ |
1012601-4 | 3-Major | BT1012601 | Alarm LED and LCD alert cleared prematurely on startup for missing PSU input |
1012449-1 | 3-Major | BT1012449 | Unable to edit custom inband monitor in the GUI |
1012049-1 | 3-Major | BT1012049 | Incorrect virtual server list returned in response to status request |
1011265-3 | 3-Major | BT1011265 | Failover script cannot read /config/partitions/ after upgrade★ |
1010341-4 | 3-Major | BT1010341 | Slower REST calls after update for CVE-2021-22986 |
1009337-2 | 3-Major | BT1009337 | LACP trunk down due to bcm56xxd send failure |
1007909-1 | 3-Major | BT1007909 | Tcpdump with :p (peer flow) flag does not capture forwarded between TMMs |
1006345-4 | 3-Major | BT1006345 | Static mac entry on trunk is not programmed on CPU-only blades |
1004469-1 | 3-Major | BT1004469 | SNMP OID ltmSipsessionProfileStatVsName and ltmSiprouterProfileStatVsName returns empty string |
1003629 | 3-Major | BT1003629 | PAYG license becomes invalid when swapping associated NICs for instances in both Azure and AWS. |
1003225-2 | 3-Major | BT1003225 | 'snmpget F5-BIGIP-LOCAL-MIB::ltmWebAccelerationProfileStat* returns zeroes |
1002417-2 | 3-Major | BT1002417 | Switch L2 forwarding entries learnt on multi-blade trunk in one blade needs to be synchronized to other blades of that trunk |
1001129-1 | 3-Major | Maximum Login Failures lockout for root and admin | |
1000325-1 | 3-Major | BT1000325 | UCS load with 'reset-trust' may not work properly if base configuration fails to load★ |
992241-3 | 4-Minor | BT992241 | Unable to change initial admin password from GUI after root password change |
986821-1 | 4-Minor | BT986821 | Command 'run util bash' event is not captured in log when initially executed |
977681-3 | 4-Minor | BT977681 | Incorrect error message when changing password using passwd |
976517-2 | 4-Minor | BT976517 | Tmsh run sys failover standby with a device specified but no traffic group fails |
933597-5 | 4-Minor | BT933597 | Mandatory arguments missing in tmsh security protocol-inspection profile help |
929173-3 | 4-Minor | BT929173 | Watchdog reset due to CPU stall detected by rcu_sched |
928665-4 | 4-Minor | BT928665 | Kernel nf_conntrack table might get full with large configurations. |
927441-5 | 4-Minor | BT927441 | Guest user not able to see virtual server details when ASM policy attached |
915473-4 | 4-Minor | BT915473 | Accessing Dashboard page with AVR provisioned causes continuous audit logs |
915141-5 | 4-Minor | BT915141 | Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown' |
908005-5 | 4-Minor | BT908005 | Limit on log framework configuration size |
895669-3 | 4-Minor | BT895669 | VCMP host does not validate when an unsupported TurboFlex profile is configured |
868801-2 | 4-Minor | BT868801 | BIG-IP still sends STARTTLS if the 'No encryption' SNMP option is enabled |
860573-6 | 4-Minor | BT860573 | LTM iRule validation performance improvement by tracking procedure/event that have been validated |
843293-1 | 4-Minor | BT843293 | When L7 performance FPGA is loaded, "tmsh show sys fpga" shows standard-balanced-fpga. |
808481-6 | 4-Minor | BT808481 | Hertfordshire county missing from GTM Region list |
807309-5 | 4-Minor | BT807309 | Incorrect Active/Standby status in CLI Prompt after failover test |
803773-3 | 4-Minor | BT803773 | BGP Peer-group route-maps are not applied to newly configured address-family ipv6 peers |
753712-4 | 4-Minor | BT753712 | Incorrect warning: Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family. |
745125-2 | 4-Minor | BT745125 | Network Map page Virtual Servers with associated Address/Port List have a blank address. |
714705-8 | 4-Minor | BT714705 | Excessive 'The Service Check Date check was skipped' log messages. |
713183-7 | 4-Minor | BT713183 | Malformed JSON files may be present on vCMP host |
712241-8 | 4-Minor | BT712241 | A vCMP guest may not provide guest health stats to the vCMP host |
696363-7 | 4-Minor | BT696363 | Unable to create SNMP trap in the GUI |
694765-7 | 4-Minor | BT694765 | Changing the system's admin user causes vCMP host guest health info to be unavailable |
690781-4 | 4-Minor | BT690781 | VIPRION systems with B2100 or B2150 blades cannot run certain combinations of vCMP guest sizes |
689147-6 | 4-Minor | BT689147 | Confusing log messages on certain user/role/partition misconfiguration when using remote role groups |
673573-8 | 4-Minor | BT673573 | tmsh logs boost assertion when running child process and reaches idle-timeout |
659579-6 | 4-Minor | BT659579 | Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time |
658943-5 | 4-Minor | BT658943 | Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants |
646768-6 | 4-Minor | K71255118, BT646768 | VCMP Guest CM device name not set to hostname when deployed |
550526-3 | 4-Minor | K84370515, BT550526 | Some time zones prevent configuring trust with a peer device using the GUI. |
539648-4 | 4-Minor | K45138318, BT539648 | Disabled db var Watchdog.State prevents vCMP guest activation. |
447522-1 | 4-Minor | BT447522 | GUI: SNMPV3 Incorrectly requires "OID" when creating an SNMP user. |
1635013-1 | 4-Minor | BT1635013 | The "show sys service" command works only for users with Administrator role |
1629221 | 4-Minor | BT1629221 | BWC menu is not available in UI when licensing DHD |
1623597 | 4-Minor | BT1623597 | Nat46/64 hardware connection re-offload is not optimal. |
1621481-2 | 4-Minor | BT1621481 | Tmrouted in a restart loop when large number of route-domains is configured. |
1612561-2 | 4-Minor | BT1612561 | The "Source Address" field on the Virtual Server configuration page does not accept IPv4-mapped IPv6 addresses |
1600669-2 | 4-Minor | BT1600669 | Inconsistency in iRule parsing for iControl REST and tmsh/WebUI |
1600333-2 | 4-Minor | BT1600333 | When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install |
1590689-3 | 4-Minor | BT1590689 | Loss of kernel routes occurs on 1NIC Virtual Edition when the DHCP lease expires. |
1589293-2 | 4-Minor | BT1589293 | Mcpd "IP::idle_timeout 0" warning generated in /var/log/ltm |
1584089 | 4-Minor | BT1584089 | The trunk name length must not exceed 64 characters. |
1582257 | 4-Minor | BT1582257 | Bcm56xxd crashes when executing qkview if the length of the trunk name exceeds 78 characters. |
1579637-2 | 4-Minor | BT1579637 | Incorrect statistics for LTM. Rewrite profile with rewrite_uri_translation mode |
1576593-2 | 4-Minor | BT1576593 | Unable to tcpdump on interface name with length = 64. |
1560853-2 | 4-Minor | BT1560853 | [GUI] error while updating the rewrite profile uri-rules name have both leading and trailing "/" |
1550933-2 | 4-Minor | BT1550933 | Gtm virtual server query_all related SNMP query could get wrong result |
1497989-2 | 4-Minor | BT1497989 | Community list might get truncated |
1493869-2 | 4-Minor | BT1493869 | 'Duplicate OID index found' warning observed while running snmpwalk for F5-BIGIP-SYSTEM-MIB::sysProcPidStatProcName periodically |
1471681 | 4-Minor | BT1471681 | SELinux module 'nfast' is missing after an upgrade.★ |
1462337-2 | 4-Minor | BT1462337 | Intermittent false PSU status (not present) through SNMP |
1355309-2 | 4-Minor | BT1355309 | VLANs and VLAN groups are not automatically saved to bigip_base.conf on first boot or modification of a tenants VLANs or virtual wire |
1354309-3 | 4-Minor | BT1354309 | IKEv1 over IPv6 does not work on VE |
1352445-2 | 4-Minor | BT1352445 | Executing 'tmsh load sys config verify', changes Last Configuration Load Status value to 'config-load-in-progress' |
1331037-3 | 4-Minor | BT1331037 | The message MCP message handling failed logs in TMM with FQDN nodes/pool members |
1324681-3 | 4-Minor | BT1324681 | Virtual-server might stop responding when traffic-matching-criteria is removed. |
1314769-2 | 4-Minor | BT1314769 | The error "No Access" is displayed when trying to remove Bundle Manager object from list |
1311977-4 | 4-Minor | BT1311977 | IPsec interface mode tunnel not sending icmp unreachable fragmentation needed |
1302353 | 4-Minor | BT1302353 | Duplicate OID index warnings observed in /var/log/ltm |
1301865-3 | 4-Minor | BT1301865 | OSPF summary might have incorrect cost when advertised by Standby unit. |
1301317-2 | 4-Minor | BT1301317 | Update Check request using a proxy will fail if the proxy inserts a custom header |
1283749-2 | 4-Minor | BT1283749 | Systemctl start and restart fail to start the vmtoolsd service |
1282421-3 | 4-Minor | BT1282421 | IS-IS protocol may discard Multi-Topology Reachable IPv6 Prefixes |
1270989-3 | 4-Minor | BT1270989 | REST MemcachedClient uses fixed TMM address 127.1.1.2 to connect to memcached |
1229325-3 | 4-Minor | BT1229325 | Unable to configure IP OSPF retransmit-interval as intended |
1223589-3 | 4-Minor | BT1223589 | Network Map page is unresponsive when a node name has the form "<IPv4>:<port>" |
1217077-2 | 4-Minor | BT1217077 | Race condition processing network failover heartbeats with timeout of 1 second |
1213277 | 4-Minor | BT1213277 | Certificate order manager configuration using DigiCert URL fails in the BIG-IP |
1209589-4 | 4-Minor | BT1209589 | BFD multihop does not work with ECMP routes |
1144817-2 | 4-Minor | BT1144817 | Traffic processing interrupted by PF reset |
1144729-4 | 4-Minor | BT1144729 | PVA stats may be incorrect when PVA offloaded flows have their nexthops changed to a different VLAN |
1142445-4 | 4-Minor | BT1142445 | Multicast handling on wildcard virtual servers leads to TMM memory leak |
1141213-2 | 4-Minor | BT1141213 | Peer is aborting the connection when PEM client runs diameter traffic over SCTP |
1121169-3 | 4-Minor | BT1121169 | Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use |
1114253-4 | 4-Minor | BT1114253 | Weighted static routes do not recover from BFD link failures |
1105757-3 | 4-Minor | BT1105757 | Creating CSR with invalid parameters for basic-constraints, tmsh does not generate meaningful errors |
1101741-2 | 4-Minor | BT1101741 | Virtual server with default pool down and iRule pool up will flap for a second during a full config-sync. |
1096461-5 | 4-Minor | BT1096461 | TACACS system-auth Accounting setting has no effect when set to send-to-all-servers/send-to-first-server |
1095973-3 | 4-Minor | BT1095973 | Config load failure when Trusted CA Bundle is missing and URL is present in the Bundle Manager |
1095205-4 | 4-Minor | BT1095205 | Config.auditing.forward.multiple db Variable with value "none" is not working as expected with multiple destination addresses in audit_forwarder. |
1082193-3 | 4-Minor | BT1082193 | TMSH: Need to update the version info for SERVER_INIT in help page |
1077293-2 | 4-Minor | BT1077293 | APPIQ option still showing in BIG-IP GUI even though its functionality migrated to BIG-IQ. |
1074513-3 | 4-Minor | BT1074513 | Traffic class validation does not detect/prevent attempts to add duplicate traffic classes to virtual |
1073965-1 | 4-Minor | BT1073965 | IPsec IKEv2 tunnel may report huge "life" for IKE SA. |
1067653-2 | 4-Minor | BT1067653 | Ndisc6 is not working with non-default route domain. |
1065821-4 | 4-Minor | BT1065821 | Cannot create an iRule with a newline between event and opening brace. |
1063609 | 4-Minor | BT1063609 | "Failed to start Jitterentropy Gatherer Daemon" encountered during boot |
1060769-1 | 4-Minor | BT1060769 | The /mgmt/tm/sys/performance/all-stats and /mgmt/tm/sys/performance/throughput iControl REST endpoints cannot be successfully parsed by common JSON libraries. |
1060721-2 | 4-Minor | BT1060721 | Unable to disable auto renew in Certificate order manager via GUI. |
1057925-4 | 4-Minor | BT1057925 | GTP iRule generates a warning. |
1055053-4 | 4-Minor | BT1055053 | "tmsh load sys config default" does not clear Zebos config files. |
1054497-1 | 4-Minor | BT1054497 | Tmsh command "show sys fpga" does not report firmware for all blades. |
1053037-7 | 4-Minor | BT1053037 | MCP error on loading a UCS archive with a global flow eviction policy |
1050413-4 | 4-Minor | BT1050413 | Drive model HGST HUS722T1TALA604 must be added to pendsect drives.xml |
1036265-4 | 4-Minor | BT1036265 | Overlapping summary routes might not be advertised after ospf process restart. |
1035017-6 | 4-Minor | Remove unused CA-bundles | |
1034509-6 | 4-Minor | BT1034509 | Sensor read errors on VIPRION C2200 chassis |
1033969-4 | 4-Minor | BT1033969 | MPLS label stripping needs next protocol indicator |
1032921-4 | 4-Minor | BT1032921 | VCMP Guest CPU usage shows abnormal values at the Host |
1029173-4 | 4-Minor | BT1029173 | MCPD fails to reply and does not log a valid message if there are problems replicating a transaction to PostgreSQL |
1025965-1 | 4-Minor | BT1025965 | Audit role users cannot see folder properties under sys-folder |
1024301-1 | 4-Minor | BT1024301 | Missing required logs for "tmsh modify disk directory" command |
1023817-2 | 4-Minor | BT1023817 | Misleading "Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required." warning |
1022297-4 | 4-Minor | BT1022297 | In BIG-IP GUI using "Select All" with filters is not working appropriately for policies |
1020109-1 | 4-Minor | BT1020109 | Subnet mask property of virtual addresses not displayed in management GUI |
1011081-3 | 4-Minor | BT1011081 | Connection lost to the Postgres client during the BIG-IP bootup process |
1010785-3 | 4-Minor | BT1010785 | Online help is missing for CRL in client SSL profile and server SSL profile |
1010761-3 | 4-Minor | BT1010761 | Missing TMSH help description for client-ssl profile 'CRL' |
1006449-1 | 4-Minor | BT1006449 | The default size of the subagent object cache may lead to slow SNMP response time and high mcpd CPU use★ |
1003469-1 | 4-Minor | BT1003469 | The BIG-IP GUI fails to reset the statistics for an IPv6 pool member and returns an error. |
989937-2 | 5-Cosmetic | BT989937 | Device Trust Certificates Expiring after 2038-01-19 show date of 1969 or 1970 |
1377301 | 5-Cosmetic | BT1377301 | Shutdown logs while reboot not shown |
1361021-2 | 5-Cosmetic | BT1361021 | The management interface media on a BIG-IP Tenant on F5OS systems does not match the chassis |
1323081 | 5-Cosmetic | BT1323081 | Wrong Licensed Date is displayed after license activation |
1189949-2 | 5-Cosmetic | BT1189949 | The TMSH sys core is not displaying help and tab complete behavior |
1099621-3 | 5-Cosmetic | BT1099621 | DAG context synchronization debug instrumentation |
1072173-1 | 5-Cosmetic | BT1072173 | The BIG-IP system incorrectly presents legacy ways of defining mirroring properties |
1022421-4 | 5-Cosmetic | BT1022421 | Pendsec utility incorrectly starts on i2x00/i4x00 platform with NON WD disk |
Local Traffic Manager Issues
ID Number | Severity | Links to More Info | Description |
1168309-2 | 1-Blocking | BT1168309 | Virtual Wire traffic over trunk interface sometimes fail in Tenant based platforms |
1136081-5 | 1-Blocking | BT1136081 | HSM sync issue in high availability (HA) setups |
999669-1 | 2-Critical | BT999669 | Some HTTPS monitors are failing after upgrade when config has different SSL option★ |
949137-1 | 2-Critical | BT949137 | Clusterd crash and vCMP guest failover |
939989-3 | 2-Critical | BT939989 | TMM may be killed by sod when shutting down |
938545-1 | 2-Critical | BT938545 | Oversize plugin Tcl object results can result in 0-length messages and plugin crash |
851385-8 | 2-Critical | BT851385 | Failover takes too long when traffic blade failure occurs |
797573-1 | 2-Critical | BT797573 | TMM assert crash with resulting in core generation in multi-blade chassis |
758491-5 | 2-Critical | BT758491 | When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys |
599135-4 | 2-Critical | BT599135 | B2250 blades may suffer from high TMM CPU utilisation with tcpdump |
1598405-2 | 2-Critical | BT1598405 | Intermittent TCP RST with error 'HTTP internal error (bad state transition)' moreover with larger files for Explicit Proxy virtual server when HTTP_REQUEST_SEND iRule event in use. |
1586765-1 | 2-Critical | In r2k/4k platforms vlan tagged to multiple interfaces, packets forwarded to all interfaces irrespective of destination is reachable. | |
1579533-2 | 2-Critical | BT1579533 | Jitterentropy read is restricted to FIPS mode or TMM usage only, for performance reasons |
1519001-2 | 2-Critical | BT1519001 | After a crash, tmm may experience memory corruption |
1481889-2 | 2-Critical | BT1481889 | High CPU utilization or crash when CACHE_REQUEST iRule parks. |
1388753-2 | 2-Critical | BT1388753 | FIPS device unable to provision full accelerator cores for FIPS partitions |
1134257-2 | 2-Critical | BT1134257 | TMM cores when pingaccess profile is modified multiple times and configuration is loaded |
1127725-1 | 2-Critical | BT1127725 | Performance drop with the AES_CCM 128 cipher★ |
1100721-2 | 2-Critical | BT1100721 | IPv6 link-local floating self-IP breaks IPv6 query to BIND |
1100249-2 | 2-Critical | BT1100249 | SNAT with FLOW_INIT firewall rule may core TMM due to wrong type of underlying flow structure |
1091021-2 | 2-Critical | BT1091021 | The BIG-IP system may not take a fail-safe action when the bigd daemon becomes unresponsive. |
1087981-2 | 2-Critical | BT1087981 | Tmm crash on "new serverside" assert |
1073897-2 | 2-Critical | BT1073897 | TMM core due to memory corruption |
1070181-3 | 2-Critical | BT1070181 | Secondary MCPD crashes with Configuration error |
1064649-2 | 2-Critical | BT1064649 | Tmm crash after upgrade.★ |
1060369-1 | 2-Critical | BT1060369 | HTTP MRF Router will not change serverside load balancing method |
1039145-1 | 2-Critical | BT1039145 | Tenant mirroring channel disconnects with peer and never reconnects after failover. |
998253-4 | 3-Major | BT998253 | SNI configuration is not sent via HTTPS when in-tmm monitors are disabled |
994081-1 | 3-Major | BT994081 | Traffic may be dropped with an Immediate idle timeout setting |
991265-3 | 3-Major | BT991265 | Persistence entries point to the wrong servers for longer periods of time |
985749-1 | 3-Major | BT985749 | TCP exponential backoff algorithm does not comply with RFC 6298 |
985401-1 | 3-Major | BT985401 | ProxySSL virtual servers should work with web acceleration (ramcache) profiles attached |
984897-1 | 3-Major | BT984897 | Some connections performing SSL mirroring are not handled correctly by the Standby unit. |
978953-3 | 3-Major | BT978953 | The value of the sys db variable vlan.backplane.mtu intermittently out-of-sync with the value of the MTU of the kernel interface tmm_bp during the initial boot up |
975725-5 | 3-Major | BT975725 | Wildcard virtual servers do not forward L3 unicast traffic sent to L2 broadcast |
975657-1 | 3-Major | BT975657 | With HTTP2 enabled, only partial sorry contents (< 32KB) can be sent to the client via HTTP::respond |
968949-7 | 3-Major | BT968949 | Keepalives aren't sent in FIN_WAIT_2 when using a TCP profile |
967353-1 | 3-Major | BT967353 | HTTP proxy should trim spaces between a header field-name and colon in its downstream responses. |
966785-1 | 3-Major | BT966785 | Rate Shaping stops TCP retransmission |
963393-2 | 3-Major | BT963393 | Key handle 0 is treated as invalid for NetHSM devices |
961653-3 | 3-Major | BT961653 | Unable to retrieve DNS link statistics via SNMP OID gtmLinkStatRate |
961001-5 | 3-Major | BT961001 | Arp requests not resolved for snatpool members when primary blade goes offline |
958785-8 | 3-Major | BT958785 | FTP data transfer does not complete after QUIT signal |
945189-5 | 3-Major | BT945189 | HTTPS monitor fails due to missing ECDHE-RSA-AES256-CBC-SHA★ |
944173-4 | 3-Major | BT944173 | SSL monitor stuck does not change TLS version |
937573-1 | 3-Major | BT937573 | Connections drop in virtual server with Immediate Action On Service Down set to Drop |
932461-5 | 3-Major | BT932461 | Certificate update on the SSL profile server for the HTTPS monitor: BIG-IP does not use the updated certificate. |
928445-5 | 3-Major | BT928445 | HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2 |
927589-1 | 3-Major | BT927589 | ILX::call command response get truncated |
922641-6 | 3-Major | BT922641 | Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flow |
912293-5 | 3-Major | BT912293 | Persistence might not work properly on virtual servers that utilize address lists |
907177-5 | 3-Major | BT907177 | Priority of embedded APM iRules is ignored |
906653-1 | 3-Major | BT906653 | Server side UDP immediate idle-timeout drops datagrams |
905477-6 | 3-Major | BT905477 | The sdmd daemon cores during config sync when multiple devices configured for iRules LX |
901569-4 | 3-Major | BT901569 | Loopback traffic might get dropped when VLAN filter is enabled for a virtual server. |
891565-1 | 3-Major | BT891565 | The Subject Alternative Name (SAN) field in Certificates and Certificate Signing Requests is limited to 4095 bytes |
891145-7 | 3-Major | BT891145 | TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal |
888885-3 | 3-Major | BT888885 | BIG-IP Virtual Edition TMM restarts frequently without core |
887265-4 | 3-Major | BT887265 | BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration★ |
887045-7 | 3-Major | BT887045 | The session key does not get mirrored to standby. |
882725-6 | 3-Major | BT882725 | Mirroring not working properly when default route vlan names not match. |
881937-2 | 3-Major | BT881937 | TMM and the kernel choose different VLANs as source IPs when using IPv6. |
881065-5 | 3-Major | BT881065 | Adding port-list to Virtual Server changes the route domain to 0 |
878253-5 | 3-Major | BT878253 | LB::down no longer sends an immediate monitor probe |
867985-6 | 3-Major | BT867985 | LTM policy with a 'shutdown' action incorrectly allows iRule execution |
862001-6 | 3-Major | BT862001 | Improperly configured NTP server can result in an undisciplined clock stanza |
857769-1 | 3-Major | BT857769 | FastL4+HTTP or FastL4+Hash-Persistence virtual servers do not work correctly in DSR mode. |
846977-7 | 3-Major | BT846977 | TCP:collect validation changed in 12.0.0: the first argument can no longer be zero★ |
842137-6 | 3-Major | BT842137 | Keys cannot be created on module protected partitions when strict FIPS mode is set |
812693-5 | 3-Major | BT812693 | Connection in FIN_WAIT_2 state may fail to be removed |
805561-1 | 3-Major | BT805561 | Change of pool configuration in OneConnect environment can impact active traffic |
783077-2 | 3-Major | BT783077 | IPv6 host defined via static route unreachable after BIG-IP reboot |
779137-7 | 3-Major | BT779137 | Using a source address list for a virtual server does not preserve the destination address prefix |
778501-5 | 3-Major | BT778501 | LB_FAILED does not fire on failure of HTTP/2 server connection establishment |
751451-4 | 3-Major | BT751451 | When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles |
743444-2 | 3-Major | BT743444 | Changing monitor config with SASP monitor causes Virtual to flap |
740274-2 | 3-Major | BT740274 | TMM stall during startup when syslog is not listening to tmm.pipe |
739475-6 | 3-Major | BT739475 | Site-Local IPv6 Unicast Addresses support. |
722657-5 | 3-Major | BT722657 | Mcpd and bigd monitor states are intermittently out-of-sync |
679316-8 | 3-Major | BT679316 | iQuery connections reset during SSL renegotiation |
369640-8 | 3-Major | K17195 | iRules might return incorrect data when multiple partitions and/or folders contain objects with the same name |
1637797-2 | 3-Major | BT1637797 | Memory leak in TMM of TCL memory when a procedure is called with too few arguments |
1637477-2 | 3-Major | BT1637477 | Negotiated Window scaling by HW SYN cookie not accounted by TMM |
1624557-2 | 3-Major | BT1624557 | HTTP/2 with RAM cache enabled could cause BIG-IP to return HTTP 304 with content |
1623921-1 | 3-Major | BT1623921 | IPencap monitor probes from bigd are prone to connection re-use. |
1602641-3 | 3-Major | BT1602641 | Configuring verified-accept and SSL mirroring on the same virtual results in stalled connections. |
1599597-2 | 3-Major | BT1599597 | BD start failure |
1581685-2 | 3-Major | BT1581685 | iRule 'members' command counts FQDN pool members. |
1580313-3 | 3-Major | BT1580313 | The server_connected event related logs in policy attached to a FastL4 virtual server is not logged to the LTM log |
1572545-2 | 3-Major | BT1572545 | Upgrade from version 14.X to version 15.X may encounter problems with L2 forwarding for some of the flows.★ |
1567173-2 | 3-Major | Http2 virtual server removes header with empty value on the server side | |
1561537-2 | 3-Major | SSL sending duplicate certificates | |
1559961-2 | 3-Major | BT1559961 | PVA FastL4 accelerated flows might not honor configured keep-alive-interval. |
1558869-2 | 3-Major | BT1558869 | Tmsh generated config file which fails to load for VLAN specific non-default route-domain IPv6 |
1558857-1 | 3-Major | BT1558857 | Pool command support functionality to be implemented in WS_REQUEST event |
1555525-1 | 3-Major | BT1555525 | WCCP traffic may have its source port changed |
1555461-2 | 3-Major | BT1555461 | TCP filter is not setting packet priority on keep-alive tx packets |
1555437-2 | 3-Major | BT1555437 | QUIC virtual server with drop in CLIENT_ACCEPTED crashes TMM |
1554029-2 | 3-Major | BT1554029 | HTML::disable not taking effect in HTTP_REQUEST event |
1553761-2 | 3-Major | BT1553761 | Incorrect packet statistics counting upon connection reject/closure. |
1553169-2 | 3-Major | BT1553169 | Parsing tcp payload using iRules can be inaccurate because of binary to string conversion |
1550869-2 | 3-Major | Tmm leak on request-logging or response logging on FTP virtual server | |
1549397-2 | 3-Major | BT1549397 | Pool member from statically-configured node deleted along with ephemeral pool member using same IP address |
1538241-2 | 3-Major | BT1538241 | HTTP may not forward POST with large headers and parking HTTP_REQUEST_RELEASE iRule |
1517469-2 | 3-Major | BT1517469 | Database monitor daemon process memory and CPU consumption increases over time |
1505081-2 | 3-Major | BT1505081 | Each device in the HA pair is showing different log messages when a pool member is forced offline |
1498361-3 | 3-Major | BT1498361 | Custom HTTP::respond does not fire as part of custom connect-error-message in HTTP explicit proxy profile. |
1497633-2 | 3-Major | BT1497633 | TMC incorrectly set /32 mask for virtual-address 0.0.0.0/0 when attached to a VS |
1497369-2 | 3-Major | HTTP::respond will not always be executed when rate limit on all pool members is reached. | |
1494397-3 | 3-Major | Virtual wire is not working on r5000 and r10000 platform, traffic is not forwarded on correct egress | |
1494217-2 | 3-Major | BT1494217 | Server response does not pass through after replacing the profile. |
1492769-2 | 3-Major | BT1492769 | SPVA stats-related may cause memory leak |
1455953-2 | 3-Major | BT1455953 | The iRule "string first" command might fail to find the search string |
1440409-3 | 3-Major | BT1440409 | TMM might crash or leak memory with certain logging configurations |
1398925-2 | 3-Major | BT1398925 | Virtual Server status change log message fails to report actual status |
1380009-2 | 3-Major | BT1380009 | TLS 1.3 server-side resumption resulting in TMM crash due to NULL session |
1365701-1 | 3-Major | BT1365701 | Core when flow with looped nexthop is torn down |
1353809-1 | 3-Major | BT1353809 | HTTP/2 erroneously expects the body length to match the Content-Length in response to HEAD request |
1352213-3 | 3-Major | Handshake fails with FFDHE key share extension | |
1344925-2 | 3-Major | BT1344925 | TLS1.3 does not fall back to full handshake when Client Hello is missing the pre_shared_key |
1330249-3 | 3-Major | BT1330249 | Fastl4 can queue up too many packets |
1326721-1 | 3-Major | BT1326721 | Tmm crash in Google Cloud during a live migration |
1325649-2 | 3-Major | BT1325649 | POST request with "Expect: 100-Continue" and HTTP::collect + HTTP::release is not being passed to pool member |
1322937-2 | 3-Major | BT1322937 | Tmm crash in Google Cloud during a live migration: Assertion `empty xfrag' failed. |
1319265-3 | 3-Major | BT1319265 | Tmm crash observed in GCP after a migration |
1316821-2 | 3-Major | HTTP::disable not allowed after HTTP::respond | |
1305609-3 | 3-Major | BT1305609 | Missing cluster hearbeart packets in clusterd process and the blades temporarily leave the cluster |
1284897-2 | 3-Major | BT1284897 | TMM can crash when it exits while still processing traffic |
1273161-3 | 3-Major | BT1273161 | Secondary blades are unavailable, clusterd is reporting shutdown, and waiting for other blades |
1271341 | 3-Major | BT1271341 | Unable to use DTLS without TMM crashing |
1251173-1 | 3-Major | BT1251173 | SNI based redirection using LTM policies is not working in BIG-IP |
1216053-4 | 3-Major | BT1216053 | Regular monitors do not use options from SSL profiles |
1215165-1 | 3-Major | BT1215165 | Support added for Microsoft Azure Managed HSM |
1205045-4 | 3-Major | BT1205045 | WMI monitor does not put pool members into an offline/unchecked state when BIG-IP receives HTTP responses other than 200 |
1188837 | 3-Major | BT1188837 | Server side timewait close state causes long establishment under port reuse on i15820DF |
1185929-2 | 3-Major | BT1185929 | Under rare circumstances, the TCL interpreter can crash TMM after a long time |
1166481-3 | 3-Major | BT1166481 | The vip-targeting-vip fastL4 may core |
1166261-2 | 3-Major | BT1166261 | HTTP/2 should not translate "Host" header to ":authority" pseudo-header in response |
1148181 | 3-Major | BT1148181 | SSL TLS1.3 connection terminates with "empty persist key" error when SSL persistence is enabled and session tickets are disabled |
1148113-2 | 3-Major | BT1148113 | The websocket_ep_send_down_ws_message does an extra websockets_frame release |
1148065-2 | 3-Major | BT1148065 | HTTP::header exists and value iRule commands will not return successful even if the header is present |
1144845-4 | 3-Major | BT1144845 | GARPs from a newly active unit may be bridged for a brief time while the peer chassis transitions to standby |
1143833-2 | 3-Major | BT1143833 | ILX (iRules LX) may corrupt tmstat (profile statistics) memory |
1128033-3 | 3-Major | BT1128033 | Neuron client constantly logs errors when TCAM database is full |
1125381-2 | 3-Major | BT1125381 | Extraneous warnings recorded in when using only intermediate certificates |
1112205-3 | 3-Major | BT1112205 | HTTP/2 may garble responses if the client-side stream aborts while response headers are on the wire |
1110949-2 | 3-Major | BT1110949 | Updating certKeyChain of parent SSL profile using iControl does not change the cert and key outside certKeyChain of the child profile |
1110485-3 | 3-Major | BT1110485 | SSL handshake failures with invalid profile error |
1110165-3 | 3-Major | BT1110165 | Fasthttp connections infrequently fail |
1107605-1 | 3-Major | BT1107605 | TMM crash reported with specific policy settings |
1106673-3 | 3-Major | BT1106673 | Tmm crash with FastL4 virtual servers and CMP disabled |
1105969-1 | 3-Major | BT1105969 | Gratuitous ARP not issued for self-IP on clicking "Update" via the GUI |
1104553-2 | 3-Major | BT1104553 | HTTP_REJECT processing can lead to zombie SPAWN flows piling up |
1099373-2 | 3-Major | BT1099373 | Virtual Servers may reply with a three-way handshake when disabled or when processing iRules |
1093061-2 | 3-Major | BT1093061 | MCPD restart on secondary blade during hot-swap of another blade |
1091785-2 | 3-Major | BT1091785 | DBDaemon restarts unexpectedly and/or fails to restart under heavy load |
1087569-4 | 3-Major | BT1087569 | Changing max header table size according HTTP2 profile value may cause stream/connection to terminate |
1086473-3 | 3-Major | BT1086473 | BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake |
1083589-3 | 3-Major | BT1083589 | Some connections are dropped on chained IPv6 to IPv4 virtual servers. |
1080985-1 | 3-Major | Route Domain ID specified in Address list does not take effect on virtual server IP via TMC. | |
1079237-1 | 3-Major | BT1079237 | After certain configuration tasks are performed, TMM may run with stale SNAT translation parameters. |
1078357-2 | 3-Major | BT1078357 | HTTP_REJECT processing can lead to zombie SPAWN flows |
1075045-1 | 3-Major | BT1075045 | Proxy initialization failed, Defaulting to DENY, after applying additional profile to a virtual server |
1072397-1 | 3-Major | BT1072397 | VLAN failsafe failover does not occur in three-node device group |
1071385-3 | 3-Major | BT1071385 | SSL session resumption is incorrectly logging handshake failure messages |
1070957-1 | 3-Major | BT1070957 | Database monitor log file backups cannot be rotated normally. |
1069001 | 3-Major | BT1069001 | TMM crash in TLS/SSL processing |
1067469-4 | 3-Major | Discrepancy in virtual server stats with LRO enabled. | |
1065353-1 | 3-Major | BT1065353 | Disabling ciphers does not work due to the order of cipher suite. |
1065013-4 | 3-Major | BT1065013 | Tmm crash with iRuleLX plugin in use |
1063865-7 | 3-Major | BT1063865 | Blade remains in an INOPERATIVE state after being moved to new chassis. |
1060541-1 | 3-Major | BT1060541 | Increase in bigd CPU utilization from 13.x when SSL/TLS session resumption is not utilized by HTTPS pool members due to Open SSL upgrade |
1057561 | 3-Major | BT1057561 | Occasional Nitrox5 zip engine hang. |
1057121-3 | 3-Major | BT1057121 | MQTT Over Websockets in Websocket Termination mode is not working |
1056941-2 | 3-Major | BT1056941 | HTTPS monitor continues using cached TLS version after receiving fatal alert. |
1051153-4 | 3-Major | BT1051153 | DHCP fails intermittently when the connection is through BIG-IP. |
1043985-1 | 3-Major | BT1043985 | After editing an iRule, the execution order might change. |
1040957-1 | 3-Major | BT1040957 | The ipother profile can be used with incompatible profiles in a virtual server |
1040465-3 | 3-Major | BT1040465 | Incorrect SNAT pool is selected |
1040045-3 | 3-Major | BT1040045 | Unable to delete trunk member on a VCMP guest |
1039349-1 | 3-Major | BT1039349 | HTTP statistics not updated |
1037645-4 | 3-Major | BT1037645 | TMM may crash under memory pressure when using iRule 'AES::key' command |
1037257-2 | 3-Major | BT1037257 | SSL::verify_result showing wrong output for revoked cert during Dynamic CRL check |
1036093-4 | 3-Major | BT1036093 | Tmm sends out neighbor advertisements for the link local addresses even if IPv6 is disabled |
1036013-3 | 3-Major | BT1036013 | BIG-IP systems may terminate connections prematurely when a TLS close-notify alert is received |
1034953-3 | 3-Major | BT1034953 | In explicit proxy, HTTP_STATCODE missing from syslog |
1033937-1 | 3-Major | BT1033937 | HTTP message router stats do not increment for virtual servers and pools |
1029069-2 | 3-Major | BT1029069 | Non-ASCII characters are not displayed correctly. |
1026781-3 | 3-Major | BT1026781 | Standard HTTP monitor send strings have double CRLF appended |
1023529-2 | 3-Major | BT1023529 | FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory. |
1021837-3 | 3-Major | BT1021837 | When a virtual server has an inline service profile configured, connections will be reset with cause "No server selected" |
1020069-1 | 3-Major | BT1020069 | Equinix SmartKey HSM is not working with nethsm-partition 'fortanix' |
1019641-3 | 3-Major | SCTP INIT_ACK not forwarded | |
1018765-1 | 3-Major | BT1018765 | Changing the sshd port breaks some BIG-IP utilities on a multi-bladed system |
1017885-5 | 3-Major | BT1017885 | Wildcard server-name does not match multiple labels in FQDN |
1017801-1 | 3-Major | BT1017801 | Internal listeners (cgc, ftp data, etc) all share the same listener_key stats |
1017029-5 | 3-Major | BT1017029 | SASP monitor does not identify specific cause of failed SASP Registration attempt |
1016921-3 | 3-Major | BT1016921 | SSL Connection mirroring - session resumption does not occur on standby when the session ticket is enabled |
1016909-1 | 3-Major | BT1016909 | BIG-IP iRule commands FLOW::this or FLOW::peer can create zombie flows. |
1016589-1 | 3-Major | BT1016589 | Incorrect expression in STREAM::expression might cause a tmm crash |
1016433-2 | 3-Major | BT1016433 | URI rewriting is incorrect for "data:" and "javascript:" |
1015817-1 | 3-Major | BT1015817 | Flows rejected due to no return route do not increment rejection stats |
1014633-4 | 3-Major | BT1014633 | Transparent / gateway monitors may fail if there is no route to a node |
1013597-2 | 3-Major | BT1013597 | `HTTP2::disable serverside` can reset flows |
1013209-5 | 3-Major | BT1013209 | BIG-IP components relying on ca-bundle.crt may stop working after upgrade★ |
1012009-3 | 3-Major | BT1012009 | MQTT Message Routing virtual may result in TMM crash |
1010209-1 | 3-Major | BT1010209 | BIG-IP configuration allows literal CR and LF characters in LTM monitor send and recv strings |
1009921-3 | 3-Major | BT1009921 | 'SSL::verify_result' iRule command may return incorrect value when combined with dynamic CRL check |
1006857-1 | 3-Major | BT1006857 | Adding a source address list to a virtual server in a partition with a non-default route domain fails. |
1004609-6 | 3-Major | BT1004609 | SSL forward proxy virtual server may set empty SSL session_id in server hello. |
1004445-5 | 3-Major | BT1004445 | Warning not generated when maximum prefix limit is exceeded. |
1002969-4 | 3-Major | BT1002969 | Csyncd can consume excessive CPU time★ |
999709-6 | 4-Minor | BT999709 | iRule 'pool'/'virtual' commands not triggered in CLIENT_ACCEPTED with HTTP/2. |
997357-1 | 4-Minor | BT997357 | iRule command "SSL:session invalidate" not working as expected |
990173-1 | 4-Minor | BT990173 | Dynconfd repeatedly sends the same mcp message to mcpd |
987401-1 | 4-Minor | BT987401 | Increased TMM memory usage on standby unit after pool flap |
947745-3 | 4-Minor | BT947745 | Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error |
940837-4 | 4-Minor | BT940837 | The iRule command node is not triggered in CLIENT_ACCEPTED with HTTP/2. |
932553-6 | 4-Minor | BT932553 | An HTTP request is not served when a remote logging server is down |
921993-1 | 4-Minor | BT921993 | LTM policy with a 'contains' operator does not work as expected when using an external data group. |
904537-1 | 4-Minor | BT904537 | The csyncd process may keep trying to sync the GeoIP database to a secondary blade |
896565-2 | 4-Minor | BT896565 | Clusterd.peermembertimeout to set peer member timeout does not work all the time |
829021-1 | 4-Minor | BT829021 | BIG-IP does not account a presence of http2 profile when response payload is modified |
804089-2 | 4-Minor | BT804089 | iRules LX Streaming Extension dies with Uncaught, unspecified error event |
683534-2 | 4-Minor | BT683534 | 'tmsh show sys connection' command prompt displaying 4 billion connections is misleading |
669934-2 | 4-Minor | BT669934 | Session commands may not work correctly in FLOW_INIT event. |
1670225-2 | 4-Minor | BT1670225 | 'Last Error' field remains empty after initial monitor Down status post-reboot |
1620785-2 | 4-Minor | BT1620785 | F5 cache mechanism relies only on Last-Modified/If-Modified-Since headers and ignores the etag/If-None-Match headers |
1617329-2 | 4-Minor | BT1617329 | GTM LDAP may incorrectly mark a pool member as DOWN when chase-referrals is enabled |
1601581-2 | 4-Minor | BT1601581 | Virtual-address settings are not restored properly when overlapping NAT policy with proxy-arp is removed. |
1589813-1 | 4-Minor | BT1589813 | Change in behaviour when setting value HTTP::payload to 0 in irule from v16 onwards★ |
1589629-2 | 4-Minor | BT1589629 | An ICMPv6 Neighbor Solicitation sent to the last address on an IPv6 subnet is using the wrong Destination MAC address |
1567013-2 | 4-Minor | BT1567013 | Pool member stats are not reported for 2 of 10 pool-members in MRF diameter pool |
1538285-2 | 4-Minor | BIG-IP splits the PUBLISH message when the MQTT profile is applied | |
1473913-2 | 4-Minor | Proxy Connections drop due to wrong counting | |
1469337-1 | 4-Minor | BT1469337 | iRule cycle count statistics may be incorrect |
1455781-2 | 4-Minor | BT1455781 | Virtual to virtual SNAT might fail to work after an upgrade. |
1400161-2 | 4-Minor | BT1400161 | Enhance HTTP2 receive-window to maximum |
1377353 | 4-Minor | BT1377353 | TMM crashes when iRule uses persistance lookup and attached to Virtual with no pool member |
1366765-2 | 4-Minor | BT1366765 | Monitor SEND string parsing "\\r\\n" |
1350921-2 | 4-Minor | BT1350921 | SOCKS profile may not immediately expire connections |
1348869-1 | 4-Minor | BT1348869 | Hourly spike in the CPU usage and lasts for fraction of second causing delay in TLS connections |
1341093-2 | 4-Minor | BT1341093 | MCPD returns configuration error when attaching a client SSL profile containing TLS 1.3 to a virtual server with HTTP/2 profile |
1329509-2 | 4-Minor | BT1329509 | TCL error 'ERR_VAL (line 1) invoked from within "HTTP::path"'. |
1326797-3 | 4-Minor | BT1326797 | The Pool State of an offline pool with one or more user-disabled pool members depends on which pool member was marked down last by its monitor (non-deterministic behaviour) |
1325045 | 4-Minor | BT1325045 | Nexthop of mirrored flow is not updated when standby becomes active |
1322117-3 | 4-Minor | BT1322117 | FastL4 TCP PVA accelerated connection might not be cleared until idle timeout. |
1320773-2 | 4-Minor | BT1320773 | Virtual server name caused buffer overflow |
1318377-3 | 4-Minor | BT1318377 | TMM memory leak when using http+fastl4 profile with 'rtt-from-client/rtt-from-server' enabled. |
1314597-2 | 4-Minor | BT1314597 | Connection on standby may stay until idle timeout when receiving ICMP error |
1297521-2 | 4-Minor | BT1297521 | Full sync failure for traffic-matching-criteria with port list update on existing object in certain conditions |
1281405 | 4-Minor | BT1281405 | "fipsutil fwcheck -f" command may not correct result |
1238897-3 | 4-Minor | BT1238897 | TMM TCL interpreter's non-TMM "compat" memcasechr broken in 64-bit build |
1167609-2 | 4-Minor | BT1167609 | The messages msg->ref > 0 are seen in TMM logs with websockets/ASM plugin |
1142225-2 | 4-Minor | BT1142225 | Regular and In-TMM HTTPS monitors advertise different cipher suites with SSL profile is set to None |
1138101-2 | 4-Minor | BT1138101 | Tunnel connections might not come up when using pool routes |
1124085-4 | 4-Minor | BT1124085 | iRules command [info hostname] does not reflect modified hostname |
1107453 | 4-Minor | BT1107453 | Performance drop observed in some Ramcache::HTTP tests on BIG-IP i10800 platform |
1093545-4 | 4-Minor | BT1093545 | Attempts to create illegal virtual-server may lead to mcpd crash. |
1070141-1 | 4-Minor | BT1070141 | The SNAT Automap and self IP address selection. |
1067025-4 | 4-Minor | BT1067025 | Rate-shaping + immediate timeout causing connection to stall. |
1064725-4 | 4-Minor | BT1064725 | CHMAN request for tag:19 as failed. |
1037153-1 | 4-Minor | BT1037153 | iRule "log" command to remote destinations may cause TMM to leak memory |
1035757-4 | 4-Minor | BT1035757 | iRulesLX restart leaves stale files in /var/tmstat/blade/tmplugin_ilx_* |
1034865-1 | 4-Minor | BT1034865 | CACHE::enable failed on private/no-store content |
1030093-1 | 4-Minor | BT1030093 | An http2 to http2 virtual connection with translate-address disabled might only use one stream on the server side. |
1015793-1 | 4-Minor | BT1015793 | Length value returned by TCP::payload is signed and can appear negative |
1015117-5 | 4-Minor | BT1015117 | Headers are corrupted during modification/insertion if a mix of end-of-line markers <CRLF> and <LF> are used |
1013937-1 | 4-Minor | BT1013937 | In-TMM HTTP and HTTPS monitors require RFC-compliant send strings to work. |
1011889-6 | 4-Minor | BT1011889 | The BIG-IP system does not handle DHCPv6 fragmented traffic properly |
1004953-5 | 4-Minor | BT1004953 | HTTP does not fall back to HTTP/1.1★ |
926085-2 | 5-Cosmetic | BT926085 | In WebUI node or port monitor test is not possible, but it works in TMSH |
897437-7 | 5-Cosmetic | BT897437 | First retransmission might happen after syn-rto-base instead of minimum-rto. |
860277-6 | 5-Cosmetic | BT860277 | Default value of TCP Profile Proxy Buffer High Low changed in 14.1 |
490139-7 | 5-Cosmetic | BT490139 | Loading iRules from file deletes the last few comment lines |
1208813 | 5-Cosmetic | BT1208813 | Active connections graph in performance reports in GUI shows only client connections |
1035741-1 | 5-Cosmetic | BT1035741 | Wrong default value for lacp-port-priority. |
Performance Issues
ID Number | Severity | Links to More Info | Description |
908001-2 | 2-Critical | BT908001 | vCMP guest CPU usage may increase 4-5% after upgrade of vCMP host to v16.1.x★ |
1063173-2 | 2-Critical | BT1063173 | Blob size consistency after changes to pktclass. |
1037617-1 | 2-Critical | BT1037617 | Switching between bare-metal and vCMP modes can leave HSM with poorly deployed accelerator engine counts |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Links to More Info | Description |
940733-5 | 2-Critical | K29290121, BT940733 | Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt★ |
931149-3 | 2-Critical | BT931149 | Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings |
887681-4 | 2-Critical | BT887681 | Tmm SIGSEGV in rrset_array_lock,services/cache/rrset.c |
705869-1 | 2-Critical | BT705869 | TMM crashes as a result of repeated loads of the GeoIP database |
1399253-3 | 2-Critical | BT1399253 | Tmm restarts due to mcpd disconnect when memory runs out with high tmm CPU and memory xdata use |
1318625-2 | 2-Critical | BT1318625 | The gtm_add sync configuration is in the unintended direction with large GTM configuration |
1267845-3 | 2-Critical | BT1267845 | ISC's internal_current function asserted because ifa_name was NULL |
1127241-1 | 2-Critical | BT1127241 | AS3 tenants don't sync reliably in GTM sync groups. |
1103833-2 | 2-Critical | BT1103833 | Tmm core with SIGSEGV in gtmpoolmbr_UpdateStringProc |
1073273-1 | 2-Critical | BT1073273 | RESOLVER::name_lookup not returning truncated responses |
1031945-4 | 2-Critical | BT1031945 | DNS cache configured and TMM is unresponsive in 'not ready' state indefinitely after TMM restart or reboot★ |
994221-1 | 3-Major | BT994221 | ZoneRunner returns error 'Resolver returned no such record' |
990929-2 | 3-Major | BT990929 | Status of GTM monitor instance is constantly flapping |
987709-6 | 3-Major | BT987709 | Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partition |
977625-1 | 3-Major | BT977625 | GTM persistence records linger in tmm |
973341-1 | 3-Major | BT973341 | Customized device certs will break scripts relying on /config/httpd/conf/ssl.crt/server.crt |
969553-1 | 3-Major | BT969553 | A DNS Cache (or Network DNS Resolver) returns SERVFAIL to some queries. |
967737-3 | 3-Major | BT967737 | DNS Express: SOA stops showing up in statistics from second zone transfer |
965053-4 | 3-Major | BT965053 | [Regression of ID787881 & ID761032] DNSX fails to sign zone transfer using tsig key after failure |
958157-4 | 3-Major | BT958157 | Hash collisions in DNS rapid-response packet processing |
936777-1 | 3-Major | BT936777 | Old local config is synced to other devices in the sync group. |
936361-2 | 3-Major | BT936361 | IPv6-based bind (named) views do not work |
920817-7 | 3-Major | BT920817 | Wide IP operations performed in quick succession result in missing resource records and out of sync journals. |
918693-5 | 3-Major | BT918693 | Wide IP alias validation error during sync or config load |
913917-1 | 3-Major | BT913917 | Unable to save UCS |
911497-1 | 3-Major | BT911497 | Unbound's backoff algorithm interacts badly with net resolver iRules |
911241-8 | 3-Major | BT911241 | The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug |
908829-2 | 3-Major | BT908829 | The iqsyncer utility may not write the core file for system signals |
908801-2 | 3-Major | BT908801 | SELinux policies may prevent from iqsh/iqsyncer dumping core |
899253-1 | 3-Major | BT899253 | [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist |
862949-4 | 3-Major | BT862949 | ZoneRunner GUI is unable to display CAA records |
795633-1 | 3-Major | BT795633 | GUI and REST API unable to add virtual servers containing a space in the name to a pool |
779185-1 | 3-Major | BT779185 | Forward zone deleted when wideip updated |
766593-7 | 3-Major | BT766593 | RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20 |
222220-8 | 3-Major | K11931 | Distributed application statistics are not passed correctly. |
1671545-2 | 3-Major | BT1671545 | BIND no longer follows CNAME to populate A records in the reply |
1641421-2 | 3-Major | BT1641421 | Folders in the GTM synchronized group does not have same value as the inherited traffic group |
1612201-2 | 3-Major | BT1612201 | Malformed certificates found in local /config/httpd/conf/ssl.crt/server.crt |
1606813-2 | 3-Major | BT1606813 | Zone transfer fails for large zones when using TSIG key |
1602345-2 | 3-Major | BT1602345 | Resource records are not always created when wideips are created in a bundle |
1592209-2 | 3-Major | BT1592209 | Monitored objects stays "Offline (Enabled)" even after manually enabling the server object after reboot |
1583345 | 3-Major | BT1583345 | Zonerunner GUI can become unresponsive when managing large number of records |
1579805-2 | 3-Major | BT1579805 | GTM load balancing decision logs contain truncated pool member details. |
1573593 | 3-Major | BT1573593 | Sometimes GTM topology pool-member-traversal ignores matching topology records |
1496205-3 | 3-Major | BT1496205 | Static CNAME pool members may get deleted when corresponding WideIPs are deleted |
1464201-3 | 3-Major | BT1464201 | GTM rule created with wildcard * from GUI results in configuration load error |
1379649-2 | 3-Major | BT1379649 | GTM iRule not verifying WideIP type while getting pool from TCL command |
1378069-2 | 3-Major | BT1378069 | DNS profile RPS spike every time when there is change in configuration of DNS profile |
1328857-2 | 3-Major | BT1328857 | GUI error when accessing hyperlink for associated gtm link object on a virtual server |
1289313-3 | 3-Major | BT1289313 | Creation of wideip with alias would cause inconsistent zone data across GTM sync group |
1281433-2 | 3-Major | BT1281433 | Missing GTM probes on GTM server when an external monitor is attached to an additional pool |
1269601-2 | 3-Major | BT1269601 | Unable to delete monitor while updating DNS virtual server monitor through transaction |
1250077-4 | 3-Major | BT1250077 | TMM memory leak |
1205509-2 | 3-Major | BT1205509 | Region cache fails to update appropriately after referenced region update |
1205061-2 | 3-Major | BT1205061 | DNSSEC keys removed from the configuration before expiration date when iQuery connection goes down |
1191349-2 | 3-Major | BT1191349 | The dns_cache_derived_stat show corrupted values. |
1189877-4 | 3-Major | BT1189877 | The option /dev/random is depreciated from rndc-confgen with the latest BIND 9.16 |
1162221-2 | 3-Major | BT1162221 | Probing decision will skip local GTM upon reboot if net interface is not brought up soon enough |
1161241-5 | 3-Major | BT1161241 | BIND default behavior changed from 9.11 to 9.16 |
1154313-2 | 3-Major | BT1154313 | TMM crash due to rrsets structure corruption |
1142153-2 | 3-Major | BT1142153 | DNS Resource Records for Wide IPs are potentially misleading when creating or deleting a large number of Wide IPs |
1127805-2 | 3-Major | BT1127805 | Server.crt containing "<" will cause frequent reconnects between local gtmd and big3d |
1124217-1 | 3-Major | BT1124217 | Big3d cores on CTCPSocket::TCPReceive and connector |
1116513-1 | 3-Major | BT1116513 | Route-domains should not be allowed on name server addresses via the GUI. |
1112089-1 | 3-Major | BT1112089 | Prevent zrd from rolling back named.conf file in wrong situations |
1111361-3 | 3-Major | BT1111361 | Refreshing DNS wide IP pool statistics returns an error |
1108557-1 | 3-Major | BT1108557 | DNS NOTIFY with TSIG is failing due to un-matched TSIG name |
1103477-3 | 3-Major | BT1103477 | Refreshing pool member statistics results in error while processing requests |
1096165-4 | 3-Major | BT1096165 | Tmm cored for accessing the pool after the gtm_add or updating topology record |
1086865-2 | 3-Major | BT1086865 | GTM sync fails when trying to create/sync a previously deleted partition. |
1083405-3 | 3-Major | BT1083405 | "Error connecting to named socket" from zrd |
1082197-1 | 3-Major | BT1082197 | RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response |
1075469-1 | 3-Major | BT1075469 | DNS GUI: Refreshing a DNS Express record sometimes fails to populate the server. |
1073673-1 | 3-Major | BT1073673 | Prevent possible early exit from persist sync |
1070953-4 | 3-Major | BT1070953 | Dnssec zone transfer could cause numerous gtm sync events. |
1067309-1 | 3-Major | BT1067309 | GTMD cored followed by TMM core SIGSEGV due to illegal GTM server reference. |
1066397-1 | 3-Major | BT1066397 | GTM persists to last resort pool members even when primary pool members become available. |
1064205-1 | 3-Major | BT1064205 | GSLB virtual server's status can't be changed from the drop-down selection box on its properties page. |
1063829-1 | 3-Major | BT1063829 | Zxfrd could run out of memory because zone db files are not efficiently recycled. |
1055077-1 | 3-Major | BT1055077 | Modifying the datacenter does not check GTM server configuration for prober-pool. |
1051125-1 | 3-Major | BT1051125 | GTM marks virtual servers offline even when LTM virtual servers are available. |
1050661-1 | 3-Major | BT1050661 | Warning message with UDP on DOH server side. |
1044873-1 | 3-Major | BT1044873 | Deleted GTM link is not removed from virtual server object and causes load failure. |
1041889-2 | 3-Major | BT1041889 | RRSIG missing for CNAME with RDATA in different zone |
1041657-1 | 3-Major | BT1041657 | PEM and Analytics tabs are displayed when accessing DoH Proxy/Server profiles. |
1041625-5 | 3-Major | BT1041625 | Virtual server flapping when the active and standby devices have different configuration. |
1040153-1 | 3-Major | BT1040153 | Topology region returns narrowest scope netmask without matching |
1030237-1 | 3-Major | BT1030237 | Zxfrd core and continual restart when out of configured space |
1026621-1 | 3-Major | BT1026621 | DNS cache resolver could not connect to remote DNS server with snatpool if multiple routes exist |
1024905-1 | 3-Major | BT1024905 | GTM monitor times out if monitoring a virtual server with translation address |
1024553-1 | 3-Major | BT1024553 | GTM Pool member set to monitor type "none" results in big3d: timed out |
1012061-1 | 3-Major | BT1012061 | Link Controller auto-discovery does not remove deleted virtual servers |
1003233-2 | 3-Major | BT1003233 | SNMP Polling can cause inconsistencies in gtm link stats. |
1001101-1 | 3-Major | BT1001101 | Cannot update/display GTM/DNS listener route advertisement correctly |
996261-1 | 4-Minor | BT996261 | Zrd in restart loop with empty named.conf |
995369-1 | 4-Minor | BT995369 | DNSSEC manual key created with other algorithms ends up using RSA/SHA1 algorithm |
959613-1 | 4-Minor | BT959613 | Double-monitoring a generic-host virtual server might show blank 'Reason' |
947217-6 | 4-Minor | BT947217 | Fix of ID722682 prevents GTM config load when the virtual server name contains a colon★ |
886145-1 | 4-Minor | BT886145 | The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS GUI. |
882933-1 | 4-Minor | BT882933 | Nslookup might generate a core during system restart |
839361-7 | 4-Minor | BT839361 | iRule 'drop' command does not drop packets when used in DNS_RESPONSE |
782373-1 | 4-Minor | BT782373 | GTM fails to log MCPD error in GTM log and logs it in LTM log instead. |
708680-4 | 4-Minor | BT708680 | TMUI is unable to change the Alias Address of DNS/GTM Monitors |
464708-3 | 4-Minor | BT464708 | DNS logging does not support Splunk format log |
1642301-2 | 4-Minor | BT1642301 | Loading single large Pulse GeoIP RPM can cause TMM core |
1468473-3 | 4-Minor | BT1468473 | Statistics for DNS validating resolver not showing properly for Client hits and misses |
1436221-2 | 4-Minor | Modify b.root-servers.net IPv4 address to 170.247.170.2 and IPv6 address to 2801:1b8:10::b | |
1128405-3 | 4-Minor | BT1128405 | DNS overall Request/Second counter can be inaccurate |
1125161-2 | 4-Minor | BT1125161 | Wideip fails to display or delete in the Link Controller GUI. |
1121937-4 | 4-Minor | BT1121937 | ZoneRunner GUI is unable to display CAA records with "Property Value" set to ";" |
1067821-1 | 4-Minor | BT1067821 | Stats allocated_used for region inside zxfrd is overflowed |
1026813-7 | 4-Minor | BT1026813 | LCD IP address is missing from /etc/hosts on iSeries |
1014761-2 | 4-Minor | BT1014761 | [DNS][GUI] Not able to enable/disable pool member from pool member property page |
1008233-1 | 4-Minor | BT1008233 | The gtm_add command fails but reports no error |
1274385-3 | 5-Cosmetic | BT1274385 | BIGIP-DNS GUI delivery summary stats shows incorrect count for "Disabled" GTM listeners |
1225941-2 | 5-Cosmetic | BT1225941 | OLH Default Values on Notification and Early Retransmit Settings |
1122153-4 | 5-Cosmetic | BT1122153 | Zonerunner GUI displaying incorrect error string "RRSig Covers Unsupported Record Type" |
1053605-2 | 5-Cosmetic | BT1053605 | When you use NAT, the iQuery status displays 'BIGIP' instead of 'BIGIP-DNS'. |
Application Security Manager Issues
ID Number | Severity | Links to More Info | Description |
887621-4 | 2-Critical | BT887621 | ASM virtual server names configuration CRC collision is possible |
1365629-2 | 2-Critical | FPS signature and engine update fail to access sys db key proxy.password | |
1217549-3 | 2-Critical | BT1217549 | Missed ASM Sync on startup |
1050089-5 | 2-Critical | TMM crash in certain cases | |
991929-3 | 3-Major | BT991929 | AJAX Blocking Page causes an AJAX response callback to be called twice |
987453-3 | 3-Major | Bot Defense browser verification fails upon iframes of different top-level domains | |
974513-7 | 3-Major | BT974513 | Dropped requests are reported as blocked in Reporting/charts |
966613-6 | 3-Major | BT966613 | Cannot create XML profile based on WSDL when wsdl contains empty soap:address – getting error ‘Column 'object_uri' cannot be null’ |
959965-1 | 3-Major | Asmlogd stops deleting old protobufs | |
959957-1 | 3-Major | BT959957 | Asmlogd stops deleting old protobufs |
943441-4 | 3-Major | BT943441 | Issues in verification of Bot Defense with F5 Anti-Bot Mobile SDK |
932193-1 | 3-Major | BT932193 | Improper handling of multiple cookie headers results in security bypass |
919917-5 | 3-Major | BT919917 | File permission errors during bot-signature installation |
902445-3 | 3-Major | BT902445 | ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation |
580715-3 | 3-Major | BT580715 | ASM is not sending 64 KB remote logs over UDP |
1644569-2 | 3-Major | BT1644569 | Header signature override cache mechanism |
1633573-2 | 3-Major | BT1633573 | Active/Active Deployment Leads to DCC corruption due to duplicate sync files |
1624625-2 | 3-Major | BT1624625 | L7 policy for bot defense enable without profile name causes issues. |
1617101-2 | 3-Major | Bd crash and generate core | |
1599213-6 | 3-Major | Deleting a signature takes more time | |
1596481-3 | 3-Major | BT1596481 | Staged signature IDs and name are not logged in remote logger for websocket traffic |
1590085-2 | 3-Major | BT1590085 | DoSL7D ICC errors are observed during higher throughput with DoS profile on Active-Active setup |
1589213-1 | 3-Major | BT1589213 | Content signatures are triggered for FileUploads even though check attack signature is disabled |
1584217-2 | 3-Major | BT1584217 | Captcha prompt not presented |
1572505-1 | 3-Major | BT1572505 | BD crash with specific iRule |
1561713-2 | 3-Major | BD total_max_mem is initialized with a low (default) value resulting in many issues with long request buffers and traffic failing | |
1561077-2 | 3-Major | Page gets redirected before Captcha is displayed | |
1558581-1 | 3-Major | BT1558581 | Host authority sub component not parsed properly |
1555021-2 | 3-Major | Mysql error after roll forward upgrade when uploading base version's csv over upgraded version.★ | |
1553533-2 | 3-Major | BT1553533 | Negative frame number might result in bd crash. |
1552441-2 | 3-Major | Error message for bot-signature update failure. | |
1549429 | 3-Major | BT1549429 | Google-InspectionTool classified as Suspicious Browser. |
1496353-2 | 3-Major | Violation details for "HTTP protocol compliance failed - Multiple host headers" violation are not available in the event log | |
1494281 | 3-Major | BT1494281 | "XML data does not comply with schema or WSDL document" violation always points to the last Attribute name |
1482769-2 | 3-Major | BT1482769 | JSON schema failing after upgrade to 15.1.10.2★ |
1474749-1 | 3-Major | ASM policy IP Address Exceptions list entry shows incorrect route_domain | |
1469889-2 | 3-Major | URI should not raise violation when the SSRF violation is turned off | |
1466325-2 | 3-Major | BT1466325 | Live Update installation window does not disappear when an installation error occurs |
1429813-4 | 3-Major | BT1429813 | ASM introduce huge delay from time to time |
1410285-2 | 3-Major | BT1410285 | Genesis bot signature file does not install after upgrade |
1408281 | 3-Major | BT1408281 | GUI allows to modify source '/any' in bot-defence white list |
1407997-3 | 3-Major | Enforcer crash due to the ASM parameter configuration | |
1366153-3 | 3-Major | BT1366153 | "Illegal repeated header violation" is added with blocking enabled, after upgrading to v16+ from earlier versions★ |
1360997-2 | 3-Major | Attack Signature not detected when signature is overridden on first header | |
1360129-2 | 3-Major | BT1360129 | Tcpdump filter by dosl7d_attack_monitor has no netmask |
1354305 | 3-Major | BT1354305 | MultiByte in Unicode is not decoded properly |
1329557-2 | 3-Major | BT1329557 | The Attack Types and Violations reported in the incident do not match the incident subtype |
1328573 | 3-Major | BT1328573 | Illegal repeated header violation is not enforced for cookie header |
1324777-1 | 3-Major | BT1324777 | The get_file_from_link in F5::Utils::File should support HTTPS links also when proxy.host DB key is configured |
1306557-2 | 3-Major | Incorrect counting of non basic latin characters for min/maxLength | |
1302925-2 | 3-Major | BT1302925 | Failed to load detected bots list , when you clicked on Bot Category |
1300909-2 | 3-Major | Violation details for "HTTP protocol compliance failed" violation are not available if the Block flag is only enabled | |
1300645-2 | 3-Major | Wrong violation attribute is reported on a request. | |
1293829-3 | 3-Major | BT1293829 | The violation "Illegal cross-origin request" is raised when it is not enabled under learning-blocking settings |
1280857-1 | 3-Major | Illegal file type is enabled in Rapid Deployment Template. | |
1280813-1 | 3-Major | Illegal URL violation triggered for after upgrade due to due to missing content-profiles in DB | |
1271469-3 | 3-Major | BT1271469 | Failed to install ASU file scheduled for install |
1245221-1 | 3-Major | BT1245221 | ASM Policy IP Intelligence configuration does not seem to synchronize when the device group is set to automatic sync |
1239297-2 | 3-Major | BT1239297 | TMM URL web scraping limit not synced to secondary slot 2 in VIPRION chassis |
1235337-1 | 3-Major | BT1235337 | The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL |
1231697 | 3-Major | BT1231697 | Configuration to ignore “URI Parameters” in the A10 category is not retained during upgrade from 16.1.x to higher versions. |
1226537-2 | 3-Major | Duplicated details are shown in files preview. | |
1224329-1 | 3-Major | No learning suggestion for URL "Override policy allowed methods" attribute | |
1136833-2 | 3-Major | BT1136833 | Unparseable request content subviolation override cannot be configured on microservices |
1134441-2 | 3-Major | BT1134441 | Inactive policy synced to peer results ASM removed from virtual server only for sync-only DG |
1123157-3 | 3-Major | Single-page application AJAX does not work properly with page's navigation | |
1069137-2 | 3-Major | BT1069137 | Missing AWAF sync diagnostics |
1069113-1 | 3-Major | BT1069113 | ASM process watchdog should be less aggressive |
1065681-1 | 3-Major | BT1065681 | Sensitive data is not masked under certain conditions. |
1062105-3 | 3-Major | BT1062105 | For specific configurations (Auto-Added Signature Accuracy and Case Sensitive parent policy), child security policy fails to create. |
1059849-3 | 3-Major | BT1059849 | ASM hostname headers have the route domain incorrectly appended |
1057557-5 | 3-Major | BT1057557 | Exported policy has greater-than sign '>' not escaped to '>' with response_html_code tag. |
1051589-1 | 3-Major | Missing configuration after upgrade★ | |
1039361-1 | 3-Major | BT1039361 | [GraphQL] In case of more than one malformed violation, the first is reported multiple times |
1036969-1 | 3-Major | BT1036969 | Chrome sometimes ignores cross-site bot-defense cookies |
1033025-4 | 3-Major | BT1033025 | TMM might crash when unsupported bot iRule is used |
1031461-2 | 3-Major | Session awareness entries aren't mirrored to both sides of an active-active deployment. | |
1029373-4 | 3-Major | BT1029373 | Firefox 88+ raising Suspicious browser violations with bot defense |
1028493-1 | 3-Major | BT1028493 | Live Update genesis file for Server Technologies installation fails |
1023229-1 | 3-Major | BT1023229 | False negative on specific authentication header issue |
1021609-1 | 3-Major | BT1021609 | Improve matching of URLs with specific characters to a policy. |
1020149-4 | 3-Major | BT1020149 | Bot Defense does not support iOS's WKWebView framework |
1017261-7 | 3-Major | BT1017261 | Configuraton update triggers from MCP to ASM are ignored |
994013-1 | 4-Minor | BT994013 | Modifying bot defense allow list via replace-all-with fails with match-order error |
991765-3 | 4-Minor | BT991765 | Inheritance of staging_period_in_days from policy template |
984521-4 | 4-Minor | BT984521 | Accept-Encoding header is stripped by Bot Defense profile in case of incompatible file extension and a dot in the file name |
984449-2 | 4-Minor | BT984449 | Unnecessary swagger validation violation may raise due to behavioral WAF parameter traps that have identical name |
950953-3 | 4-Minor | BT950953 | Browser Challenges update file cannot be installed after upgrade★ |
882729-5 | 4-Minor | BT882729 | Applied Blocking Masks discrepancy between local/remote event log |
807569-3 | 4-Minor | BT807569 | Requests fail to load when backend server overrides request cookies and Bot Defense is used |
757486-2 | 4-Minor | BT757486 | Errors in IE11 console appearing with Bot Defense profile |
1635829-2 | 4-Minor | BT1635829 | Sint Maarten (SX) and Curacao (CW) are unavailable in Geolocation enforcement and event log filter |
1629329-1 | 4-Minor | BT1629329 | A webpage can be stuck after opening a dropdown list |
1617041-2 | 4-Minor | BT1617041 | Latest installed update missing on secondary device GUI |
1600265-1 | 4-Minor | BT1600265 | Request_status is alerted in remote logging while local logging shows blocked |
1591197-2 | 4-Minor | BT1591197 | Specific JSON enforcement is not working |
1577773-2 | 4-Minor | BT1577773 | Fix for ID1168157 does not work for some non-basic latin characters. |
1505137 | 4-Minor | BT1505137 | While provisioning both ASM and AFM modules, getting configuration error in DoS Profile with Accelerated signature/TLS signature and Http allow list is enabled. |
1468769-2 | 4-Minor | Signature Compile error for bot-signature emitted in asm control plane | |
1382141-3 | 4-Minor | BT1382141 | Query string gets stripped when bot defense redirects request via Location header, with versions that have the fix for ID890169★ |
1348945 | 4-Minor | BT1348945 | BD core is seen while setting "likely_false_positive_mode" |
1308393-2 | 4-Minor | BT1308393 | Export security policy XML format fail with "too large and cannot be exported" message |
1300665-3 | 4-Minor | BT1300665 | ASMCSD memory leak if tsconfd.loglevel is set for debug level |
1293261-3 | 4-Minor | Subviolations (e.g., IP in host header violation) are not reported to the policy builder | |
1232649-1 | 4-Minor | Unterminated POST requests never close and consume UMU buffers | |
1230833-2 | 4-Minor | In the signature advanced mode, the Update button is kept disabled even after some changes in the rule | |
1225677-2 | 4-Minor | BT1225677 | Challenge Failure Reason is not functioning in ASM remote logging |
1211437-2 | 4-Minor | When mobile cookie is too long, Anti-Bot SDK is failing | |
1210569-3 | 4-Minor | User defined signature rule disappears when using high ASCII in rule | |
1210053-1 | 4-Minor | The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error | |
1154725-4 | 4-Minor | Custom or predefined method is not changing the behavior while changing from GET to POST method | |
1144013-2 | 4-Minor | BT1144013 | Policy import fails with Lock wait timeout exceeded ASM subsystem error |
1135425-2 | 4-Minor | BT1135425 | Created ASM policy does not appear in bigip.conf on the standby |
1132705-3 | 4-Minor | Failed on insert entry to DCC.ACCOUNT_LOGIN_OBJECT_ATTRIBUTES | |
1120529-1 | 4-Minor | BT1120529 | Illegal internal request in multipart batch request |
1097853-1 | 4-Minor | BT1097853 | Session Tracking screen may be missing the scroll bar after saving the configuration |
1087005-2 | 4-Minor | BT1087005 | Application charset may be ignored when using Bot Defense Browser Verification |
1076165-1 | 4-Minor | BT1076165 | GRPC traffic does not work with DoSL7. |
1067917-1 | 4-Minor | BT1067917 | Attaching iRule DOSL7::enable when mitigation is not enabled at dosl7 profile, it is not showing warning in GUI. |
1059421-4 | 4-Minor | Bot Signature is not updated when the signature rule is updated. | |
1058665-1 | 4-Minor | Bot signature with a semicolon followed by a space is not detected. | |
1057713-2 | 4-Minor | "South Sudan" is missing from the ASM Geolocation Enforcement list. | |
1048617-3 | 4-Minor | Nice level BigDB paramter is not applied for BD | |
1017149-1 | 4-Minor | User-defined bot sigs that are created in tmsh don't overlap staged factory bot sigs | |
1005309-4 | 4-Minor | BT1005309 | Additional Tcl variables showing information from the AntiBot Mobile SDK |
1005181-4 | 4-Minor | BT1005181 | Bot Defense Logs indicate the mobile debugger is used even when it is not |
1004801-2 | 4-Minor | BT1004801 | In the violation details for Max Parameter Protocol Compliance, the incorrect number of parameters is shown. |
1229861-2 | 5-Cosmetic | BT1229861 | Signature rule : regex "i" modifier should be translated into "nocase", instead of prepending "(?i)" |
1048989-2 | 5-Cosmetic | BT1048989 | Slight correction of button titles in the Data Guard Protection Enforcement |
Application Visibility and Reporting Issues
ID Number | Severity | Links to More Info | Description |
949593-5 | 3-Major | BT949593 | Unable to load config if AVR widgets were created under '[All]' partition★ |
939933-7 | 3-Major | BT939933 | Monpd restarts every few seconds due to missing of AVR database |
933777-5 | 3-Major | BT933777 | Context use and syntax changes clarification |
932189-1 | 3-Major | BT932189 | Incorrect BD Swap Size units on ASM Resources chart |
869049-7 | 3-Major | BT869049 | Charts discrepancy in AVR reports |
830073-7 | 3-Major | BT830073 | AVRD may core when restarting due to data collection device connection timeout |
808801-6 | 3-Major | BT808801 | AVRD crash when configured to send data externally |
743826-7 | 3-Major | BT743826 | Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0) |
1294141-3 | 3-Major | BT1294141 | ASM Resources Reporting graph displays over 1000% CPU usage |
1211817 | 3-Major | BT1211817 | AVRD may crash while modifying the global settings |
1110373-2 | 3-Major | BT1110373 | Nitrox device error logs in /var/log/ltm |
1040477-1 | 3-Major | BT1040477 | Drop-Down menu shows white blank items in Reporting : DoS : URL Latencies |
950305-5 | 4-Minor | BT950305 | Analytics data not displayed for Pool Names |
910777-1 | 4-Minor | BT910777 | Sending ASM report via AWS SES failed duo to wrong content type |
1312045 | 4-Minor | BT1312045 | The graph lines do not match the source translation request value |
1311997 | 4-Minor | BT1311997 | Disable the f5_cspm and f5_p words from the AVR cookie disclosure. |
1299085 | 4-Minor | BT1299085 | AVR shows Server Latency as 0 for http2 virtual with MRF enabled |
1298225 | 4-Minor | BT1298225 | Avrd generates core when dcd becomes unavailable due to some reason |
1294113-2 | 4-Minor | BT1294113 | During a DNS attack, summary log shows no attack ID |
930217-1 | 5-Cosmetic | BT930217 | Zone colors in ASM swap usage graph are incorrect |
Access Policy Manager Issues
ID Number | Severity | Links to More Info | Description |
349706-4 | 0-Unspecified | NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN | |
1429717-2 | 1-Blocking | BT1429717 | APM as oAuth AS intermittently returning HTTP/1.1 400 Bad Request |
971065-2 | 2-Critical | BT971065 | Using ACCESS::log iRule command in RULE_INIT event makes TMM crash |
930625-1 | 2-Critical | BT930625 | TMM crash is seen due to double free in SAML flow |
1598345 | 2-Critical | BT1598345 | [APM] Unable to access virtual IP when address-list configured |
1561697-2 | 2-Critical | Applying mutliple policies causes apmd to use a lot of CPU causes failure in sessiondb related operations | |
1552705 | 2-Critical | BT1552705 | New subsession reads access_token from per-session policy instead of per-request policy. |
1496841 | 2-Critical | BT1496841 | CRLDP Lookup fails for lower update-interval value |
1400257-1 | 2-Critical | Citrix Autodetect fails when STA is configured in Storefront | |
1325721-3 | 2-Critical | BT1325721 | Oauth not allowed for old tokens after upgrade to 15.1.9 |
1282769-2 | 2-Critical | Localdb user can change the password of other user | |
1083053-2 | 2-Critical | BT1083053 | Apmd memory grows over time in AD auth scenarios |
1007869-1 | 2-Critical | BT1007869 | Upgrade from v14.1.x to v15.1.2.1 or later fails for app-tunnel, RDP and config migration★ |
984765-2 | 3-Major | BT984765 | APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)★ |
981777-1 | 3-Major | BT981777 | APM can sometimes reset client connections with POST body greater than 64k bytes |
976553-1 | 3-Major | BT976553 | Portal Access: Chrome/Edge browser: cookie transport: sync XMLHttpRequests should not be used in onbeforeunload handlers |
958773-2 | 3-Major | BT958773 | [SAML SP] Assertion canonicalization fails if <AttributeValue> contains spaces. |
949477-4 | 3-Major | BT949477 | NTLM RPC exception: Failed to verify checksum of the packet |
947613-2 | 3-Major | BT947613 | APM reset after upgrade and modify of LDAP Group Lookup★ |
942729-3 | 3-Major | Export of big Access Policy config from GUI can fail | |
934825-2 | 3-Major | BT934825 | Restarting MCPD via command line may not restart the aced process |
903573-3 | 3-Major | BT903573 | AD group cache query performance |
903501-3 | 3-Major | BT903501 | VPN Tunnel establishment fails with some ipv6 address |
898381-3 | 3-Major | BT898381 | Changing the setting of apm-forwarding-fastl4 profile does not take effect |
893801-2 | 3-Major | BT893801 | Launching resources that are published on an APM Webtop from multiple VMware servers will fail when the Native View client is selected |
868557-1 | 3-Major | BT868557 | Unable to initiate SWG database download from Admin UI when management network has no direct internet connectivity. |
666845-4 | 3-Major | K08684622, BT666845 | Rewrite plugin can accumulate memory used for patching very large files |
648946 | 3-Major | BT648946 | Oauth server is not registered in the map for HA addresses |
527119-9 | 3-Major | BT527119 | An iframe document body might be null after iframe creation in rewritten document. |
1627261 | 3-Major | BT1627261 | Restoration of crldp aaa requires manual intervention after a network outage |
1626273 | 3-Major | BT1626273 | [SAML][APM] BIG-IP as SP fails to validate IdP signature with cert bundle |
1621949-2 | 3-Major | BT1621949 | [PA]Applications break when specific host is in rewrite control list of rewrite profile |
1621317-2 | 3-Major | BT1621317 | Uncaught (in promise) TypeError: Failed to construct 'MouseEvent': Please use the 'new' operator, this DOM object constructor cannot be called as a function. |
1602777 | 3-Major | BT1602777 | "411 Length required" during NTLM negotiation |
1583701-2 | 3-Major | BT1583701 | Access Policy Export does not write OCSP profile correctly to ng_export.conf |
1581085 | 3-Major | BT1581085 | In APM, TMM Core event triggered a Failover |
1579857 | 3-Major | BT1579857 | [APM][Address-space]apm resource address-space input validation missing for ipv6 |
1579841 | 3-Major | BT1579841 | [APM][Address-space]apm resource address-space input validation missing for ipv4 |
1576565-2 | 3-Major | BT1576565 | Expect header is not forwarded to pool when PingAccess profile is applied to VS |
1566893-2 | 3-Major | BT1566893 | Config fails to load while upgrading from 14.0.x to 15.1.10.3★ |
1566269 | 3-Major | BT1566269 | Cookie SameSite attribute is removed by sesstimeout.js |
1561069 | 3-Major | BT1561069 | Initial policy sync of any address space fails |
1550737 | 3-Major | BT1550737 | Error "Access encountered error: ERR_ARG" was logged repeatedly after an upgrade |
1490977-3 | 3-Major | BT1490977 | Websense URLDB download fails with IPv6 sys DNS |
1470085 | 3-Major | BT1470085 | MDM has wrong links for Microsoft GCC High and DoD environments |
1411061-2 | 3-Major | BT1411061 | API Protection rate limiting can cause cores with high traffic |
1404205-1 | 3-Major | BT1404205 | [Standard Customization]Web VPN cannot connect with Chinese Language |
1400533 | 3-Major | BT1400533 | TMM core dump include SIGABRT multiple times, on the Standby device. |
1396369 | 3-Major | BT1396369 | APM[Saml IdP] - Support for metadata containing multiple entities |
1377421-2 | 3-Major | BT1377421 | APMD processing of MCP messages is inefficient |
1360005-2 | 3-Major | BT1360005 | If service times out, the PINGACCESS filter may not release context in ping_access_agent |
1350985 | 3-Major | BT1350985 | APM policy sync fails after deleting macro ending |
1327961-1 | 3-Major | BT1327961 | EAM plugin crashes |
1327933-1 | 3-Major | BT1327933 | 'tmsh show sys ip-address' command throws 'Syntax Error: Invalid IP address' error when address space is added |
1318653 | 3-Major | BT1318653 | Upgrading or failover of APM with lot of access policies takes long time to become "really" active |
1312125 | 3-Major | BT1312125 | MCPD crash on the changes of Device trust sync only group modification |
1296409-2 | 3-Major | BT1296409 | TMM cored in ping access hudfilter due to ctx pointed to invalid address |
1290937 | 3-Major | BT1290937 | 'contentWindow' of a dynamically genereated iframe becomes null |
1289009-2 | 3-Major | BT1289009 | PA based Hosted content does not add implicit allowed ACL |
1281693 | 3-Major | BT1281693 | Icons displayed on webtop are different from Storefront server when modified |
1251061-1 | 3-Major | BT1251061 | apmd core caused by accessing null issuer from JWT |
1224377-2 | 3-Major | BT1224377 | [APM] Policy sync is not compatible with Network Acesss address spaces |
1217365-3 | 3-Major | BT1217365 | OIDC: larger id_token encoded incorrectly by APM |
1211369-1 | 3-Major | BT1211369 | [Validation] Do not allow AD/LDAP object pointing to the same IP:PORT |
1211361-1 | 3-Major | BT1211361 | Validate AD/LDAP object names |
1210025-1 | 3-Major | BT1210025 | Address list discovery task does not trigger apply access policy automatically |
1200941-2 | 3-Major | BT1200941 | PA version check causes page reloads |
1169105-1 | 3-Major | BT1169105 | Provide download links on BIG-IP for Linux ARM64 VPN Client |
1144353 | 3-Major | BT1144353 | After creating a "Dynamic Exclude Address Spaces" or "Dynamic LAN Address Spaces" from inside a Network Access List object fails to redirect back to Network Access List object page |
1136905-1 | 3-Major | BT1136905 | Request for Portal Access Hosted Content are RST with "No available SNAT addr" |
1124793-1 | 3-Major | BT1124793 | Space inserted for variable assigned in a custom expression in the GUI |
1100081-1 | 3-Major | BT1100081 | Error message "http_process_state_prepend - Invalid action:0x10a091" for version 15 and "http_process_state_prepend - Invalid action:0x107061" for versions 16 and 17 appears in the LTM log★ |
1095909-1 | 3-Major | BT1095909 | MAX_F5_ERROR_STR macro truncating log messages of size more than 1024 macro truncating log messages of size more than 1024 |
1091509-3 | 3-Major | BT1091509 | SAML Artifact resolution service fails to resolve artifacts on same IP after reboot |
1089685-1 | 3-Major | BT1089685 | [APM]Webtop loading issue when 'oneconnect' profile is attached to a virtual server |
1089293 | 3-Major | BT1089293 | Backend password reset is not working in Webtop when sso is disabled. |
1071021-1 | 3-Major | BT1071021 | Some URLs such as *cdn.onenote.net configured in the Office 365 dynamic address space are not processed by APM |
1058873-2 | 3-Major | BT1058873 | Configuring source address as "address list" in a virtual server causes APMD to restart |
1054677-1 | 3-Major | BT1054677 | Ng_export fails for users with the 'pager' option enabled in their 'cli preference' configuration. |
1041989-4 | 3-Major | BT1041989 | APM Portal Access does not add automatically the / after the URL encoded (after the '$$'), Redirect breaks |
1022877-3 | 3-Major | BT1022877 | Ping missing from list of Types for OAuth Client |
996985-1 | 4-Minor | BT996985 | No IP address format validation while adding IP addresses in IPv4 LAN Address Space or IPv4 Exclude Address Space when configuring Network Access Resource. |
996977-1 | 4-Minor | BT996977 | No IP address format validation while adding IP addresses in IPv6 LAN Address Space or IPv6 Exclude Address Space when configuring Network Access Resource. |
963129-3 | 4-Minor | BT963129 | RADIUS Accounting Stop message fails via layered virtual server |
937665-1 | 4-Minor | BT937665 | Relaystate in SLO request results in two Relaystates in SLO Response |
936061-3 | 4-Minor | BT936061 | Variable session.user.agent missing for Edge Client & F5 Access clients |
869541-3 | 4-Minor | BT869541 | Series of unexpected <aborted> requests to same URL |
869121-2 | 4-Minor | BT869121 | Logon Page configured after OAuth client in access policy VPE, get error message Access policy evaluation is already in progress for your current session |
811829 | 4-Minor | BT811829 | BIG-IP as Authorization server: OAuth Report GUI display expired token as active |
547947-2 | 4-Minor | BT547947 | Feeding empty username and password to the Logon Page followed by RadiusAuthAgent shows the session as Logged out |
1578597-1 | 4-Minor | BT1578597 | Religion URL Categories not found on SWG database download |
1472589 | 4-Minor | BT1472589 | Support for disabling ACCESS for OAuth-RS Profile Type virtual server |
1399517-1 | 4-Minor | BT1399517 | FrameElement Wrappers occasionaly returns 'Undefined' instead of original Window object failing to load frame/iframes |
1354145 | 4-Minor | BT1354145 | Max session timeout countdown timer on webtop is reset when refreshing the Modern Webtop |
1350417-1 | 4-Minor | BT1350417 | "Per IP in-progress sessions limit (xxx) exceeded" message occurs before number of "In-Progress session" reaches the limit |
1050153 | 4-Minor | BT1050153 | Unknown browscap value sent by the client. |
1022973-2 | 4-Minor | BT1022973 | Sessiondb entries related to Oauth module not cleaned up in certain conditions |
1004845-1 | 4-Minor | BT1004845 | Accessing attribute using attributeNode value does not work with Portal Access |
WebAccelerator Issues
ID Number | Severity | Links to More Info | Description |
941961-4 | 3-Major | BT941961 | Upgrading system using WAM TCP profiles may prevent the configuration from loading |
Wan Optimization Manager Issues
ID Number | Severity | Links to More Info | Description |
863601-5 | 2-Critical | BT863601 | Panic in TMM due to internal mirroring interactions |
Service Provider Issues
ID Number | Severity | Links to More Info | Description |
1268373-4 | 2-Critical | BT1268373 | MRF flow tear down can fill up the hudq causing leaks |
917637-5 | 3-Major | BT917637 | Tmm crash with ICAP filter |
1581653-2 | 3-Major | BT1581653 | Unbounded GENERICMESSAGE queue growth |
1578637-2 | 3-Major | BT1578637 | TMM may drop MRF messages after a failover. |
1566721-2 | 3-Major | BT1566721 | The SIP MRF virtual servers with mirroring enabled can lead to a connflow leak on standby |
1474401-2 | 3-Major | [HA failover resulting in connections on new Active not being maintained via mirroring on Standby] | |
1399193-2 | 3-Major | BT1399193 | SIP parser not parsing response when ;; in the to: or from: |
1156149-1 | 3-Major | BT1156149 | Early responses on standby may cause TMM to crash |
1008169-1 | 3-Major | BT1008169 | BIG-IP systems disconnect the DIAMETER transport connection if it receives an answer message without a Result-Code AVP |
1294301 | 4-Minor | BT1294301 | Tmm core when freeing pool name |
1249929-3 | 4-Minor | BT1249929 | Diameter MRF sends CER to pool-member even after peer sent DPR and force-offline the pool member |
Advanced Firewall Manager Issues
ID Number | Severity | Links to More Info | Description |
964989-4 | 2-Critical | BT964989 | AFM DOS half-open does not handle wildcard virtual servers properly. |
609878-6 | 2-Critical | BT609878 | Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server |
1671149-2 | 2-Critical | BT1671149 | Timestamp cookies might cause problem for PVA-accelerated connections. |
1605125-3 | 2-Critical | BT1605125 | TMM might crash when AFM is used on the Virtual Edition of BIG-IP |
1410441 | 2-Critical | BT1410441 | Large file transfer over SFTP/SSH proxy failure |
1215161-2 | 2-Critical | BT1215161 | A new CLI option introduced to display rule-number for policy, rules and rule-lists |
1084133-1 | 2-Critical | BT1084133 | At device level ICMP frags are not counting for BA and BD |
1080957-4 | 2-Critical | BT1080957 | TMM Seg fault while Offloading virtual server DOS attack to HW |
1067405-3 | 2-Critical | BT1067405 | TMM crash while offloading / programming bad actor connections to hardware. |
1061929-2 | 2-Critical | BT1061929 | Unable to perform IPI update (through proxy) after upgrade to 15.1.4.★ |
1060833-2 | 2-Critical | BT1060833 | After handling a large number of connections with firewall rules that log or report translation fields or server side statistics, TMM may crash. |
1058645-2 | 2-Critical | BT1058645 | ipsecalg blocks Sophos ISAKMP negotiation during tunnel setup. |
997169-2 | 3-Major | BT997169 | AFM rule not triggered |
992233-1 | 3-Major | BT992233 | DNS DoS profile (Error Vector) does not mitigate/detect at the virtual server level. |
987637-3 | 3-Major | BT987637 | DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware |
987605-3 | 3-Major | BT987605 | DDoS: ICMP attacks are not hardware-mitigated |
977449-1 | 3-Major | BT977449 | Total address and Total endpoints is shown as '0' in nat stats |
968953-1 | 3-Major | BT968953 | Unnecessary authorization header added in the response for an IP intelligence feed list request |
965849-1 | 3-Major | BT965849 | Displayed 'Route Domain ID' value is confusing if it is set to None |
955773-3 | 3-Major | BT955773 | Fw_lsn_pool_pba_stat: excessively high active_port_blocks stat for IPv4 |
935769-5 | 3-Major | BT935769 | Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time★ |
926549-3 | 3-Major | BT926549 | AFM rule loops when 'Send to Virtual' is used with Virtual Server iRule 'LB::reselect' |
926417-3 | 3-Major | BT926417 | AFM not using the proper FQDN address information |
1635209-1 | 3-Major | BT1635209 | FW NAT policy with automap does not work with ALG protocols in active mode |
1616629-2 | 3-Major | BT1616629 | Memory leaks in SPVA allow list |
1596445-3 | 3-Major | BT1596445 | TMM crashes when firewall NAT policy uses automap and SIP/RTSP/FTP ALG. |
1573601-2 | 3-Major | BT1573601 | MCP query for fw_rule_stat takes ~23s to complete |
1510477-2 | 3-Major | BT1510477 | RD rule containing zones does not match expected traffic on the Network firewall policy |
1384509-3 | 3-Major | BT1384509 | The ePVA syncookie protection stays activated in hardware |
1325681-2 | 3-Major | K000136894, BT1325681 | VLAN tscookies with fastl4 timestamp preserve and PVA acceleration cause connection problems.★ |
1307697-1 | 3-Major | BT1307697 | IPI not working on a new device - 401 invalid device error from BrightCloud |
1199025-2 | 3-Major | BT1199025 | DNS vectors auto-threshold events are not seen in webUI |
1167949-3 | 3-Major | BT1167949 | Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading is not working on hardware |
1137133-2 | 3-Major | BT1137133 | Stats rate is showing incorrect data for broadcast, multicast and arp flood vectors |
1132449-2 | 3-Major | BT1132449 | Incomplete or missing IPv6 IP Intelligence database results to connection reset and/or high TMM CPU usage |
1101653-2 | 3-Major | BT1101653 | Query Type Filter in DNS Security Profile blocks allowed query types |
1079985-3 | 3-Major | BT1079985 | int_drops_rate shows an incorrect value |
1079053-1 | 3-Major | BT1079053 | SSH Proxy feature is not working in FIPS Licensed platforms |
1076477-2 | 3-Major | BT1076477 | AFM allows deletion of a firewall policy even if it's being used in a route domain. |
1057061-2 | 3-Major | BT1057061 | BIG-IP Virtual Edition + security-log-profile (HSL) performance issue with Log Translation Fields. |
1053949-3 | 3-Major | BT1053949 | AFM SSH proxy offering weak ciphers, the ciphers must be removed |
1045065-3 | 3-Major | BT1045065 | Enable traffic group modification in source-translation object |
1031909-2 | 3-Major | BT1031909 | NAT policies page unusable due to the page load time |
1022613-1 | 3-Major | BT1022613 | Cannot modify Security "global-network" Logging Profile |
1019453-1 | 3-Major | BT1019453 | Core generated for autodosd daemon when synchronization process is terminated |
1012413-1 | 3-Major | BT1012413 | Tmm performance impact for DDoS vector on virtual server when hardware mitigation is enabled |
981145-1 | 4-Minor | BT981145 | DoS events do not include the attack name for "tcp syn ack flood" |
967245-1 | 4-Minor | Incorrect SPVA counter incremented during Sweep attack on profile | |
926425-4 | 4-Minor | BT926425 | Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts |
1465621-2 | 4-Minor | BT1465621 | Destination and Service fields are empty on virtual server Security policies tab |
1404253-2 | 4-Minor | BT1404253 | [NAT-LOGS] PBA Lease Duration suffers from a 32-bit rollover after 50 days |
1366413 | 4-Minor | BT1366413 | Traffic-type for Protected Object was changed from "other" in version 14 to "unresolved" in version 16★ |
1366269-3 | 4-Minor | BT1366269 | NAT connections might not work properly when subscriber-id is confiured. |
1307605-1 | 4-Minor | AFM does not detect NXdomain attack (for DNS express) | |
1277641-1 | 4-Minor | BT1277641 | DoS | i-series | After mitigation of bad destination at profile level, bd_hit is not incrementing for host unreachable vector. |
1273225 | 4-Minor | BT1273225 | Remove DNS Malformed vector at virtual server Level |
1251105-2 | 4-Minor | BT1251105 | DoS Overview (non-HTTP) - A null pointer was passed into a function |
1167953-2 | 4-Minor | BT1167953 | Issue with UI, while opening rule name in Packet Tester to check the rule for the drop reason |
1162661-3 | 4-Minor | BT1162661 | The Bad Actor (BA) hit counter is not updating for ICMP vector during hardware mitigation |
1162149-2 | 4-Minor | BT1162149 | TCP 3WHS being reset due to "No flow found for ACK" while client have received SYN/ACK |
1144417 | 4-Minor | BT1144417 | DoS WL allowed in BIG-IP version 16.1.x if it was configured in a previous version 15.1.x |
1123189-2 | 4-Minor | BT1123189 | De-Provisioning AFM does not disable SYN-ACK cookie generation |
1084901-1 | 4-Minor | BT1084901 | Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh |
1063681-2 | 4-Minor | BT1063681 | PCCD cored, SIGSEGV in pc::cfg::CMessageProcessor::modify_fqdn. |
1052317-3 | 4-Minor | BT1052317 | The BIG-IP system does not output the show security nat source-translation command. |
1038117-2 | 4-Minor | BT1038117 | TMM SIGSEGV with BDoS attack signature |
1033021-2 | 4-Minor | BT1033021 | UI: Partition does not work when clicking through security zones |
1022213-4 | 4-Minor | DDOS: BDOS: Warning messages related to high availability (HA) watchdog seen on system bring up | |
1014609-1 | 4-Minor | BT1014609 | Tunnel_src_ip support for dslite event log for type field list |
Policy Enforcement Manager Issues
ID Number | Severity | Links to More Info | Description |
829657-5 | 2-Critical | BT829657 | Possible TMM crash with a multi-IP PEM subscriber configured with more than 16 IP addresses |
1399017-4 | 2-Critical | PEM iRule commands lead to TMM crash | |
1019481-1 | 2-Critical | BT1019481 | Unable to provision PEM on VELOS platform |
924589-3 | 3-Major | BT924589 | PEM ephemeral listeners with source-address-translation may not count subscriber data |
1584297-1 | 3-Major | BT1584297 | PEM fastl4 offload with fastl4 leaks memory |
1379825 | 3-Major | PEM does not block sites defined to be blocked when webroot DB is not ready and urlcat query lookups has status "Skipped - Webroot License Absent/Expired" | |
1378869-1 | 3-Major | BT1378869 | tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short |
1267269-1 | 3-Major | BT1267269 | The wr_urldbd crashes and generates a core file |
1067449-2 | 3-Major | BT1067449 | PEM Bandwidth Controller policies applied to a user session get stuck with the lowest precedence rule |
1015501-3 | 3-Major | BT1015501 | Changes to DHCP Profile are not used by tmm |
Carrier-Grade NAT Issues
ID Number | Severity | Links to More Info | Description |
751719-5 | 2-Critical | BT751719 | UDP::hold/UDP::release does not work correctly |
1496313-2 | 2-Critical | Use of XLAT:: iRule command can lead to the TMM crash | |
994985-3 | 3-Major | BT994985 | CGNAT GUI shows blank page when applying SIP profile |
1183877-2 | 3-Major | BT1183877 | CGNAT related links are unavailable in Statistics section |
1096317-4 | 3-Major | BT1096317 | SIP msg alg zombie flows |
1023461-2 | 3-Major | BT1023461 | Multiple entries for CGNAT when PBA pools allocation is defined: for each request, a new entry is created |
1317773-3 | 4-Minor | BT1317773 | CGNAT / AFM NAT: "Clients Using Max Port Blocks" counter might be inaccurate |
1128429-5 | 4-Minor | BT1128429 | Rebooting one or more blades at different times may cause traffic imbalance results High CPU |
1034009-4 | 4-Minor | BT1034009 | CGNAT+Subscriber Discovery - NAT IP with wrong route domain on the CGNAT Log |
Fraud Protection Services Issues
ID Number | Severity | Links to More Info | Description |
1075545 | 3-Major | BT1075545 | Changing the datasyncd activation-epoch results in high CPU usage for 24 hours |
1016481-1 | 3-Major | BT1016481 | Special JSON characters in Dom Signatures breaks configuration |
Anomaly Detection Services Issues
ID Number | Severity | Links to More Info | Description |
1481929-2 | 2-Critical | BT1481929 | Possible TMM crash on a race of BADOS and DOSL7 mitigations |
1628065 | 3-Major | BT1628065 | TMM crash upon replacing L7 DOS policy |
1589045-2 | 3-Major | BT1589045 | When the ADMD process becomes unresponsive during the attack, TMM continues to mitigate bad traffic after the attack |
1566921-2 | 3-Major | BT1566921 | Client connection gets reset after upgrade to 17.1.1★ |
1010717-1 | 3-Major | BT1010717 | Default DoS profile creation from tmsh is incorrectly interpreted by DoS profile GUI |
Traffic Classification Engine Issues
ID Number | Severity | Links to More Info | Description |
901041 | 2-Critical | BT901041 | CEC update using incorrect method of determining number of blades in VIPRION chassis★ |
1598421-2 | 3-Major | When uri is added with / at the end and category in a feedlist then the uri is not categorized as expected | |
1581057-3 | 3-Major | BT1581057 | Wr_urldbd IPC memory leak |
1573629-1 | 3-Major | wr_urldbd cloud lookup is not optimal using a connection | |
1184853-3 | 3-Major | YouTube video not classified in the BIG-IP version 16.1.0 | |
1058349-3 | 3-Major | Requirement of new signatures to detect IMO and Google Duo service. | |
941773-1 | 4-Minor | BT941773 | Video resolution mis-prediction |
941765-1 | 4-Minor | BT941765 | Video resolution mis-predictions |
1604377-3 | 4-Minor | BT1604377 | When feed list has multiple URLs with multiple subdomains then url cat-query is not working as expected |
1604021-1 | 4-Minor | BT1604021 | Using CLI, the creation of urlcat-id TMSH command with values 28671 and 65536 must fail, but it is getting created. |
1144329-4 | 4-Minor | BT1144329 | Traffic Intel does not classify Microsoft app properly |
1136893-2 | 4-Minor | BT1136893 | Youtube classification fails |
1103245 | 4-Minor | Policies not being applied |
Device Management Issues
ID Number | Severity | Links to More Info | Description |
718796-7 | 2-Critical | BT718796 | iControl REST token issue after upgrade★ |
663754-1 | 2-Critical | BT663754 | Modifying the default management port can break internal functionality |
996129-3 | 3-Major | BT996129 | The /var partition is full as cleanup of files on secondary is not executing |
880565-5 | 3-Major | BT880565 | Audit Log: "cmd_data=list cm device recursive" is been generated continuously |
717174-5 | 3-Major | BT717174 | WebUI shows error: Error getting auth token from login provider★ |
563144-2 | 3-Major | BT563144 | Changing the system's admin user causes many errors in the REST framework. |
999085-1 | 4-Minor | BT999085 | REST endpoint registration errors in restjavad logs |
1041113 | 4-Minor | BT1041113 | BIG-IP Admin role credentials are not usable for getting device discovered by BIG-IQ |
1474125-2 | 5-Cosmetic | BT1474125 | iControl LX extension packages wrongly tagged as "IAPP" when synced to the HA peer unit |
iApp Technology Issues
ID Number | Severity | Links to More Info | Description |
842193-6 | 3-Major | BT842193 | Scriptd coring while running f5.automated_backup script |
1091505 | 3-Major | BT1091505 | In AGC 8.0 you cannot choose from existing SSL profiles |
Protocol Inspection Issues
ID Number | Severity | Links to More Info | Description |
1307385-2 | 3-Major | BT1307385 | When blade replacement happens, signature config is lost in bigip.conf when IM is loading on a new blade |
1256809-2 | 3-Major | BT1256809 | The tmctl statistics for IPS library table shows unloaded. |
1013777-4 | 3-Major | BT1013777 | An error is encountered when enabling reset-learning to all the signatures of a protocol inspection profile in the GUI. |
1011133 | 3-Major | BT1011133 | Protocol Inspection compliance check 10208 gtp_disallowed_message_types does not take GTP version into account |
1182305-2 | 4-Minor | BT1182305 | Descriptions requested for IPS IDs |
Guided Configuration Issues
ID Number | Severity | Links to More Info | Description |
991829-1 | 3-Major | BT991829 | Continuous connection refused errors in restjavad |
982801-2 | 3-Major | BT982801 | AGC hardening |
In-tmm monitors Issues
ID Number | Severity | Links to More Info | Description |
1481969-3 | 3-Major | BT1481969 | In-tmm monitor marks all pool members down suddenly |
1019261-1 | 3-Major | BT1019261 | In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile. |
1002345-4 | 3-Major | BT1002345 | Transparent monitor does not work after upgrade★ |
788257-5 | 4-Minor | BT788257 | Bigd.mgmtroutecheck setting ignored by in-tmm monitors after bigstart restart |
SSL Orchestrator Issues
ID Number | Severity | Links to More Info | Description |
1253621-1 | 2-Critical | BT1253621 | Remote logging SSL Orchestrator Audit logs when running in the Appliance mode |
1589269-1 | 3-Major | BT1589269 | The maximum value of sys db provision.extramb was reduced from 8192 to 4096 MB★ |
1497665-2 | 3-Major | BT1497665 | Certain urldb glob-match patterns are now slower to match |
1294709-1 | 4-Minor | BT1294709 | SSL Orchestrator ICAP service changes do not propagate to the GUI/CLI |
1270849 | 5-Cosmetic | BT1270849 | SSL Orchestrator enables "Bypass on Handshake Alert" and "Bypass on Client Certificate Failure" for Client SSL profiles |
Known Issue details for BIG-IP v16.1.x
999709-6 : iRule 'pool'/'virtual' commands not triggered in CLIENT_ACCEPTED with HTTP/2.
Links to More Info: BT999709
Component: Local Traffic Manager
Symptoms:
The 'pool'/'virtual' iRule commands cause the specified pool to be used directly. However, with HTTP/2, the 'pool'/'virtual' command may fail to execute within the CLIENT_ACCEPTED event. This results in no traffic being sent.
Conditions:
-- A 'pool'/'virtual' command is used under CLIENT_ACCEPTED event.
-- An HTTP/2 profile applied to virtual server.
-- The HTTP/2 protocol in use.
-- HTTP/2 Message Routing is disabled.
Impact:
With HTTP/2 configured, the iRule 'pool'/'virtual' commands fail to execute within the CLIENT_ACCEPTED event, causing no traffic to be sent to the desired pool/virtual.
Workaround:
As a workaround, you may use HTTP_REQUEST event instead of CLIENT_ACCEPTED in iRule syntax.
999669-1 : Some HTTPS monitors are failing after upgrade when config has different SSL option★
Links to More Info: BT999669
Component: Local Traffic Manager
Symptoms:
Some HTTPS monitors are failing after upgrade when the config has different SSL option properties for different monitors.
Conditions:
-- Individual SSL profiles exist for different HTTPS monitors with SSL parameters.
-- A unique server SSL profile is configured for each HTTP monitor (one with cert/key, one without).
Impact:
Some HTTPS monitors fail. Pool is down. Virtual server is down.
Workaround:
None
999085-1 : REST endpoint registration errors in restjavad logs
Links to More Info: BT999085
Component: Device Management
Symptoms:
Errors are logged to /var/log/restjavad.0.log at the SEVERE log level:
[SEVERE]... [IcrWorker] Unable to register iControl endpoint "/xxxx/xxxx". Error: uriPath '/tm/xxxx/xxxx' already registered
Conditions:
The system reports these errors during startup of the restjavad service because of multiple registrations of the same endpoint.
Impact:
There is no functional impact and these errors can be ignored.
Workaround:
None
998649-1 : Hostnames that contain a period are logged incorrectly
Links to More Info: BT998649
Component: TMOS
Symptoms:
Sylog-ng uses the hostname (machine name) and truncates it starting at the first '.' (period). This results in hostnames that contain a period being logged incorrectly (for example, 'my.hostname' is logged as 'my' by syslog-ng).
Additionally, hostnames are being truncated in bootmarker logs and the ltm, apm, apm, ipsec, saas, and fw_log that are sourced from TMM.
Three sub-bugs BZ1076909, BZ1076921, BZ1080317 are created and BZ998649 is the base bug for tracking the above three issues.
Conditions:
Hostname contains a period '.' (For example 'my.hostname').
Impact:
Some logs that go directly to syslog-ng use a truncated hostname. Logs sourced from TMM uses truncated hostname.
Workaround:
None.
998253-4 : SNI configuration is not sent via HTTPS when in-tmm monitors are disabled
Links to More Info: BT998253
Component: Local Traffic Manager
Symptoms:
The Server Name Indication (SNI) extension is missing on the HTTPS handshake.
Conditions:
-- Global in-tmm monitors are disabled
-- HTTPS monitor traffic
Impact:
The HTTPS client-server handshake occurs without a TLS SNI.
Workaround:
None
997541-5 : Round-robin GRE Disaggregator for hardware and software
Links to More Info: BT997541
Component: TMOS
Symptoms:
GRE tunnel traffic is pinned to one CPU.
Conditions:
GRE traffic is passed through BIG-IP system.
Impact:
Traffic is pinned to one CPU and overall performance is degraded.
Workaround:
None
997357-1 : iRule command "SSL:session invalidate" not working as expected
Links to More Info: BT997357
Component: Local Traffic Manager
Symptoms:
The iRule command "SSL:session invalidate" allows session resumption to happen. Session resumption not supposed to occur when this iRule command is used in an iRule.
Conditions:
"SSL:session invalidate" is used in the iRule event HTTP_REQUEST
Impact:
Session resumption would happen where the iRule is used with "SSL:session invalidate" included which is not supposed to occur
Workaround:
Session resumption should be disabled in SSL profiles
997169-2 : AFM rule not triggered
Links to More Info: BT997169
Component: Advanced Firewall Manager
Symptoms:
An AFM rule is not triggered when it should be.
Conditions:
-- Source and destination zone configured
-- A gateway pool is used in the route
Impact:
A firewall rule is not triggered and the default deny rule is used.
Workaround:
Alter the route to use an IP address and not a pool.
996985-1 : No IP address format validation while adding IP addresses in IPv4 LAN Address Space or IPv4 Exclude Address Space when configuring Network Access Resource.
Links to More Info: BT996985
Component: Access Policy Manager
Symptoms:
IP address format is not properly validated for IPv4 LAN Address Space and IPv4 Exclude Address Space fields which may lead to misconfiguration when IPv6 addresses are configured in this fields.
Conditions:
This can occur if you misconfigure the IPv4 LAN Address Space or IPv4 Exclude Address Space fields by adding IPv6 addresses while configuring Network Access Resource.
Impact:
This may cause the split tunnel to malfunction.
Workaround:
Correct the configuration by removing IPv6 Addresses in IPv4 LAN Address Space or IPv4 Exclude Address Space.
996977-1 : No IP address format validation while adding IP addresses in IPv6 LAN Address Space or IPv6 Exclude Address Space when configuring Network Access Resource.
Links to More Info: BT996977
Component: Access Policy Manager
Symptoms:
IP address format is not properly validated for IPv6 LAN Address Space and IPv6 Exclude Address Space fields which may lead to misconfiguration when IPv4 addresses are configured in this fields.
Conditions:
This can occur if you misconfigure the IPv6 LAN Address Space or IPv6 Exclude Address Space fields by adding IPv4 addresses while configuring Network Access Resource.
Impact:
This may cause the split tunnel to misfunction.
Workaround:
Correct the configuration by removing IPv4 Addresses in IPv6 LAN Address Space or IPv6 Exclude Address Space.
996261-1 : Zrd in restart loop with empty named.conf
Links to More Info: BT996261
Component: Global Traffic Manager (DNS)
Symptoms:
The zrd process enters a restart loop:
logger[20015]: Re-starting zrd
Conditions:
This occurs when /var/named/config/named.conf is empty.
Impact:
The zrd process enters a restart loop. If the device is in a sync group, zrd enters a restart loop on all devices.
Workaround:
Restore content to the named.conf file.
996145-1 : After UCS restore on HA pair, one of the devices is missing folder /var/config/rest/iapps/f5-iappslx-ssl-orchestrator
Links to More Info: BT996145
Component: TMOS
Symptoms:
After restoring via UCS file, the SSL Orchestrator page reads:
Not Found
The requested URL was not found on this server
Conditions:
-- Devices are in a high availability (HA) pair
-- SSL Orchestrator deployed
-- A UCS file is loaded
Impact:
SSL Orchestrator is not available.
/var/config/rest/iapps/f5-iappslx-ssl-orchestrator is not restored correctly during UCS load.
Workaround:
Restore the UCS file again
996129-3 : The /var partition is full as cleanup of files on secondary is not executing
Links to More Info: BT996129
Component: Device Management
Symptoms:
The system does not boot because the /var partition is full.
Conditions:
This may be observed on multi-blade vCMP guests and hosts, as well as on multi-blade tenants.
Impact:
The partition housing /var/config/ may become 100% full, impacting future disk IO operation and it may cause unexpected traffic disruption.
Workaround:
None
995605-2 : PVA accelerated traffic does not update route domain stats
Links to More Info: BT995605
Component: TMOS
Symptoms:
PVA accelerated traffic does not update route domain stats
Conditions:
-- PVA accelerated traffic.
-- Viewing the route domain stats.
Impact:
The route domain stats may be inaccurate
Workaround:
Use the virtual server stats or ifc_stats instead.
995369-1 : DNSSEC manual key created with other algorithms ends up using RSA/SHA1 algorithm
Links to More Info: BT995369
Component: Global Traffic Manager (DNS)
Symptoms:
Generated DNSSEC keys always use RSA/SHA1 algorithm.
Conditions:
DNSSEC keys are generated with manual key management method.
Impact:
You are unable to create DNSSEC keys with other algorithms.
Workaround:
Choose automatic key management method.
994985-3 : CGNAT GUI shows blank page when applying SIP profile
Links to More Info: BT994985
Component: Carrier-Grade NAT
Symptoms:
The virtual server properties GUI page shows blank when a SIP profile is applied to the virtual server.
Conditions:
-- Create virtual server and attach a SIP profile.
-- Navigate to virtual server properties page.
Impact:
The virtual server properties page does not display the configuration.
Workaround:
None.
994365-1 : Inconsistency in tmsh 'object mode' for some configurations
Links to More Info: BT994365
Component: TMOS
Symptoms:
Tmsh does not support object mode when modifying certain configurations, such as the node configuration. This results in misleading error 'not found' even though the configuration is available.
Conditions:
Modify node config results in error, even though the config is present.
# Node Object 'example' is created successfully
(tmos)# create ltm node example address 1.2.3.4
# On modifying the node 'example', tmsh gives error
(tmos)# modify ltm node example
Data Input Error: node "example" not found
The modify command does work when a property is specified:
(tmos)# modify ltm node example description "Node 1234"
Impact:
Inconsistent tmsh syntax when using 'object mode' for modifying the configuration.
Workaround:
Use 'tmsh modify' commands, or the GUI, to make the required changes without 'entering' the object in tmsh.
994361-2 : Updatecheck script hangs/Multiple updatecheck processes
Links to More Info: BT994361
Component: TMOS
Symptoms:
Multiple updatecheck and 'rpm -qf' processes running simultaneously.
Updatecheck is not functional
Conditions:
Updatecheck is run periodically via a cronjob. Updatecheck runs 'rpm -qf' command.
Impact:
Due to that 'rpm -qf' command hangs. This causes multiple updatecheck and 'rpm -qf' processes. High CPU and memory usage.
The most likely explanation is that rpmdb has gotten corrupted.
Workaround:
To rebuild rpmdb:
1. Halt all running updatecheck and 'rpm -qf' processes.
2. Run these commands:
rm /var/lib/rpm/__db*
rpm --rebuilddb
994221-1 : ZoneRunner returns error 'Resolver returned no such record'
Links to More Info: BT994221
Component: Global Traffic Manager (DNS)
Symptoms:
ZoneRunner returns error 'Resolver returned no such record'.
Conditions:
When trying to retrieve TXT records with single backslash.
Impact:
Not able to manage TXT record.
Workaround:
Use double backslashes to retrieve TXT records.
994081-1 : Traffic may be dropped with an Immediate idle timeout setting
Links to More Info: BT994081
Component: Local Traffic Manager
Symptoms:
When the idle timeout is set to Immediate, flows may be expired while packets are buffered. Buffered packets are dropped. This can impact iRules and non-standard L4 virtual servers.
Conditions:
-- idle timeout set to Immediate.
-- iRules are configured
-- performance l4, ip forwarding, l2 forwarding virtual servers are used.
-- debug tmm is in use
Impact:
Traffic is dropped.
Workaround:
You can use either workaround:
-- Configure a standard L4 virtual server.
-- Consider removing iRules.
994013-1 : Modifying bot defense allow list via replace-all-with fails with match-order error
Links to More Info: BT994013
Component: Application Security Manager
Symptoms:
An error occurs when modifying the allow list (or in case of 'load sys config verify' with similar configuration):
01b90026:3: Bot defense profile (/Common/bot-defense-device-id-generate-before-access) error: match-order should be unique.
Conditions:
-- Either modification via replace-all-with:
tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist replace-all-with { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 { match-order 2 source-address ::/32 url /bar } }
-- Or delete all, add, save and load-verify:
tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist delete { all }
tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist add { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 {match-order 2 source-address ::/32 url /bar}}
tmsh save sys config
load sys config verify
Impact:
You are unable to add-replace the bot defense allow list configuration
Workaround:
You can use either of the following workarounds:
-- Change match-order of defaults in profile_base.conf to use match-order 3 and up (and load config).
-- Change match-order of custom modify command (to continue with match-order 3 and up).
992449-1 : The vCMP host does not report the correct number of guest CPUs on the guest page of the GUI
Links to More Info: BT992449
Component: TMOS
Symptoms:
The total number of cores for a multi-slot vCMP guest is not shown correctly on the GUI page for a vCMP guest.
Conditions:
-- vCMP Host on VIPRION platforms with multiple blades.
-- vCMP guest spanning two or more blades.
Impact:
Incorrect number of cores listed.
-- The vCMP :: Guest List page shows all cores for all slots.
-- The vCMP -> Guest List specific_guest page shows only cores for that guest's slot.
Workaround:
View the Guest List page to see a graphical representation of the number of cores per guest.
992253-4 : Cannot specify IPv6 management IP addresses using GUI
Links to More Info: BT992253
Component: TMOS
Symptoms:
You are unable to set the IPv6 mgmt IP address using the GUI, even if the IPv6 address format is a not a short address. When you submit the change, the field is empty.
Conditions:
Attempt to set up IPv6 management address using the GUI
Impact:
You are unable to configure IPv6 management addresses using the GUI.
Workaround:
Use tmsh:
tmsh create sys management-ip <address>/<netmask>
tmsh create sys management-route default-inet6 <address>
992241-3 : Unable to change initial admin password from GUI after root password change
Links to More Info: BT992241
Component: TMOS
Symptoms:
While trying to change the admin password from GUI, an error occurs:
-- Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.
Conditions:
-- Change the password for the root user the first time, before the admin password has been changed. This action sets both the root and admin password at the same time.
-- Navigate to the GUI and attempt to update the admin password.
Impact:
GUI password change fails.
Workaround:
You can use either of the following workarounds:
-- Change the password admin via the GUI before changing the root admin via ssh.
-- After changing the root password, use tmsh to set the admin password using the command:
modify auth user admin password.
992233-1 : DNS DoS profile (Error Vector) does not mitigate/detect at the virtual server level.
Links to More Info: BT992233
Component: Advanced Firewall Manager
Symptoms:
The GUI makes it appear as if the DNS malformed vector can be configured at the virtual server level when it cannot be.
Conditions:
Using the GUI to configure DoS vectors in the virtual server context.
Impact:
The GUI allows you configure something that does not actually work.
Workaround:
None
992113-2 : Page allocation failures on VIPRION B2250 blades
Links to More Info: BT992113
Component: TMOS
Symptoms:
Page allocation failure warnings in kern.log similar to the following example:
kswapd0: page allocation failure: order:2, mode:0x104020
Conditions:
This issue is known to occur on the following VIPRION blade models:
- B2250 (A112)
but its other triggering conditions are not yet understood.
Impact:
The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
992053-4 : Pva_stats for server side connections do not update for redirected flows
Links to More Info: BT992053
Component: TMOS
Symptoms:
Pva_stats for server side connections do not update for the re-directed flows
Conditions:
-- Flows that are redirected to TMM.
-- Server flows are offloaded to PVA.
Impact:
PVA stats do not reflect the offloaded flow.
Workaround:
None
991929-3 : AJAX Blocking Page causes an AJAX response callback to be called twice
Links to More Info: BT991929
Component: Application Security Manager
Symptoms:
A single page application functions incorrectly after enabling Single page application in a Bot Defense profile.
Conditions:
-- ASM provisioned
-- ASM policy and Bot Defense profile attached to a virtual server
-- Single page application enabled in Bot Defense profile
-- AJAX blocking page enabled in an ASM policy
Impact:
Single page application AJAX request does not make it to the backend server.
Workaround:
Disable AJAX blocking page in the ASM policy.
991829-1 : Continuous connection refused errors in restjavad
Links to More Info: BT991829
Component: Guided Configuration
Symptoms:
Continuous connection refused errors observed in restjavad.
[com.f5.rest.workers..AsmConfigWorker] nanoTime:[879945045679087] threadId:[63] Exception:[org.apache.thrift.transport.TTransportException: java.net.ConnectException: Connection refused (Connection refused)
[8100/tm/asm/owasp/task OWASPTaskScheduleWorker] Unexpected exception in getting all the polcies: org.apache.thrift.transport.TTransportException: java.net.ConnectException: Connection refused (Connection refused)
Conditions:
The errors are observed regardless of ASM provisioning.
Impact:
-- This issue causes a noisy log file of restjavad.
-- This issue may cause the restart of restjavad due to out of memory error if the restjavad heap size is very low, such as 192MB.
Workaround:
None
991765-3 : Inheritance of staging_period_in_days from policy template
Links to More Info: BT991765
Component: Application Security Manager
Symptoms:
Enforcement readiness period of newly created Policy does not get its value from Policy Template.
Conditions:
Creating new ASM Policy from a template with an Enforcement readiness period different from the default (default is 7).
Impact:
Newly created policy has an incorrect configuration.
Workaround:
Create the Policy using tmsh or REST API.
991265-3 : Persistence entries point to the wrong servers for longer periods of time
Links to More Info: BT991265
Component: Local Traffic Manager
Symptoms:
Persistence entries point to the wrong servers for a longer than expected.
Conditions:
A pool member goes down, causing the persistence entry to change to a new pool member. Then, the pool member comes back up.
Impact:
The persistence entry does not change to the pool member that came back up. It does not expire as client requests using this cookie continue to refresh the persistence entry that goes to the wrong server.
This can delay recovery of the pool members when they are marked down for regular maintenance, or if all pool members are cycled up/down periodically, it causes persistence entries to point to the wrong servers for longer periods of time than necessary.
Workaround:
None.
990929-2 : Status of GTM monitor instance is constantly flapping
Links to More Info: BT990929
Component: Global Traffic Manager (DNS)
Symptoms:
Status of GTM monitor instance is constantly flapping.
Conditions:
GTM devices in a GTM sync group configured with IP addresses that can not communicate with each other.
Impact:
Resources are marked offline constantly.
Workaround:
Remove from the GTM server object definition the IP addresses that do not communicate with each other.
990853-1 : Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway.
Links to More Info: BT990853
Component: TMOS
Symptoms:
The mcpd daemon restarts on all secondary VIPRION blades after logging error messages similar to the following example to the /var/log/ltm file:
-- err mcpd[6250]: 0107098a:3: The ip address (10.10.10.3%1) for a VCMP Mgmt IP in partition () references a route domain (1) in a different partition (part1). Objects may only reference objects in the same or the 'Common' partition
-- err mcpd[6250]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107098a:3: The ip address (10.10.10.3%1) for a VCMP Mgmt IP in partition () references a route domain (1) in a different partition (part1). Objects may only reference objects in the same or the 'Common' partition... failed validation with error 17238410.
Conditions:
-- Multi-blade VIPRION system provisioned as vCMP host.
-- The system is configured with partitions using non-default route-domains.
-- Using the GUI, an Administrator attempts to modify the management IP address or management gateway of a vCMP guest.
-- A non-Common partition is selected in the GUI Partition drop-down menu when making the change.
Impact:
MCPD restarts, causing all other daemons on the blade to restart as well. The vCMP guests running on the affected blades suffer an outage and are unable to process traffic while the daemons restart.
Workaround:
Ensure that when you make management IP address or gateway changes to a vCMP guest, you do so while the Common partition is selected in the GUI.
990173-1 : Dynconfd repeatedly sends the same mcp message to mcpd
Links to More Info: BT990173
Component: Local Traffic Manager
Symptoms:
If dynconfd sends a single message to mcpd containing two or more operations, and one of the operations fails mcpd validation, dynconfd repeatedly sends same message to mcpd.
An example of two operations in one mcp message would be an ephemeral node creation and an ephemeral pool member creation in a single mcp message.
Once one such message fails, dynconfd repeatedly attempts to resend the same message. In addition, at the next DNS query interval, dynconfd may create one or more new instances of such messages, which may each be retried if they fail. The result can cause an increasing accumulation of MCP messages sent by dynconfd which must be processed by mcpd.
Conditions:
This can occur when:
-- Using FQDN nodes and FQDN pool members.
-- There is an additional issue where the message from dynconfd fails validation within mcpd (e.g., a misconfiguration in which the monitor assigned to the pool is configured with a wildcard destination and the pool member is added to the pool with a port of '0' or 'any'.
Impact:
MCP messages from dynconfd which fail due to an error might cause the population of ephemeral nodes and pool members to fail and become out of sync with what the DNS server is resolving.
By repeatedly resending the same messages, which fail repeatedly, dynconfd causes increased mcpd CPU utilization.
Eventually, the load caused by processing an increasing accumulation of MCP messages may cause increasing and excessive memory usage by mcpd and a possible mcpd core, or may cause mcpd to become busy and unresponsive and be killed/restarted by SOD.
Workaround:
Examine the LTM logs for mcpd error messages indicating failed attempts to create ephemeral nodes or ephemeral pool members, and resolve the cause of the failed node or pool-member creation.
989937-2 : Device Trust Certificates Expiring after 2038-01-19 show date of 1969 or 1970
Links to More Info: BT989937
Component: TMOS
Symptoms:
If you import a Certificate into the Device Trust Certificates that expires after 2038-01-19, the system GUI shows an expiration date of 1969 or 1970 depending on timezone setting.
Conditions:
Certificate expiring on/after 2038-01-19T03:14:08Z.
Impact:
The expiration date in the GUI shows 1969 or 1970. This does not impact iquery or device function.
Workaround:
You can use the command line interface to view the certificate:
$ cd /config/big3d
$ openssl crl2pkcs7 -nocrl -certfile client.crt | openssl pkcs7 -print_certs -noout -text | grep "Issuer:\|Subject:\|Not Before:\|Not After :"
988745-4 : On reboot, 'could not find platform object' errors may be seen in /var/log/ltm
Links to More Info: BT988745
Component: TMOS
Symptoms:
During a reboot, several error messages are logged in /var/log/ltm:
-- err mcpd[9401]: 01070710:3: Database error (0), get_platform_obj: could not find platform object - sys/validation/Platform.cpp, line 188.
-- err chmand[6578]: 012a0003:3: hal_mcp_process_error: result_code=0x1070710 for result_operation=eom result_type=eom
Conditions:
This occurs when either of the following conditions is met:
-- A fresh installation of a BIG-IP system.
-- A reboot after forcing the mcpd process to reload the BIG-IP configuration,
Impact:
There is no functional impact to these error messages.
Workaround:
None.
988645-4 : Traffic may be affected after tmm is aborted and restarted
Links to More Info: BT988645
Component: TMOS
Symptoms:
Traffic may be affected after tmm is aborted and restarted.
/var/log/tmm contains a lot of "DAG Proxy failed" messages.
Conditions:
-- A BIG-IP device is deployed in a VELOS tenant
-- Tmm aborts and restarts for some reason.
Impact:
Traffic disrupted while tmm restarts. Traffic may be disrupted even after tmm has restarted.
Workaround:
Reboot the tenant
987949-2 : Error messages erroneously generated during boot up★
Links to More Info: BT987949
Component: TMOS
Symptoms:
During boot up, error messages are found in /var/log/ltm:
Could not retrieve DB variable for (provision.datastor): status 0xff00
Write F5 license shared memory device failed err = -5
Dossier data not available from hypervisor.
Database error (0), get_platform_obj: could not find platform object -
hal_mcp_process_error: result_code= for result_operation=eom result_type=eom
Setting /sys/kernel/debug/x86/ibpb_enabled failed. Request ibpb=0 ignored
Blade 2 turned RED: Quorum: perfect time sync, high availability (HA) TABLE offline
Device error: init Cannot get pci config register data for device 00:0e:00
Conditions:
Upgrade BIG-IP software to version 14.1.4.
Impact:
There is no impact on functionality and the error message can be ignored.
Workaround:
None
987709-6 : Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partition
Links to More Info: BT987709
Component: Global Traffic Manager (DNS)
Symptoms:
GTM config fails to load with errors similar to this:
01070726:3: Pool 5 /Common/cnamepool1 in partition Common cannot reference GTM wideip pool member 5 /Common/cnamepool1 gslb.mycompany.com /App2/gslb.mycompany.com 1 in partition App2
Unexpected Error: Loading configuration process failed
Conditions:
There is a wide IP with the same name in another partition as the static target CNAME pool member.
Impact:
Gtm config fails to load.
Workaround:
Create the wide IP first and then add the static target CNAME pool member.
987637-3 : DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware
Links to More Info: BT987637
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems mitigate traffic on all of the IP addresses in an address list when certain DoS vectors are detected on a virtual server.
Conditions:
-- BIG-IP hardware platform equipped with Neuron (BIG-IP iSeries)
-- Virtual server configured with a DoS profile
-- Flood traffic reaches the virtual server
Impact:
For Neuron-supported hardware, virtual servers with subnet destinations are not properly mitigated when flood vectors are detected.
Workaround:
None
987605-3 : DDoS: ICMP attacks are not hardware-mitigated
Links to More Info: BT987605
Component: Advanced Firewall Manager
Symptoms:
ICMP/Fragments attacks against a virtual server with a DOS profile are not mitigated by hardware.
Conditions:
ICMP/Fragments attacks mitigation/detection is configured on a virtual system with neuron-capable hardware.
Impact:
ICMP/Fragments attacks mitigation/detection is handled in software. A large volume of attack traffic can spike the tmm CPU.
Workaround:
None
987453-3 : Bot Defense browser verification fails upon iframes of different top-level domains
Component: Application Security Manager
Symptoms:
When using Bot Defense on a page which has an iframe to a different top-level domain, the iframe may fail to load.
Conditions:
Page has an iframe on a different top-level domain than that of the main page. Note that iframes with different sub-domains are not impacted.
Impact:
Page resources may fail to load.
Workaround:
None
987401-1 : Increased TMM memory usage on standby unit after pool flap
Links to More Info: BT987401
Component: Local Traffic Manager
Symptoms:
TMM memory usage on a BIG-IP standby device might be substantially higher than an active device.
Conditions:
Standby device with UDP mirroring traffic and datagram-load-balancing disabled.
Impact:
The standby device may not be able to take over traffic when failover happens.
Workaround:
None.
987081-1 : Alarm LED remains active on Secondary blades even after LCD alerts are cleared
Links to More Info: BT987081
Component: TMOS
Symptoms:
When a condition occurs which causes an alert message to be logged to the LCD display for a VIPRION chassis, the Alarm LED on the blade where the condition was reported may be set (to solid or flashing amber or red) according to the severity of the reported condition.
When the LCD alert messages are cleared, the Alarm LED on the Primary blade in the chassis will be cleared (or set according to remaining alert messages if only a subset of messages are cleared).
However, the Alarm LED on the Secondary blades in the chassis will not be cleared, and will continue to indicate the highest severity of the previously reported alert messages.
Conditions:
This occurs when:
-- A condition is reported by a Secondary blade in the chassis which causes its Alarm LED to be set (to solid or flashing amber or red) and a message logged to the chassis LCD display.
-- The LCD alert messages are cleared, such as by issuing the 'tmsh reset-stats sys alert lcd' command.
Impact:
The Alarm LED on one or more Secondary blades in the chassis continues to indicate an alert condition even after the previously reported alert messages have been cleared.
Workaround:
To restore the Secondary blade LEDs to their proper state, restart the fpdd daemon on each affected blade.
For example, if the Alarm LED is not reset on the blade in slot 4, issue one of the following commands from the console of the Primary blade in the chassis:
-- clsh --slot=4 "bigstart restart fpdd"
-- ssh slot4 "bigstart restart fpdd"
Alternately, you may log in to the console of the affected blade and issue the 'bigstart restart fpdd' command directly.
Note, restarting fpdd daemon on a secondary blade will leave Secondary and Status LED uninitialized. After restarts are completed on secondary blades it is recommended to perform fpdd restart on a primary blade.
986821-1 : Command 'run util bash' event is not captured in log when initially executed
Links to More Info: BT986821
Component: TMOS
Symptoms:
The initiation of 'run util bash' is not captured in the audit log (/var/log/audit)
Conditions:
Run 'run util bash' command in tmsh mode.
Impact:
The timestamp for a 'run util bash' command will occur when the subshell exits, not when the subshell is first executed. It is difficult to determine when the bash subshell started.
Workaround:
None
985749-1 : TCP exponential backoff algorithm does not comply with RFC 6298
Links to More Info: BT985749
Component: Local Traffic Manager
Symptoms:
The algorithms used for TCP exponential backoff are different for SYN and non-SYN packets.
Conditions:
Using TCP.
Impact:
Retransmission timeout interval depends on the inclusion/exclusion of SYN flag.
Workaround:
None
985401-1 : ProxySSL virtual servers should work with web acceleration (ramcache) profiles attached
Links to More Info: BT985401
Component: Local Traffic Manager
Symptoms:
Attempting to attach a web acceleration profile to a virtual server that has an SSL profile with ProxySSL enabled will result in the following validation error:
A validation error similar to:
01070734:3: Configuration error: Proxy SSL is not compatible with Web Acceleration profile on Virtual Server (<virtual server name>).
Conditions:
-- Virtual server using an SSL profile with ProxySSL enabled.
-- Attaching a web acceleration (webacceleration) profile to the virtual server.
Impact:
Unable to use the web acceleration profile with ProxySSL virtual servers.
Workaround:
Avoid using ProxySSL virtual servers with web acceleration (ramcache) profiles attached.
984897-1 : Some connections performing SSL mirroring are not handled correctly by the Standby unit.
Links to More Info: BT984897
Component: Local Traffic Manager
Symptoms:
Some of the connections performing SSL mirroring do not advance through TCP states as they should on the Standby unit.
Additionally, these connections do not get removed from the connection table of the Standby unit when the connections close. Instead, they linger on until the idle timeout expires.
Conditions:
A virtual server configured to perform SSL connection mirroring.
Impact:
Should the units fail over, some connections may not survive as expected.
Additionally, given a sufficient load and a long idle timeout, this could cause unnecessary TMM memory utilization on the Standby unit.
Workaround:
None.
984765-2 : APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)★
Links to More Info: BT984765
Component: Access Policy Manager
Symptoms:
NTLM User logon authentication fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) from the Active Directory (AD) server.
Conditions:
-- Upgrading from legacy versions to BIG-IP v14.1.2 or later.
-- AD servers are updated with latest security patches from Microsoft.
Impact:
NTLM Authentication fails after a week. APM end user client logon (such as Outlook users, Remote Desktop Users, and Browser-based NTLM Auth logons that use BIG-IP APM as forward/reverse proxy) fails, and the service is down.
Workaround:
To resolve the issue temporarily, use either of the following:
-- Reset the NTLM Machine Account with the 'Renew Machine Password' option.
-- Run the command:
bigstart restart nlad
The problem can reappear after a week, so you must repeat these steps each time the issue occurs.
984521-4 : Accept-Encoding header is stripped by Bot Defense profile in case of incompatible file extension and a dot in the file name
Links to More Info: BT984521
Component: Application Security Manager
Symptoms:
Bot Defense profile checks if a page is not an HTML page by checking the file extension (among other ways).
In case the filename contains a dot (.) - the parsing is wrong and it is not detected as incompatible. As a result, the Accept-Encoding header is removed (to allow injection in the response).
Conditions:
-- Bot Defense profile is attached to s virtual server configured with any response injection (Device ID, Browser Verification, or Single Page Application).
Request is sent to an incompatible file extension (one of gif,png,bmp,jpg,ico,css,mp3,mp4,mpg,avi,wmv,mov,3gp,fla,swf,js), and filename contains a dot (.).
Impact:
Accept-Encoding header is removed, causing the server to not send a gzipped response.
Workaround:
Add this specific URL to sys db:
dosl7.parse_html_excluded_urls
984449-2 : Unnecessary swagger validation violation may raise due to behavioral WAF parameter traps that have identical name
Links to More Info: BT984449
Component: Application Security Manager
Symptoms:
An unnecessary swagger validation violation may be raised about illegal parameters which is actually the parameter trap that was injected by ASM and failed to be ignored by the enforcer. Only one of these parameter traps will be ignored - enforcement will be avoided for it. Expected behavior is to avoid enforcement for both parameters traps.
Conditions:
Security team provide 2 traps with type parameter and with identical name but with different values. In adition one of these parameter traps was injected by ASM to the web-page.
Impact:
Unecessary swagger validation violation may raise regarding one of these parameters traps and request may be blocked, instead of ignoring swagger enforcement for both parameters traps.
Workaround:
None.
982801-2 : AGC hardening
Links to More Info: BT982801
Component: Guided Configuration
Symptoms:
AGC does not follow current best practices.
Conditions:
- APM is provisioned
- AGC used for Azure AD Application
Impact:
AGC does not follow current best practices.
Workaround:
N/A
981777-1 : APM can sometimes reset client connections with POST body greater than 64k bytes
Links to More Info: BT981777
Component: Access Policy Manager
Symptoms:
Clients trying to send POST messages with a body greater than 64k bytes get reset from APM.
Conditions:
POST Body sent by the client is greater than 64k.
Impact:
Clients are unable to send POST requests greater than 64k bytes of data.
Workaround:
None
981485-6 : Neurond enters a restart loop after FPGA update.
Links to More Info: BT981485
Component: TMOS
Symptoms:
After FPGA firmware upgrade, the neurond process might enter a restart loop, unable to recover.
When the problem is present you might see logs similar to:
-- notice chmand[6674]: 012a0005:5: FPGA PNP FW upgrade check: req type 0, file:Latest
-- notice chmand[6674]: 012a0005:5: FPGA: Requesting type: 0, vers: Latest
-- notice chmand[6674]: 012a0005:5: FPGA: current type: 2, vers: hsb_5SGXEA7H2F35C2_t37dc_1d10_v5.23.5.0_d20.06.11.00.bit
-- notice chmand[6674]: 012a0005:5: FPGA: match for type: 0, vers: hsb_5SGXEA7H2F35C2_t37dc_1d10_v5.6.7.0_d20.06.11.00.bit
-- notice chmand[6674]: 012a0005:5: removed /var/db/mcpdb.* FPGA current disk firmware updated to: /L7L4_BALANCED_FPGA type: 0
-- notice chmand-fpga-pnp[17551]: Stopping TMM, BCM56xxd, and neurond
-- notice logger[17553]: /bin/bash /etc/init.d/fw_pnp_upgrade upgrade restart ==> /usr/bin/bigstart stop tmm bcm56xxd neurond
Conditions:
FPGA firmware mismatch, leading to FPGA firmware upgrade.
Impact:
Enhanced flow acceleration provided by the Neuron chip cannot be utilized.
Workaround:
Perform a full system restart.
981145-1 : DoS events do not include the attack name for "tcp syn ack flood"
Links to More Info: BT981145
Component: Advanced Firewall Manager
Symptoms:
BIG-IQ does not display the attack name for a 'tcp syn ack flood' attack.
Conditions:
DoS on BIG-IP enabled to address 'tcp syn ack flood' attack.
Impact:
Lack of DoS attack information. The mitigation occurs as expected. Only the notification information is missing.
Workaround:
None.
979045-1 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms
Links to More Info: BT979045
Component: TMOS
Symptoms:
After installing an Engineering Hotfix version of BIG-IP v14.1.0 or later, certain BIG-IP hardware systems. The Trusted Platform Module (TPM), status is showing as INVALID.
Conditions:
This may occur:
-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
- ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
- ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
- ID963017 (https://cdn.f5.com/product/bugtracker/ID963017.html)
-- The issue is observed only on the following platforms:
- i11600 / i11800
- i11400-DS / i11600-DS / i11800-DS
Impact:
The TPM status INVALID indicates that the system integrity is compromised when it is actually valid.
Workaround:
None.
978953-3 : The value of the sys db variable vlan.backplane.mtu intermittently out-of-sync with the value of the MTU of the kernel interface tmm_bp during the initial boot up
Links to More Info: BT978953
Component: Local Traffic Manager
Symptoms:
During the initial boot of the device the MTU of the tmm_bp kernel interface is out-of-sync with the value of sys db vlan.backplane.mtu as well as out-of-sync with the MTU displayed by the following command:
tmsh show /net vlan all-properties -hidden.
tmsh list net vlan tmm_bp all-properties -hidden.
Additionally, running the following command:
modify sys db vlan.backplane.mtu value <some value> (within the range accepted), and saving the configuration change does not last through a reboot.
Conditions:
This issue occurs on the first boot intermittently.
Impact:
When the values are seen at non-sync, after the modification of the backplane vlan mtu and saving the config, changing the mtu config value does not last through a reboot.
Workaround:
Rebooting the device resolves the issue
977953-3 : Show running config interface CLI could not fetch the interface info and crashes the imi
Links to More Info: BT977953
Component: TMOS
Symptoms:
The confd command 'show running-config' does not display interface information if nsm and bgpd are the only processes running.
If you run 'show running-config interface', imi crashes.
Conditions:
1. nsm and bgpd are the daemons running.
2. Run the "show running-config" command
Impact:
Imish cannot retrieve interface information from the show running-config command.
Workaround:
* Enable OSPF. For example,
# tmsh modify /net route-domain 0 routing-protocol add { BGP OSPFv3 }
# ps -ef | egrep -i ospf
root 11954 4654 0 11:25 ? S 0:00 ospf6d%0
977681-3 : Incorrect error message when changing password using passwd
Links to More Info: BT977681
Component: TMOS
Symptoms:
When using the 'passwd' utility from the command line to change a user password, the error message on why the new password is not accepted is wrong.
Instead of the actual reason why the new password is not accepted, the following message is printed:
"passwd.bin: Have exhausted maximum number of retries for service"
Conditions:
- Using the 'passwd' utility from the command line to change a user password.
- The new password is not accepted according to the configured tmsh auth password-policy.
Impact:
The real reason why the new password is not accepted is masked by the default error message:
"passwd.bin: Have exhausted maximum number of retries for service"
Workaround:
Instead of using the command line 'passwd' utility, change the user password using tmsh.
With tmsh, the real reason why a new password is not accepted is printed accurately:
root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify auth password root
changing password for root
new password: default
confirm password: default
01070366:3: Bad password (root): BAD PASSWORD: it is too simplistic/systematic
Or, when using the 'passwd' utility from the command line, it's still possible to find the actual reason why the new password isn't accepted in the /var/log/ltm log file.
977625-1 : GTM persistence records linger in tmm
Links to More Info: BT977625
Component: Global Traffic Manager (DNS)
Symptoms:
-- GTM persistence records are not cleared.
-- GTM still answers from persist records even though the persist records not listed by the "tmsh show gtm persist" command.
Conditions:
Persistence for wideip or application is disabled and then enabled quickly afterwards
Impact:
GTM answers from stale persist records.
Workaround:
Do not enable persistence right after disabling.
977449-1 : Total address and Total endpoints is shown as '0' in nat stats
Links to More Info: BT977449
Component: Advanced Firewall Manager
Symptoms:
Total address and Total endpoints is shown as '0' (zero) in the output of 'show ltm nat-stats roll-up-level fw-nat-source-translation-object name <name> all',
Conditions:
The prefix length for IPv6 source translation is configured as less than or equal to 64.
Impact:
There is no functional impact, as only the 'show' output is affected for the two stats.
Workaround:
None
976553-1 : Portal Access: Chrome/Edge browser: cookie transport: sync XMLHttpRequests should not be used in onbeforeunload handlers
Links to More Info: BT976553
Component: Access Policy Manager
Symptoms:
Error message in browser console:
Uncaught DOMException: Failed to execute 'send' on VM41 cache-fm.js:618
'XMLHttpRequest': Failed to load ''https://appportal.omo.nl/private/fm/volatile.html': Synchronous XHR in page dismissal. See https://www.chromestatus.com/feature/4664843055398912 for more details.
Conditions:
Setting and/or getting cookies in onbeforeunload/onunload handlers defined by the web-application.
Impact:
Web-application does not function as expected. Behavior varies, depending on web-application control flow.
Workaround:
Important: This workaround will work until later versions of Chrome and Edge Browser are released. You can refer to the release notes for these browsers to determine when functionality is removed.
Use an iRule to allow sync requests from onbeforeunload, onunload, and other page dismissal events.
This is intended to inject into responses from the BIG-IP virtual server header, Origin-Trial, using a token obtained from the Google Chrome developer console. This token allows for use of synchronous requests in page dismissal events. It should work for Chrome and Microsoft Edge browsers where such sync requests are disabled now.
To obtain the token you need to use the following iRule with your virtual server:
1. Go to the Chrome Origin Trials page:
https://developers.chrome.com/origintrials/#/trials/active.
2. Click the 'REGISTER' button to the right of 'Allow Sync XHR In Page Dismissal'.
3. Enter the origin of your virtual server and other information:
https://domain_of_your_virtual_server.
4. Click REGISTER.
By doing this, you obtain a token to use in place of the token provided in the following iRule.
Note: For additional info about Origin Trials and how they work:
https://github.com/GoogleChrome/OriginTrials/blob/gh-pages/developer-guide.md
when HTTP_RESPONSE_RELEASE {
HTTP::header insert Origin-Trial Aq5OZcJJR3m8XG+qiSXO4UngI1evq6n8M33U8EBc+G7XOIVzB3hlNq33EuEoXZQEt30Yv2W6YgFelr2aGUkmowQAAABieyJvcmlnaW4iOiJodHRwczovLzEwLjE5Mi4xNTIuMzk6NDQzIiwiZmVhdHVyZSI6IkFsbG93U3luY1hIUkluUGFnZURpc21pc3NhbCIsImV4cGlyeSI6MTU5ODk5NzIyMX0=
}
976517-2 : Tmsh run sys failover standby with a device specified but no traffic group fails
Links to More Info: BT976517
Component: TMOS
Symptoms:
The tmsh run /sys failiover standby device <device> command fails and returns an error if no traffic-group is specified:
Syntax Error: There is no failover device with a name (/Common/bigip2.localhost).
Conditions:
Two or more BIG-IPs configured with high availability (HA)
Impact:
You are required to specify all the traffic groups you want to failover to a peer.
Workaround:
For each traffic group that you want to failover to a peer run the tmsh run /sys failover standby.
For example if you want to fail over both traffic groups traffic-group-1 and traffic-group-2 to failover to bigip2.localhost, run the following:
tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-1
tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-2
If you want the device to be standby for all traffic groups but you don't care what device takes over as active, run the following command (note there is no traffic-group nor device):
tmsh run /sys failover standby
975725-5 : Wildcard virtual servers do not forward L3 unicast traffic sent to L2 broadcast
Links to More Info: BT975725
Component: Local Traffic Manager
Symptoms:
L3 unicast traffic with L2 broadcast destination MAC (ff:ff:ff:ff:ff:ff) matching wildcard virtual servers is not handled properly.
Conditions:
Wildcard virtual server is configured to handle such traffic.
Impact:
Traffic will not be forwarded properly.
Workaround:
Use specific non-wildcard virtual-server.
975657-1 : With HTTP2 enabled, only partial sorry contents (< 32KB) can be sent to the client via HTTP::respond
Links to More Info: BT975657
Component: Local Traffic Manager
Symptoms:
Partial content (<= max allowed "write-size" in HTTP2 profile i.e. 32KB) can be sent to client via the HTTP:respond iRule command.
Conditions:
-- HTTP2 enabled on virtual server
-- Content sent by the iRule exceeds 32KB
Impact:
Client fails to receive the whole content
974513-7 : Dropped requests are reported as blocked in Reporting/charts
Links to More Info: BT974513
Component: Application Security Manager
Symptoms:
Dropped requests are reported as blocked in Reporting/charts.
Conditions:
Request is dropped (or client side challenge / captcha is not answered) as part of a brute force mitigation or a slow post attack causes dropping of a request.
Impact:
Data reported might be incorrect. There is a filter for dropped requests which, when selected, does not show anything, even when there are drops.
Workaround:
None.
973341-1 : Customized device certs will break scripts relying on /config/httpd/conf/ssl.crt/server.crt
Links to More Info: BT973341
Component: Global Traffic Manager (DNS)
Symptoms:
Bigip_add, big3d_install, gtm_add will not work.
Conditions:
Device cert is customized.
Impact:
Bigip_add, big3d_install, gtm_add not work.
Workaround:
Copy the content of the new cert to default file "/etc/httpd/conf/ssl.crt/server.crt".
971065-2 : Using ACCESS::log iRule command in RULE_INIT event makes TMM crash
Links to More Info: BT971065
Component: Access Policy Manager
Symptoms:
TMM crashes.
Conditions:
- APM is provisioned.
- ACCESS::log command is invoked in RULE_INIT iRule event handler.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid using ACCESS::log in the RULE_INIT event.
969553-1 : A DNS Cache (or Network DNS Resolver) returns SERVFAIL to some queries.
Links to More Info: BT969553
Component: Global Traffic Manager (DNS)
Symptoms:
- A DNS Cache (or Network DNS Resolver) returns SERVFAIL responses to clients, despite the BIG-IP system receiving a good (albeit delayed) response from upstream servers.
- When this happens, the BIG-IP system rejects the responses from the upstream servers with ICMP errors (Destination unreachable - Port unreachable).
- If the db key dnscacheresolver.loglevel is set to debug5, the following error message is visible in the /var/log/ltm file when this issue occurs:
debug tmm[13147]: DNScache: request example.com. has exceeded the maximum number of glue fetches 17 to a single delegation point
- If a Network DNS Resolver is used with an HTTP Explicit Proxy profile, the symptoms can appear as "503 Service Unavailable" responses to clients due to DNS lookup failure.
Conditions:
This issue occurs when the following conditions are met:
- A DNS Cache (or Network DNS Resolver) is in use on the BIG-IP system.
- The aforementioned object is configured with a forward-zone that uses multiple servers to perform resolutions.
- The RTT of the servers fluctuates. For example, the servers are generally fast to reply for most domains, but take extra time to reply for a given domain.
- 'Randomize Query Character Case' is enabled in the DNS Cache (or Network DNS Resolver).
- If the requests for the domain take a long time to resolve, BIG-IP may reply with SERVFAIL.
Impact:
Clients of the BIG-IP DNS Cache (or Network DNS Resolver) are not returned an answer. As a result, application failures may occur.
Workaround:
You can work around this issue by changing 'Randomize Query Character Case' to 'No' in the DNS Cache (or Network DNS Resolver) settings.
968953-1 : Unnecessary authorization header added in the response for an IP intelligence feed list request
Links to More Info: BT968953
Component: Advanced Firewall Manager
Symptoms:
Empty authorization header in the response for an IP intelligence feed list request.
Conditions:
Feed list configured without username/password pair.
Impact:
Feed List request from dwbld adds unnecessary Authorization header. The backend server may blocking the request because the HTTP header Authorization is included.
Workaround:
None.
968949-7 : Keepalives aren't sent in FIN_WAIT_2 when using a TCP profile
Links to More Info: BT968949
Component: Local Traffic Manager
Symptoms:
When a client-side connection goes into FIN_WAIT_2, BIG-IP does not send keepalives even if they are being sent on the server-side connection.
Conditions:
- Virtual server configured with a TCP profile and network listener.
Impact:
Client-side connections timeout prematurely.
As a result, the server-side connections end up being open indefinitely.
Workaround:
No workaround currently known.
967769-1 : During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks
Links to More Info: BT967769
Component: TMOS
Symptoms:
Tmm crashes and restarts. The following panic message is found in /var/log/tmm:
notice panic: ../dev/hsb/if_hsb.c:6129: Assertion "HSB lockup, see ltm and tmm log files" failed.
Conditions:
-- Some error or glitch is detected on the high-speed bus (HSB).
-- Software commands a reset of the HSB and interface hardware.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
967737-3 : DNS Express: SOA stops showing up in statistics from second zone transfer
Links to More Info: BT967737
Component: Global Traffic Manager (DNS)
Symptoms:
Start of Authority (SOA) record is not displayed in zone statistics.
Conditions:
The issue appears after the 2nd zone transfer.
Impact:
This is a cosmetic issue without any actual impact.
Workaround:
None
967573-3 : Qkview generation from Configuration Utility fails
Links to More Info: BT967573
Component: TMOS
Symptoms:
When you attempt to generate a qkview using the Configuration Utility, the system fails to generate a qkview.
Conditions:
Trying to generate a Qkview using the Configuration Utility.
Impact:
The Configuration Utility cannot be used to generate a qkview.
Workaround:
Use the qkview command to generate a qkview from the command line.
967557-1 : Improve apm logging when loading sys config fails due to corruption of epsec rpm database
Links to More Info: BT967557
Component: TMOS
Symptoms:
Loading sys config fails and mcpd may not be running properly due to corruption of EPSEC rpm database. It is difficult to tell from logs that the issue is with epsec rpm database. This error may be the only indication:
emerg load_config_files[10761]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.
Conditions:
Loading of sys config fails due to corruption of EPSEC rpm database.
Impact:
Difficult to troubleshoot the root cause for config load failure.
967353-1 : HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.
Links to More Info: BT967353
Component: Local Traffic Manager
Symptoms:
Client receives no response along with a connection reset by the BIG-IP system.
Conditions:
-- HTTP profile is enabled on the BIG-IP system.
-- Server sends HTTP response with one or more header field names separated with the trailing colon by a space.
Impact:
HTTP responses that should be delivered to the client by the proxy are not being sent out.
Workaround:
None
967245-1 : Incorrect SPVA counter incremented during Sweep attack on profile
Component: Advanced Firewall Manager
Symptoms:
Incorrect SPVA counters updated.
Conditions:
Configure DoS Sweep vector on an SPVA supported device.
Impact:
Usage of dos_spva_stat will result in displaying incorrect counters.
966785-1 : Rate Shaping stops TCP retransmission
Links to More Info: BT966785
Component: Local Traffic Manager
Symptoms:
When rate shaping is applied to a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.
Conditions:
This issue occurs when both of the following conditions are met:
-- Virtual server configured with a rate shaping.
-- Standard type of virtual server.
Impact:
The BIG-IP system does not retransmit unacknowledged data segments.
Workaround:
None
966613-6 : Cannot create XML profile based on WSDL when wsdl contains empty soap:address – getting error ‘Column 'object_uri' cannot be null’
Links to More Info: BT966613
Component: Application Security Manager
Symptoms:
Perl error returned when saving new XML content profile using wsdl file with empty soap:address node "<soap:address/>".
Conditions:
Creating a new content profile using a wsdl file which contains a "<soap:address/>" node which does not have a "location" attribute value.
When this content profile is saved, ASM attempts to create an associated URL with no value, which fails validation.
Impact:
After trying to save the content profile, you see an error message: "Could not create XML Profile; Error: DBD::mysql::db do failed: Column 'object_uri' cannot be null"
Workaround:
Delete the node "<soap:address/>" from the wsdl file
965849-1 : Displayed 'Route Domain ID' value is confusing if it is set to None
Links to More Info: BT965849
Component: Advanced Firewall Manager
Symptoms:
The numeric value of RT_DOMAIN_NONE is 65535. Lsndb displays this value, which is confusing.
Conditions:
If the parent route domain is set to "None", lsndb displays 65535.
Impact:
No impact on functionality.
Workaround:
None
965053-4 : [Regression of ID787881 & ID761032] DNSX fails to sign zone transfer using tsig key after failure
Links to More Info: BT965053
Component: Global Traffic Manager (DNS)
Symptoms:
DNSX fails to sign zone transfer using tsig key.
Conditions:
A transfer error occurs while DNSX is initializing.
Impact:
DNSX zones are not been updated.
Workaround:
Re-enter the tsig key secret.
964989-4 : AFM DOS half-open does not handle wildcard virtual servers properly.
Links to More Info: BT964989
Component: Advanced Firewall Manager
Symptoms:
AFM DOS half-open vector does not handle wildcard virtual servers properly.
Conditions:
-- Wildcard virtual-server.
-- AFM DOS half-open vector configured.
-- Attacks towards multiple destinations covered by a single virtual-server.
Impact:
- Wrong statistics reporting.
- Wrong status of syncookie protection.
- Unexpected traffic drops.
Workaround:
Split wildcard virtual server into a series of /32 virtual servers.
963393-2 : Key handle 0 is treated as invalid for NetHSM devices
Links to More Info: BT963393
Component: Local Traffic Manager
Symptoms:
HTTPS pool members are marked down when they are up.
Conditions:
-- SafeNet HSM configured
-- HTTPS monitor uses the safenet keys
-- The key handle generated by the HSM is 0
Impact:
Pool members are marked down because bigd cannot connect to the pool member using the Safenet HSM key.
Workaround:
Use in-TMM monitors as an alternative to bigd monitors.
963129-3 : RADIUS Accounting Stop message fails via layered virtual server
Links to More Info: BT963129
Component: Access Policy Manager
Symptoms:
RADIUS Stop messages do not exit the BIG-IP device after a client disconnects.
Conditions:
BIG-IP is configured with APM and multiple virtual servers and an iRule.
Impact:
RADIUS Accounting Stop is not sent.
Workaround:
None
962477-2 : REST calls that modify GTM objects as a user other than admin may take longer than expected
Links to More Info: BT962477
Component: TMOS
Symptoms:
After performing a REST call to modify a GTM object, subsequent requests may take longer than expected to complete. Delays of 800-1000ms are possible for a brief time after a GTM object is modified.
Conditions:
Modifying a GTM object with a user other than "admin". When a device is part of a GTM sync group.
Impact:
Slower than expected REST performance. Scripts that perform a series of modifications and subsequent queries could be heavily impacted.
Workaround:
Use the admin account or use transactions.
961653-3 : Unable to retrieve DNS link statistics via SNMP OID gtmLinkStatRate
Links to More Info: BT961653
Component: Local Traffic Manager
Symptoms:
Unable to retrieve link statistics via SNMP OID gtmLinkStatRate
config # snmpwalk -c public localhost F5-BIGIP-GLOBAL-MIB::gtmLinkStatRate
F5-BIGIP-GLOBAL-MIB::gtmLinkStatRate = No Such Object available on this agent at this OID
Conditions:
A BIG-IP DNS/LC system configured with link objects.
Try to do an snmpwalk for F5-BIGIP-GLOBAL-MIB::gtmLinkStatRate which is not successful.
Impact:
BIG-IP DNS system link statistics cannot be retrieved via SNMP.
Workaround:
No workaround.
961001-5 : Arp requests not resolved for snatpool members when primary blade goes offline
Links to More Info: BT961001
Component: Local Traffic Manager
Symptoms:
Arp requests not resolved for snatpool members and traffic does not go through when the primary blade becomes offline.
Conditions:
-- VIPRION platforms serving as AAA and Diameter virtual server to load-balance.
-- route-domain configured other than 0.
-- Radius authentication pool and snatpool are configured.
-- Primary blade goes offline and new Primary is not elected.
Impact:
Traffic failure when primary became offline.
Workaround:
Disable primary blade which is offline.
959965-1 : Asmlogd stops deleting old protobufs
Component: Application Security Manager
Symptoms:
Protobuf files are being cleaned only when trying to write to the protobuf file and on startup.
Conditions:
This occurs during normal operation.
Impact:
/var/asmdata1 can run out of disk space.
Workaround:
None
959957-1 : Asmlogd stops deleting old protobufs
Links to More Info: BT959957
Component: Application Security Manager
Symptoms:
Asmlogd restarts and there are asmlogd errors:
asmlogd|ERR|Oct 19 13:46:35.199|6005|,,asmlogd ended unexpectedly
asmlogd|ERR|Oct 19 13:46:35.203|6005|,,Can't call method "size" on an undefined value at /usr/local/share/perl5/F5/RequestLog.pm line 1902.
Conditions:
Disk is full -- the following warnings are being displayed:
err diskmonitor[3483]: 011d0004:3: Disk partition /var/asmdata1 (slot 1) has only 0% free
Impact:
Old protobuf files are not cleaned up.
Workaround:
0) If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
https://support.f5.com/csp/article/K14956
https://support.f5.com/csp/article/K42497314
1) To identify the empty partitions, look into:
SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G
2) For every partition that is empty, manually (or via shell script) execute this sql:
ALTER TABLE PRX.REQUEST_LOG DROP PARTITION empty_partition_name
where 'empty_partition_name' is the partition name as 'p100001'
4) Increase 'open_files_limit' to '10000'.
--------------------------------
In the /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter to 10000.
2. Restart MySQL:
bigstart restart mysql
--------------------------------
5) pkill asmlogd
Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.
959613-1 : Double-monitoring a generic-host virtual server might show blank 'Reason'
Links to More Info: BT959613
Component: Global Traffic Manager (DNS)
Symptoms:
When you double-monitor a Generic Host Virtual Server using the same monitor, the 'Reason' is omitted from the output:
-- Output of 'tmsh show gtm server <server> virtual-servers' shows a "blank" reason for monitoring failure/success.
-- If double-monitoring at pool level, the output of 'tmsh show gtm pool <type> <pool> members' shows a "blank" reason for monitoring failure/success.
Conditions:
-- Using the same monitor at virtual-server level and pool level
AND/OR:
-- Using the same monitor on two different pools (when monitoring the same virtual-server)
Impact:
Impedes your ability to identify the failure/success reason quickly.
Workaround:
-- Do not use the exact same monitor on both the virtual server and the pool level.
-- If double-monitoring at pool level, do not use the exact same monitor to monitor the same virtual-server on multiple pools.
959241-1 : Fix for ID871561 might not work as expected on the VCMP host
Links to More Info: BT959241
Component: TMOS
Symptoms:
Attempting to deploy an engineering hot fix (EHF) for ID871561 (https://cdn.f5.com/product/bugtracker/ID871561.html) fails in the same manner
Conditions:
-- Attempting to install an EHF containing a fix for ID871561 on a vCMP guest
-- The fix for ID871561 has not already been applied to the vCMP guest
Impact:
Unable to perform software installations on vCMP guests using installation media located on the vCMP host even if fix for ID871561 is available on VCMP guest.
Workaround:
Option 1:
===========
Make sure that the .iso files for both base image and engineering hotfix are copied to the vCMP guest (under /shared/images) before starting the installation. If installing the software from the command line, use syntax similar to the following:
tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>
Option 2:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. You can restart the vCMP guest and perform a hotfix installation on top of already installed base image, using syntax similar to the following:
tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>
Option 3:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. Ensure there is copy of the engineering hotfix image locally within the vCMP Guest.
Then restart the lind service on the vCMP Guest:
tmsh restart sys service lind
If running the vCMP Guest on multiple slots, you may need to restart lind on all slots. From the primary slot on the vCMP Guest, run:
clsh tmsh restart sys service lind
The hotfix installation should begin again, this time using the hotfix from within the /shared/images/ location on the vCMP Guest.
Option 4:
===========
Manually eject the CD from the vCMP guest's virtual CD drive, and then restart lind. On the vCMP Guest:
1. Confirm the wrong ISO image is still locked (inserted in the CD drive):
isoinfo -d -i /dev/cdrom
Note: Pay attention to the volume ID in the output from within the vCMP guest.
2. Unlock (eject) the image:
eject -r -F /dev/cdrom && vcmphc_tool -e
3. Verify the CD drive is now empty:
isoinfo -d -i /dev/cdrom
The output should report an error that includes:
<...> Sense Code: 0x3A Qual 0x00 (medium not present) Fru 0x0 <…>
4. Restart lind:
tmsh restart sys service lind
If running the vCMP Guest on multiple slots, you may need to restart lind on all vCMP Guest slots. From the primary slot on the vCMP Guest, run:
clsh tmsh restart sys service lind
959057-5 : Unable to create additional login tokens for the default admin user account
Links to More Info: BT959057
Component: TMOS
Symptoms:
When remote user authentication is configured, BIG-IP systems apply maximum active login token limitation of 100 to the default admin user account.
Conditions:
Remote Authentication is configured
Impact:
Unable to create more than 100 tokens for admin when remote authentication is configured
958785-8 : FTP data transfer does not complete after QUIT signal
Links to More Info: BT958785
Component: Local Traffic Manager
Symptoms:
When a QUIT signal is sent over an FTP connection to an FTP virtual server during a data transfer, the data connection is closed immediately instead of waiting until the transfer is complete.
Conditions:
- BIG-IP configured with an FTP virtual server
- A client connects to the FTP virtual server
- Client starts an FTP data transfer
- Client sends a QUIT signal before the data transfer completes.
Impact:
FTP data connections are closed prematurely, causing incomplete data transfers.
Workaround:
This does not occur if the FTP profile for the FTP virtual server has inherit-parent-profile set to enable.
958773-2 : [SAML SP] Assertion canonicalization fails if <AttributeValue> contains spaces.
Links to More Info: BT958773
Component: Access Policy Manager
Symptoms:
In /var/log/apm
[apmd]modules/Authentication/Saml/SamlSPAgent.cpp: 'verifyAssertionSignature()': 5883: Verification of SAML signature #1 failed
[apmd]SAML Agent: /Common/xxxxxx failed to process signed assertion, error: Digest of SignedInfo mismatch
Conditions:
SAML attribute values have double-byte spaces.
Impact:
Verification of SAML signature fails.
Workaround:
Remove double-byte spaces from SAML Attribute values (consult a vendor who populates SAML attribute values for advice on how to remove double-byte spaces).
958601-4 : In the GUI, searching for virtual server addresses does not match address lists
Links to More Info: BT958601
Component: TMOS
Symptoms:
In the GUI, if you filter the virtual server listing using an IP address, or part of an IP address, if there are any virtual servers that are using an address list that contains an address that matches that search string, those virtual servers will not show up in the search results.
Similarly, if you filter the virtual server listing using an IP address, or part of an IP address, if there are any virtual servers that are using an address that matches the search string, but are using a port list, those virtual servers will not show up in the search results.
Conditions:
-- Using Address Lists or Port lists with a virtual server.
-- Using the GUI to search for virtual servers based on address.
Impact:
Virtual servers that should match a search are not found.
Workaround:
None.
958157-4 : Hash collisions in DNS rapid-response packet processing
Links to More Info: BT958157
Component: Global Traffic Manager (DNS)
Symptoms:
DNS rapid-response (FastDNS) packet processing may cause unexpected traffic drops.
Conditions:
- DNS rapid-response is enabled in a DNS profile:
ltm profile dns dns {
enable-rapid-response yes
}
Note: This issue is more likely to occur on systems with a lower number of TMMs.
Impact:
Unexpected traffic drops
957993-4 : Unable to set a port list in the GUI for an IPv6 address for a virtual server
Links to More Info: BT957993
Component: TMOS
Symptoms:
When creating a virtual server in the GUI with an IPv6 destination address and a port list (shared object) or a source address list (shared object), the system returns an error similar to:
0107028f:3: The destination (0.0.0.0) address and mask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) for virtual server (/Common/vs03-v6_dns) must be be the same type (IPv4 or IPv6).
Conditions:
-- Creating or updating a virtual server.
-- Attempting to use an IPv6 Host address with a Port List shared object or a Source Address List shared object.
Impact:
Unable to create/modify virtual server.
Workaround:
Create an Address List shared object with the IPv6 address in it and use that instead of the Host address.
955897-4 : Configuration may fail to load with named virtual-address for 0.0.0.0 in a non-zero route domain★
Links to More Info: BT955897
Component: TMOS
Symptoms:
When reading the configuration from /config files, the BIG-IP system may fail to load the configuration regarding a virtual server with a named virtual-address for address 0.0.0.0 in a non-default route domain:
err mcpd[21812]: 0107028b:3: The source (0.0.0.0%123) and destination (0.0.0.0) addresses for virtual server (/Common/vs1) must be in the same route domain.
Unexpected Error: Loading configuration process failed.
Conditions:
-- An LTM virtual-address object with a name.
-- The virtual-address's address is 0.0.0.0 (or the keyword 'any'). The IPv6 address :: (or the keyword 'any6') is not affected.
-- The virtual-address's address is in a route domain other than route domain 0. The route domain can be the partition's default route domain.
-- An LTM virtual server that uses the affected address as its destination.
Example:
tmsh create net route-domain 123
tmsh create ltm virtual-address allzeros-rd123 address 0.0.0.0%123
tmsh create ltm virtual allzeros-rd123 destination 0.0.0.0%123:0
tmsh save sys config
Impact:
The configuration fails to load from disk when the affected objects do not yet exist in running memory or binary cache, for example, during:
- Reinstalling
- Upgrading
- Loading manual changes to the /config/*.conf files
- MCP force-reload
Other operations such as rebooting, relicensing, and reloading the same configuration (such as 'tmsh load sys config' are not affected.
Workaround:
Replace the configuration that uses a named virtual-address with the direct address. Here is an example of the configuration in bigip.conf:
ltm virtual-address allzeros-rd123 {
address any%123
mask any
}
ltm virtual allzeros-rd123 {
destination allzeros-rd123:0
mask any
source 0.0.0.0%123
}
This can be rewritten to remove the virtual-address object, and replace the virtual server destination with the address (0.0.0.0 or 'any'):
ltm virtual allzeros-rd123 {
destination any%123:0
mask any
source 0.0.0.0%123
}
955773-3 : Fw_lsn_pool_pba_stat: excessively high active_port_blocks stat for IPv4
Links to More Info: BT955773
Component: Advanced Firewall Manager
Symptoms:
TMM specific stats shows unrealistic values.
Conditions:
The respective TMMs have shortage of NAT PBAs.
Impact:
No functional impact. Only on stats reporting side impact.
953477-1 : Syncookie HW mode not cleared when modifying VLAN config.
Links to More Info: BT953477
Component: TMOS
Symptoms:
Changing VLAN configuration can cause BIG-IP get stuck in hardware syncookie mode.
Conditions:
- Changing VLAN configuration when vlan-based syncookies are active.
For a list of platforms that support hardware syncookie protection, see https://support.f5.com/csp/article/K14779
Impact:
Device is stuck in hardware syncookie mode and generates syncookies.
Workaround:
Run the following command:
tmsh restart sys service tmm
Impact of workaround: restarting tmm disrupts traffic.
950953-3 : Browser Challenges update file cannot be installed after upgrade★
Links to More Info: BT950953
Component: Application Security Manager
Symptoms:
After upgrading BIG-IP, the Browser Challenges factory default update file cannot be installed, and you see this error:
Installation error: gpg: WARNING: unsafe ownership on homedir `/usr/share/live-update/share/gpg/browser_challenges_genesis_load'gpg: encrypted with 1024-bit ELG key, ID 7C3E3CE5, created 2007-03-20 "asm_sigfile_installer"gpg: Signature made Mon Aug 2
Conditions:
The new file that comes with the installation is ready to install
Impact:
New updated cannot be installed
Workaround:
There are 2 options:
1. download a new version of the update file (if exists)
2.
2.1 download a copy of that file from the machine to your locale machine
2.2 rename it :
> cp BrowserChallenges_20200722_072935.im BrowserChallenges_<CURRENT_DATE>_<CURRENT_TIME>.im
## the date and time are for tracking and the have to be in a specific format DATE : YYYYMMDD, TIME: HHMMSS
2.3 upload the file and install it manually from the LiveUpdate screen.
950305-5 : Analytics data not displayed for Pool Names
Links to More Info: BT950305
Component: Application Visibility and Reporting
Symptoms:
You cannot see reports (statistics->analytics->pool) when you choose to view by pool names.
Conditions:
This is encountered in the statistics screen.
Impact:
You can't see the statistics->analytics->pool report when you choose view by pool names.
949593-5 : Unable to load config if AVR widgets were created under '[All]' partition★
Links to More Info: BT949593
Component: Application Visibility and Reporting
Symptoms:
When upgrading to or loading saved configuration on BIG-IP software v13.0.0 or later, if the configuration contains AVR widgets created under a partition of '[All]', the config load fails.
Conditions:
This occurs if one or more AVR widgets in the configuration was created under the read-only '[All]' pseudo-partition.
This could have occurred if you were running a version of BIG-IP which did not include the fix for ID 721408.
Impact:
Upgrading to or loading an affected configuration on BIG-IP v13.x or later fails.
Workaround:
Manually edit the /config/bigip.conf configuration file and change '[All]' to 'Common':
# sed -i 's/\\\[All\]/Common/g' /config/bigip.conf
# tmsh load sys config
# tmsh save sys config
This should be done before upgrading to BIG-IP v13.x or later, or before saving configuration to be loaded later, or before loading a saved configuration from the config files.
949477-4 : NTLM RPC exception: Failed to verify checksum of the packet
Links to More Info: BT949477
Component: Access Policy Manager
Symptoms:
NTLM authentication fails with the error:
RPC exception: Failed to verify checksum of the packet.
Conditions:
-- Start nlad process with 'encryption'.
-- Configure a user, and map that user to a huge number of groups.
-- Configure NTLM front-end authentication.
Impact:
User authentication fails.
Workaround:
1. Run the 'nlad' process with '-encrypt no' in the file /etc/bigstart/startup/nlad.
2. Disable encryption for nlad:
# vim /etc/bigstart/startup/nlad
change:
exec /usr/bin/${service} -use-log-tag 01620000
to:
exec /usr/bin/${service} -use-log-tag 01620000 -encrypt no
3. Restart nlad to make the change effective, and to force the schannel to be re-established:
# bigstart restart nlad
949137-1 : Clusterd crash and vCMP guest failover
Links to More Info: BT949137
Component: Local Traffic Manager
Symptoms:
Clusterd crashes and a vCMP guest fails over.
Conditions:
The exact conditions under which this occurs are unknown. It can occur during normal operation.
Impact:
Memory corruption and clusterd can crash, causing failover.
Workaround:
None.
948601-1 : File object checksum attribute is not updated when an external data-group file or external monitor file is edited from GU
Links to More Info: BT948601
Component: TMOS
Symptoms:
SHA1 checksum attribute/property of the file object is not persisted/published/propagated to the MCP datastore/GUI.
Conditions:
This could be observed when an external data-group file or external monitor file definition is edited from GUI.
Below mentioned is the workflow where the issue can be seen/replicated,
System ›› File Management : Data Group File List >> FILE
Edit the "definition" field of the file object & click update.
1.) edit sys file data-group "filename"
2.) list sys file data-group "filename"
Aforementioned commands can be used from TMOS shell to understand the correct behavior that is expected when the same is done from GUI
Impact:
You are unable to identify whether the file object was modified by just validating/comparing the file object's metadata/schema property i.e. "checksum SHA1"
Workaround:
None
947745-3 : Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error
Links to More Info: BT947745
Component: Local Traffic Manager
Symptoms:
Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error message:
hud_tcp_serverside_handler/3676: 10.0.0.20.21 - 10.10.10.1.51147: unexpected serverside message HUDEVT_CHILD_CONNECTE
Conditions:
FTP profile is in use
Impact:
Logs entries in the log file
Workaround:
None
947613-2 : APM reset after upgrade and modify of LDAP Group Lookup★
Links to More Info: BT947613
Component: Access Policy Manager
Symptoms:
-- Per-Request Policy fails.
-- APM reset the connection.
Conditions:
Upgrade from 13.1.3.4 to 15.1.0.4 and modify the LDAP Group Lookup.
Impact:
APM resets the connection.
Workaround:
1. Create a new empty object with the same expression as the LDAP Group Lookup.
2. Remove the LDAP Query Agent.
3. Restart the system:
bigstart restart tmm
947217-6 : Fix of ID722682 prevents GTM config load when the virtual server name contains a colon★
Links to More Info: BT947217
Component: Global Traffic Manager (DNS)
Symptoms:
GTM is unable to load the configuration.
Conditions:
-- GTM has been upgraded to a version with fix for ID722682 from a version that does not have the fix for ID722682
-- A GTM server has a name with no colon
-- That GTM server has a virtual server with colon in the name
-- That virtual server is added to a pool
Impact:
GTM config file cannot be loaded successfully after upgrade.
Workaround:
Edit bigip_gtm.conf manually to delete "\\" or replace colon ":" with other non-reserved char. such as "-".
945413-2 : Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync
Links to More Info: BT945413
Component: TMOS
Symptoms:
The BIG-IP system constantly downloads the certificate bundle if the CA-bundle manager config includes a URL.
Symptoms are different depending on if BIG-IP systems is in a manual or automatic sync device group.
Manual sync device groups will not stay in sync.
Automatic sync device groups will constantly sync.
Conditions:
The CA-bundle manager is configured.
Impact:
The keymgmtd and mcpd process gets into a loop that causes constant config changes and if the ca-bundle-manager includes a URL, the BIG-IP system constantly downloads the bundle.
Workaround:
The ca-bundle manager should be configured without the update-interval(i.e. update-interval value set to 0) and while updating set the update-now to YES
For config sync between peers
1.If the config sync type is set to manual full/incremental
Then manually sync the devices either in GUI or TMSH
2.If the config sync type is set to Automatic
Then bundle manager will be synced without any manual intervention
945189-5 : HTTPS monitor fails due to missing ECDHE-RSA-AES256-CBC-SHA★
Links to More Info: BT945189
Component: Local Traffic Manager
Symptoms:
After upgrade, the 'DEFAULT' cipher in the server SSL profile attached to the HTTPS monitor does not include the ECDHE-RSA-AES256-CBC-SHA cipher suite in the Client Hello.
Conditions:
After upgrade, HTTPS monitor cipherlist is read from server SSL profile ciphers and set to DEFAULT after upgrade.
Impact:
1. Upgrade breaks the SSL pool monitoring.
2. It is also possible that the pools monitoring succeeds but with unexpected ciphers from the 'DEFAULT' list which may cause increased resource usage or unexpectedly weaker encryption.
Note: The ciphers negotiated between the HTTPS backend being monitored and the server SSL profile will still belong to the 'DEFAULT' list.
Workaround:
BIG-IP provides ways to customize the cipher string used by the server SSL profile.
Via the configuration utility:
https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-ltm-configuring-custom-cipher-string-for-ssl-negotiation/configuring-a-custom-cipher-string-for-ssl-negotiation.html
Via tmsh commands:
https://support.f5.com/csp/article/K65292843
944173-4 : SSL monitor stuck does not change TLS version
Links to More Info: BT944173
Component: Local Traffic Manager
Symptoms:
The SSL monitor remains in the current TLS version and does not switch to another version when a server changes.
Conditions:
-- SSL monitor configured.
-- Server configuration changes from TLSv1.2 to TLSv1.
Impact:
Pool members marked down.
Workaround:
Use the In-TMM monitor.
943441-4 : Issues in verification of Bot Defense with F5 Anti-Bot Mobile SDK
Links to More Info: BT943441
Component: Application Security Manager
Symptoms:
Verification may be incomplete when using the F5 Anti-Bot Mobile SDK with the Bot Defense profile.
Conditions:
-- Using the Bot Defense profile together with the F5 Anti-Bot Mobile SDK.
-- Enabling the Mobile Applications section in the profile.
Impact:
Mobile application verification may be incomplete.
Workaround:
None
942729-3 : Export of big Access Policy config from GUI can fail
Component: Access Policy Manager
Symptoms:
Export of Access Policy times out after five minutes and fails via the GUI
Conditions:
Exact conditions are unknown, but it occurs while handling a large access policy.
Impact:
Unable to redeploy configuration
Workaround:
Use thge cli to export the access policy:
K30575107: Overview of the ng_export, ng_import and ng_profile commands
https://support.f5.com/csp/article/K30575107
941961-4 : Upgrading system using WAM TCP profiles may prevent the configuration from loading
Links to More Info: BT941961
Component: WebAccelerator
Symptoms:
If a BIG-IP is on version 13.1.0 through 15.1.x and has profiles in use that use wam-tcp-wan-optimized and/or wam-tcp-lan-optimized as parent profiles, then when the configuration is upgraded to 16.0.0, the configuration fails to load, with an error similar to:
err mcpd[10087]: 01020036:3: The requested parent profile (/Common/wam-tcp-wan-optimized) was not found.
On devices that are provisioned with not just the LTM module this may lead to an out of memory condition as the config load failure prevents memory provisioning completing leaving too little 4KB page (host) memory and too much huge page memory.
If suffering memory pressure then management access to device will be sluggish or not possible.
Conditions:
-- Upgrading from version 13.1.0 through 15.1.x.
-- Using profiles derived from wam-tcp-wan-optimized and/or wam-tcp-lan-optimized.
Impact:
Configuration does not load.
Workaround:
Remove these profiles and adjust the configuration elements that use them accordingly. If it is difficult to work on the device it may be necessary to rollback to earlier version and make changes there. Usually it would be better then to delete newer software volume and reinstall it at which point the modified config will be copied across and installed on newer volume.
Here are two examples:
-- Copy the definition of 'wam-tcp-wan-optimized' from /defaults/wam_base.conf into /config/bigip.conf, and then reload the configuration.
-- Change the references to wam-tcp-wan-optimized to something else in your config file (e.g., tcp-wan-optimized), and then reload the configuration.
941773-1 : Video resolution mis-prediction
Links to More Info: BT941773
Component: Traffic Classification Engine
Symptoms:
Certain video traffic is not getting classified with high accuracy.
Conditions:
- Behavioral classifier for Classification Engine is enabled
Impact:
- Mis-predictions can lead to higher definition videos being categorized as low-definition videos and vice versa.
941765-1 : Video resolution mis-predictions
Links to More Info: BT941765
Component: Traffic Classification Engine
Symptoms:
BIG-IP's traffic playback resolution prediction is calculated on all individual connections of a client's video stream.
Conditions:
- Video streaming client downloads through BIG-IP
- Video is downloaded using multiple connections.
Impact:
- Mis-prediction in the video resolution.
940837-4 : The iRule command node is not triggered in CLIENT_ACCEPTED with HTTP/2.
Links to More Info: BT940837
Component: Local Traffic Manager
Symptoms:
The node iRule command causes the specified server node to be used directly, thus bypassing any load-balancing. However, with HTTP/2, the node command may fail to execute within the CLIENT_ACCEPTED event. This results in no traffic being sent to configured node.
Conditions:
-- A node command is used under CLIENT_ACCEPTED event.
-- An HTTP/2 profile applied to virtual server.
-- The HTTP/2 protocol in use.
Impact:
With HTTP/2 configured, the iRule node command fails to execute within the CLIENT_ACCEPTED event, causing no traffic to be sent to the desired node.
Workaround:
As a workaround, you may use HTTP_REQUEST event instead of CLIENT_ACCEPTED in iRule syntax.
940733-5 : Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt★
Links to More Info: K29290121, BT940733
Component: Global Traffic Manager (DNS)
Symptoms:
The system fails during the boot-up process, reports a libcrypto validation error, and the system halts. The console will show this error:
Power-up self-test failures:
OpenSSL: Integrity test failed for libcrypto.so
This occurs after one of the following:
-- Upgrading a FIPS-enabled BIG-IP system, booting to a volume running an earlier software version
-- Running big3d_install from a BIG-IP GTM configuration to a BIG-IP LTM
On a FIPS-licensed BIG-IP LTM configuration, when checking the big3d version you may see something similar to this:
/shared/bin/big3d -V
fips.c:204:f5_get_library_path: failed to dlopen libcrypto.so.1.0.2za
./big3d version big3d Version 17.0.0.0.0.22 for linux
Conditions:
-- FIPS-licensed BIG-IP system.
-- Upgrade.
-- Boot into a volume running an earlier version of the software.
Another way to encounter the issue is:
-- FIPS-licensed BIG-IP LTM.
-- BIG-IP DNS (GTM) device running a higher software version than the LTM.
-- Run big3d_install from a BIG-IP GTM-configuration pointing to FIPS-licensed BIG-IP LTM configuration.
Impact:
System boots to a halted state or big3d may continuously restart.
Workaround:
Before booting to the volume with the earlier version, delete /shared/bin/big3d.
Note: This issue might have ramifications for DNS/GTM support. DNS/GTM is not FIPS-certified.
If the target software volume has already experienced this issue (the system boots to a halted state), addition to deleting /shared/bin/big3d, follow the instructions in K25205233: BIG-IP System halted while booting. Halt at boot after FIPS Integrity Check Result FAIL :: https://support.f5.com/csp/article/K25205233 .
For additional information, see K29290121: Rollback after upgrade or big3d_install may cause FIPS to halt system on boot :: https://support.f5.com/csp/article/K29290121.
939989-3 : TMM may be killed by sod when shutting down
Links to More Info: BT939989
Component: Local Traffic Manager
Symptoms:
In rare cases, TMM may be killed by sod while it is shutting down.
Conditions:
Conditions vary, but this may commonly occur with platforms using the xnet driver with SR-IOV. This includes certain VE platforms as well as VELOS R2xxx R4xxx.
Impact:
A core file is created in /var/core/.
Workaround:
None
939933-7 : Monpd restarts every few seconds due to missing of AVR database
Links to More Info: BT939933
Component: Application Visibility and Reporting
Symptoms:
The database was not created by monpd, because the ‘init_avrdb’ file was not under the /var/avr.
Conditions:
The monpd is down after booting into HD1.2 on 2 slots.
Impact:
Clearing AVR database will remove all existing statistics data.
Workaround:
1. Stop monpd: bigstart stop monpd
2. Clean data base: touch /var/avr/init_avrdb
3. Clean the statistics file are waiting to be loaded:
cd /var/avr/loader
rm -rf *
4. Start monpd: bigstart start monpd
939249-1 : iSeries LCD changes to secure mode after multiple reboots
Links to More Info: BT939249
Component: TMOS
Symptoms:
After repeatedly rebooting an iSeries platform, the LCD can become erroneously set to secure mode on its own, and you are unable to use the menus on the LCD.
Conditions:
-- Repeated reboots of the device.
-- The db lcd.showmenu value initially set to enable are required.
-- Other required conditions are not fully known.
Impact:
-- LCD becomes set to secure mode.
-- The bigdb variable lcd.showmenu is changed to 'disable'.
Workaround:
Run the commands:
tmsh modify sys db lcd.showmenu value disable
tmsh modify sys db lcd.showmenu value enable
This clears the secure mode of the LCD.
938545-1 : Oversize plugin Tcl object results can result in 0-length messages and plugin crash
Links to More Info: BT938545
Component: Local Traffic Manager
Symptoms:
Bd crashes.
Conditions:
-- ASM enabled.
-- iRule used.
-- Command arguments are greater than maximum MPI message size.
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
None.
938145-3 : DAG redirects packets to non-existent tmm
Links to More Info: BT938145
Component: TMOS
Symptoms:
-- Connections to self-IP addresses may fail.
-- SYNs packets arrive but are never directed to the Linux host.
Conditions:
-- Provision as vCMP dedicated host.
-- Create a self-IP address with appropriate allow-service.
Impact:
Repeated attempts to connect to the self-IP (e.g., via ssh) fail.
Workaround:
None
937665-1 : Relaystate in SLO request results in two Relaystates in SLO Response
Links to More Info: BT937665
Component: Access Policy Manager
Symptoms:
When BIG-IP APM acts as the SAML IdP and receives a redirect binding single logout (SLO) request that contains a relaystate, the BIG-IP APM generates an SLO response that contains two relaystates.
Conditions:
-- BIG-IP APM configured as IdP
-- Redirect binding SLO request contains a relaystate
Impact:
SLO processing on SP may not work.
Workaround:
None.
937573-1 : Connections drop in virtual server with Immediate Action On Service Down set to Drop
Links to More Info: BT937573
Component: Local Traffic Manager
Symptoms:
In a virtual server configured with Immediate Action On Service Down set to Drop and an iRule to pick a pool different from the one attached to the virtual server, if the default pool is attached in an offline state, connections are always dropped even when the default pool becomes available later.
Conditions:
- Virtual server configured with Immediate Action On Service Down set to Drop.
- An iRule selects a different pool from the one attached to the virtual server.
Impact:
Connections are silently dropped.
Workaround:
Change the virtual server's Immediate Action On Service Down setting to None.
937481-5 : Tomcat restarts with error java.lang.OutOfMemoryError
Links to More Info: BT937481
Component: TMOS
Symptoms:
In the GUI, while trying to list a large configuration, tomcat restarts with error java.lang.OutOfMemoryError: Java heap space due to a large read operation.
Conditions:
-- From the GUI, navigate to Local Traffic :: Pools :: Pool List.
-- The configuration contains approximately 10,000 objects (objects include pools, nodes, virtual servers, etc.).
Impact:
When the system attempts to list the large configuration, tomcat restarts, resulting in 503 error.
Workaround:
Use the provision.tomcat.extramb database variable to increase the maximum amount of Java virtual memory available to the tomcat process.
Impact of workaround: Allocating additional memory to Apache Tomcat may impact the performance and stability of the BIG-IP system. You should perform this procedure only when directed by F5 Technical Support after considering the impact to Linux host memory resources.
-- Using a utility such as free or top, determine if you have enough free memory available to use this procedure.
For example, the following output from the free utility shows 686844 kilobytes available:
total used free shared buffers cachedMem:
16472868 15786024 686844 807340 827748 2543836
-/+ buffers/cache: 12414440 4058428
Swap: 1023996 0 1023996
-- View the current amount of memory allocated to the tomcat process by typing one of the following commands:
ps | grep " -client" | egrep -o Xmx'[0-9]{1,5}m'
The command output appears similar to the following example:
Xmx260m
Xmx260m
-- View the current value of the provision.tomcat.extramb database variable by typing the following command
tmsh list /sys db provision.tomcat.extramb
-- Set the provision.tomcat.extramb database variable to the desired amount of additional memory to be allocated using the following command syntax:
modify /sys db provision.tomcat.extramb value <MB>
-- If the device is part of a high availability (HA) configuration, the provision.tomcat.extramb database value should be synchronized to the peer devices from the command line. To run the ConfigSync process, use the following command syntax:
tmsh run /cm config-sync <sync_direction> <sync_group>
For example, the following command pushes the local device's configuration to remote devices in the Syncfailover device group:
tmsh run /cm config-sync to-group Syncfailover
-- Restart the tomcat process by typing the following command:
restart /sys service tomcat
936777-1 : Old local config is synced to other devices in the sync group.
Links to More Info: BT936777
Component: Global Traffic Manager (DNS)
Symptoms:
Newly added DNS/GTM device may sync old local config to other devices in the sync group.
Conditions:
Newly added DNS/GTM device has a more recent change than other devices in the sync group.
Impact:
Config on other DNS/GTM devices in the sync group are lost.
Workaround:
You can use either of the following workarounds:
-- Make a small DNS/GTM configuration change before adding new devices to the sync group.
-- Make a small DNS/GTM configuration change on the newly added device to re-sync the correct config to other DNS/GTM devices.
936361-2 : IPv6-based bind (named) views do not work
Links to More Info: BT936361
Component: Global Traffic Manager (DNS)
Symptoms:
Bind does not match IPv6 addresses configured for a zone view, and returns REFUSED responses, rather than the
expected answers.
After enabling debug logging in bind (see K14680), the apparent source address of the IPv6 DNS requests shows as being in the fe80::/96 range, rather than the IPv6 source address that sent the request.
For example:
debug 1: client @0x579bf188 fe80::201:23ff:fe45:6701%10#4299: no matching view in class 'IN'
Conditions:
- BIG-IP DNS is provsioned
- One or more ZoneRunner views is defined using IPv6 addresses.
- A DNS query is sent from an IPv6 source address
Impact:
You cannot use DNS views in bind (zonerunner) based on IPv6 addresses.
Workaround:
If possible, use only IPv4 addresses to define views for DNS queries
936061-3 : Variable session.user.agent missing for Edge Client & F5 Access clients
Links to More Info: BT936061
Component: Access Policy Manager
Symptoms:
When connecting with Edge Client & F5 Access clients the BIG-IP APM session variable session.user.agent is missing from APM sessions.
Conditions:
BIG-IP APM
Edge Client & F5 Access clients
Impact:
Session variable session.user.agent cannot be used for BIG-IP APM Access Policy logic flows
Workaround:
An iRule can be used to generate a like session variable. For example:
# This event fires once per session
when ACCESS_SESSION_STARTED {
log local0. "Setting User-Agent based on HTTP data - [HTTP::header User-Agent]"
ACCESS::session data set session.custom.client.useragent [HTTP::header User-Agent]
#Use this variable in the VPE to make some decision
}
935769-5 : Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time★
Links to More Info: BT935769
Component: Advanced Firewall Manager
Symptoms:
Version upgrade takes more time than usual when the config contains address-lists with a lot of IP addresses. The same delay will be observed with 'tmsh load sys config' as well.
Conditions:
-- Configure address-list with 10K to 20K IP addresses or address ranges or subnets.
-- Configuration loading (e.g. Post upgrade, running tmsh load sys config, modification of the configuration and subsequent full load as in full config sync)
Impact:
Version upgrade / 'tmsh load sys config' process takes a long time than usual.
Workaround:
1) Convert continuous individual addresses in the address-lists to IP address ranges and subnets if possible.
2) Remove the huge address-lists from config before the upgrade and add back after the upgrade process is finished.
3) Upgrading to a release or EHF that contains the fix for 1209409. 1209409 does not eliminate the issue but it does reduce the time it takes to validate certain address lists.
935485-4 : BWC: flows might stall when using dynamic BWC policy
Links to More Info: BT935485
Component: TMOS
Symptoms:
When multiple flows are passing through the single instance of BWC policy, one or more flows might stall for a few seconds or more. The fairness among the flows is also affected.
Conditions:
-- BWC dynamic policy is enabled.
-- Multiple flows are passing through a single instance of the BWC dynamic policy.
Impact:
Some of the flows may stall.
Workaround:
None.
934825-2 : Restarting MCPD via command line may not restart the aced process
Links to More Info: BT934825
Component: Access Policy Manager
Symptoms:
Configurations with secure ID authentication may face issues after restarting MCPD using the command line (bigstart restart mcpd).
Conditions:
Executing the "bigstart restart mcpd" from command line does not always restart the aced process.
Impact:
Configurations with secure ID authentication may face issues after restarting MCPD and may not restart the aced process.
Workaround:
"bigstart restart mcpd" is not the recommended way to restart MCPD. Please restart the BIG-IP system to reflect any changes you have made.
934133-3 : Unable to Create/delete ltm virtual server via CLI transaction when destination is not specified on the ltm virtual object
Links to More Info: BT934133
Component: TMOS
Symptoms:
A CLI transaction fails with an error:
transaction failed: 0107028f:3: The destination (::) address and mask (255.255.255.255) for virtual server (/Common/foo) must be be the same type (IPv4 or IPv6).
Conditions:
-- A CLI transaction is used to create or delete a virtual server
-- When destination is not specified.
-- The virtual server references a traffic matching criteria
Impact:
The transaction fails with error and the virtual server is not created/deleted.
Workaround:
None
933777-5 : Context use and syntax changes clarification
Links to More Info: BT933777
Component: Application Visibility and Reporting
Symptoms:
There are two context and syntax-related issues:
-- In v14.x, the context for tmsh analytics commands related to server side connections changed. For example, 'total-server-side-conns' became a simple 'server-side-conns'.
-- In v13.x and 14.x, the calculation method for 'max-tps' changed from cumulative to commutative.
Conditions:
This occurs in either of the following scenarios:
-- Using tmsh analytics commands related to max-tps in v13.x or later.
-- Using tmsh analytics commands related to server side connections in BIG-IP v14.x and later.
Impact:
Stats names do not reflect their actual values. The 'max-tps' value is no longer valid for client IP context. These changes might have varied impacts, depending on your configuration.
Workaround:
None
933597-5 : Mandatory arguments missing in tmsh security protocol-inspection profile help
Links to More Info: BT933597
Component: TMOS
Symptoms:
Missing mandatory arguments for tmsh security protocol-inspection profile command list.
Conditions:
Profile - Configures the protocol inspection profiles
Module - security protocol-inspection profile
Impact:
Tmsh does not specify the mandatory arguments, which makes it difficult to write any script or automate the tmsh command around this security profile.
Workaround:
Specify the following arguments for this profile:
-- Ports
932553-6 : An HTTP request is not served when a remote logging server is down
Links to More Info: BT932553
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide an option to sanitize HTTP traffic via the http_security profile. When the profile is configured to alarm on a violation, it is possible that a connection to the violating client is reset if a remote logging server is marked down.
Conditions:
-- A BIG-IP system has an HTTP profile and and an http_security profile with the alarm option set.
-- A remote logging server is configured via a BIG-IP pool.
-- The pool has a monitor that marks all the pool members down.
-- A request with an HTTP violation is processed and triggers an alarm configured in the http_security profile.
Impact:
-- A TCP connection to a client is reset by the BIG-IP system.
-- The web page may not render, or may not render as expected.
-- Data are not delivered to a server with a POST request.
Workaround:
None.
932461-5 : Certificate update on the SSL profile server for the HTTPS monitor: BIG-IP does not use the updated certificate.
Links to More Info: BT932461
Component: Local Traffic Manager
Symptoms:
When you overwrite the certificate that is configured on the SSL profile server and is used with the HTTPS monitor, the BIG-IP system neither uses a client certificate nor continues to use the old certificate.
After you update the certificate, the stored certificate is incremented. However, the monitor log indicates that it is using the old certificate.
Conditions:
--Create a pool with an HTTPS pool member.
--Create an HTTPS monitor with a certificate and key.
--Assign the HTTPS monitor to the HTTPS pool.
--Update the certificate through GUI or TMSH.
Impact:
The monitor tries to use the old certificate or does not present a client certificate after the update.
Workaround:
Use one of the following workarounds:
-- Restart bigd:
bigstart restart bigd
-- Modify the server SSL profile certificate key. Set it to ‘none’, and switch back to the original certificate key name.
The bigd utility successfully loads the new certificate file.
932193-1 : Improper handling of multiple cookie headers results in security bypass
Links to More Info: BT932193
Component: Application Security Manager
Symptoms:
Improper handling of multiple cookies results in security bypass when certain server technologies are used. The multiple cookie headers are handled separately in ASM, but the backend server concatenates it and can lead to potential signature attacks.
Conditions:
When PHP server technology is used as backend and a specially crafted request is sent with multiple cookies header.
Impact:
Bypass of negative security enforcement and can affect certain server technologies
932189-1 : Incorrect BD Swap Size units on ASM Resources chart
Links to More Info: BT932189
Component: Application Visibility and Reporting
Symptoms:
The 'BD Swap Size' reported on the 'Security :: Reporting : ASM Resources : Memory Utilization' page is much too high and incorrect.
Conditions:
ASM provisioned.
Impact:
Graphically reported BD swap memory usage is incorrect.
Workaround:
None.
931797-3 : LTM virtual address netmask does not persist after a reboot
Links to More Info: BT931797
Component: TMOS
Symptoms:
The virtual address netmask is missing after the system reboots.
Conditions:
When referencing an "ltm traffic-matching-criteria" object from the virtual server.
Impact:
Netmask address is set to 'any' after the system reboots.
Workaround:
None
931629-5 : External trunk fdb entries might end up with internal MAC addresses.
Links to More Info: BT931629
Component: TMOS
Symptoms:
The vCMP host might have external trunk with internal MAC addresses. This is visible via 'tmsh show net fdb'.
Conditions:
-- vCMP is provisioned and has guests deployed on it.
-- vCMP host uses trunks.
-- Create VLANs using trunks and assign it to guests.
-- Guests need to be in high availability (HA) configuration.
Impact:
Traffic processing is disrupted.
Workaround:
None.
931149-3 : Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings
Links to More Info: BT931149
Component: Global Traffic Manager (DNS)
Symptoms:
RESOLV::lookup returns an empty string.
Conditions:
The name being looked up falls into one of these categories:
-- Forward DNS lookups in these zones:
- localhost
- onion
- test
- invalid
-- Reverse DNS lookups for:
- 127.0.0.0/8
- ::1
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 0.0.0.0/8
- 169.254.0.0/16
- 192.0.2.0/24
- 198.51.100.0/24
- 203.0.113.0/24
- 255.255.255.255/32
- 100.64.0.0/10
- fd00::/8
- fe80::/10
- 2001:db8::/32
- ::/64
Impact:
RESOLV::lookup fails.
Workaround:
Use a DNS Resolver ('net dns') and RESOLVER::name_lookup / DNSMSG:: instead of RESOLV::lookup:
1. Configure a local 'net dns' resolver, replacing '192.88.99.1' with the IP address of your DNS resolver:
tmsh create net dns-resolver resolver-for-irules answer-default-zones no forward-zones add { . { nameservers add { 192.0.2.1:53 } } }
2. Use an iRule procedure similar to this to perform PTR lookups for IPv4 addresses:
proc resolv_ptr_v4 { addr_v4 } {
# Convert $addr_v4 into its constituent bytes
set ret [scan $addr_v4 {%d.%d.%d.%d} a b c d]
if { $ret != 4 } {
return
}
# Perform a PTR lookup on the IP address $addr_v4, and return the first answer
set ret [RESOLVER::name_lookup "/Common/resolver-for-irules" "$d.$c.$b.$a.in-addr.arpa" PTR]
set ret [lindex [DNSMSG::section $ret answer] 0]
if { $ret eq "" } {
# log local0.warn "DNS PTR lookup for $addr_v4 failed."
return
}
# Last element in '1.1.1.10.in-addr.arpa. 600 IN PTR otters.example.com'
return [lindex $ret end]
}
-- In an iRule, instead of:
RESOLV::lookup @192.0.2.1 $ipv4_addr
Use:
call resolv_ptr_v4 $ipv4_addr
930625-1 : TMM crash is seen due to double free in SAML flow
Links to More Info: BT930625
Component: Access Policy Manager
Symptoms:
When this issue occurs the TMM will crash
Conditions:
Exact reproduction steps are not known but it occurs during SAML transactions
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
930217-1 : Zone colors in ASM swap usage graph are incorrect
Links to More Info: BT930217
Component: Application Visibility and Reporting
Symptoms:
In GUI ASM memory utilization chart, 'BD swap size, Total swap size' graph show inconsistent background colors. It looks like these colors are assigned with an assumption that swap usage is shown as percentage but it is shown as absolute value.
Conditions:
-- ASM is provisioned.
-- Viewing ASM memory utilization chart/
Impact:
Potential confusion viewing colors in ASM memory utilization chart.
Workaround:
None. This is a cosmetic issue only.
929173-3 : Watchdog reset due to CPU stall detected by rcu_sched
Links to More Info: BT929173
Component: TMOS
Symptoms:
Rcu_sched detected CPU stall, which can cause vCMP host reboot. The device reboots without core and records "Host Watchdog timeout."
Typically there will logs in kern.log similar to:
err kernel: : [526684.876928] INFO: rcu_sched detected stalls on CPUs/tasks: ...
Conditions:
Host undergoing a watchdog reset in a vCMP environment.
Impact:
CPU RCU stalls and host watchdog reboots
929133-6 : TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'
Links to More Info: BT929133
Component: TMOS
Symptoms:
VLANs with a name that that start with "eth" will cause tmm to fail and restart.
Conditions:
Vlan name that starts with "eth"
Impact:
Since tmm fails to start, the BIG-IP cannot serve traffic.
Workaround:
Rename all vlans that start with "eth"
928665-4 : Kernel nf_conntrack table might get full with large configurations.
Links to More Info: BT928665
Component: TMOS
Symptoms:
Linux host connections are unreliable, and you see warning messages in /var/log/kern.log:
warning kernel: : [182365.380925] nf_conntrack: table full, dropping packet.
Conditions:
This can occur during normal operation for configurations with a large number of monitors, for example, 15,000 or more active entries.
Impact:
Monitors are unstable/not working at all.
Workaround:
1. Modify /etc/modprobe.d/f5-platform-el7-conntrack-default.conf
increasing the hashsize value:
options nf_conntrack hashsize=262144
2. Save the file.
3. Reboot the system.
928445-5 : HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2
Links to More Info: BT928445
Component: Local Traffic Manager
Symptoms:
HTTPS monitor state is down when server_ssl profile cipher string has the value 'TLSv1_2'.
-- configured cipherstring TLSv1_2/TLSv1_1 is rejected by OpenSSL.
Conditions:
-- Pool member is attached with HTTPS monitor.
-- Monitor is configured with an SSL profile.
-- The configured server_ssl profile has cipher string as DEFAULT:!TLSv1_2.
Impact:
Pool status is down.
Workaround:
-- Enable 'in-tmm' monitoring.
-- Use SSL options available in the server SSL profile to disable TLSv1_2 or TLSv1_1 instead of cipher string.
-- Use the same cipher string with cipher group / cipher rule that is attached to the SSL profile.
928389-6 : GUI becomes inaccessible after importing certificate under import type 'certificate'
Links to More Info: BT928389
Component: TMOS
Symptoms:
After importing a new certificate, httpd goes down and the GUI becomes inaccessible.
Conditions:
Upload new certificate using Import-type 'Certificate' option.
Impact:
The GUI is inaccessible as soon as you import a new device certificate using import-type 'Certificate'.
Workaround:
Manually copy the matching key to /config/httpd/conf/ssl.key/server.key and restart apache (bigstart restart httpd)
If you do not have the matching key, generate a new key/cert pair from the command line by following K9114
928353-4 : Error logged installing Engineering Hotfix: Argument isn't numeric★
Links to More Info: BT928353
Component: TMOS
Symptoms:
When installing an Engineering Hotfix, the following error may be logged in /var/log/liveinstall.log:
Argument "" isn't numeric in numeric eq (==) at /var/tmp/install/pkgcpio/usr/local/lib/tm_install/Hotfix.pm line 651.
Conditions:
This error may occur when installing an Engineering Hotfix, if the Engineering Hotfix does not include an update to the nash-initrd component.
Impact:
The error message gives a mistaken impression that the Engineering Hotfix did not install successfully. However, it does install correctly, and the system operates without issue. You can safely ignore this message.
Workaround:
None.
927589-1 : ILX::call command response get truncated
Links to More Info: BT927589
Component: Local Traffic Manager
Symptoms:
If a response to an ILX::call command is larger than 64 KB, data is truncated.
Conditions:
-- iRule script including an ILX::call command in use.
-- Return response is greater than 64 KB.
Impact:
iRule fails and the connection aborts.
Workaround:
None.
927441-5 : Guest user not able to see virtual server details when ASM policy attached
Links to More Info: BT927441
Component: TMOS
Symptoms:
When ASM is attached to a Virtual Server, a BIG-IP user account configured with the Guest role cannot see virtual server details. An error message is printed instead:
01070823:3: Read Access Denied: user (guestuser) type (GTM virtual score).
Conditions:
-- ASM Policy attached to virtual server.
-- Logging onto the BIG-IP system using an account configured with the guest user role.
-- Running the command:
tmsh show ltm virtual detail
Impact:
Cannot view virtual server details.
Workaround:
None.
927025-1 : Sod restarts continuously
Links to More Info: BT927025
Component: TMOS
Symptoms:
After upgrading to v14.1.2.6, sod keeps restarting and dumping core.
Conditions:
This occurs when /dev/shm/chmand is missing and the system restarts chmand and sod upon reload.
Note: It is unknown how this condition might occur.
Impact:
Unstable sod process can affect failover functionality in BIG-IP systems.
Note: This happens only the first time after upgrade. To recover, you must power down the system for a full reboot.
Workaround:
Run the following command:
restorecon /dev/shm/chmand
926549-3 : AFM rule loops when 'Send to Virtual' is used with Virtual Server iRule 'LB::reselect'
Links to More Info: BT926549
Component: Advanced Firewall Manager
Symptoms:
With some configurations, executing a command such as 'tmsh show security firewall global-rules active' loops continuously, causing stat counters to rise, and possibly log messages to be written to /var/log/ltm.
Conditions:
-- AFM is routing traffic to a Virtual Server through the 'Send to Virtual' option.
-- The target Virtual Server uses the 'LB_FAILED' iRule to select a new Virtual Server through virtual command and 'LB::reselect'.
Impact:
The iRule loops continuously, causing stat counters to rise, and possibly logging messages in /var/log/ltm.
Workaround:
This configuration should be avoided, but if it is used, and if this does happen, you can restart tmm:
bigstart restart tmm
This stops the current looping, until it is triggered again.
Impact of workaround: Traffic disrupted while tmm restarts.
926425-4 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
Links to More Info: BT926425
Component: Advanced Firewall Manager
Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection continue to be unsupported until hardware SYN cookies are disabled.
Conditions:
SYN Cookie activated on Neuron-capable platforms:
+ VIPRION B4450N blade
+ BIG-IP iSeries devices (ix800) except the i850, ix2800, and ix4800:
-- BIG-IP i5800 Series
-- BIG-IP i7800 Series
-- BIG-IP i11800 Series
-- BIG-IP i15800 Series
Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.
Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options are not taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.
Workaround:
You can use any of the following to clear the HSB issue:
-- Restart neurond.
-- Restart TMM,
-- Reboot the device.
926417-3 : AFM not using the proper FQDN address information
Links to More Info: BT926417
Component: Advanced Firewall Manager
Symptoms:
Duplicate resolved entries in FQDN address-lists may cause FQDN to use incorrect address information until the next FQDN reload.
Conditions:
Any two FQDN address-lists having entries which DNS resolves to the same IP address present in the configuration, at any point since the last TMM restart/FQDN load.
Impact:
Even after one of the duplicate entries is removed, AFM does not use proper FQDN address information.
Workaround:
Remove the problematic rule and recreate the same rule again
or Remove one of the duplicate addresses, and run "tmsh load security firewall fqdn-entity all" command,
or restart TMM.
926085-2 : In WebUI node or port monitor test is not possible, but it works in TMSH
Links to More Info: BT926085
Component: Local Traffic Manager
Symptoms:
When attempting to test a newly created Pool Member monitor, node address field is disabled, you cannot enter a node address. This prevents from using the Test operation to test this type of monitor in the WebUI.
Conditions:
-- Create a new Pool Member monitor (not a Node Address monitor). For example, HTTP, HTTPS, FTP, TCP, or Gateway ICMP.
-- With the monitor configuration displayed in the WebUI, click the Test tab.
-- View the Address field, and try to run the test.
Impact:
The Address field is disabled, with *.* in the field. You cannot enter a node address. The test fails with following message:
invalid monitor destination of *.*:80.
invalid monitor destination of *.*:443. (:port used to test)
Workaround:
Run either of the following TMSH commands:
-- tmsh run ltm monitor <type> <name> destination <IP address>:<port>
-- tmsh modify ltm monitor <type> <name> destination *:*
For example, for HTTP:
-- tmsh run ltm monitor http my_http destination <IP address>:<port>
-- tmsh modify ltm monitor http my_http destination *:*
For example, for HTTPS:
-- tmsh run ltm monitor https my_https destination <IP address>:<port>
-- tmsh modify ltm monitor https my_https destination *:*
924589-3 : PEM ephemeral listeners with source-address-translation may not count subscriber data
Links to More Info: BT924589
Component: Policy Enforcement Manager
Symptoms:
When a PEM profile is associated with a protocol that can create dynamic server-side listeners (such as FTP), and source-address-translation is also enabled on the virtual server, traffic on that flow (for example ftp-data) is not associated with the subscriber, and is therefore not counted or categorized.
Conditions:
-- Listener configured with PEM and FTP profiles
-- Some form of source address translation is enabled on the listener (for example, SNAT, Automap, SNAT Pool)
Impact:
Inaccurate subscriber traffic reporting and classification.
Workaround:
None.
924297-4 : Ltm policy MCP objects are not being synced over to the peer device
Links to More Info: BT924297
Component: TMOS
Symptoms:
An LTM policy does not sync to the peer device, but the devices report "In Sync".
Conditions:
-- Sync/failover device group with full load on sync disabled
-- A draft policy is attached to a parent policy's rule actions and published.
-- A config sync occurs (manually or automatically)
Impact:
The LTM policy does not sync to the peer device.
Workaround:
Perform a full config sync:
tmsh run cm config-sync force-full-load-push to-group <device group name>
922641-6 : Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flow
Links to More Info: BT922641
Component: Local Traffic Manager
Symptoms:
iRule commands issued after a clientside or serverside command operate on the wrong peer flow.
Conditions:
An iRule contains a script that parks in a clientside or serverside command.
Examples of parking commands include 'table' and 'persist'.
Impact:
The iRule commands operate on the wrong peer flow.
Workaround:
Avoid using commands that park inside the clientside or serverside command.
922613-6 : Tunnels using autolasthop might drop traffic with ICMP route unreachable
Links to More Info: BT922613
Component: TMOS
Symptoms:
Traffic that should be encapsulated and sent via tunnel might get dropped with an ICMP error, destination unreachable, unreachable route. This happens in a scenario where no route exists towards the remote tunnel endpoint and the BIG-IP system relies on autolasthop to send the encapsulated traffic back to the other end of the tunnel.
Conditions:
No route exists to the other end of the tunnel.
Impact:
Traffic dropped with ICMP error, destination unreachable, unreachable route.
Workaround:
Create a route towards the other remote end of the tunnel.
922153-5 : Tcpdump is failing on tmm 0.x interfaces
Links to More Info: BT922153
Component: TMOS
Symptoms:
The tcpdump command exits immediately with an error:
errbuf ERROR:TMM side closing: Aborted
tcpdump: pcap_loop: TMM side closing: Aborted
Conditions:
Capturing the packets on tmm interfaces.
Impact:
Unable to capture the packets on specific tmm interfaces.
Workaround:
There are two possible workarounds:
-- Start tcpdump on the tmm that actually owns the interface using the TCPDUMP_ADDR command; for example, using blade1 for 1/0.16, run the command:
TCPDUMP_ADDR=127.1.1.16 tcpdump -w testcap.pcap -s 0 -i 1/0.16
-- Send the TCPDUMP_ADDR command to a specific tmm, which could work from any blade (127.20.<slot>.<tmmnumber+1> (e.g. 127.20.1.1 == slot1/tmm0, 127.20.2.16 == slot2/tmm15):
TCPDUMP_ADDR=127.20.1.16 tcpdump -w testcap.pcap -s 0 -i 1/0.16
922053-1 : inaccurate number of trunk members reported by bcm56xxd/bcmLINK
Links to More Info: BT922053
Component: TMOS
Symptoms:
The "bcmLINK" process (sometimes referred to as "bcm56xxd") may fail with a segmentation fault and be restarted, leaving behind a core-dump file for "bcmLINK".
An error message may be logged about the condition "max_mbrs > 0".
Conditions:
-- occurs in multi-blade VIPRION system with trunked interfaces
-- precise trigger is not known
Impact:
Momentary disruption of traffic handling by TMM.
Workaround:
None known.
921993-1 : LTM policy with a 'contains' operator does not work as expected when using an external data group.
Links to More Info: BT921993
Component: Local Traffic Manager
Symptoms:
If a combination of other operators and the 'contains' operator are used in LTM Policy, searches might fail if the hashing-based operators have not populated the target entries.
Conditions:
-- LTM policy with 'contains' operator.
-- Use of external datagroups.
Impact:
LTM policy might not work as expected with external data groups.
Workaround:
Use either of the following workarounds:
-- If applicable, change the 'contains' operator to 'starts_with' in the policy.
-- Change the policy into an iRule (executing '[class get <datagroup]' )
921069-3 : Neurond cores while adding or deleting rules
Links to More Info: BT921069
Component: TMOS
Symptoms:
Neurond cores if it receives error while adding or deleting rules in neuron hardware.
Conditions:
Adding or deleting rules in neuron hardware
Impact:
Neurond cores
Workaround:
None
920817-7 : Wide IP operations performed in quick succession result in missing resource records and out of sync journals.
Links to More Info: BT920817
Component: Global Traffic Manager (DNS)
Symptoms:
Two issues occur with Wide IP operations performed in quick succession:
1. DNS Zone syncing is missing resource records.
2. In some cases it throws named/zrd error: journal rollforward failed: journal out of sync with zone.
Conditions:
This issue can occur when a large number of configuration changes, including Wide IP changes, are made simultaneously on multiple GTM/DNS devices in a sync group.
Impact:
DNS resource records can be missing from the BIND DNS database.
The impact of this issue is that if GSLB Load Balancing falls back to BIND, the DNS resource records may not be present.
Manually remove the .jnl files in order to restore named/zrd on all GTMs.
Workaround:
Restrict configuration (Wide IP) changes to one GTM/DNS device in a device group.
Note: It is also possible to turn off zone syncing. GTM/DNS configuration is still synced, but you lose the ability to sync non-Wide IP changes to the BIND DB.
If you do not use ZoneRunner to add additional non-Wide IP records, this is only a problem when GSLB resorts fallback to BIND.
This can be mitigated with DNSX and DNS (off device) for non Wide IP Resource Records.
Manually remove the .jnl files in order to restore named/zrd on all GTMs.
919917-5 : File permission errors during bot-signature installation
Links to More Info: BT919917
Component: Application Security Manager
Symptoms:
When you install Bot-Sig IM file through LU, /var/log/ltm shows file permission errors.
Cannot open lock file (/var/run/config_lock), permission denied.
Cannot open command history file (/root/.tmsh-history-root), Permission denied : framework/CmdHistoryFile.cpp, line 92.
Conditions:
Installing bot-signature.
Impact:
If MCPD restart or box reboot immediately after bot-signature installation without following other configuration change, then the bot-signature installation is reverted.
Workaround:
Any configuration change in LTM that follows the bot-signature installation prevents it from being reverted.
918693-5 : Wide IP alias validation error during sync or config load
Links to More Info: BT918693
Component: Global Traffic Manager (DNS)
Symptoms:
DB validation exception occurs during GTM config sync or config load:
01070734:3: Configuration error: DB validation exception, unique constraint violation on table (gtm_wideip_alias) object ID (1 /Common/alias.test.com www.test.com). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:gtm_wideip_alias status:13)
Unexpected Error: Loading configuration process failed.
Conditions:
-- A wideip alias is moved from one wideip to another
-- GTM sync occurs, or a gtm config is loaded manually.
This issue can occur any time a GTM config is loaded or synchronised where the new configuration has a wideip with an alias, which is already configured on a different wideip in the existing in-memory GTM configuration.
Impact:
You are unable to load config or full sync from peer GNS/GTM.
Workaround:
Follow this procedure:
1. Delete the wide IP alias on the destination device.
2. Try the sync or load config operation again.
917637-5 : Tmm crash with ICAP filter
Links to More Info: BT917637
Component: Service Provider
Symptoms:
Tmm crashes while passing traffic.
Conditions:
-- Per-request policies configured.
-- ICAP is configured.
This is rare condition that occurs intermittently.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
915493-6 : imish command hangs when ospfd is enabled
Links to More Info: BT915493
Component: TMOS
Symptoms:
Running the imish command hangs when ospfd is enabled.
Conditions:
-- Dynamic routing enabled.
-- The ospfd protocol is enabled.
-- Running the imish command.
Impact:
The imish operation hangs.
Workaround:
Restart the ospfd daemon.
915473-4 : Accessing Dashboard page with AVR provisioned causes continuous audit logs
Links to More Info: BT915473
Component: TMOS
Symptoms:
Navigating to Statistics :: Dashboard in the GUI with AVR or APM provisioned causes continuous audit logging and restjavad logs.
Conditions:
-- AVR provisioned
-- An administrator navigates to Statistics :: Dashboard.
Impact:
The continuous extra logs might lead to confusion and may not be helpful.
Workaround:
None.
915141-5 : Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'
Links to More Info: BT915141
Component: TMOS
Symptoms:
Availability status of virtual server can be left 'available' even if the corresponding pool's availability becomes 'unknown'.
Conditions:
- Pool member is configured as an FQDN node.
- You set monitor to 'none' with the pool.
Impact:
Inconsistent availability status of pool and virtual server.
Workaround:
Set the FQDN node to 'force offline', and then 'enable'. This triggers virtual server's status updates and syncs to pool.
913917-1 : Unable to save UCS
Links to More Info: BT913917
Component: Global Traffic Manager (DNS)
Symptoms:
You are unable to create a backup UCS.
You see a warning in /var/log/restjavad.0.log:
[WARNING][8100/tm/shared/sys/backup/306b4630-aa74-4a3d-af70-0d49bdd1d89e/worker UcsBackupTaskWorker] Failure with backup process 306b4630-aa74-4a3d-af70-0d49bdd1d89e.
This is followed by a list of some files in /var/named/config/namedb/.
Conditions:
Named has some Slave zones configured and is going through frequent zone transfer.
Impact:
You are unable to create a UCS file.
Workaround:
Stop named zone transfer while doing UCS backup.
913713-3 : Rebooting a blade causes MCPd to core as it rejoins the cluster
Links to More Info: BT913713
Component: TMOS
Symptoms:
Tmm and mcpd cores for slot2
Conditions:
On the standby chassis, reboot the primary blade and wait for it to rejoin the cluster. Once it does, mcpd will core.
Impact:
Traffic disrupted while tmm and mcpd mcpd restarts.
Workaround:
N/A
913013-1 : Racoon daemon may crash once at startup
Links to More Info: BT913013
Component: TMOS
Symptoms:
When the IKEv1 racoon daemon starts, it may immediately exit with a core file.
Conditions:
One of the following events may lead to the restart:
-- BIG-IP systems start or restart as a standalone device.
-- BIG-IP becomes the Active member of High Availability (HA) setup.
Impact:
Racoon restarts. Because this restart happens when racoon is trying to start, no IPsec IKEv1 tunnels are affected because they are down anyway.
Workaround:
None
912293-5 : Persistence might not work properly on virtual servers that utilize address lists
Links to More Info: BT912293
Component: Local Traffic Manager
Symptoms:
-- Connections to the virtual server might hang.
-- Increased tmm CPU utilization.
Conditions:
-- A virtual server is configured with a traffic-matching-criteria that utilizes a source-address-list and/or destination-address-list.
-- The virtual server utilizes certain persistence one of the following persistence types:
+ Source Address (but not hash-algorithm carp)
+ Destination Address (but not hash-algorithm carp)
+ Universal
+ Cookie (only cookie hash)
+ Host
+ SSL session
+ SIP
+ Hash (but not hash-algorithm carp)
Impact:
-- High tmm CPU utilization.
-- Stalled connections.
Workaround:
Enable match-across-virtuals in the persistence profile.
Note: Enabling match-across-virtuals might might affect the behavior of other virtual servers in the configuration that utilize persistence.
911497-1 : Unbound's backoff algorithm interacts badly with net resolver iRules
Links to More Info: BT911497
Component: Global Traffic Manager (DNS)
Symptoms:
Using RESOLVER::name_lookup in an iRule against a net resolver forward zone name server that happens to be down can result in the iRule pausing for up to a few minutes.
Conditions:
Nameserver configures as fwd-zone in net resolver should be down.
Impact:
The connection to the virtual server is paused for a significant amount of time.
Workaround:
Use a pool of dns-servers, and configure the pool to monitor the backend dns servers and load balance to healthy pool members.
911241-8 : The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug
Links to More Info: BT911241
Component: Global Traffic Manager (DNS)
Symptoms:
The iqsyncer utility leaks memory.
Conditions:
-- There is a large bigip_gtm.conf.
-- The log.gtm.level is set to debug.
Impact:
The iqsyncer utility exhausts memory and is killed.
Workaround:
Do not set log.gtm.level equal to or higher than debug.
910777-1 : Sending ASM report via AWS SES failed duo to wrong content type
Links to More Info: BT910777
Component: Application Visibility and Reporting
Symptoms:
When you attempt to send an ASM report via AWS SES, the message bounces with the following message:
Could not send e-mails: SMTP Error: data not accepted.; Transaction failed: Expected MIME type, got ;; Error code: 554.
This occurs because the BIG-IP system is sending out the report message with an empty Content-Type in the multipart MIME, which the AWS mail host cannot process.
Conditions:
This is encountered in the following scenario:
1. Set up SMTP and ASM schedule report.
2. Click Send Now, and get the error message in GUI.
3. SSH into the BIG-IP system.
4. Add this line under the following snippet:
[admin@bigip:Active:Standalone] ~ # chmod 644 /var/ts/dms/script/avrexport/avrmail.php
[admin@bigip:Active:Standalone] ~ # vi /var/ts/dms/script/avrexport/avrmail.php
if (!$mail_subject) $mail_subject = "BIG-IP Analytics Report";
if (!$mail_body) $mail_body = "Attached to this e-mail is a BIG-IP Analytics Report issued at $mail_time\n\n";
if (!$mail_from) $mail_from = 'BIG-IP Reporter';
if (!$mail_content_type) $mail_content_type = 'text/html'; <<<< Add this line for add text/html into content type.
[admin@bigip:Active:Standalone] ~ # chmod 444 /var/ts/dms/script/avrexport/avrmail.php
5. Click Send Now again and it works.
Note: To use AWS SES, you must verify your email address first (as a Sender). You can search SES in AWS and verify your email in Email Addresses. AWS sends an email. Click the embedded link after receipt, and then you can use it as the Sender address on the BIG-IP system.
Impact:
Cannot receive ASM reports.
908829-2 : The iqsyncer utility may not write the core file for system signals
Links to More Info: BT908829
Component: Global Traffic Manager (DNS)
Symptoms:
In certain instances, the iqsyncer utility may not write the core file for system signals.
Conditions:
-- SELinux policies enabled.
-- Run the iqsyncer utilities to initiate a core dump with system signals SIGABRT, SIGQUIT, and SIGSEGV.
Impact:
The iqsyncer utility does not write core file.
Workaround:
Disable SELinux with 'setenforce 0'.
You can now generate a core with a SIGQUIT (-3), but not with SIGABRT or SIGSEGV.
908801-2 : SELinux policies may prevent from iqsh/iqsyncer dumping core
Links to More Info: BT908801
Component: Global Traffic Manager (DNS)
Symptoms:
SELinux policies may prevent the iqsh/iqsyncer utilities from dumping core information.
Conditions:
-- SELinux policies enabled.
-- Run the iqsh/iqsyncer utilities to initiate a core dump.
Impact:
The operation does not result in dumping the core information.
Workaround:
Disable SELinux with 'setenforce 0'.
908753-5 : Password memory not effective even when password policy is configured
Links to More Info: BT908753
Component: TMOS
Symptoms:
The BIG-IP system does not prevent you from specifying previously used passwords, even if Secure Password Enforcement is enabled with password memory set to a non-zero value.
Conditions:
-- Password memory in auth settings is not 0 (zero).
-- Attempt to specify a previously specified password
Impact:
Password history to prevent user from using same password is not enforced.
Workaround:
None.
908453-5 : Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly
Links to More Info: BT908453
Component: TMOS
Symptoms:
When a trunk is configured with a name longer than 32 characters on a vCMP host, guests update the working-mbr-count for the trunk incorrectly when another trunk on the host changes. This might result in vCMP guests failing over unexpectedly.
Conditions:
-- Trunk configured with a name longer than 32 characters on vCMP host.
-- Trunk made available to guests for high availability (HA) Group scoring.
-- At least one other trunk configured on vCMP host.
-- Interface state changes in any other trunk.
Impact:
The vCMP guests may fail over unexpectedly.
Workaround:
Do not use trunk names longer than 32 characters.
908005-5 : Limit on log framework configuration size
Links to More Info: BT908005
Component: TMOS
Symptoms:
While the system config is loading, numerous error messages can be seen:
-- err errdefsd[26475]: 01940010:3: errdefs: failed to add splunk destination.
-- err errdefsd[585]: 01940015:3: errdefs: failure publishing errdefs configuration.
Conditions:
This can occur during a log-config update/load that has numerous log-config objects configured.
Impact:
The system does not log as expected.
Workaround:
None. An Engineering Hotfix is available and can be requested through F5 Support.
908001-2 : vCMP guest CPU usage may increase 4-5% after upgrade of vCMP host to v16.1.x★
Links to More Info: BT908001
Component: Performance
Symptoms:
All vCMP guest configurations might see a 4-5% increase in CPU usage while running on VIPRION and iSeries platforms with the vCMP host upgraded to v16.1.x
Conditions:
-- All configurations (guest software version is not relevant)
-- Running vCMP on VIPRION and iSeries platforms
-- 'Host' upgraded to v16.1.x
Impact:
Increase of CPU usage of about 4-5% on the vCMP guest. This is not expected to cause noticeable performance impacts unless the vCMP guest CPU is already close to 100% use, when it is possible there may be up to a 15% TPS decrease.
If you are running vCMP on VIPRION and iSeries platforms, first evaluate your scenarios and capacity plan if you plan to upgrade the 'host' to 16.1.x.
Note: There is no CPU usage increase when v16.1.x 'guest' instances are run on an earlier 'host' version.
Guidance: In determining whether to upgrade the vCMP host to v16.1.x, carefully evaluate the performance and sizing requirements of your specific configuration.
Workaround:
None
907177-5 : Priority of embedded APM iRules is ignored
Links to More Info: BT907177
Component: Local Traffic Manager
Symptoms:
Custom iRule events are executed before the embedded APM iRule events, despite the custom iRule's priority value being larger than the APM iRule's priority value.
Conditions:
-- APM is provisioned.
-- Custom iRule with a priority value larger the APM iRule's priority value.
Impact:
Custom iRule event is executed before APM iRule event.
Workaround:
None.
906653-1 : Server side UDP immediate idle-timeout drops datagrams
Links to More Info: BT906653
Component: Local Traffic Manager
Symptoms:
With immediate idle-timeout, flows may be closed before a datagram is forwarded.
Conditions:
-- Immediate idle-timeout is set on the server context of a UDP virtual server.
Impact:
Datagrams are dropped periodically depending on traffic load.
Workaround:
None.
905477-6 : The sdmd daemon cores during config sync when multiple devices configured for iRules LX
Links to More Info: BT905477
Component: Local Traffic Manager
Symptoms:
The iRules LX workspaces belong on only one device in a Device Service Cluster (DSC). If you have the same iRules LX workspace configured on multiple devices and then perform a config sync operation, the sdmd daemon cores.
Conditions:
-- Multiple devices configured with the same iRules LX workspace in a DSC.
-- Change one of the devices such that the configuration requires a config sync.
-- Perform the config sync.
Impact:
The sdmd daemon cores. Although having multiple devices configured with the same iRules LX workspace is an incorrect configuration, sdmd should not core.
Workaround:
When the iRules LX workspace is correctly configured, i.e., on only one device in a DSC, there is no need to config sync, so this issues does not occur.
904713-2 : FailoverState device status and CM device status do not match shortly after triggering failover
Links to More Info: BT904713
Component: TMOS
Symptoms:
After triggering failover, the result returned by the API endpoint /mgmt/tm/shared/bigip-failover-state (the BIG-IP failover state worker) may not match the actual device failover state.
Conditions:
This may happen on an high availability (HA) setup with a sync-failover device group.
Impact:
Actions that require the correct output of the BIG-IP failover state worker may fail. For instance, deleting an SSL Orchestrator topology followed by immediately triggering failover may encounter this issue, causing the deletion to fail.
Workaround:
After waiting for a short amount of time, the BIG-IP failover state worker gets in sync with the device failover state. So in the example of deleting an SSL Orchestrator topology, the deletion should be successful if you try again after a short wait.
904537-1 : The csyncd process may keep trying to sync the GeoIP database to a secondary blade
Links to More Info: BT904537
Component: Local Traffic Manager
Symptoms:
The most common symptom is when csyncd repeatedly syncs the GeoIP files and loads the GeoIP database, causing a large number of Clock advanced messages on all tmms.
Repeated log messages similar to the following are reported when a secondary slot logs into the primary slot to load the sys geoip database:
-- info sshd(pam_audit)[17373]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=x.x.x.x attempts=1 start="Wed Apr 29 13:50:49 2020".
-- notice tmsh[17401]: 01420002:5: AUDIT - pid=17401 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys geoip.
Conditions:
-- VIPRION or vCMP guests.
-- Either of the following:
- First installing the GeoIP database if the /shared/GeoIP/v2 directory does not exist.
- When a new blade is installed into a chassis.
Impact:
Repeated logs of Clock advanced messages.
Workaround:
Run the command:
clsh bigstart restart csyncd
904401-5 : Guestagentd core
Links to More Info: BT904401
Component: TMOS
Symptoms:
Guestagentd crashes on a vCMP guest.
Conditions:
This can occur during normal operation in a vCMP environment.
Impact:
Guestagentd crashes on the vCMP guest, and the vCMP host does not have accurate guest information, such as version, provisioning, high availability (HA) status, and tmm status.
Workaround:
None.
903573-3 : AD group cache query performance
Links to More Info: BT903573
Component: Access Policy Manager
Symptoms:
Active Directory queries are slow.
Conditions:
This issue occurs under the following conditions:
-- Active Directory (AD) authentication used.
-- There are lots of AD caches in the environment, and users are in deeply nested groups.
Impact:
Active Directory query time can be excessive.
Workaround:
None
903501-3 : VPN Tunnel establishment fails with some ipv6 address
Links to More Info: BT903501
Component: Access Policy Manager
Symptoms:
VPN Tunnel establishment fails with some ipv6 address
Conditions:
- APM is provisioned.
- Network Access with IPv6 virtual server is configured.
Impact:
VPN Tunnel cannot be established.
Workaround:
1. Disable the DB variable isession.ctrl.apm:
tmsh modify sys db isession.ctrl.apm value disable
2. Perform 'Apply Access Policy' for the access policy attached to the virtual server.
Important: The iSession control channel is needed if optimized apps are configured, so use this workaround only when 'No optimized apps are configured' is set (available in the GUI by navigating to Access :: Connectivity / VPN : Network Access (VPN) : Network Access Lists :: {NA resources} :: 'Optimization' tab).
902445-3 : ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation
Links to More Info: BT902445
Component: Application Security Manager
Symptoms:
ASM event logging stops working.
Conditions:
This can occur during normal ASM operation. It occurs after ASM executes 'No space in shmem' error disconnection mitigation, and this error is logged.
Impact:
ASM Policy Event Logging stop working; new event is not saved.
Workaround:
Restart asmlogd and pabnagd:
pkill asmlogd
pkill pabnagd
901569-4 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.
Links to More Info: BT901569
Component: Local Traffic Manager
Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.
Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).
Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server.
Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.
901041 : CEC update using incorrect method of determining number of blades in VIPRION chassis★
Links to More Info: BT901041
Component: Traffic Classification Engine
Symptoms:
There is an issue with the script used for the Traffic Intelligence (CEC (Classification Engine Core)) Hitless Upgrade that misses installing on some blades during install/deploy on VIPRION systems.
Symptoms include:
-- POST error in the GUI.
-- Automatic classification updates are downloaded successfully, but downloaded packages disappear after some time if you do not proceed to install/deploy.
Conditions:
-- CEC hitless update.
-- Using VIPRION chassis.
Impact:
Unable to auto-update Classification signature package on all slots, because the slot count reported for CEC is 0. These packages are installed only on the current slot.
Workaround:
Install the package manually on each slot.
Note: When you refresh the GUI page, the downloaded package appears in the 'Available to Install' list, and you can proceed to install on each slot.
899253-1 : [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist
Links to More Info: BT899253
Component: Global Traffic Manager (DNS)
Symptoms:
Making changes to wide IP pools through GUI management do not take effect.
Conditions:
-- GTM configuration contains a sufficiently high number of pools (~ 15,000).
-- Using the GUI to assign a pool to a wide IP.
Impact:
Changes do not take effect. Unable to use the GUI to manage which pools are associated with a wide IP.
Workaround:
Use TMSH.
898381-3 : Changing the setting of apm-forwarding-fastl4 profile does not take effect
Links to More Info: BT898381
Component: Access Policy Manager
Symptoms:
Changing the setting of apm-forwarding-fastl4 profile does not take effect and is not getting applied to the last leg of client-initiated VPN traffic.
Conditions:
- APM is configured on the BIG-IP system.
- BIG-IP Administrator (Admin) has configured a VPN tunnel.
- Admin is trying to change the TCP characteristic of the last leg of VPN tunnel traffic by tuning the parameters of FastL4 profile apm-forwarding-fastl4.
Impact:
Admin cannot enforce the updated values of apm-forwarding-fastl4 profile on the last leg of client-imitated VPN tunnel traffic.
Workaround:
None.
897437-7 : First retransmission might happen after syn-rto-base instead of minimum-rto.
Links to More Info: BT897437
Component: Local Traffic Manager
Symptoms:
If a TCP profile is configured with a syn-rto-base value that is lower than minimum-rto, the first retransmission might happen after syn-rto-base.
This behavior is encountered only if the BIG-IP system is unable to compute the new RTO value before the retransmission timer expires, meaning:
-- The BIG-IP system has not received a packet with a TCP timestamp reply.
-- The BIG-IP system has not received an ACK for a timed sequence number.
Conditions:
Configured value of syn-rto-base is lower than minimum-rto.
Impact:
Retransmission might happen sooner than expected.
Workaround:
There are two possible workarounds:
-- Avoid using a syn-rto-base value that is lower than the minimum-rto value (the default values are 3 seconds for syn-rto-base and 1 second for minimum-rto).
-- Consider enabling timestamps to allow faster RTT measurement.
896565-2 : Clusterd.peermembertimeout to set peer member timeout does not work all the time
Links to More Info: BT896565
Component: Local Traffic Manager
Symptoms:
Clusterd.peermembertimeout timeout does not work all the time. The default value (10s) might be used instead.
Conditions:
Clusterd.peermembertimeout is modified to a value other than default.
Impact:
New value of clusterd.peermembertimeout is not in use.
895669-3 : VCMP host does not validate when an unsupported TurboFlex profile is configured
Links to More Info: BT895669
Component: TMOS
Symptoms:
There is no validation error for when unsupported TurboFlex profiles are configured on vCMP hosts for relevant platforms. Due to this lack of validation, it can result in incorrect FPGA firmware being loaded on the host and thus a guest may fail to start or reboot constantly.
Conditions:
(1) Provision vCMP on the host and deploy 2x guests with 4 cores
(2) On the vCMP host, manually change TurboFlex profile type to be one that it does not support.
Impact:
Incorrect FPGA firmware is loaded on the host, which can cause problems with the data plane on the guest.
Workaround:
Only use supported turboflex profiles.
894593-2 : High CPU usage caused by the restjavad daemon continually crashing and restarting
Links to More Info: BT894593
Component: TMOS
Symptoms:
Restjavad may become unstable if the amount of memory required by the daemon exceeds the value allocated for its use.
Conditions:
The memory required by the restjavad daemon may grow significantly in system configurations with either a high volume of device statistics collection (AVR provisioning), or a with relatively large number of LTM objects managed by the REST framework (SSL Orchestrator provisioning).
Impact:
The overall system performance is degraded during the continuous restart of the restjavad daemon due to a relatively high CPU usage.
Workaround:
Please don't apply the workarounds below if encountering issues after upgrade to 14.1.5.1-, 15.1.7-, 16.1.3.1- and 17.0.0.1 and you already have restjavad.useextramb set to true. If you have low restjavad memory under these conditions it is likely you are encountering a problem caused by the behaviour change introduced in ID 1025261 ( https://cdn.f5.com/product/bugtracker/ID1025261.html ). The linked article has suggestions on how to mitigate the issue.
If you have restjavad.usextramb set to false and need more memory after upgrade to a version above you will also need to set provision.restjavad.extramb to a sensible value as well as the commands below - typically something like 384 + 80% of MIN (provision.extramb | 2500), so 1984 MB for example below.
That's a high value and it may be possible to set it lower eg it may be worth trying 384 + 20% of MIN(provision.extramb|2500) which is 784 MB for example beneath. You can try different values quite quickly by changing provision.restjavad.extramb and restarting restjavad which should only effect availability of REST API for a few seconds. Generally 384 MB should be seen as the minimum.
Increase the memory allocated for the restjavad daemon (e.g., 2 GB), by running the following commands in a BIG-IP terminal.
tmsh modify sys db restjavad.useextramb value true
tmsh modify sys db provision.extramb value 2000
bigstart restart restjavad
Note changing provision.extramb is service effecting and systems may take several minutes to return to a state they could handle traffic. It also needs to be set on each peer of a service cluster.
Note this may lead to impact on multi-module systems with ASM as approximately only 50-60% of provision.extramb value would be allocated as extra host memory and restjavad may take up to 80% of provision.extramb. It also lowers the ASM specific host allocation resulting in some tighter memory constraints on ASM daemons. Try to use the smallest value that works.
893801-2 : Launching resources that are published on an APM Webtop from multiple VMware servers will fail when the Native View client is selected
Links to More Info: BT893801
Component: Access Policy Manager
Symptoms:
If APM is configured to publish multiple VMware resources (VCS servers) on an APM Webtop, and you select the Native View Client when you launch a resource, you can launch desktops and applications only from the first resource. Attempts to launch desktop or applications from other resources result in an error.
Conditions:
-- APM is configured to protect multiple VMware resources (VCS servers) and publish those resources on an APM Webtop.
-- You attempt to launch a desktop or application specifying the native VMware client.
Impact:
Cannot access desktops and applications from multiple VMware back-ends.
Workaround:
Use HTML5 client instead.
891565-1 : The Subject Alternative Name (SAN) field in Certificates and Certificate Signing Requests is limited to 4095 bytes
Links to More Info: BT891565
Component: Local Traffic Manager
Symptoms:
When creating a Certificate Signing Request (CSR) or when creating or using a Certificate (CRT), there is a limit of 4096 bytes in the Subject Alternative Names (SAN) field.
Since one byte is reserved, the value entered into that field cannot exceed 4095 bytes.
Note that if the SAN list is so long that it causes the entire SSL handshake (ie, all handshake messages combined) to exceed 32K, then the handshake will be aborted with the code "hs msg overflow" - see K40902150 for further details.
Conditions:
- Generation of a Certificate Signing Request with a large SAN list.
(or)
- Use of a client-ssl profile with a virtual server, where an associated certificate contains a large SAN field
Impact:
Very long SAN values cannot be used
Workaround:
- Create multiple certificates, where each certificate has a sufficiently short SAN list, then create client-ssl profiles for each cert+key, then assign all of those profiles to the same virtual server.
- Reduce the length of the Subject Alternative Name field, if possible by collapsing multiple entries into one by using wildcards, for example '*.example.com', rather than 'one.example.com;two.example.com'
891333-2 : The HSB on BIG-IP platforms can get into a bad state resulting in packet corruption.
Links to More Info: K32545132, BT891333
Component: TMOS
Symptoms:
Networking connectivity issues, such as ARP resolution issues, high availability (HA) failures, health monitor instability, etc.
Packet captures with Wireshark or tshark can be used to show bit-errors/corruption in the network packet for traffic passing through the HSB. This corruption can occur in various parts of the packet such as the MAC address, EtherType, packet checksums, etc.
Conditions:
This can occur on BIG-IP hardware platforms containing a high-speed bridge (HSB).
Impact:
Network connectivity problems on some traffic passing through the affected HSB. Could be reflected in the status of Config Sync or more health monitors down on one member of HA pair.
Workaround:
Reboot the affected device.
If a reboot does not resolve the issue, then its most likely a hardware issue. Please work with Support on a RMA.
F5 has introduced a detection mechanism in newer versions of code. Please refer to the following document for more details: https://cdn.f5.com/product/bugtracker/ID1211513.html
891145-7 : TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal
Links to More Info: BT891145
Component: Local Traffic Manager
Symptoms:
SYNs received with TSVal <= TS.Recent are dropped without sending an ACK in FIN-WAIT-2 state.
Conditions:
-- Timestamps are enabled in TCP profile.
-- Local TCP connection is in FIN-WAIT-2 state.
-- Remote TCP connection abandoned the flow.
-- A new TCP connection sends a SYN with TSVal <= TS.Recent to the local connection.
Impact:
The new TCP connection cannot infer the half-open state of Local TCP connections, which prevents faster recovery of half-open connections. The local TCP connection stays around for a longer time.
Workaround:
There are two workarounds:
-- Reduce the Fin Wait 2 timeout (the default: 300 sec) so that TCP connection is terminated sooner.
-- Disable TCP Timestamps.
888885-3 : BIG-IP Virtual Edition TMM restarts frequently without core
Links to More Info: BT888885
Component: Local Traffic Manager
Symptoms:
The following messages are found in the QKViews:
"bigipA notice MCP bulk connection aborted, retrying"
"bigipA notice Initiating TMM shutdown"
Prior to this, the TMM process logs that it is waiting for its instances to reach different states. For example,
"localhost notice ixlv(1.3)[0:7.0]: Waiting for tmm1 to reach state 1..."
In the /var/log/ltm file, the following message are found sometimes.
"bigip1 crit tmm9[19358]: 01230017:2: Unable to attach to PCI device 00:09.00 for Interface 1.5"
Conditions:
BIG-IP VE with SR-IOV enabled on a Red Hat Enterprise Linux 7.7 which is a part of Red Hat OpenStack Platform 13
Impact:
The TMM process restarts without a core file repeatedly.
Traffic disrupted while tmm restarts.
888081-6 : BIG-IP VE Migration feature fails for 1NIC
Links to More Info: BT888081
Component: TMOS
Symptoms:
When a saved UCS is attempted to be restored in a new BIG-IP Virtual Edition (VE) in order to migrate the configuration, it fails.
load_config_files[28221]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- 01071412:3: Cannot delete IP (x.x.x.x) because it is used by the system config-sync setting.
Conditions:
The UCS load step might fail if the DB variable Provision.1NicAutoconfig is set to disable.
Impact:
The UCS restore fails.
Workaround:
The DB variable can be set to enable before loading the UCS.
# tmsh modify sys db provision.1nicautoconfig value enable
887681-4 : Tmm SIGSEGV in rrset_array_lock,services/cache/rrset.c
Links to More Info: BT887681
Component: Global Traffic Manager (DNS)
Symptoms:
TMM Cored with SIGSEGV.
Conditions:
N/A.
Impact:
Traffic disrupted while tmm restarts.
887621-4 : ASM virtual server names configuration CRC collision is possible
Links to More Info: BT887621
Component: Application Security Manager
Symptoms:
A policy add/modify/delete fails with the following error:
-- crit g_server_rpc_handler_async.pl[19406]: 01310027:2: ASM subsystem error (asm_config_server.pl ,F5::ASMConfig::Handler::log_error_and_rollback): Failed on insert to DCC.VS_RAMCACHE (DBD::mysql::db do failed: Duplicate entry '375946375' for key 'PRIMARY').
Conditions:
This can occur when adding a policy. The chance of it occurring increases when there are many virtual servers.
Impact:
Every config update fails.
Workaround:
Figure out which virtual servers have the CRC collision (by looking into DCC.RAMCACHE_VS). Change the name of one of these virtual servers.
You can get the name of the affected virtual server by using the entry reported in the 'Duplicate entry' log, and running this command.
mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e 'SELECT * FROM DCC.VS_RAMCACHE WHERE vs_name_crc = 375946375'
887265-4 : BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration★
Links to More Info: BT887265
Component: Local Traffic Manager
Symptoms:
When booting to a boot location for the first time, the system does not come on-line.
Conditions:
-- There is a large configuration.
-- VLAN failsafe is configured, and the failsafe-action is something other than failover.
-- The BIG-IP system is an appliance.
Impact:
BIG-IP processes continually restart (VLAN failsafe-action failover-restart-tm), or the BIG-IP system continually reboots (VLAN failsafe-action reboot)
Workaround:
Either disable VLAN failsafe or set the failsafe-action to failover during an upgrade.
887045-7 : The session key does not get mirrored to standby.
Links to More Info: BT887045
Component: Local Traffic Manager
Symptoms:
When a session variable key length is 65 KB, session mirroring fails for that specific key.
Conditions:
-- APM high availability (HA) setup.
-- Access Policy is configured and synced across both devices.
-- A session variable key of ~65 KB arrives
Impact:
The session key does not get mirrored to standby.
Workaround:
None
886145-1 : The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS GUI.
Links to More Info: BT886145
Component: Global Traffic Manager (DNS)
Symptoms:
The 'Reconnect' and 'Reconnect All' buttons (introduced in BIG-IP version 14.1.0 to restart some or all iQuery connections) do not work when clicked.
The 'Reconnect' button does not become enabled when a server is selected from the list, and an error is logged in the browser console.
The 'Reconnect All' button is clickable but returns the error when clicked:
No response action specified by the request.
Conditions:
You have accessed the buttons via the following GUI path:
DNS :: GSLB :: Data Centers :: [dc name] > Servers
Impact:
The buttons do not work, making the corresponding feature unavailable from the GUI.
Workaround:
Access the buttons using the following alternative GUI path:
DNS :: GSLB :: Servers
884729-1 : The vCMP CPU usage stats are incorrect
Links to More Info: BT884729
Component: TMOS
Symptoms:
The vCMP CPU usage stats are incorrect when process on a secondary blade has the same PID as that of primary blade's qemu process.
Conditions:
A process on a secondary blade has the same PID as that of primary blade's qemu process.
Impact:
The vCMP CPU usage stats are intermittently incorrect.
Workaround:
None.
883149-7 : The fix for ID 439539 can cause mcpd to core.
Links to More Info: BT883149
Component: TMOS
Symptoms:
Mcpd cores during config sync.
Conditions:
This occurs on rare occasions when the device transitions from standby to active, and the connection between the BIG-IP peers stalls out.
Impact:
Mcpd cores. Traffic disrupted while mcpd restarts.
Workaround:
None
882933-1 : Nslookup might generate a core during system restart
Links to More Info: BT882933
Component: Global Traffic Manager (DNS)
Symptoms:
Nslookup generates a core file. The core file name might start with "nslookup", "isc-worker", "isc-timer" or "isc-socket".
Conditions:
Multiple instances of nslookup are running when the system shuts down.
Impact:
A core file is generated. However, since this is during system shutdown, the impact should be minimal.
882729-5 : Applied Blocking Masks discrepancy between local/remote event log
Links to More Info: BT882729
Component: Application Security Manager
Symptoms:
Applied Blocking Masks discrepancy between local/remote event log, ASM logging event logs both locally and remotely to BIG-IQ has discrepancy.
Conditions:
This occurs when "Applied Blocking Masks" logs are emitted on a device where local and remove event logging is configured.
Impact:
This is cosmetic but can lead to confusion.
882725-6 : Mirroring not working properly when default route vlan names not match.
Links to More Info: BT882725
Component: Local Traffic Manager
Symptoms:
When using two BIG-IP systems to mirror traffic, mirroring occurs when the default gateway VLAN names match; however, if the default gateway VLAN names don't match, then the BIG-IP system does not mirror client-side packets to the peer, which causes the standby BIG-IP system to reset all client-side flows on failover.
Conditions:
-- Two BIG-IP LTM systems configured as a high availability (HA) pair.
-- Default gateway VLAN names don't match between them.
Impact:
BIG-IP system does not mirror client-side packets to the peer, which causes the next-active device to reset all client-side flows on failover.
Upon failover all flows are being RST just like a typical failover scenario without mirroring implemented.
Workaround:
Use same VLAN name on all external VLANs that might be used for mirroring.
882609-7 : ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back
Links to More Info: BT882609
Component: TMOS
Symptoms:
After setting a device's ConfigSync IP to 'none' and then back to an actual IP address, the device remains in a disconnected state, and cannot establish ConfigSync connections to other BIG-IP systems in its trust domain.
MCPD periodically logs messages in /var/log/ltm:
err mcpd[27610]: 0107142f:3: Can't connect to CMI peer a.b.c.d, TMM outbound listener not yet created.
Conditions:
--- BIG-IP system is in a trust domain with other BIG-IP systems.
--- Local device's ConfigSync IP is set to 'none', and then back to an actual IP address.
Impact:
Devices unable to ConfigSync.
Workaround:
This workaround will disrupt traffic while TMM restarts:
1. Ensure the local ConfigSync IP is set to an IP address.
2. Restart TMM:
bigstart restart tmm
This workaround should not disrupt traffic:
Copy and paste the following command into the Advanced Shell (bash) on a BIG-IP system, and then run it. This sets the ConfigSync IP for all device objects to 'none', and then back to their correct values.
TMPFILE=$(mktemp -p /var/tmp/ ID882609.XXXXXXX); tmsh -q list cm device configsync-ip > "$TMPFILE"; sed 's/configsync-ip .*$/configsync-ip none/g' "$TMPFILE" > "$TMPFILE.none"; tmsh load sys config merge file "$TMPFILE.none"; echo "reverting back to current"; tmsh load sys config merge file "$TMPFILE"
881937-2 : TMM and the kernel choose different VLANs as source IPs when using IPv6.
Links to More Info: BT881937
Component: Local Traffic Manager
Symptoms:
IPv6 traffic generated from the host, either from a host daemon, monitors, or from the command line, can use a MAC and IPv6 source address from different VLANs.
Conditions:
-- Multiple VLANs configured with IPv6 addresses.
-- Multiple routes to the same destination, either the same or more specific, default routes, etc., that cover the traffic destination.
-- Changes are made to routes that cause the traffic to the destination to shift from one VLAN and gateway to another. This can be typically observed with dynamic routing updates.
- The db key snat.hosttraffic is set to disable.
Impact:
Traffic to the destination may fail because the incorrect source IPv6/MAC address is used, which might cause monitor traffic to fail.
Workaround:
tmsh list sys db snat.hosttraffic
tmsh modify sys db snat.hosttraffic value enable
tmsh save sys config
881065-5 : Adding port-list to Virtual Server changes the route domain to 0
Links to More Info: BT881065
Component: Local Traffic Manager
Symptoms:
When attaching the port-list to virtual server dest:port-list, the route domain of the virtual server is changed to the default value of 0, and the port-list is not correctly applied. This is encountered in the GUI but not in the CLI.
Conditions:
Using port-list along with virtual server in non default route domain using the GUI.
Impact:
You are unable to use the GUI to attach a port-list that uses a non-default route domain to a virtual server.
Workaround:
Use tmsh to attach a port-list to a virtual server if the port-list uses a non-default route domain.
880689-1 : Update oprofile tools for compatibility with current architecture
Component: TMOS
Symptoms:
Current operf as shipped with BIG-IP is out of date and will not work.
Per the oprofile page (https://oprofile.sourceforge.io/news/) the version included in our systems (0.9.9) was released in 2013.
Conditions:
Opcontrol still works but operf will not load.
# operf --version
use the opcontrol command instead of operf.
Impact:
Outdated operf means that it cannot be used for troubleshooting purposes.
880565-5 : Audit Log: "cmd_data=list cm device recursive" is been generated continuously
Links to More Info: BT880565
Component: Device Management
Symptoms:
The system generates and logs the following message continuously, at the rate of 3 times a minute, in /var/log/audit:
-- bigip1 notice tmsh[47755]: 01420002:5: AUDIT - pid=47755 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=cd / ;
-- bigip1 notice tmsh[47755]: 01420002:5: AUDIT - pid=47755 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=list cm
Conditions:
This occurs during normal operation.
Impact:
Audit log file contains numerous 'cmd_data=list cm device recursive' messages.
Workaround:
-- To suppress all messages, do the following:
1. Edit the 'include' section of syslog configuration to suppress audit logs of 'cmd_data=cd /' and 'cmd_data=list cm device recursive':
# tmsh edit /sys syslog all-properties
2. Replace 'include none' with following syntax:
===
sys syslog {
- snip -
include "
filter f_audit {
facility(local0) and match(AUDIT) and not match(\"cmd_data=list cm device recursive|cmd_data=cd /\");
};"
- snip -
}
-- To filter the messages sent to existing remote syslog servers, do the following:
1. Set sys syslog remote-servers none:
# tmsh modify sys syslog remote-servers none
2. Define the remote syslog server in the 'sys syslog include' statement.
3. Add the following filter:
filter f_remote_server {
not (facility(local0) and message(\"AUDIT\") and match(\"cmd_data=list cm device recursive|cmd_data=cd /\"));
};
Result: The system sends all messages to the remote syslog server, excluding the messages that match the filter.
Here is a sample filter, with sample data:
sys syslog {
include "
filter f_remote_server {
not (facility(local0) and message(\"AUDIT\") anD match(\"cmd_data=list cm device recursive|cmd_data=cd /\"));
};
destination d_remote_loghost {
udp(\"10.0.0.1\" port(514));
};
log {
source(s_syslog_pipe);
filter(f_remote_server);
destination(d_remote_loghost);
};
"
}
879969-8 : FQDN node resolution fails if DNS response latency >5 seconds
Links to More Info: BT879969
Component: TMOS
Symptoms:
When resolving FQDN names for FQDN nodes/pool members, pending DNS requests are timed out after 5 seconds with no response from the DNS server.
If there is a persistent latency of 5 seconds or greater in the DNS server responses, FQDN name resolution will fail and ephemeral nodes/pool members will not be created.
Conditions:
- BIG-IP using FQDN nodes/pool members
- Persistent latency of 5 seconds or greater in the DNS server responses
Impact:
Ephemeral pool members may not be created, thus no traffic will be sent to the intended pool members.
Workaround:
Resolve any persistent latency issues that might cause delays of 5 seconds or more in DNS server responses.
878253-5 : LB::down no longer sends an immediate monitor probe
Links to More Info: BT878253
Component: Local Traffic Manager
Symptoms:
The iRule command LB::down is supposed to send an immediate monitor probe, but it does not.
Conditions:
-- Executing LB::down in an iRule.
Impact:
A monitor probe is not immediately sent, which may cause a pool member to be marked down longer than it should be.
872165-4 : LDAP remote authentication for REST API calls may fail during authorization
Links to More Info: BT872165
Component: TMOS
Symptoms:
LDAP (or Active Directory) remote authentication fails during authorization for REST API calls.
Clients receive 401 Unauthorized messages and /var/log/restjavad.x.log may report messages similar to the following:
-- [I][1978][26 Mar 2021 13:23:36 UTC][8100/shared/authn/login AuthnWorker] User remoteuser failed to login from 192.0.2.1 using the tmos authentication provider
-- [WARNING][807][26 Mar 2021 14:43:24 UTC][RestOperationIdentifier] Failed to validate Authentication failed.
Conditions:
LDAP (or Active Directory) remote authentication configured with a User Template instead of a Bind Account.
Impact:
Unable to authenticate as remote-user for access that uses authorization, like REST API calls.
Workaround:
You can use either of the following workarounds:
-- Configure LDAP/AD remote authentication to utilize a Bind account instead of the User Template.
-- Create a local user account for each remote user, allowing local authorization (authentication remains remote).
869541-3 : Series of unexpected <aborted> requests to same URL
Links to More Info: BT869541
Component: Access Policy Manager
Symptoms:
Series of unexpected <aborted> requests to same URL
Conditions:
Web-app using special code pattern in JavaScript.
For example:
loc = window.location;
obj = {}
for (i in loc) {
obj[i] = loc[i];
}
Impact:
Page load is aborted
Workaround:
Following iRule can be used with customized SPECIFIC PAGE_URL value:
when REWRITE_REQUEST_DONE {
if {
[HTTP::path] ends_with "SPECIFIC_PAGE_URL"
} {
# log "URI=([HTTP::path])"
# Found the file we wanted to modify
REWRITE::post_process 1
set do_fix 1
}
}
when REWRITE_RESPONSE_DONE {
if {[info exists do_fix]} {
unset do_fix
set strt [string first {<script>try} [REWRITE::payload]]
if {$strt > 0} {
REWRITE::payload replace $strt 0 {
<script>
(function () {
var dl = F5_Deflate_location;
F5_Deflate_location = function (o) {
if (o.F5_Location) Object.preventExtensions(o.F5_Location)
return dl(o);
}
})()
</script>
}
}
}
}
869121-2 : Logon Page configured after OAuth client in access policy VPE, get error message Access policy evaluation is already in progress for your current session
Links to More Info: BT869121
Component: Access Policy Manager
Symptoms:
When 'Logon Page' agent is configured after 'OAuth client' in access policy VPE, you see an error message that says 'Access policy evaluation is already in progress for your current session'
Conditions:
In access VPE, Logon page after OAuth client agent in standard customization type.
Impact:
Cannot process further to reach resources.
Workaround:
Try to configure the access policy in Modern customization if it's not already configured that way.
When message box configured after OAuth client and observing the same above Access policy evaluation error message
Workaround:
Use a 'Logon Page' agent instead of the 'Message Box' agent and configure it such as:
all fields Type will be set to 'none'
message for the users will be mentioned in the 'Form Header text' field
Logon Button value will be changed from 'Logon' to 'Continue'
This should simulate exactly the look and feel of a message box but will prevent the issue from happening.
869049-7 : Charts discrepancy in AVR reports
Links to More Info: BT869049
Component: Application Visibility and Reporting
Symptoms:
Discrepancy in AVR reports. When filtering on the 'last month' interval, a specific number of total requests per virtual server is shown. Then when filtering to the present day from a date that encompasses that month, a lower number is reported.
Conditions:
-- Number of records in database exceeds the maximum mount of data that AVR can aggregate between different table-resolutions.
-- There are metrics on the report other than the default one (hits-count).
Impact:
Stats on DB get corrupted and incorrect.
Workaround:
None.
868801-2 : BIG-IP still sends STARTTLS if the 'No encryption' SNMP option is enabled
Links to More Info: BT868801
Component: TMOS
Symptoms:
The SMTP 'No Encryption' configuration option is not honored by the BIG-IP device.
Conditions:
The 'No Encryption' option is selected under the SMTP configuration object.
Impact:
BIG-IP disregards its SMTP configuration and attempts to initiate TLS.
Workaround:
None
868557-1 : Unable to initiate SWG database download from Admin UI when management network has no direct internet connectivity.
Links to More Info: BT868557
Component: Access Policy Manager
Symptoms:
If the management network is not directly connected to the internet, 'Download Now' action on 'Access ›› Secure Web Gateway : Database Settings : Database Download' fails the connectivity check and refuses to start database download.
Conditions:
-- Configure proxy in the same subnet and block BIG-IP management traffic on the gateway
-- Remove default routes from linux routing table and add route to the proxy server if necessary.
Impact:
Database download fails and you see an error message:
"Database download server (download.websense.com) could not be reached. Please verify the correctness of the DNS lookup server configured on this BIG-IP system."
Workaround:
-- Run the following tmsh command:
tmsh modify sys url-db download-schedule urldb download-now true
-or-
-- Configure download settings and wait until the scheduled database download.
867985-6 : LTM policy with a 'shutdown' action incorrectly allows iRule execution
Links to More Info: BT867985
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide manipulation tools over a connection with an LTM policy and/or iRule. LTM policy takes precedence over iRules and has an option to shutdown a connection based on satisfied conditions. When a connection is closing, an iRule should not be executed under the same conditions.
Conditions:
-- The BIG-IP system has a virtual server with an LTM policy and an iRule.
-- The LTM policy has action 'shutdown connection' under certain conditions.
-- The iRule has an event which is triggered under the same conditions.
Impact:
The iRule is executed before the connection is being reset.
Workaround:
None.
867549-1 : LCD touch panel reports "Firmware update in progress" indefinitely★
Links to More Info: BT867549
Component: TMOS
Symptoms:
After a software upgrade that includes an LCD firmware update, the LCD touch panel may remain stuck reporting an error indefinitely / for longer than 30 minutes:
Firmware update in Progress may take up to 30 minutes.
Conditions:
This issue occurs when all of the following conditions are met:
-- You have one of the following BIG-IP platforms:
* i850
* i2x00
* i4x00
* i5x00
* i7x00
* i10x00
* i11x00
* i15x00
* HRC-i2x00
* HRC-i5x00
* HRC-i10x00
-- You perform a software upgrade that updates the firmware on the LCD touch panel, e.g. upgrading from BIG-IP v13.1.x to BIG-IP v14.1.x or newer.
Impact:
The system is functional, but the LCD displays the firmware update screen indefinitely. The LCD cannot be used while it is frozen on the firmware update warning screen.
Workaround:
Important: Before attempting this workaround, check that there are no indications the system is still performing a firmware update (such as a terminal prompt), and that the following messages can be found in /var/log/ltm after the most recent boot:
notice chmand[6302]: 012a0005:5: firmware update succeeded.
notice chmand[6302]: 012a0005:5: Firmware check finished.
These messages indicates that the firmware update has finished, and the LCD is displaying the warning screen in error, so it is safe to perform the workaround.
Reboot the BIG-IP system to return the LCD to normal operation.
After a reboot of the BIG-IP operating system, the LCD touch panel should be responsive.
867253-4 : Systemd not deleting user journals
Links to More Info: BT867253
Component: TMOS
Symptoms:
When setting 'SystemMaxUse' to any value, systemd does not honor this limit, and the specified size is exceeded.
Conditions:
Using a non-TMOS user account with external authentication permission.
Note: Systemd-journald is configured to create a user journal for every remote user that logs into the BIG-IP system.
Impact:
Journald filling up the file system. These journals are allocated with a minimum size of 4MiB and are not removed when the log entries age-out.
Workaround:
Option 1:
To immediately free up space, manually remove per-user journal logs from the following location:
/var/log/journal/*/user-*
Option 2:
To prevent the system from creating these journal files going forward:
1. Edit /etc/systemd/journald.conf and add the following at the bottom of the file:
SplitMode=none
2. Restart systemd-journal service
# systemctl restart systemd-journald
3. Delete the existing user journal files from /var/log
# rm /var/log/journal/*/user-*
Note:
-- You must apply this workaround separately to each blade of a VIPRION or vCMP guest running on a VIPRION.
-- You must reapply this workaround after performing software installations.
865653-1 : Wrong FDB table entries with same MAC and wrong VLAN combination
Links to More Info: BT865653
Component: TMOS
Symptoms:
Forwarding DataBase (FDB) table has duplicate MAC entries with the incorrect VLANs.
MAC entries are correct in the switch but not in the control plane.
Conditions:
Enable L2Wire.
Impact:
Duplicate MAC entries with incorrect VLANs in FDB table.
Workaround:
Restart bcm56xxd:
bigstart restart bcm56xxd
Note: You can use tmsh to see the table:
tmsh -m show net fdb
863601-5 : Panic in TMM due to internal mirroring interactions
Links to More Info: BT863601
Component: Wan Optimization Manager
Symptoms:
The Traffic Management Microkernel suddenly restarts due to a SIGSEGV segmentation fault.
Conditions:
-- APM is being used.
-- Connection mirroring is being used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid configuring connection mirroring when APM is being used.
862949-4 : ZoneRunner GUI is unable to display CAA records
Links to More Info: BT862949
Component: Global Traffic Manager (DNS)
Symptoms:
Attempting to manage a CAA record via the GUI shows an error:
Resolver returned no such record.
Conditions:
-- Navigate to DNS :: Zones :: ZoneRunner :: Resource Record List :: Search All Records.
-- Click on record of type CAA.
Impact:
Unable to update CAA records via the GUI.
Workaround:
You can use either of the following workarounds:
-- Manually edit the BIND configuration.
-- Delete the record and create a new one with the desired changes.
862001-6 : Improperly configured NTP server can result in an undisciplined clock stanza
Links to More Info: BT862001
Component: Local Traffic Manager
Symptoms:
There can be an undisciplined clock stanza in /etc/ntp.conf, resulting in an undisciplined clock.
NTP documentation:
http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
Conditions:
This might occur in at least the following ways:
-- No server is specified in 'sys ntp servers {}'.
-- A server does exist, but an improper method was used to configure the NTP server.
Impact:
When the LOCAL undisciplined clock is left as a valid time-source, it delays the system synchronizing time to a real NTP server. It can also result in time being adjusted incorrectly if the the remote time-source becomes unreachable.
Workaround:
Configure a dummy server via 'ntp servers {}' that does not respond.
While this removes the undisciplined local clock, it does result in ntpd having an unreachable time source, and could be flagged in diagnostics, misdirect other troubleshooting, generate unnecessary traffic, etc.
However, if the 'dummy' source starts responding, it could become a rogue time source.
860573-6 : LTM iRule validation performance improvement by tracking procedure/event that have been validated
Links to More Info: BT860573
Component: TMOS
Symptoms:
Loading (with merge) a configuration file that references some iRules results in validating every iRule and ends up validating the same procedures multiple times for every virtual server a single iRule is associated with.
Conditions:
Configuration which has 100's of virtual servers, some iRules that are assigned to all virtual servers and a few library iRules.
Impact:
Task fails (via REST) or ends up taking a really long time when run manually.
Workaround:
None.
860277-6 : Default value of TCP Profile Proxy Buffer High Low changed in 14.1
Links to More Info: BT860277
Component: Local Traffic Manager
Symptoms:
Version: 13.1.3.1
# tmsh list ltm profile tcp tcp proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
proxy-buffer-high 49152
proxy-buffer-low 32768
}
proxy-buffer-high
Specifies the highest level at which the receive window is closed.
The default value is 49152.
proxy-buffer-low
Specifies the lowest level at which the receive window is closed.
The default value is 32768.
Version: 14.1.2.2
# list ltm profile tcp TCP proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
proxy-buffer-high 65535
proxy-buffer-low 32768
}
proxy-buffer-high
Specifies the highest level at which the receive window is closed.
The default value is 131072.
proxy-buffer-low
Specifies the lowest level at which the receive window is closed.
The default value is 98304.
Conditions:
Looking at the help for proxy-buffer-high and proxy-buffer-low in tmsh
Impact:
The default value for proxy-buffer-high is 65535 and the default value for proxy-buffer-low is 32768, but the help text indicates that the defaults are 13072 and 98304 respectively.
858877-5 : SSL Orchestrator config sync issues between HA-pair devices
Links to More Info: BT858877
Component: TMOS
Symptoms:
SSL Orchestrator configuration deployment across BIG-IP devices in a high-availability (HA) group may result in inconsistent state, if during deployment the connectivity between the HA peers is lost.
Conditions:
Deploying SSL Orchestrator configuration across BIG-IP devices in an HA group.
Impact:
Inconsistent SSL Orchestrator configuration on BIG-IP devices in an HA group.
Workaround:
Run the /usr/bin/ha-sync script. See ha-sync -h for help.
857769-1 : FastL4+HTTP or FastL4+Hash-Persistence virtual servers do not work correctly in DSR mode.
Links to More Info: BT857769
Component: Local Traffic Manager
Symptoms:
Given a long-lived TCP connection that can carry multiple client requests (for example, but not limited to, HTTP requests), the BIG-IP system fails to forward requests after the forty-eighth one.
The client will try re-transmitting the answered request, but the BIG-IP system will persist in dropping it.
Conditions:
This issue occurs when all of the following conditions are met:
1) The virtual server uses the FastL4 profile.
2) The virtual server also uses the HTTP or Hash-Persistence profiles.
3) The virtual server operates in DSR (Direct Server Return) mode (also known as N-Path).
Impact:
The BIG-IP system fails to forward traffic.
Workaround:
Do not use the HTTP or Hash-Persistence profiles with a FastL4 virtual server operating in DSR mode.
Note: It is fine to use an iRule that calls hash persistence commands (for example, "persist carp [...]") as long as the Hash-Persistence profile is not associated to the virtual server. This technique will allow you to persist on a hash based on L4 information that you can extract at CLIENT_ACCEPTED time. For example, the following iRule correctly persists a specific client socket to a pool member in a FastL4 DSR configuration:
when CLIENT_ACCEPTED {
persist carp [IP::client_addr]:[TCP::client_port]
}
851837-1 : Mcpd fails to start for single NIC VE devices configured in a trust domain
Links to More Info: BT851837
Component: TMOS
Symptoms:
Single NIC BIG-IP Virtual Edition (VE) devices configured in a trust domain (e.g., in high availability (HA)) cannot reload a running configuration when restarted and/or when mcpd fails to load the config, and reports a validation error:
err mcpd[25194]: 0107146f:3: Self-device config sync address cannot reference the non-existent Self IP ([IP ADDR]); Create it in the /Common folder first.
Conditions:
Single NIC VE devices configured in a trust domain (e.g., HA)
Impact:
The mcpd process fails to start, and the configuration does not load.
Workaround:
Manually copy and paste the self IP configuration snippet into the /config/bigip_base.conf file:
1. Connect to the CLI.
2. Edit bigip_base.conf, and add the following:
net self self_1nic {
address 10.0.0.1/24
allow-service {
default
}
traffic-group traffic-group-local-only
vlan internal
}
Note: replace 10.0.0.1 with the IP indicated in the error message
3. Save the changes and exit.
4. Load the configuration using the command:
tmsh load sys config
5. If APM or ASM is provisioned/configured, then also restart services with this command:
bigstart restart
851385-8 : Failover takes too long when traffic blade failure occurs
Links to More Info: BT851385
Component: Local Traffic Manager
Symptoms:
When blades 1 and 4 are disabled on the active chassis, the failover period is between 3.4 to 4.7 seconds before the next-active device starts processing messages.
If the blades are physically pulled from the chassis,
the failure occurs within 1 second.
Conditions:
-- Multi-blade VIPRION system
-- Blades 1 and 4 are connected to the network via trunks, blades 2 and 3 are CPU-only blades
-- Blades 1 and 4 are disabled via the GUI
Impact:
Significant delay before BIG-IP delivers a web page during between-cluster failover
846977-7 : TCP:collect validation changed in 12.0.0: the first argument can no longer be zero★
Links to More Info: BT846977
Component: Local Traffic Manager
Symptoms:
Validation for TCP::collect was changed in BIG-IP software v12.0.0 (with the introduction of JET specifications). Prior to 12.0.0, there were no restrictions on the values of the two arguments. As of 12.0.0, the first argument ('collect_bytes') must be a positive integer, and the second argument ('skip_bytes) must be a non-negative integer.
Occurrences of 'TCP::collect 0 0' in iRules experience issues when upgrading to a newer version, producing warnings in LTM log:
/Common/T_collect:9: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid argument 0; expected syntax spec:"136 17][TCP::collect 0 0].
Conditions:
-- Using a version of BIG-IP software earlier than 12.0.0, configure an iRule with a 'TCP::collect 0 0' command.
-- Upgrade to 12.0.0 or later.
Impact:
Warning in the LTM log file. The iRules containing 0 values do not function as expected. There is no other impact.
Workaround:
Change 'TCP::collect 0 0' to a value other than 0 (zero) in any iRules before or after upgrade.
844925-5 : Command 'tmsh save /sys config' fails to save the configuration and hangs
Links to More Info: BT844925
Component: TMOS
Symptoms:
The 'tmsh save /sys config' command hangs and fails to save the configuration if there is a memory allocation failure when creating the reply.
Conditions:
-- A large number of iApps: in the thousands.
-- Each iApp has tens of variables.
Impact:
Because tmsh cannot save the configuration, if the BIG-IP system reboots, any changes made since the last successful save are lost.
Workaround:
Run the command:
tmsh save /sys config binary
This does not save the configuration to files in /config, but it does at least allow you to save the binary configuration.
That way, you can reboot the BIG-IP system and not lose the configuration.
Note: It is possible that a reboot will provide sufficient memory to save to configuration files. It depends on the configuration of virtual memory at the time of the save. It is possible that every time you want to save the config, you must use the binary option.
843293-1 : When L7 performance FPGA is loaded, "tmsh show sys fpga" shows standard-balanced-fpga.
Links to More Info: BT843293
Component: TMOS
Symptoms:
When L7 performance FPGA is loaded, "tmsh show sys fpga" shows standard-balanced-fpga. "tmsh list sys fpga" will list the expected type "l7-performance-fpga".
Conditions:
-- iSeries i5000/i7000/i10000/i11000/i15000 platform
-- Pay as you grow (PAYG) license applied
-- L7 performance FPGA is loaded
Impact:
"tmsh show sys fpga" shows standard-balanced-fpga
This is cosmetic and there is no function impact. "tmsh list sys fpga" will list the correct type "l7-performance-fpga".
Workaround:
N/A
842669-6 : Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log
Links to More Info: BT842669
Component: TMOS
Symptoms:
Systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log. Bare ')' being logged to /var/log/user.log., for example:
cat /var/log/user.log
[...]: Deleting file /shared/core/*.core.*
[...]: Deleting file /shared/core/*.core.*
[...] )
[...] )
Conditions:
This occurs when the system logs syslog messages containing embedded newlines, such as
- The cron process tries and fails to send an email because of output from a cron script.
- audit log entries when editing irules
- Modifying the syslog 'include' configuration
- Applying ASM policy configuration change
- GTM.debugprobelogging output from big3d
- iqsyncer mcpd message debug output (log.gtm.level=debug)
Impact:
The logging subsystem accepts syslog messages with embedded newlines, and writes first line to the appropriate file, and remaining lines to both /var/log/user.log and /var/log/messages
Workaround:
View the logs using journalctl
842193-6 : Scriptd coring while running f5.automated_backup script
Links to More Info: BT842193
Component: iApp Technology
Symptoms:
When the iApp, f5.automated_backup, script is terminated due to the max-script-run-time, the script still continues and finishes, sometimes with scriptd coring and posting error messages in /var/log/ltm:
-- info logger[17173]: f5.automated_backup iApp autobackup: STARTED
-- info logger[17175]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs GENERATING
-- err scriptd[13532]: 014f0004:3: script has exceeded its time to live, terminating the script <------ after 20 secs, it continues even after the scriptd core.
-- notice sod[3235]: 01140041:5: Killing /usr/bin/scriptd pid 13532.
-- warning sod[3235]: 01140029:4: high availability (HA) daemon_heartbeat scriptd fails action is restart.
-- info logger[19370]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs SAVED LOCALLY
(/var/local/ucs)
-- info logger[19372]: f5.automated_backup iApp autobackup: FINISHED
Conditions:
Configure the iApp application with f5.automated_backup template to do auto-backup at regular intervals.
Impact:
Scriptd core.
Workaround:
Increasing the sys scriptd max-script-run-time higher then the default of 300 seconds might be helpful if the higher timeout allows the script to complete.
For example, if the script is saving a UCS and the save takes 400 seconds, then increasing the max-script-run-time to 430 seconds would allow the script to finish and would work around this issue.
842137-6 : Keys cannot be created on module protected partitions when strict FIPS mode is set
Links to More Info: BT842137
Component: Local Traffic Manager
Symptoms:
When the Hardware Security Module (HSM) FIPS mode is set to FIPS 140-2 Level 3 protection, new keys cannot be created in the module's protected partition.
Note: Although FIPS grade Internal HSM (PCI card) is validated by the Marvell company at FIPS 140-2 Level 3, the BIG-IP system is not 140-2 Level 3 validated.
Conditions:
-- FIPS 140-2 Level 3 protection is configured on a NetHSM partition.
-- You attempt to create a FIPS key using that partition.
Impact:
New Keys cannot be create.
Workaround:
Follow these steps to generate a new NetHSM key called 'workaround' and install it into the BIG-IP config:
1. Generate the key:
[root@bigip1::Active:Standalone] config # fipskey.nethsm --genkey -o workaround -c module
WARNING: fipskey.nethsm will soon be deprecated for use with Thales. Please switch to using tmsh commands instead.
tmsh commands...
Generate Key:
tmsh create sys crypto key <key_name> security-type nethsm [gen-certificate|gen-csr] ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate CSR for existing key:
tmsh create sys crypto csr <csr_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate Self-Signed Certificate for existing key:
tmsh create sys crypto cert <cert_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Delete Key:
tmsh delete sys crypto key <keyname>
str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=2048 embedsavefile="workaround" plainname="workaround" digest=sha256]
key generation parameters:
operation Operation to perform generate
application Application pkcs11
protect Protected by module
verify Verify security of key yes
type Key type RSA
size Key size 2048
pubexp Public exponent for RSA key (hex)
embedsavefile Filename to write key to workaround
plainname Key name workaround
x509country Country code
x509province State or province
x509locality City or locality
x509org Organisation
x509orgunit Organisation unit
x509dnscommon Domain name
x509email Email address
nvram Blob in NVRAM (needs ACS) no
digest Digest to sign cert req with sha256
Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622
Starting synchronisation, task ID 5de83486.6e9e32d7f367eaf4
Directory listing failed: No such file or directory
2. Confirm the presence of the key with the label 'workaround':
[root@bigip1::Active:Standalone] config # nfkminfo -l
Keys with module protection:
key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622 `workaround'
Keys protected by cardsets:
...
3. Install the key:
[root@bigip1::Active:Standalone] config # tmsh install sys crypto key workaround from-nethsm
4. Install the public certificate:
[root@bigip1::Active:Standalone] config # tmsh install sys crypto cert workaround from-local-file /config/ssl/ssl.crt/workaround
839361-7 : iRule 'drop' command does not drop packets when used in DNS_RESPONSE
Links to More Info: BT839361
Component: Global Traffic Manager (DNS)
Symptoms:
The iRule 'drop' command may not drop a DNS response when called under DNS_RESPONSE event.
Conditions:
iRule drop is used under DNS_RESPONSE event.
Impact:
DNS response may be improperly forwarded to the client.
Workaround:
Use DNS::drop instead.
838597-5 : Unable to load license/dossier when going down for vCMP
Links to More Info: BT838597
Component: TMOS
Symptoms:
After provisioning vCMP on the BIG-IP system and rebooting, vcmpd might core during the shutdown with a log message in /var/log/ltm "Unable to load license/dossier: Failed to connect to HAL via halmsg".
Conditions:
This occurs when rebooting the BIG-IP system after provisioning vCMP.
Impact:
This crash does not impact any functionality - system is shutting down anyway
Workaround:
None
838337-8 : The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.
Links to More Info: BT838337
Component: TMOS
Symptoms:
In 2019, Brazil cancelled DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP system's time zone database needs to be updated to reflect this change.
Conditions:
None.
Impact:
BIG-IP systems configured to use "America/Sao_Paul" (or other applicable Brazilian localities) will still apply DST. Hence time will spring forward and backward on previously designated dates.
This will have no impact to application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, etc. will use incorrect time.
Note: You can inspect the time changes your system is due to apply by running the following command from the BIG-IP system's advanced shell (bash):
zdump -v <timezone>
For example:
zdump -v America/Sao_Paulo
Workaround:
As a workaround, you can set the BIG-IP system's time zone to that of a different country with the same UTC offset and already not observing DST.
For example, instead of using "America/Sao_Paul", you could use "America/Buenos_Aires" to obtain the same result.
830073-7 : AVRD may core when restarting due to data collection device connection timeout
Links to More Info: BT830073
Component: Application Visibility and Reporting
Symptoms:
Avrd crashes, one or more core avrd files exist in /var/core
Conditions:
-- A BIG-IP system is managed by BIG-IQ via secure channel
-- Avrd is restarted.
Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes
Workaround:
None.
829657-5 : Possible TMM crash with a multi-IP PEM subscriber configured with more than 16 IP addresses
Links to More Info: BT829657
Component: Policy Enforcement Manager
Symptoms:
TMM crash.
Conditions:
PEM configured with a multi-IP subscriber with more than 16 IP addresses.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not create a PEM subscriber with more than 16 IP addresses.
829021-1 : BIG-IP does not account a presence of http2 profile when response payload is modified
Links to More Info: BT829021
Component: Local Traffic Manager
Symptoms:
The BIG-IP system might close a connection when the HTTP response payload is modified and sent without chunking encoding. If communication goes over an HTTP connection, the BIG-IP system closes a connection to tell a client that a response is served. With HTTP/2 connections, an unsized response is marked with the END_STREAM flag. This case is not accounted for, and the BIG-IP system closes HTTP communication with a server anyway.
Conditions:
-- A virtual server has an http/2 profile configured on the client side.
-- There are other profiles configured which can modify the HTTP response payload.
Impact:
The BIG-IP system wastes resources not reusing a server side HTTP connection when an unsized response is sent over an HTTP/2 connection to a client.
Workaround:
None.
814273-6 : Multicast route entries are not populating to tmm after failover
Links to More Info: BT814273
Component: TMOS
Symptoms:
Multicast route entries are not populating in tmm after failover. ZebOS has the multicast entries, but tmm does not.
Conditions:
-- High Availability (HA) configured, with multicast traffic.
-- A failover occurs.
Impact:
Multicast traffic does not pass through properly
Workaround:
Clear the multicast entries in ZebOS manually:
> clear ip mroute *
> clear ip igmp group
812693-5 : Connection in FIN_WAIT_2 state may fail to be removed
Links to More Info: BT812693
Component: Local Traffic Manager
Symptoms:
If a connection that has a fully closed client-side, but a server-side still in FIN_WAIT_2, receives a SYN matching the same connflow, the idle time is reset. This can result in the fin-wait-2-timeout never being reached. The SYN will be responded to with a RST - 'TCP Closed'
Conditions:
- Client side connection has been fully closed. This may occur if a client SSL profile is in use and an 'Encrypted Alert' has been received.
- Server side has sent a FIN which has been ACK'd, but no FIN has been received from the server.
- SYN received matching the existing connflow before the FIN-WAIT-2-timeout has been reached (300 default).
Impact:
Connection may fail to be removed in a timely manner. New connection attempts are RST with 'TCP Closed'
Workaround:
You can use either of the following:
-- Ensure servers are sending FIN's so as not to leave the connection in a FIN_WAIT_2 state.
-- Mitigate the issue by lowering the FIN-WAIT-2-timeout to a smaller value, e.g., FIN-WAIT-2-timeout 10.
811829 : BIG-IP as Authorization server: OAuth Report GUI display expired token as active
Links to More Info: BT811829
Component: Access Policy Manager
Symptoms:
Expired tokens status is shown as ACTIVE in the GUI whereas it is shown AS EXPIRED in the CLI via tmsh list apm oauth token-details
Conditions:
-- Access tokens/Refresh tokens should be expired
Impact:
Misleading information regarding the token status
Workaround:
Uuse 'tmsh list apm oauth token-details' but this shows only the first 100 tokens
809089-4 : TMM crash after sessiondb ref_cnt overflow
Links to More Info: BT809089
Component: TMOS
Symptoms:
Log message that indicates this issue may happen:
session_reply_multi: ERROR: unable to send session reply: ERR_BOUNDS
[...] valid s_entry->ref_cnt
Conditions:
-- Specific MRF configuration where all 500 session entries are owned by a single tmm.
-- High rate of session lookups with a lot of entries returned.
Note: This issue does not affect HTTP/2 MRF configurations.
Impact:
TMM core: the program terminates with signal SIGSEGV, Segmentation fault. Traffic disrupted while tmm restarts.
Workaround:
1. Change MRF configuration to spread session lookups across multiple tmms.
2. Reduce the sub-key entries to far below 500.
808801-6 : AVRD crash when configured to send data externally
Links to More Info: BT808801
Component: Application Visibility and Reporting
Symptoms:
AVRD can crash repeatedly when configured to send telemetry data externally.
Conditions:
-- AVR is configured to send telemetry data to an external source (like connection with BIG-IQ).
-- Large number of config objects in the system, such as virtual servers and pool members.
Impact:
AVRD process crashes, and telemetry data is not collected.
Workaround:
Split the configuration updates into smaller batches
808481-6 : Hertfordshire county missing from GTM Region list
Links to More Info: BT808481
Component: TMOS
Symptoms:
Hertfordshire county is missing from Regions in the United Kingdom Country/State list.
Conditions:
-- Creating a GTM region record.
-- Attempting to select Hertfordshire county for the United Kingdom.
Impact:
Cannot select Hertfordshire county from United Kingdom Country/State list.
Workaround:
None.
807569-3 : Requests fail to load when backend server overrides request cookies and Bot Defense is used
Links to More Info: BT807569
Component: Application Security Manager
Symptoms:
When Bot Defense is used on the backend server that overrides request cookies, requests to non-HTML resources may fail, or may receive the whitepage JavaScript challenge. An example is when a back-end server responds with a Set-Cookie header containing empty values for each cookie request cookie it does not recognize.
Conditions:
-- Bot Defense is enabled.
-- Backend server is overriding the Bot Defense cookies with the TS prefix.
Impact:
Some URLs fail to load following the JavaScript challenge.
Workaround:
Use an iRule to strip the TSPD_101 cookie from the request before forwarding it to the backend:
when HTTP_REQUEST_RELEASE {
HTTP::cookie remove "TSPD_101"
}
807309-5 : Incorrect Active/Standby status in CLI Prompt after failover test
Links to More Info: BT807309
Component: TMOS
Symptoms:
After running 'promptstatusd -y' to check current failover status, it displays an incorrect Active/Standby status in the CLI prompt.
Conditions:
This occurs under the following conditions:
1. Modify the db variable: bigdb failover.state.
2. Check that /var/prompt/ps1 and CLI prompt reflect the setting.
2. Reboot the BIG-IP system.
Impact:
Status shown in the prompt does not change.
Workaround:
Do not run 'promptstatusd -y' command manually.
The db variable 'failover.state is a status-reporting variable. The system does not report status manually set to something other than the actual status.
Note: 'promptstatusd' is not a BIG-IP user command, it is a daemon. It is highly unlikely that manually running this command will produce information that is useful or relevant to the status being sought.
805561-1 : Change of pool configuration in OneConnect environment can impact active traffic
Links to More Info: BT805561
Component: Local Traffic Manager
Symptoms:
In OneConnect environments, when the default pool is updated for the first time, active connections reconnect to new pool members. Further update to pool configuration has no impact on traffic.
Conditions:
-- Virtual server configured with OneConnect profile.
-- Default pool is updated when active connections are present.
Impact:
Active traffic disrupted.
Workaround:
None.
804089-2 : iRules LX Streaming Extension dies with Uncaught, unspecified error event
Links to More Info: BT804089
Component: Local Traffic Manager
Symptoms:
You are using a virtual with an ilx profile generated from an iRules LX Streaming extension and observed the following error or similar.
Sep 05 09:16:52 pid[5850] Error: Uncaught, unspecified "error" event. (ETIMEDOUT)
Sep 05 09:16:52 pid[5850] at ILXFlow.emit (events.js:163:17)
Sep 05 09:16:52 pid[5850] at ILXFlowWrap.ilxFlowErrorCb [as onIlxError] (/var/sdm/plugin_store/plugins/<pluginName>/extensions/<workspaceName>/node_modules/f5-nodejs/lib/ilx_flow.js:108:10)
Conditions:
Virtual server with an ilx profile generated from an iRules LX Streaming extension. The problem is aggravated if a web-acceleration profile is configured.
Impact:
Traffic may be disrupted until the sdmd daemon has respawned another node.js process.
803773-3 : BGP Peer-group route-maps are not applied to newly configured address-family ipv6 peers
Links to More Info: BT803773
Component: TMOS
Symptoms:
Inbound or outbound route-map configuration may not be applied properly to address-family ipv6 members of peer-group
Conditions:
This happens when route-map is applied to a peer-group before the neighbor gets configured as a peer-group member.
For example:
conf t
no route-map test
no router bgp 64512
route-map test permit 10
match ipv6 address 2001::1/128
router bgp 64512
neighbor pg1 peer-group
neighbor pg1 remote-as 64512
address-family ipv6
neighbor pg1 activate
neighbor pg1 route-map test out
end
conf t
router bgp 64512
neighbor 2001::2 peer-group pg1
end
Impact:
route-map configuration inherited from the peer-group (in or out) may not be applied to the BGP neighbor
Workaround:
After a peer is added:
- Remove peer-group route-map configuration.
- Re-add peer-group route-map configuration.
- Clear BGP sessions to apply new config.
803157-4 : LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots
Links to More Info: BT803157
Component: TMOS
Symptoms:
In reboot case, the BIG-IP system buffers the shutdown sequence log messages and writes them to disk once the syslog service starts during the boot process. The boot_marker message is written before shutdown messages sync to disk. This leads to out-of-sequence log messages, making it difficult to determine when the service stop occurred.
Conditions:
Reboot the BIG-IP system.
Impact:
Log messages appear out of order. It is difficult to tell whether service stop happened as part of reboot, or any error during the subsequent boot process.
Workaround:
None.
798885-6 : SNMP response times may be long when processing requests
Links to More Info: BT798885
Component: TMOS
Symptoms:
SNMP queries to the BIG-IP system may take longer (up to 15% more time) to process on BIG-IP systems with large configurations. mcpd CPU usage increases by a small amount (up to 10%) during these queries.
Conditions:
-- Large configuration.
-- Using SNMP to query statistics on the BIG-IP system.
Impact:
A small increase in response time to SNMP requests to the BIG-IP. Some SNMP queries might fail due to timeouts. mcpd CPU usage is slightly elevated while processing these queries.
Workaround:
If the responses to SNMP queries are taking too long, MCPD and SNMPD may overburden the control plane. It may be necessary to lengthen the timeout and retry values used by the SNMP client. It may also be helpful to trim what is queried, for example, not repetitively walking large tables like the Virtual Server or LTM Pool Member tables for statistics.
797573-1 : TMM assert crash with resulting in core generation in multi-blade chassis
Links to More Info: BT797573
Component: Local Traffic Manager
Symptoms:
TMM crashes while changing settings.
Conditions:
Seen on multi-blade chassis with either one of the options:
-- Running system with DoS and other traffic.
-- Create a new vCMP guest and deploy it.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
796985-4 : Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative'★
Links to More Info: BT796985
Component: TMOS
Symptoms:
VCMP host or guest is upgraded, and the vCMP guest is 'Inoperative', with messages similar to the following in /var/log/ltm:
-- warning clusterd[1546]: 013a0005:4: Clusterd using /VERSION for SW specification.
-- info clusterd[1546]: 013a0023:6: Blade 1: No info received from slot: Starting up
-- err clusterd[1546]: 013a0004:3: result {
-- err clusterd[1546]: 013a0004:3: result.code 17237812
-- err clusterd[1546]: 013a0004:3: result.attribute float_mgmt2_ip
-- err clusterd[1546]: 013a0004:3: result.message 01070734:3: Configuration error: Cluster alt-address: 192.168.1.246 cannot be the same address family as cluster address: 192.168.1.246
-- err clusterd[1546]: 013a0004:3: }
-- err clusterd[1546]: 013a0004:3: Per-invocation log rate exceeded; throttling.
-- notice clusterd[1546]: 013a0006:5: Disconnecting from mcpd.
-- info clusterd[1546]: 013a0007:6: clusterd stopping...
Conditions:
-- Isolated vCMP guest.
-- Both 'Address' and 'Alt-Address' are assigned the same IPv4 address.
-- Upgrade occurs.
Impact:
Upon host/guest upgrade, vCMP guest is 'Inoperative'.
Workaround:
-- For new vCMP guests, or prior to booting the vCMP guest to an affected version for the first time, assign it a management-ip from the vCMP host. This prevents the alt-address from being assigned and the issue from occurring on subsequent upgrades.
tmsh modify vcmp <guest_name> management-ip 192.168.1.246/24
-- For existing vCMP guests already on an affected version, but not currently experiencing the issue, assign a management-ip from the vCMP host and remove the alt-address from within the vCMP guest to prevent the issue from occurring in a future upgrade or reboot:
host# tmsh modify vcmp guest <guest-name> management-ip 192.168.1.246/24
guest# tmsh modify sys cluster default alt-address none
-- When already upgraded and seeing the issue on a guest, set a management-ip from the vCMP host and run the following commands within the guest to remove the alternate address from the configuration file:
host# tmsh modify vcmp guest <guest-name> management-ip 192.168.1.246/24
guest# bigstart stop clusterd
guest# sed -i s/alt_addr=.*// -i /shared/db/cluster.conf
guest# bigstart start clusterd
795633-1 : GUI and REST API unable to add virtual servers containing a space in the name to a pool
Links to More Info: BT795633
Component: Global Traffic Manager (DNS)
Symptoms:
The GUI and REST API are unable to add virtual servers containing a space in the name to a pool.
Conditions:
Virtual server name contains a space.
Impact:
Unable to manage pool members if the virtual server contains a space in the name.
Workaround:
Use tmsh.
788257-5 : Bigd.mgmtroutecheck setting ignored by in-tmm monitors after bigstart restart
Links to More Info: BT788257
Component: In-tmm monitors
Symptoms:
The bigd.mgmtroutecheck db variable can be enabled to prevent monitor traffic from going through the management interface (for information, see K14549: Overview of the 'bigd.mgmtroutecheck' database key :: https://support.f5.com/csp/article/K14549); however, if in-tmm monitors are configured, the setting will be ignored after a bigstart restart.
Conditions:
-- bigd.mgmtroutecheck is enabled
-- bigd.tmm is enabled (i.e., in-tmm monitors are configured).
-- tmm has a route configured to the management interface.
-- A pool member exists that matches a route through the management interface.
-- bigstart restart is performed.
Impact:
In-tmm monitor traffic uses the management interface if there is a route to the pool member via the management interface, even when bigd.mgmtroutecheck indicates it is enabled.
Workaround:
None
783077-2 : IPv6 host defined via static route unreachable after BIG-IP reboot
Links to More Info: BT783077
Component: Local Traffic Manager
Symptoms:
Static route unreachable after BIG-IP system reboot.
Conditions:
-- Add a static route.
-- Issue a ping (works fine).
-- Reboot the BIG-IP system.
-- Issue a ping (cannot pint the route).
Impact:
Static route exists in both kernel and LTM routing table but unable to ping the route after rebooting the BIG-IP system.
Workaround:
Workaround-1:
Delete the IPv6 route entry and recreate the route by issuing the following commands in sequence:
tmsh delete net route IPv6
tmsh create net route IPv6 network 2a05:d01c:959:8408::b/128 gw fe80::250:56ff:fe86:2065 interface internal
Workaround-2:
net route /Common/IPv6 {
gw fe80::456:54ff:fea1:ee02 <-- Change this address to unicast address from 2a05:d01c:959:8409::/64 network
interface /Common/Internal
mtu 1500
network 2a05:d01c:959:8408::b/128
}
782373-1 : GTM fails to log MCPD error in GTM log and logs it in LTM log instead.
Links to More Info: BT782373
Component: Global Traffic Manager (DNS)
Symptoms:
When using BIG-IP link monitors with the mentioned conditions, the system logs MCPD error messages (GTM config sync result from local mcpd: result) in the LTM instead of GTM.
# tail /var/log/gtm
May 15 11:58:54 gtm1a.test.net err iqsyncer[2684]: 011ae104:3: Gtm config sync result from local mcpd: result {
May 15 11:58:54 gtm1a.test.net notice gtmd[15881]: 011a0006:5: hookOnChild: SYNC syncer exited with status == 0.(success)
# tail /var/log/ltm
May 15 11:58:14 gtm1a.test.net err mcpd[9833]: 0107082c:3: Cannot modify the destination address of monitor /Common/my_bigi_link.
May 15 11:58:14 gtm1a.test.net err mcpd[9833]: 01071488:3: Remote transaction for device group /Common/gtm to commit id 1 6691325118043697493 /Common/bigip1 0 failed with error 0107082c:3: Cannot modify the destination address of monitor /Common/my_bigi_link..
May 15 11:58:24 gtm1a.test.net err mcpd[9833]: 0107082c:3: Cannot modify the destination address of monitor /Common/my_bigi_link.
May 15 11:58:24 gtm1a.test.net err mcpd[9833]: 01071488:3: Remote transaction for device group /Common/gtm to commit id 1 6691325118043697493 /Common/bigip1 0 failed with error 0107082c:3: Cannot modify the destination address of monitor /Common/my_bigi_link..
Expected logs:
# tail /var/log/gtm -f
May 7 13:39:21 gtm1a err iqsyncer[27803]: 011ae104:3: Gtm config sync result from local mcpd: result { result_code 17238060 result_message "0107082c:3: Cannot modify the destination address of monitor /Common/my_bigip_link." result_attribute monitor }
Conditions:
-- A bigip_link monitor with destination * written in bigip_gtm.conf.
-- That monitor is associated with a link.
-- The following command is run on one of the sync group peers:
tmsh load /sys config gtm-only.
Impact:
GTM log is missing MCPD error text, which instead gets logged in LTM log.
Workaround:
N/A
780745-5 : TMSH allows creation of duplicate community strings for SNMP v1/v2 access
Links to More Info: BT780745
Component: TMOS
Symptoms:
TMSH allows you to create multiple access records with the same IP protocol, same Source IP network, and same community string.
Conditions:
Duplicate access records are created in TMSH.
Impact:
Unintended permissions can be provided when an undesired access record with the correct community string is matched to a request instead of the desired access record.
Workaround:
Use the Configuration Utility to manage SNMP v1/2c access records. (The GUI properly flags the error with the message:
The specified SNMP community already exists in the database.
If you use tmsh, ensure that community strings remain unique within each Source IP Network for each IP protocol.
780437-8 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
Links to More Info: BT780437
Component: TMOS
Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.
As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.
The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.
Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.
Symptoms for this issue include:
-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.
-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.
-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):
qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img
qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img
-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one of more vCMP guests:
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]
Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.
-- Large configuration with many guests.
-- The VIPRION chassis is rebooted.
-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.
Impact:
-- Loss of entire configuration on previously working vCMP guests.
-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.
-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.
Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.
If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.
779185-1 : Forward zone deleted when wideip updated
Links to More Info: BT779185
Component: Global Traffic Manager (DNS)
Symptoms:
When a forward zone is configured in zonerunner, and a wideip is configured in the same zone, BIG-IP may delete the bind zone whenever the wide ip's pool members are modified.
Subsequent modifications of the same zone will then result in a new primary zone being created in bind.
Conditions:
- A forward zone is configured in bind (zonerunner)
- The pool members associated with a wideip are modified
Impact:
Queries that do not match wideips are passed to bind for processing, and are no longer forwarded to the nameserver configured in the forward zone.
Workaround:
- Recreate the zonerunner forward zone after modifying the wideip
779137-7 : Using a source address list for a virtual server does not preserve the destination address prefix
Links to More Info: BT779137
Component: Local Traffic Manager
Symptoms:
Configuring a network virtual server with a source address list causes the system to treat the virtual server as a host.
Conditions:
-- Configure a source address list on the virtual server.
-- Configure a network address for the destination of the virtual server (not an address list).
Impact:
Traffic does not flow to the virtual server as expected.
Workaround:
See K58807232
778513-3 : APM intermittently drops log messages for per-request policies
Links to More Info: BT778513
Component: TMOS
Symptoms:
APM may intermittently drop log messages, leading to missing information on policy execution or other events.
Conditions:
This might occur under either of the following conditions:
-- Using APM per-request policies, or ACCESS::log iRule commands.
-- APM is configured to use multiple log destinations (such as: local-db and local-syslog).
Impact:
Administrator may fail to report certain logging events, hindering troubleshooting or auditing efforts.
Workaround:
No workaround is possible.
When reviewing APM logs, keep in mind that during periods of high activity (greater than 100 log messages in 1-to-2 seconds) that the system may drop some log messages.
778501-5 : LB_FAILED does not fire on failure of HTTP/2 server connection establishment
Links to More Info: BT778501
Component: Local Traffic Manager
Symptoms:
When the server connection fails to be established due to server being down or actively rejecting the connection, LB_FAILED should fire and allow a new destination to be selected via iRule.
Conditions:
- iRule with LB_FAILED event
- server connection establishment fails
Impact:
Selection of a new destination via LB_FAILED is not possible, thus the client connection will be aborted.
Workaround:
No workaround available.
778225-6 : vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host
Links to More Info: BT778225
Component: TMOS
Symptoms:
Automatic hitless upgrade for protocol inspection fails on vCMP guests. This occurs because vCMP guest don't install f5_api_com key and certificates.
Conditions:
After licensing a vCMP guest, there is no f5_api_com key or certificate (you can run key_cache_path and crt_cache_path to determine that).
Impact:
Hitless upgrade fails for protocol inspection and traffic classification on vCMP guests.
Workaround:
Install the hitless upgrade IM package manually.
777389-7 : In rare occurrences related to PostgreSQL monitor, the mcpd process restarts
Links to More Info: BT777389
Component: TMOS
Symptoms:
Possible indications include the following:
-- Errors such as the following may appear in ltm/log:
- notice postgres[10872]: [466-1] WARNING: pgstat wait timeout.
- notice sod[27693]: 01140041:5: Killing /usr/bin/mcpd pid 7144.
- BD_CONF|ERR| ...failed to connect to mcpd after 5 retries, giving up...
- BD_CONF|ERR| ...can't read message from mcp conn, status:16908291.
- BD_MISC|CRIT| ...Received SIGABRT - terminating.
-- Errors such as the following may appear in the dwbld/log:
- Couldn't send BLOB notification - MCP err 16908291.
- Got a terminate/abort signal - terminating ...
- Terminating mcp_bridge thread.
-- Processes may restart unexpectedly, including mcpd, bd, and postgresql.
Conditions:
-- The 'mcpd' process attempts to read monitoring data from the PostgreSQL server, but no data is available.
-- A contributing factor might be that the AFM module is licensed but not configured.
Impact:
Failing to receive a monitoring response from the SQL server, MCPD goes into an infinite loop and skips the heartbeat report, resulting in its restart. While MCPD is restarting, the system is offline and does not process traffic. After restart, system operation returns to normal.
Workaround:
The chance of occurrence can be minimized by making sure that control-plane processes have sufficient memory to run efficiently.
775845-6 : Httpd fails to start after restarting the service using the iControl REST API
Links to More Info: BT775845
Component: TMOS
Symptoms:
After restarting httpd using the iControl REST API, httpd fails to start, even with a subsequent restart of httpd at the command line.
Similar to the following example:
config # restcurl -u admin:admin /tm/sys/service -X POST -d '{"name":"httpd", "command":"restart"}'
{
"kind": "tm:sys:service:restartstate",
"name": "httpd",
"command": "restart",
"commandResult": "Stopping httpd: [ OK ]\r\nStarting httpd: [FAILED]\r\n(98)Address already in use: AH00072: make_sock: could not bind to address n.n.n.n:n\nno listening sockets available, shutting down\nAH00015: Unable to open logs\n"
}
config # tmsh restart sys service httpd
Stopping httpd: [ OK ]
Starting httpd: [FAILED]
Conditions:
Restarting httpd service using iControl REST API.
Impact:
Httpd fails to start.
Workaround:
To recover from the failed httpd state, you can kill all instances of the httpd daemon and start httpd:
killall -9 httpd
tmsh start sys service httpd
775797-5 : Previously deleted user account might get authenticated
Links to More Info: BT775797
Component: TMOS
Symptoms:
A user account which may have originally been manually configured as a local user (auth user) but may have since been removed, might still get authenticated and be able to modify the BIG-IP configuration.
Conditions:
-- User account configured as local user.
-- The user account is deleted later.
(Note: The exact steps to produce this issue are not yet known).
Impact:
The deleted user that no longer exists in the local user list and which is also not explicitly authorized by remote role groups, can get authenticated. The deleted user is also able to modify the BIG-IP configuration via iControl.
Workaround:
None.
767473-2 : SMTP Error: Could not authenticate
Links to More Info: BT767473
Component: TMOS
Symptoms:
When using a "sys smtp-server" object (System >> Configuration >> Device >> SMTP) to configure an SMTP mail server, mail may be rejected by the remote SMTP server, and clicking on the "Test Connection" button returns "SMTP Error: Could not authenticate"
Conditions:
The remote SMTP server requires TLS1.2 or higher.
Impact:
Unable to send mail for BIG-IP features that make use of the 'sys smtp-server' object, such as AVR and ASM reports.
Workaround:
Configure the BIG-IP to relay mail through a locally administered SMTP server that allows TLS 1.0 connections (which may mean creating an SMTP relay that only accepts mail from BIG-IP devices and relays it securely to another SMTP server)
766593-7 : RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20
Links to More Info: BT766593
Component: Global Traffic Manager (DNS)
Symptoms:
RESOLV::lookup returns empty string.
Conditions:
Input bytes array is at length of 4, 16, or 20.
For example:
[RESOLV::lookup @dnsserveraddress -a [binary format a* $host1.d1test.com]]
Impact:
RESOLV::lookup returns empty string.
Workaround:
Use lindex 0 to get the first element of the array.
For example:
[RESOLV::lookup @dnsserveraddress -a [lindex [binary format a* $host1.d1test.com] 0]]
762097-5 : No swap memory available after upgrading to v14.1.0 and above★
Links to More Info: BT762097
Component: TMOS
Symptoms:
After an upgrade to v14.1.0 or higher, swap memory may not be mounted. TMM or other host processes may restart due to lack of memory.
Conditions:
-- System is upgraded to v14.1.0 or above.
-- System has RAID storage.
Impact:
May lead to low or out-of-memory condition. The Linux oom killer may terminate processes, possibly affecting service.
Typically management activities may be impacted, for example, a sluggish GUI (config utility) or tmsh sessions.
Workaround:
Mount the swap volume with correct ID representing the swap device.
Perform the following steps on the system after booting into the affected software version:
1. Get the correct ID (RAID device number (/dev/md<number>)):
blkid | grep swap
Note: If there is no RAID device number, perform the procedure detailed in the following section.
2. Check the device or UUID representing swap in /etc/fstab.
3. If swap is not represented with the correct ID, modify the /etc/fstab swap entry to point to the correct device.
4. Enable the swap:
swapon -a
5. Check swap volume size:
swapon -s
If the blkid command shows there is no UUID associated with the swap RAID device, use the following procedure:
1. Generate a random UUID:
uuidgen
2. Make sure swap is turned off:
swapoff -a
3. Recreate the swap partition with UUID generated in step 1:
mkswap -U <uuid_from_step_1> <raid_device_from_step_1>
4. Run blkid again to make sure that you now have a UUID associated with the raid device:
blkid | grep swap
5. edit fstab and find the line
<old_value> swap swap defaults 0 0
6. Replace the old value, whether it was an incorrect UUID or a device name, with the UUID generated in step 1, for example:
UUID=8b35b30b-1076-42bb-8d3f-02acd494f2c8 swap swap defaults 0 0
760400-1 : High number of vcmp guests on clusters and discovery appliances may result in retries for guest deployment
Links to More Info: BT760400
Component: TMOS
Symptoms:
- Guests coming up with retries and
- Messages like below in the LTM log
Guest (XXX): Killing VM process.
Conditions:
- Clusters or discovery appliances host
- High number of vcmp guests being deployed
Impact:
VCMP guests may become unable to pass traffic.
760354-7 : Continual mcpd process restarts after removing big logs when /var/log is full
Links to More Info: BT760354
Component: TMOS
Symptoms:
The BIG-IP device suddenly stops passing traffic. You might see errors similar to the following:
err mcpd[15230]: 01070596:3: An unexpected failure has occurred, TAP creation failed (tmm): Permission denied - net/validation/routing.cpp, line 168, exiting...
Conditions:
This might occur when when /var/log is full and then you remove big logs.
Impact:
The mcpd process restarts continuously. This occurs because tmm blocks mcpd from restarting after /var/log fills up.
Workaround:
Empty the contents of big size log files under /var/log and reboot the BIG-IP system.
If that does not resolve the problem, restart all processes (bigstart restart) or reboot the box.
759258-7 : Instances shows incorrect pools if the same members are used in other pools
Links to More Info: BT759258
Component: TMOS
Symptoms:
Monitor 'Instances' tab shows incorrect pools if the same members are used in other pools.
Conditions:
Steps to Reproduce:
1. Create custom monitor or use system default.
2. Assign that monitor to a test pool.
3. Navigate to Local Traffic :: Monitors, click the test monitor, then select the Instances tab.
Impact:
The test pool is displayed, as well any other pools that use the same member or members (but with other monitors assigned).
Workaround:
None.
758929-7 : Bcm56xxd MIIM bus access failure
Links to More Info: BT758929
Component: TMOS
Symptoms:
Bcm56xxd daemon running on certain BIG-IP devices might experience MIIM bus access failure. The system posts a message similar to the following in the ltm log:
info bcm56xxd: 012c0016:6: MiimTimeOut:soc_miim_write, timeout (id=0xc9 addr=0x1f data=0x0000)
Conditions:
Using one of the following platforms:
+ VIPRION B2250 Blade (A112)
+ VIPRION B2150 Blade (A113)
+ VIPRION B4300 Blade (A108)
+ BIG-IP 5250v
+ BIG-IP 7200S
+ BIG-IP i5600
+ BIG-IP i5820
+ BIG-IP i7800
+ BIG-IP i10800
Impact:
The affected BIG-IP system fails to pass traffic. If configured for high availability (HA) and the HA connection has not been disrupted, failover occurs.
Workaround:
Reboot the affected BIG-IP platform / VIPRION blade.
758491-5 : When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys
Links to More Info: BT758491
Component: Local Traffic Manager
Symptoms:
For Thales:
The ltm/log shows SSL handshake failures with similar lines (this is for Diffie-Hellman Key Exchange):
-- warning bigip1 tmm1[28813] 01260013 SSL Handshake failed for TCP 192.0.2.1:5106 -> 192.0.2.200:5607
-- warning bigip1 tmm1[28813] 01260009 Connection error: ssl_hs_vfy_sign_srvkeyxchg:13583: sign_srvkeyxchg (80)
-- debug bigip1 tmm1[28813] 01260036 FIPS acceleration device error: fips_poll_completed_reqs: req: 4 status: 0x1 : Cancel
-- err bigip1 pkcs11d[26259] 01680002 Key table lookup failed. error.
After enabling pkcs11d debug, the pkcs11d.debug log shows:
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_CLASS
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_CLASS matches
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_ID
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_ID does not match <===
For Safenet:
-- warning tmm1[17495]: 01260009:4: Connection error: ssl_hs_vfy_sign_srvkeyxchg:13544: sign_srvkeyxchg (80)
-- warning tmm1[17495]: 01260013:4: SSL Handshake failed for TCP 10.1.1.11:6009 -> 10.1.1.201:443
-- err pkcs11d[5856]: 01680002:3: Key table lookup failed. error.
Conditions:
1. Keys were created on earlier versions of BIG-IP software, no matter if using tmsh (Safenet) or using fipskey.nethsm (Thales, Safenet) and the device was upgraded to 14.1.0 or later.
2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm (Thales). For Safenet, fipskey.nethsm was deprecated in 14.0.0.
Impact:
SSL handshake failures.
Workaround:
There are two workarounds:
-- Re-create the keys using tmsh command.
IMPORTANT: This workaround is suitable for deployments that are new and not in production.
-- Re-import the keys from nethsm using:
tmsh install sys crypto key <key_label> from-nethsm
You can find the key_label here:
-- The rightmost string in the output of the Thales command:
nfkminfo -l
-- The string after label= in the 'cmu list' command for Safenet.
757787-5 : Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI.
Links to More Info: BT757787
Component: TMOS
Symptoms:
When creating a new rule or modifying an existing rule in a LTM/AFM Policy policy using the WebUI, the operation fails and an error similar to the following example is returned:
Transaction failed:010715bd:3: The parent folder is owned by application service (/Common/MyPolicy.app/MyPolicy), the object ownership cannot be changed to ().
Conditions:
-- The LTM/AFM Policy belongs to an Application Service (iApp).
-- The modification is attempted via the WebUI.
Impact:
Unable to make changes to existing LTM/AFM Policies.
Workaround:
Use the tmsh utility to make the necessary modifications to the LTM/AFM Policy. For example, the following command modifies an existing rule:
tmsh modify ltm policy myapp.app/Drafts/myapp_l7policy rules modify { 0 { conditions modify { 0 { http-method equals values { GET POST } } } } }
757486-2 : Errors in IE11 console appearing with Bot Defense profile
Links to More Info: BT757486
Component: Application Security Manager
Symptoms:
When Bot Defense profile is used and has Browser Verification enabled to either Verify Before Access, or Verify After Access, Microsoft Internet Explorer v11 (IE11) Browsers may display the following errors in the browser console:
HTML1512: Unmatched end tag.
a.html (26,1)
HTML1514: Extra "<body>" tag found. Only one "<body>" tag should exist per document.
a.html (28,1)
Conditions:
-- Bot Defense profile is enabled with Browser Verification.
-- End user clients are using the IE11 browser.
Impact:
Cosmetic error messages appear in an end user's browser console.
Workaround:
In order to work around this issue, inject the scripts to the '<body>' tag instead of the '<head>' tag. This can be done using this tmsh command:
tmsh mod sys db dosl7.parse_html_inject_tags value after,body,before,/body`
756830-6 : BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'
Links to More Info: BT756830
Component: TMOS
Symptoms:
The BIG-IP system may fail source translation for connections matching a virtual server that has connection mirroring enabled and source port selection set to 'preserve strict'.
Conditions:
Connections match a virtual server that has following settings:
- Connection mirroring is enabled.
- Source Port set to 'Preserve Strict'.
In addition, CMP hash selection (DAG mode) on the corresponding VLANs is set to 'Default DAG'.
Impact:
Source translation may fail on BIG-IP system, leading to client connection failures.
Workaround:
You can try either of the following:
-- Do not use the Source Port setting of 'Preserve Strict'.
-- Disable connection mirroring on the virtual server.
755207-3 : Large packets silently dropped on VE mlxvf5 devices
Links to More Info: BT755207
Component: TMOS
Symptoms:
Jumbo frames are disabled by default for Mellanox ConnectX-4 and ConnectX-5 devices using the mlxvf5 driver (i.e., many BIG-IP Virtual Edition (VE) configurations). Packets larger than 1500 bytes are silently dropped. Only packets up to 1500 bytes are supported when jumbo framers are disabled.
Conditions:
BIG-IP VE with SR-IOV using Mellanox ConnectX-4 or ConnectX-5 NICs.
Typically this represents VE configurations running on private Cloud environments such as VMware, KVM, OpenStack, and others.
Note: You can determine your environment by running the following commands:
# tmctl -d blade tmm/device_probed
# tmctl -d blade xnet/device_probed
Configurations exhibiting this issue either:
1. reports a value of 'mlxvf5' in the driver_in_use column in tmm/device_probed, and possibly reports 'tmctl: xnet/device_probed: No such table.'
2. reports a value of 'xnet' in the driver_in_use column in tmm/device_probed, and a value of 'mlxvf5' in the driver_in_use column in xnet/device_probed.
Impact:
Packets larger than 1500 bytes are dropped without a warning.
Workaround:
Enable jumbo frames and then restart tmm.
1. Add the following line to /config/xnet_init.tcl:
drvcfg mlxvf5 jumbo_support 1
2. Restart tmm:
bigstart restart tmm
Important: There are two possible mlxvf5 drivers. It is possible to enable jumbo frames only for the xnet-based driver.
Important: Enabling jumbo frames causes a performance loss for 1500-byte-size packet, but offers higher throughput at lower CPU usage for larger packets. Note that 1500 bytes is the most common size for internet packets.
753712-4 : Incorrect warning: Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family.
Links to More Info: BT753712
Component: TMOS
Symptoms:
An incorrect warning message is given when the inline source/dest address is changed:
-- warning mcpd[6927]: 01071859:4: Warning generated : Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family.
Conditions:
This occurs after you create a traffic-matching-criteria (port-list, address-list) with different source and destination addresses.
Impact:
An incorrect and confusing warning message is given. This warning does not affect traffic processing. It is inadvertently triggered when reading the configuration of the traffic matching profile. Virtual servers should continue to work, and the config should load as expected, despite the warning.
Workaround:
None
751719-5 : UDP::hold/UDP::release does not work correctly
Links to More Info: BT751719
Component: Carrier-Grade NAT
Symptoms:
UDP::hold/UDP::release do not work properly. Connections cannot be deleted and tmm logs an error:
crit tmm14[38818]: 01010289:2: Oops @ 0x2b6b31b:7903: Flow already has peer. Tried to overwrite.
Conditions:
iRule with UDP::hold/UDP::release
Impact:
UDP::hold/UDP::release does not work correctly
751451-4 : When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles
Links to More Info: BT751451
Component: Local Traffic Manager
Symptoms:
If there are HTTPS monitor objects that were created using BIG-IP software v12.x, when the BIG-IP is upgraded directly to v14.0.0 or later, the operation automatically creates server SSL profiles for the HTTPS monitors as needed. Those server SSL profile objects do not have 'no-tlsv1.3' included in their 'options' configuration.
Conditions:
-- Having HTTPS monitors configured in v12.x before upgrading.
-- Directly upgrading from v12.x to v14.0.0 or later
Impact:
TLSv1.3 gets enabled on the server SSL profiles.
Workaround:
-- To avoid this issue, upgrade from v12.x to v13.x, and then upgrade to v14.0.0 or later
-- To mitigate this issue, modify the affected profile to disable TLSv1.3.
749757-4 : -s option in qkview help does not indicate maximum size
Links to More Info: BT749757
Component: TMOS
Symptoms:
When running qkview with the -h option to obtain help, the -s (size) option is incorrectly rendered.
It should read:
[ -s <max file size> range:0-104857600 Bytes ]
Conditions:
-- Running qkview -h.
-- Viewing the -s (size) option help.
Impact:
The measurement size, bytes, is missing, which might result in confusion.
Workaround:
Use the -s option as normal, but be advised that the number should be in bytes, and that the maximum number is 104857600.
745125-2 : Network Map page Virtual Servers with associated Address/Port List have a blank address.
Links to More Info: BT745125
Component: TMOS
Symptoms:
On the Local Traffic > Network Map page, some virtual servers have a blank address.
Conditions:
An address list or port list is associated with the virtual server
Impact:
The Network Map will display a blank address field.
743826-7 : Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0)
Links to More Info: BT743826
Component: Application Visibility and Reporting
Symptoms:
When a pool member is defined with port any(0), calling the GetPoolMember() function, gives an incorrect error message that the pool member was not found.
Conditions:
Pool member with port any(0)
Impact:
Wrong error message printed to avrd.log
743444-2 : Changing monitor config with SASP monitor causes Virtual to flap
Links to More Info: BT743444
Component: Local Traffic Manager
Symptoms:
If you change the monitor configuration for a pool or pool member to include the SASP monitor and add or remove an additional monitor (e.g., TCP), the pool members affected by this configuration change will be marked Down/Unavailable (RED) for some period of time (e.g., 5 seconds) after the change.
During this time, if all pool members are marked down, any virtual servers associated with the pool are also marked down, interrupting traffic.
Conditions:
This occurs when changing the configured monitor for a pool or pool member in one of the following ways:
1. From a SASP monitor to a SASP plus another monitor.
2. From a SASP monitor plus another monitor, to a SASP monitor.
3. From a SASP monitor plus another monitor, to a SASP monitor plus a different monitor.
Impact:
Pool members affected by the monitor change are marked down by the SASP monitor until the SASP monitor receives member weights from the SASP GWM.
If the monitor configuration change affects all pool members in a pool, any virtual servers configured to use that pool are also marked down during this period.
Workaround:
If some members of the pool are configured to use a different monitor than the other pool members, only a subset of pool members are marked down as the result of the monitor configuration change, and the corresponding virtual servers are not marked down due to the monitor configuration change.
740274-2 : TMM stall during startup when syslog is not listening to tmm.pipe
Links to More Info: BT740274
Component: Local Traffic Manager
Symptoms:
When TMM runs at multi-thread mode which is by default, at the startup phase, except tmm.0, all threads stall. This happens when syslog-ng does not listen on tmm.pipe (for example, syslog-ng crashed or was unable to load the configuration).
Conditions:
This issue occurs when Syslog-ng is not listening on /var/run/tmm*.pipe.
Impact:
Tmm threads stall at startup, except tmm.0.
Workaround:
Resolve problems with syslog-ng.
739820-9 : Validation does not reject IPv6 address for TACACS auth configuration
Links to More Info: BT739820
Component: TMOS
Symptoms:
TACACS authentication does not support IPv6 address for the authentication server, but both GUI and TMSH allow IPv6 addresses to be configured for TACACS. Such configurations may result in failed logins with messages in /var/log/secure like
Aug 8 10:47:39 gtm-13108-174 err httpd[5948]: pam_tacplus: skip invalid server: 2001::1001:1001 (invalid port: no digits)
Conditions:
Use the GUI or TMSH to create or modify a TACACS server
Impact:
Remote authentication will fail unless a second server is configured with IPv4 address.
Workaround:
Do not configure IPv6 address for TACACS server
739475-6 : Site-Local IPv6 Unicast Addresses support.
Links to More Info: BT739475
Component: Local Traffic Manager
Symptoms:
No reply to Neighbor Advertisement packets.
Conditions:
Using FE80::/10 addresses in network.
Impact:
Cannot use FE80::/10 addressees in network.
Workaround:
None
722657-5 : Mcpd and bigd monitor states are intermittently out-of-sync
Links to More Info: BT722657
Component: Local Traffic Manager
Symptoms:
Bigd only informs mcpd of the state of a node on a state change. If the pool member status happens to be incorrect, this can cause the following symptoms.
-- Pool member status may be incorrect for a long time
-- Traffic may be directed to a pool member that is actually down.
Conditions:
-- Monitor is attached to pool member and bigd does not inform the state change event for a long time in certain corner cases.
-- No periodic events from bigd to mcpd.
Impact:
-- False monitor status in UI/CLI.
-- Large number of RST connections as traffic is directed to a pool member that is actually DOWN
Workaround:
None
721892-2 : Pfmand on vCMP guests does not recover after service interruption
Links to More Info: BT721892
Component: TMOS
Symptoms:
If pfmand on a vCMP host shuts down and starts back up, pfmand running on any of the vCMP guests loses connection and does not recover.
Conditions:
- vCMP host and guest(s) both have pfmand.healthstatus set to "enable"
- pfmand on the host shuts down and starts up again. This can sometimes occur due to re-licensing on the host.
Impact:
Pfmand on vCMP guests loses connection:
warning pfmand[20332]: 01660005:4: No connection to hypervisor.
Workaround:
Rebooting the vCMP host will allow the pfmand connection to be be re-established.
721591-2 : Java crashes with core during with high load on REST API
Links to More Info: BT721591
Component: TMOS
Symptoms:
Java crashes with core.
Conditions:
This is a random crash and there are no known conditions for reproducing it.
Impact:
This crash occurs randomly during normal operation and has following impact:
-- Stats are not available.
Workaround:
-- Restart the Java service with "bigstart restart restjavad" or "tmsh restart sys service restjavad".
-- Restart the BIG-IP system.
718796-7 : iControl REST token issue after upgrade★
Links to More Info: BT718796
Component: Device Management
Symptoms:
When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST lose the ability to make those calls.
Conditions:
You will notice this issue when you use iControl REST and are upgrading to version 13.1.0.x or later.
You can also detect if the user is impacted by this issue with the following steps
1. Run below API to for impacted user account XYZ.
# curl -ik -u username:XYZ -XPOST https://localhost/mgmt/shared/authn/login --data-binary '{"username":"XYZ", "password":"XYZpass", "loginProviderName":"tmos"}' -H "Content-Type: application/json"
2. Find user XYZ's 'link' path under 'token' in previous output
There are two formats possible for 'link'
a. Path will have a UUID
For example "token"->"link"->"https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>"
b. Path will have a username (not UUID)
For example "token"->"link"->"https://localhost/mgmt/shared/authz/users/<username>"
3. Run below API to get list of user roles.
# restcurl -u "admin:<admin-user-pass>" /shared/authz/roles | tee /var/tmp/rest_shared_authz_roles.json
4. Check user XYZ's link path from step 2 in above output.
Check under the "userReferences" section for group "iControl_REST_API_User" . You will see the link path in one of the two formats listed in 2a/2b. If you do not see the user link path then you are impacted by this bug
Impact:
A previously privileged user can no longer query iControl REST. In addition, some remotely authenticated users may lose access to the Network Map and Analytics view after the upgrade.
Workaround:
You can repair the current users permissions with the following process:
1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process:
# restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"
2) Restart services
# bigstart restart restjavad *or* tmsh restart /sys service restjavad
3) Now, when you create a new user, the permissions should start in a healthy state
4) If this still does not resolve the issue you could update shared/authz/roles/iControl_REST_API_User userReference list to add all affected users' accounts using PUT. Here you may need to use the UUID path as described under 'Conditions'
# restcurl shared/authz/roles/iControl_REST_API_User > role.json
# vim role.json
a. add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list
OR
b. add { "link": "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>" } object to userReferences list
# curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User
718291-4 : iHealth upload error does not clear
Links to More Info: BT718291
Component: TMOS
Symptoms:
If an error occurs that sets the iHealth error string, then this string is never cleared.
Conditions:
Setting an invalid hostname for db variable proxy.host.
Impact:
The system reports the following error string: curl: (56) Recv failure: Connection reset by peer. This error message is never cleared, despite running a successful upload. The bogus error message could result in unnecessary confusion after a successful upload.
Workaround:
To clear the error message, run the following command:
/usr/bin/guishell -c "update diags_ihealth_request set error_str='';"
717174-5 : WebUI shows error: Error getting auth token from login provider★
Links to More Info: BT717174
Component: Device Management
Symptoms:
Occasionally, the BIG-IP Admin Utility TMUI fails to function correctly and produces the following error:
Error getting auth token from login provider.
This occurs when the BIG-IP REST Daemon restjavad fails to start up properly.
Conditions:
This error most often occurs on the first or second boot after upgrade, and more often on Virtual Edition BIG-IP platforms running on oversubscribed or slow hypervisors.
Impact:
TMUI and any other BIG-IP system components that rely on REST Workers such as: OpenID Connect key rotation discovery, portions of the TMOS Web Configuration Utility, and Guided Configuration (AGC and WGC) fail to function properly.
Workaround:
Restarting the BIG-IP REST daemons restjavad and restnoded will usually correct the problem. To do so, connect to the SSH console and issue the following two commands:
bigstart restart restjavad
bigstart restart restnoded
714705-8 : Excessive 'The Service Check Date check was skipped' log messages.
Links to More Info: BT714705
Component: TMOS
Symptoms:
Large numbers of these warnings are logged into the "ltm" file:
warning httpd[12345]: 0118000a:4: The Service Check Date check was skipped.
The message appears whenever a new "httpd" instance is launched.
Conditions:
The BIG-IP instance has been installed with a "no service check" license. These licenses are sometimes provided with cloud pre-licensed VE software images.
Impact:
Log files are saturated with many useless warnings. This can hide actual problems and impede their diagnosis.
Workaround:
During manual troubleshooting, commands such as the following may be used to filter the excess warnings:
# grep -v 'Service Check Date check was skipped' ltm | less
The syslog-ng 'include' filter mechanism is another possibility, but this should be attempted only with assistance of the F5 Support team.
713183-7 : Malformed JSON files may be present on vCMP host
Links to More Info: BT713183
Component: TMOS
Symptoms:
-- Many error messages such as the following may appear in the /var/log/ltm file:
warning vcmpd[7457]: 01510005:4: Failed to update guest stats from JSON file.
-- The output of 'tmsh show vcmp health' may omit some guests.
Conditions:
All needed conditions are not yet defined.
- vCMP is provisioned.
- Guests are deployed.
Impact:
Some vCMP guests may not show up in the output of the command:
tmsh show vcmp health
In addition, there might be files present named using the following structure:
/var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.
There is no functional impact to the guests or to the host, other than these lost tables, which are provided as a convenience to the vCMP host administrator.
Workaround:
In some cases, the condition can be cleared by taking these actions in the guest instance:
1. clsh touch /service/mcpd/forceload
2. clsh reboot
Otherwise, superfluous log messages may be filtered out of local logging by use of a sys syslog 'include' filter.
You can filter messages related to remote/external logging using the procedure in K13333: Filtering log messages sent to remote syslog servers :: https://support.f5.com/csp/article/K13333.
712925-3 : Unable to query a monitor status through iControl REST if the monitor is in a non-default partition
Links to More Info: BT712925
Component: TMOS
Symptoms:
It is not possible to query a monitor status through iControl REST if the monitor is in a non-default partition.
If the monitor is in the /Common partition it is possible to obtain the monitor status with following command:
[root@TEST_UNIT:Active:Disconnected] config # restcurl -u admin:admin /mgmt/tm/ltm/monitor/http/~Common~myHttpMonitor/stats
{
"kind": "tm:ltm:monitor:http:httpstats",
"generation": 0,
"selfLink": "https://<localhost path>",
"apiRawValues": {
"apiAnonymous": "------------------------------------\n LTM::Monitor /Common/myHttpMonitor \n------------------------------------\n Destination: <IP address:port>\n State time: down for 113hrs:38mins:54sec\n | Last error: No successful responses received before deadline. @2023.09.21 22:56:54\n\n"
}
}
If the monitor is in a non-default partition, the iContol REST interface returns a "404 - Object not found" error:
[root@TEST_UNIT:Active:Disconnected] config # restcurl -u admin:admin /mgmt/tm/ltm/monitor/http/~p1~myHttpMonitor/stats
{
"code": 404,
"message": "Object not found - /p1/myHttpMonitor",
"errorStack": [],
"apiError": 1
}
Conditions:
- A monitor is configured in a non-default partition
- Querying the status of the monitor in non-default partition using iControl REST
Impact:
It is not possible to query a monitor status through iControl REST if the monitor is in a non-default partition.
Workaround:
Use tmsh to query the status of the monitor.
Following is an example:
root@(TEST_UNIT)(cfg-sync Disconnected)(Active)(/Common)(tmos)# cd /p1
root@(TEST_UNIT)(cfg-sync Disconnected)(Active)(/p1)(tmos)# show ltm monitor http myHttpMonitor
----------------------------------
LTM::Monitor /p1/myHttpMonitor
----------------------------------
Destination: <IP address:port>
State time: down for 1hr:20mins:5sec
| Last error: No successful responses received before deadline. @2023.09.26 15:21:17
712241-8 : A vCMP guest may not provide guest health stats to the vCMP host
Links to More Info: BT712241
Component: TMOS
Symptoms:
A vCMP guest usually provides the vCMP host with some guest health statistics as a convenience to the vCMP host administrator. These stats are:
-- mgmt/tm/sys/ha-status
-- mgmt/tm/sys/software/status
-- mgmt/tm/sys/software/provision
These tables are created by the host when host vcmpd queries the guest over the vmchannel using REST.
These RESTful queries may sometimes fail, causing the queried vCMP guest to be omitted in the display of the output of the following command: $ tmsh show vcmp guest
Conditions:
-- vCMP provisioned.
-- Guests are deployed.
-- Host vcmpd queries the guest over the vmchannel using REST.
Impact:
There is no functional impact to the guests or to the host, other than these lost tables.
-- Some vCMP guests may not show up in the output of the following command: tmsh show vcmp health
-- Some guests may appear with the wrong status in the GUI. Such as being grey when it should be green.
-- Files containing guest information, kept in:
/var/run/vcmpd/<guestname>/json/(sys-ha-status.json|sys-provision.json|sys-software.json) may be missing from that directory.
-- There might be files present there named using the following structure:
/var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.
Workaround:
There is no workaround at this time.
711747-2 : Vcmp_pde_state_memcpy core during http traffic and pfmand resets.
Links to More Info: BT711747
Component: TMOS
Symptoms:
TMM restarts with core file available.
Conditions:
The issue occurs intermittently under the following conditions:
-- System uses pfmand.
-- pfmand health monitoring enabled (sys db pfmand.healthstatus value enable, this is the default).
-- The system is passing http traffic.
-- pfmand is reset (tmsh modify sys pfman device 0/00:0c.5 status reset).
Impact:
Traffic disrupted while TMM restarts.
Workaround:
N/A
708991-1 : Newly entered password is not remembered.
Links to More Info: BT708991
Component: TMOS
Symptoms:
- Upon enabling password remember feature and running 'tmsh load sys config default', the password history fails to verify and save the newly entered password.
- Upon installing a BIG-IP image for the first time, the default password is not updated.
Conditions:
- Installing first time BIG-IP image.
- Resetting the configuration using 'tmsh load sys config default'.
Impact:
The password is not remembered.
Workaround:
N/A
708680-4 : TMUI is unable to change the Alias Address of DNS/GTM Monitors
Links to More Info: BT708680
Component: Global Traffic Manager (DNS)
Symptoms:
TMUI (the GUI) is unable to change the Alias Address of DNS/GTM Monitors.
Conditions:
-- Using the GUI.
-- DNS/GTM monitors with alias address.
-- Attempting to change the Alias Address.
Impact:
Cannot change the Alias Address.
Workaround:
Use tmsh.
705869-1 : TMM crashes as a result of repeated loads of the GeoIP database
Links to More Info: BT705869
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crash due to the repeated loading of the GeoIP database.
Conditions:
Repeatedly loading the GeoIP database in rapid succession.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
Avoid repeated loading of the GeoIP Database.
703226-3 : Failure when using transactions to create and publish policies
Links to More Info: BT703226
Component: TMOS
Symptoms:
Use batch mode transactions to create Virtual Servers with Policies containing rules.
Conditions:
Create and publish in the same transaction a Policy containing rules.
Impact:
Operation fails.
This occurs because the system is trying to look up a policy that does not exist because the 'create' operation is not yet complete. This might happen when the create and publish operations occur simultaneously, which might happen in response to scripts from iApps, batch mode creation of policies, UCS load, upgrade operation--all try to create domain trust, and all might include the policy create in the same operation.
Workaround:
Separate the create Policy and publish Policy operations into two transactions when the Policy contains rules.
698594-4 : Cave Creek Crypto hardware reports a false positive of a stuck queue state
Links to More Info: K53752362, BT698594
Component: TMOS
Symptoms:
In some cases, a stuck crypto queue may be erroneously detected on Cave Creek-based systems. This includes BIG-IP 2x00, 4x00, i850, i2x00, i4x00, and HRC-i2800.
The system writes messages similar to the following example to the /var/log/ltm file:
crit tmm3[11707]: 01010025:2: Device error: crypto codec qa-crypto3-3 queue is stuck.
warning sod[4949]: 01140029:4: HA crypto_failsafe_t qa-crypto3-3 fails action is failover.
Conditions:
This issue occurs when all of the following conditions are met:
- Your BIG-IP system uses the Cave Creek encryption hardware.
- You are making use of hardware-based SSL encryption.
- The BIG-IP system is under heavy load.
Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.
Workaround:
To work around this issue, you can modify the crypto queue timeout value. To do so, perform the following procedure.
Impact of workaround: Performing the following procedure should not have a negative impact on your system.
1. Log in to the BIG-IP system as an administrative user.
2. Log in to the Traffic Management Shell (tmsh) by running the following command:
tmsh
3. To change the crypto queue timeout value, run the following command:
modify /sys db crypto.queue.timeout value 300
4. Save the change by running the following command:
save sys config
Increasing the crypto queue timeout gives the hardware enough time to process all queued request.
696363-7 : Unable to create SNMP trap in the GUI
Links to More Info: BT696363
Component: TMOS
Symptoms:
Trying to create a SNMP trap may fail in the GUI with the following error message: An error has occurred while trying to process your request.
Conditions:
-- Trap destinations are configured using the GUI: When trap destinations are configured in the GUI, the trap name is generated using the destination IP address.
-- Traps of the same destination address were previously created and deleted.
Impact:
GUI parameter checking does not work as expected. BIG-IP Administrator is unable to create a SNMP trap session.
Workaround:
To work around this issue when using the GUI, remove all traps that have the same destination address as the new one that failed. Then re-add your destination.
Tip: You can use tmsh to create/delete/modify SNMP traps, which enables viewing of the generated names, making it easier to understand what error has occurred.
694765-7 : Changing the system's admin user causes vCMP host guest health info to be unavailable
Links to More Info: BT694765
Component: TMOS
Symptoms:
On the host, 'tmsh show vcmp health' does not display guest info.
The iControl REST log at /var/log/icrd contains entries similar to the following:
notice icrd_child[32206]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
Conditions:
The default admin user "admin" has been changed.
Note: You changed the default admin user by following the steps in the Article K15632: Disabling the admin and root accounts using the BIG-IP Configuration utility or the Traffic Management Shell: https://my.f5.com/manage/s/article/K15632.
Impact:
Many REST APIs do not function, and functionality such as vCMP guest health that depend on REST fails.
Workaround:
Rename the default system admin back to 'admin':
tmsh modify /sys db systemauth.primaryadminuser value admin
Note: If you are using the default 'admin' account, make sure you change the password as well.
691219-3 : Hardware syncookie mode is used when global auto last hop is disabled.
Links to More Info: BT691219
Component: TMOS
Symptoms:
When global auto last hop is disabled, for iSeries platforms (excluding i2xxx/i4xxx) and B4450 blades, hardware syncookie mode is used on SYN attack.
Conditions:
Global autohop is disabled. This setting is controlled by the following DB variable:
# tmsh list sys db connection.autolasthop
sys db connection.autolasthop {
value "disable"
}
The default setting is enable.
Impact:
The virtual server can enter hardware syncookie mode, at which point responses will be routed using the incoming packet route. This can break configurations that are using asymmetric routing.
Workaround:
Disable hardware syncookies by setting the following DB variable to false:
tmsh modify sys db pvasyncookies.enabled value false
690928-6 : System posts error message: 01010054:3: tmrouted connection closed
Links to More Info: BT690928
Component: TMOS
Symptoms:
Beginning in BIG-IP 12.0.0, the tmrouted process pushes dynamic routes directly to the Traffic Management Microkernel (TMM). This message indicates the system is shutting down and is expected behavior during the reboot or shutdown process. The appearance of this message on a stable running system may indicate an issue with tmrouted functionality.
System posts the following message in /var/log/ltm: 01010054:3: tmrouted connection closed
Conditions:
This message occurs when all of the following conditions are met:
-- You have configured the BIG-IP system to use dynamic routing.
-- The BIG-IP system is in the process of shutting down or rebooting.
Impact:
This message is benign, unless you view the message on a stable running system. In this case, the message may indicate an issue with the tmrouted process.
Workaround:
None.
690781-4 : VIPRION systems with B2100 or B2150 blades cannot run certain combinations of vCMP guest sizes
Links to More Info: BT690781
Component: TMOS
Symptoms:
VIPRION systems equipped with B2100 or B2150 blades cannot run any more vCMP guests in addition to three 1-slot 8-core guests.
So if a system has four blades, any additional guests created on the remaining blade will not be operational.
Although the system allows all guests to be created and started, the ones deployed last will not work correctly.
Specifically, the guests deployed last will fail to access TMM networks.
Additionally, the vCMP host logs messages similar to the following example to the /var/log/ltm file:
-- info bcm56xxd[13741]: 012c0016:6: FP(unit 0) Error: Group (6) no room.
-- err bcm56xxd[13741]: 012c0011:3: entry create failed: SDK error No resources for operation bs_field.cpp(447)
-- err bcm56xxd[13741]: 012c0011:3: geteid_qualify_egress failed: SDK error No resources for operation bs_field.cpp(2009)
-- err bcm56xxd[13741]: 012c0011:3: program dest mod/port rule failed: SDK error No resources for operation bs_vtrunk.cpp(5353)
-- err bcm56xxd[13741]: 012c0011:3: vdag class L4 redirect failed: SDK error No resources for operation bs_vtrunk.cpp(3261)
Conditions:
This issue occurs when the following conditions are met:
-- A C2400 VIPRION chassis is equipped with four B2100 or B2150 blades.
-- A vCMP configuration consisting of at least three 1-slot 8-core guests was put in place (in other words, three full-blade guests).
-- One or more vCMP guests are created on the remaining VIPRION blade in the chassis.
Impact:
One or more guests do not function properly as they cannot access TMM networks. All traffic fails to pass.
Workaround:
This issue is caused by a hardware limitation on B2100 and B2150 blades preventing this specific vCMP configuration from instantiating correctly.
As a workaround, you must specify different vCMP guest sizes.
For instance, you could use the following configuration:
-- Four 2-slot 4-core vCMP guests instead of four 1-slot 8-core vCMP guests
Although not the same, both configurations yield the same total number of TMM instances per guest.
689147-6 : Confusing log messages on certain user/role/partition misconfiguration when using remote role groups
Links to More Info: BT689147
Component: TMOS
Symptoms:
When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.
Errors similar to the following appear in /var/log/ltm:
-- User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
-- Input error: invalid remote user credentials, partition does not exist, broken-partition
Errors similar to the following appear in /var/log/secure:
tac_authen_pap_read: invalid reply content, incorrect key?
Conditions:
Using remote role groups to set user/role/partition information for remote users, and either of the following:
-- A remote user is configured with the role of administrator, resource administrator, auditor, or web application security administrator, with access to a particular partition, rather than all. (These roles require access to all partitions.)
-- A remote user is configured with partition access set to a partition that does not exist on the BIG-IP system.
Impact:
The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.
Workaround:
Check /var/log/ltm for more specific error messages.
683534-2 : 'tmsh show sys connection' command prompt displaying 4 billion connections is misleading
Links to More Info: BT683534
Component: Local Traffic Manager
Symptoms:
The 'tmsh show sys connection' may present a prompt asking you to confirm you want to display ~4 billion (4,294,967,295) connections:
# show sys connection max-result-limit infinite
Really display 4294967295 connections? (y/n)
Conditions:
-- The 'tmsh show sys connection' command is executed with max-result-limit option set to infinite.
Impact:
The value shown in the prompt (4294967295) is misleading, and does not reflect the actual number of connections being handled by the system. The 4294967295 number represents the maximum value the field can hold, not the number of actual connections.
Workaround:
None
679316-8 : iQuery connections reset during SSL renegotiation
Links to More Info: BT679316
Component: Local Traffic Manager
Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Conditions:
This occurs when a system tries to send data over the iQuery connection while the two endpoints are performing SSL renegotiation.
Note: iQuery connections automatically perform SSL renegotiation every 24 hours.
Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.
Note: This is a subtly different issue from the one (with a very similar error, 140940F5 virtual server 140940E5) described in ID 477240: iQuery connection resets every 24 hours :: https://cdn.f5.com/product/bugtracker/ID477240.html (K16185: BIG-IP GTM iQuery connections may be reset during SSL key renegotiation :: https://support.f5.com/csp/article/K16185).
This issue occurs even in versions where ID 477240 is fixed. There is no fix for this specific trigger of the same message.
Note: The iQuery communication issue is fixed through ID 760471: GTM iQuery connections may be reset during SSL key renegotiation :: https://cdn.f5.com/product/bugtracker/ID760471.html.
Workaround:
There is no workaround at this time.
673573-8 : tmsh logs boost assertion when running child process and reaches idle-timeout
Links to More Info: BT673573
Component: TMOS
Symptoms:
An idle-timeout occurs while running a sub-process in interactive mode, resulting in a log message. tmsh logs a benign but ominous-looking critical error to the console and to /var/log/ltm if a tmsh command reaches idle timeout and a spawned sub-process is still running.
The errors in /var/log/ltm begin with the following text:
'boost assertion failed'
Conditions:
-- tmsh command reaches idle timeout.
-- Spawned sub-process is still running.
Impact:
Although the wording indicates a failure, the message is benign and you can safely ignore it.
Workaround:
None
669934-2 : Session commands may not work correctly in FLOW_INIT event.
Links to More Info: BT669934
Component: Local Traffic Manager
Symptoms:
Data read or write via session-related commands (e.g., table) in an iRule's FLOW_INIT event does not match that in other events.
Conditions:
This occurs when using session-related commands from FLOW_INIT event.
Impact:
iRule does not function as expected.
Workaround:
None.
666845-4 : Rewrite plugin can accumulate memory used for patching very large files
Links to More Info: K08684622, BT666845
Component: Access Policy Manager
Symptoms:
Rewrite plugin memory usage is significantly higher than normal (up to 200 MB RSS) and does not decrease.
Conditions:
This happens because the plugin caches and reuses already allocated chunks of memory instead of releasing them to the operating system.
Impact:
Out-of-memory crashes on systems with low amounts of memory.
Workaround:
Use one or both of the following workarounds:
-- Restart rewrite when memory usage is too high.
-- Disable patching for large (15-20 MB uncompressed) files.
663754-1 : Modifying the default management port can break internal functionality
Links to More Info: BT663754
Component: Device Management
Symptoms:
Modifying the default management port for httpd 443 (ssl-port) to anything else via tmsh, will break the below functionality :
1. Gossip Framework : REST high availability (HA) sync framework will not work.
2. Licensing via BIG-IQ
3. selfLinks will be wrong
Conditions:
Changing the default management port of BIG-IP for httpd from 443 to anything else.
Impact:
BIG-IP will be unable to provide below functionality :
1. Gossip Framework : REST high availability (HA) sync framework will not work.
2. Licensing via BIG-IQ
3. selfLinks will be wrong
4. iAppLx, SSL Orchestrator, Access Guided Configuration, AS3 will be affected as these modules depends on Gossip
Workaround:
NA
659579-6 : Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time
Links to More Info: BT659579
Component: TMOS
Symptoms:
Logs on icrd, restnoded, and restjavad are in the UTC time zone and are not aligned to the system time, which makes it difficult to determine the time during troubleshooting operations.
Conditions:
Checking the icrd, restnoded, and restjavad logs timestamps.
Impact:
Difficult to troubleshoot as the logs are not aligned with system time.
Workaround:
None
658943-5 : Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants
Links to More Info: BT658943
Component: TMOS
Symptoms:
During the platform migration from a physical BIG-IP system to a BIG-IP vCMP guest/F5OS Tenant, the load fails with one of the following messages:
01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.
01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.
Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest/F5OS Tenant.
Impact:
The platform migration fails and the configuration does not load.
Workaround:
You can use one of the following workarounds:
-- Remove all trunks from the source configuration prior to generation of the UCS.
-- Before loading the UCS archive onto the target BIG-IP, edit the archive and remove the trunk configuration from ./config/bigip_base.conf, and then repack the UCS.
-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.
-- K50152613
658850-6 : Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP
Links to More Info: BT658850
Component: TMOS
Symptoms:
When you load a UCS file using the platform-migrate parameter, the mgmt-dhcp value (enabled, disabled, or unset) will overwrite the value on the destination. Depending on the effect, this could change the destination's management IP and default management route.
If the UCS does not have mgmt-dhcp explicitly written out, note that its value is treated as the default for the local system, which varies by the type of system. On Virtual Edition (VE) platforms, the default is to enable DHCP. On all other platforms, the default is to disable DHCP.
Conditions:
This occurs when loading a UCS using the platform-migrate parameter:
tmsh load sys ucs <ucs_file_from_another_system> platform-migrate
Impact:
Changing the mgmt-dhcp value on the destination can result in management changing from statically configured to DHCP or DHCP to statically configured. This can result in loss of management access to the device, requiring in-band or console access.
Workaround:
There are a few ways to avoid this issue:
1. Specify the "keep-current-management-ip" parameter to the "load sys ucs" command, for instance:
tmsh load sys ucs <ucs_file_from_another_system> platform-migrate keep-current-management-ip
Note: The "keep-current-management-ip" parameter is undocumented and will not appear in context help or tab completion.
2. If you want to reset the target device to use a static IP, run the following commands after loading the UCS with the platform-migrate command:
tmsh modify sys global-settings mgmt-dhcp disabled
tmsh create sys management-ip <ip>/<mask>
tmsh delete sys management-route default
tmsh create sys management-route default gateway <ip>
652877-7 : Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
Links to More Info: BT652877
Component: TMOS
Symptoms:
All services on one or all secondary blades in a VIPRION chassis restart, and MCPD logs errors similar to the following:
-- err mcpd[9063]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)
-- err mcpd[9063]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3:Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)... failed validation with error 17237812.
In versions prior to v11.6.0, the error is: 'Can't save/checkpoint DB object,' rather than 'Can't update_indexes/checkpoint DB object'.
Conditions:
Multi-bladed VIPRION system, where the 'if-index' value for VLANs differs between blades.
You can check the 'if-index' value by running the following command on each blade: tmsh list net vlan all if-index.
Impact:
MCPD restart on all secondary blades results in partial service outage.
Workaround:
Reactivate the license only on a system that is standby/offline.
648946 : Oauth server is not registered in the map for HA addresses
Links to More Info: BT648946
Component: Access Policy Manager
Symptoms:
The same loopback address is assigned to two listeners.
Conditions:
-- AAA Servers with pool.
-- OAuth Server.
Impact:
Traffic issues due loopback address that is assigned to OAuth Server, can be assigned to some other AAA Server that also uses pool.
Workaround:
None
646768-6 : VCMP Guest CM device name not set to hostname when deployed
Links to More Info: K71255118, BT646768
Component: TMOS
Symptoms:
When you access the vCMP guest instance after you deploy the system, the instance uses the hostname bigip1.
Conditions:
This issue occurs when all of the following conditions are met:
-- The BIG-IP system is running v11.6.0 or earlier.
-- You configure a vCMP guest instance that is running BIG-IP v11.6.0 or later.
-- You have configured the vCMP guest instance with a hostname other than bigip1.
-- You deploy the vCMP guest instance.
Impact:
The vCMP guest does not use the configured hostname.
Workaround:
-- In tmsh, run the following commands, in sequence:
mv cm device bigip1 HOSTNAME
save sys config
-- Rename the device name in the GUI.
637827-2 : VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0
Links to More Info: BT637827
Component: TMOS
Symptoms:
The configuration fails to load with the following message:
01070523:3: No Vlan association for STP Interface Member 1.0
Unexpected Error: Loading configuration process failed.
Conditions:
In single-nic mode, the interface 1.0 exists and can be saved as a VLAN member. Upon re-deploying the virtual-machine from single nic mode to multi-nic, the 1.0 interface becomes pending and should no longer impact any configuration. However, a condition exists after a VLAN delete, where the associated (automatically created) stp member is not removed from the running config and can cause a load error.
Impact:
Load fails and requires manual intervention. Otherwise, the STP member is benign because vADC does not support STP.
Workaround:
Remove the STP interface member 1.0 and reload.
612083-3 : The System Event Log may list correctable hardware, PCIe or DMI errors.
Links to More Info: BT612083
Component: TMOS
Symptoms:
One or more of the following messages appear in the system event log:
CPU0 HW Correctable Error
CPU 0 Corrected Error: Port 1a PCIe* logical port has detected an error.
CPU 0 PCI/DMI Error B:D:F 0x8: xpglberrsts: pcie_aer_correctable_error
CPU 0 PCI/DMI Error B:D:F 0x8: corerrsts: receiver_error_status
CPU 0 PCI/DMI Error B:D:F 0x8: rperrsts: correctable_error_received
CPU 0 PCI/DMI Error B:D:F 0x8: rperrsts: multiple_correctable_error_received
CPU 0 Corrected Error: DMI Error Status
CPU 0 PCI/DMI Error B:D:F 0x0: xpglberrsts: pcie_aer_correctable_error
CPU 0 PCI/DMI Error B:D:F 0x0: corerrsts: receiver_error_status
CPU 0 PCI/DMI Error B:D:F 0x0: rperrsts: correctable_error_received
CPU 0 PCI/DMI Error B:D:F 0x0: rperrsts: multiple_correctable_error_received
Conditions:
The error messages may appear following an AC power cycle of the BIG-IP iSeries platforms: i2000, i2800, i4000 and i11800.
Impact:
The system detected an error on an internal bus and was able to correct it. There is no data loss or functional impact.
Workaround:
None
609878-6 : Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server
Links to More Info: BT609878
Component: Advanced Firewall Manager
Symptoms:
When loose-init is set, which has the implicit semantics of "every ACK packet can create a connection". Hence, there is never a "Bad ACK" to drop. This behavior is expected as per design, so while enabling this option one should aware of the side effects it will cause.
Conditions:
This issue will be seen when loose-init is enabled on the fastL4 profile and when the box is flooded with asymmetric ACK packets (or) Bad-Acks.
Impact:
Enabling loose initiation may make it more vulnerable to denial of service attacks.
Workaround:
When loose-init is set in the fastL4 profile, also turn on connection-limits on the virtual and also Eviction Policy to prevent flow-table exhaustion.
599135-4 : B2250 blades may suffer from high TMM CPU utilisation with tcpdump
Links to More Info: BT599135
Component: Local Traffic Manager
Symptoms:
B2250 blades may suffer from continuous TMM CPU utilization when tcpdump has been in use.
Conditions:
Run tcpdump on a B2250 platform
Impact:
Increment in TMM CPU utilization with every run of tcpdump.
Workaround:
Restart TMM, avoid the use of tcpdump.
580715-3 : ASM is not sending 64 KB remote logs over UDP
Links to More Info: BT580715
Component: Application Security Manager
Symptoms:
REmote logs are missing. The following log messages appears in bd.log and asm.log:
ASM configuration error: event code L3350 Failed to write to remote logger vs_name_crc 1119927693 LoggingAccount.cpp:3348`remote log write FAILED res = -3 <Failed to send remote message (remote server not responding)> errno <Message too long>.
Conditions:
-- A remote logger configured for UDP.
-- Max message length of 64 KB.
Impact:
Missing logs in the remote logger.
Workaround:
You can use either of the following workarounds:
-- Change the remote logger to TCP.
-- Reduce the message length to 1 KB.
563144-2 : Changing the system's admin user causes many errors in the REST framework.
Links to More Info: BT563144
Component: Device Management
Symptoms:
The iControl REST log at /var/log/icrd will have entries similar to the following:
notice icrd_child[32206]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
Conditions:
Change the default admin user, for example, by following the steps in the Article K15632: Disabling the admin and root accounts using the BIG-IP Configuration utility or the Traffic Management Shell: https://support.f5.com/csp/article/K15632.
Impact:
Many REST APIs do not function, and functionality that depends on REST fails.
Workaround:
There is no workaround. You must use the default admin in order for iControl REST calls to work.
554506-3 : PMTU discovery from the management interface does not work
Links to More Info: K47835034, BT554506
Component: TMOS
Symptoms:
Network connectivity issues to the BIG-IP management interface.
The management interface 'auto lasthop' feature (not to be confused with the auto lasthop setting on a virtual server) allows the BIG-IP to route responses to packets received on the management interface back to the MAC address of the layer-3 device that sent them, removing the need for static management-routes to be configured on the BIG-IP for communication beyond the management subnet.
The operation of the lasthop module interferes with the management interface's ability to dynamically learn Path MTU (PTMU) through ICMP unreachable messages.
Conditions:
The MTU on one section of the network path between a client device and BIG-IP management interface is lower than the BIG-IP management interface's configured MTU (for example, part of the path passes through a tunnel), and an intermediary router is sending 'ICMP unreachable, fragmentation required' packets back to the BIG-IP to instruct it to send smaller datagrams.
Impact:
Unable to complete a TLS handshake to the management interface IP, or other similar operations that require large frames.
Workaround:
BIG-IP management interface auto lasthop functionality can be disabled to allow the interface to function normally.
For more information see K52592992: Overview of the Auto Last Hop feature on the management interface, available at
https://support.f5.com/csp/article/K52592992.
550526-3 : Some time zones prevent configuring trust with a peer device using the GUI.
Links to More Info: K84370515, BT550526
Component: TMOS
Symptoms:
AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, and AWDT time zones prevent configuring trust with a peer device using the GUI.
Conditions:
-- Setting a BIG-IP system timezone to AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT.
-- Using the GUI to add a peer device to a trust configuration.
Impact:
Adding a peer device using the GUI fails.
Workaround:
You can use either of the following workarounds (you might find the first one easier):
-- Temporarily set the device timezone to a non-affected timezone (e.g.; UTC), establish trust, and set it back:
1. Navigate to System :: Platform.
2. Under 'Time Zone', select 'UTC', and click 'Update'
3. Repeat steps one and two to change all devices that are to be part of the trust domain.
4. Establish device trust by navigating to Device Management :: Device Trust :: Add all peers to be part of the trust domain.
5. Once trust is established, navigate to System :: Platform, and change Time Zone back to preferred time zone.
-- Use tmsh to add a peer device in these timezones: AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT.
547947-2 : Feeding empty username and password to the Logon Page followed by RadiusAuthAgent shows the session as Logged out
Links to More Info: BT547947
Component: Access Policy Manager
Symptoms:
Session logs out. No error messages or retry logon page.
---------------------------------------------
Your session is finished.
Logged out successfully.
Thank you for using BIG-IP.
To open a new session, please click here.
----------------------------------------------
Conditions:
Your environment has an access policy like the following
Success
Start -> Logon Page -> Radius Auth ----> Advanced resource assign (webtop) -> allow.
|
| failure
-----------------------------------------------> Deny.
If you connect to the virtual server with this access policy and provide an empty username and password, you are logged out of the session and asked to open a new session page.
Impact:
Without providing proper username and password, user is shown the error "Logged out successfully.", which is improper.
Workaround:
No mitigation observed.
539648-4 : Disabled db var Watchdog.State prevents vCMP guest activation.
Links to More Info: K45138318, BT539648
Component: TMOS
Symptoms:
If a vCMP guest user disables the watchdog using the db variable Watchdog.State, then the vCMP guest does not reach a running state as reported by the vCMP host.
Conditions:
This occurs when the user sets sys db Watchdog.State value disable.
Impact:
vCMP guest fails to be operational.
Workaround:
Do not change the Watchdog.State db variable. The vCMP host requires the watchdog to monitor the guest health.
538283-6 : iControl REST asynchronous tasks may block other tasks from running
Links to More Info: BT538283
Component: TMOS
Symptoms:
If an iControl REST asynchronous task is running, other iControl REST queries (synchronous or asynchronous) will wait until the asynchronous task completes before executing. If the asynchronous task is long-running, subsequent requests will block for a long time.
Conditions:
-- Executing an iControl REST task asynchronously.
-- Performing further iControl REST tasks (synchronous or asynchronous) while the asynchronous task is still running.
Impact:
Potential (and unexpected) long wait times while running a task asynchronously.
Workaround:
None.
528314-2 : Generating new default certificate and key pairs for BIG-IP ssl profiles via CLI will not be reflected in GUI or in tmsh
Links to More Info: K16816, BT528314
Component: TMOS
Symptoms:
Using CLI to generate new default certificate and key pairs for BIG-IP ssl profiles are not reflected in GUI or in tmsh.
Conditions:
Using OpenSSL commands to generate a new default certificate and key pair, as described in SOL13579: Generating new default certificate and key pairs for BIG-IP ssl profiles, available here: https://support.f5.com/kb/en-us/solutions/public/13000/500/sol13579.html.
Impact:
After the renewal, tmsh list sys file ssl-cert default.crt command or the general properties in the GUI SSL Cert List shows the old one. This is a cosmetic issue only. The system uses the new default.
Workaround:
Perform a force reload of mcpd by running the following commands: -- touch /service/mcpd/forceload. -- tmsh restart sys service mcpd.
527119-9 : An iframe document body might be null after iframe creation in rewritten document.
Links to More Info: BT527119
Component: Access Policy Manager
Symptoms:
Cannot use certain page elements (such as the Portal Access menu) in Google Chrome, and it appears that JavaScript has not properly initialized, and results in JavaScript errors on the following kinds of code:
iframe.contentDocument.write(html)
iframe.contentDocument.close()
<any operation with iframe.contentDocument.body>
Conditions:
-- The body of a dynamically created iframe document might be initialized asynchronously after APM rewriting.
-- Using the Chrome browser.
Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access. For example, one of applications known to contain such code and fail after APM rewriting is TinyMCE editor.
Workaround:
Revert rewriting of the document.write call with a post-processing iRule.
The workaround iRule will be unique for each affected application.
499348-14 : System statistics may fail to update, or report negative deltas due to delayed stats merging.
Links to More Info: BT499348
Component: TMOS
Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.
The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.
Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This might occur under the following conditions:
-- The system is spawning/reaping processes on a frequent basis (e.g., when there is a large number of external monitors).
-- iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server (this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis).
Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.
Workaround:
This issue has two workarounds:
1. Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following:
-- Reduce the frequency of configuration changes.
-- Reduce the use of 'SSL::profile' in iRules.
-- Reduce the number/frequency of processes being spawned by the system.
2. The second workaround has two parts:
a) Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:
tmsh modify sys db merged.method value slow_merge
b) Change the merge-interval value to 2 to reduce CPU usage when merge-method is slow-merge.
tmsh modify /sys db merged.merge.interval {value "2"}
Note: Performing the second workaround has the side-effect of disabling tmstat snapshots on the device. The tmstat snapshots are intended for F5-internal use only: the lack of snapshots will have no bearing on the functionality of your system; however, F5 Support might be impacted in their ability to troubleshoot issues on your system.
493740-4 : tmsh allows cipher group creation with non-existent "require" or "exclude" cipher rule.
Links to More Info: BT493740
Component: TMOS
Symptoms:
Using tmsh it is possible to create a cipher group referencing a non-existent cipher rule with tmsh even if this configuration is invalid.
Conditions:
Use tmsh to create a cipher group referencing a non-existent cipher rule using a command like this, where the 'require' or the 'exclude' directive comes after the 'allow' directive.
The non-existent cipher rule is "no-exist" in these examples:
tmsh create ltm cipher group test-group { allow add { f5-default } require add { no-exist } }
tmsh create ltm cipher group test-group { allow add { f5-default } exclude add { no-exist } }
Impact:
The result is an invalid configuration that can break configuration synchronisation between BIG-IP peers in some cases (after upgrades, or full configuration reload, for example).
Also, when navigating to the cipher group the GUI does not show it.
The GUI may also show this error:
"An error has occurred while trying to process your request. "
Workaround:
Use the GUI to create a new cipher groups.
When using tmsh, don't create a cipher group referencing a non-existent cipher rule.
490139-7 : Loading iRules from file deletes the last few comment lines
Links to More Info: BT490139
Component: Local Traffic Manager
Symptoms:
Loading iRules from the iRules file deletes the last few comment lines immediately preceding the closing bracket.
Conditions:
This occurs when loading an iRule file containing a comment after the last closing brace and then upgrading to a known affected version
Impact:
Although the comments are removed, this does not affect iRule functionality.
Workaround:
Add comments in places other than immediately above the closing bracket.
464708-3 : DNS logging does not support Splunk format log
Links to More Info: BT464708
Component: Global Traffic Manager (DNS)
Symptoms:
DNS logging does not support Splunk format logging. It fails to log the events, instead logging err messages:
hostname="XXXXXXXXXXXXX.XX",errdefs_msgno="01230140:3:
Conditions:
DNS logging configured for Splunk format.
Impact:
DNS logging does not log Splunk format to HSL.
Workaround:
Use an iRule to send Splunk-formatted messages to the Splunk server.
For example:
ltm rule dns_logging_to_splunk {
when DNS_REQUEST {
set ldns [IP::client_addr]
set vs_name [virtual name]
set q_name [DNS::question name]
set q_type [DNS::question type]
set hsl [HSL::open -proto UDP -pool splunk-servers]
HSL::send $hsl "<190>,f5-dns-event=DNS_REQUEST,ldns=$ldns,virtual=$vs_name,query_name=$q_name,query_type=$q_type"
}
when DNS_RESPONSE {
set ldns [IP::client_addr]
set vs_name [virtual name]
set q_name [DNS::question name]
set q_type [DNS::question type]
set answer [DNS::answer]
set hsl [HSL::open -proto UDP -pool splunk-servers]
HSL::send $hsl "<190>,f5-dns-event=DNS_RESPONSE,ldns=$ldns,virtual=$vs_name,query_name=$q_name,query_type=$q_type,answer=\"$answer\""
}
}
447522-1 : GUI: SNMPV3 Incorrectly requires "OID" when creating an SNMP user.
Links to More Info: BT447522
Component: TMOS
Symptoms:
The BIG-IP GUI incorrectly requires an OID to be specified when creating an SNMPv3 user.
Conditions:
Creating an SNMPv3 user via the BIG-IP GUI.
Impact:
An OID can be used to restrict the view that the user has to a particular branch of the tree, but should not be a required attribute.
Workaround:
- Enter a value of ".1" (with a leading dot) to allow access to all OIDs
(or)
- Create the user using tmsh instead of the GUI, where the oid-subset attribute is not mandatory.
431503-11 : TMSH crashes in rare initial tunnel configurations
Links to More Info: K14838, BT431503
Component: TMOS
Symptoms:
In rare BIG-IP configuration scenarios, TMM may crash during its startup process when the tunnel configurations are loaded.
Conditions:
During TMM startup, a tunnel is created, then immediately removed during the configuration load period, when TMM neighbor messages may be in flight via the tunnel. When the race condition fits, the neighbor message may land on an invalid tunnel.
Impact:
TMM crash in rare race conditions.
Workaround:
None.
382363-8 : min-up-members and using gateway-failsafe-device on the same pool.
Links to More Info: K30588577
Component: TMOS
Symptoms:
The system does not require setting a pool's min-up-members greater than 0 (zero) when also using gateway-failsafe-device on the same pool.
Conditions:
A pool's min-up-members is 0 when gateway-failsafe-device is set.
Impact:
Failure to set min-up-members greater than 0 when using gateway-failsafe-device might cause errors. The tmm might crash.
Workaround:
Set min-up-members greater than 0 when using gateway-failsafe-device.
369640-8 : iRules might return incorrect data when multiple partitions and/or folders contain objects with the same name
Links to More Info: K17195
Component: Local Traffic Manager
Symptoms:
iRules might return incorrect data when the BIG-IP configuration has folders or multiple administrative partitions that contain objects with the same name.
As a result of this issue, you may encounter one or more of the following symptoms:
-- Client connections receive incorrect data.
-- The BIG-IP system incorrectly load balances client connections.
Conditions:
This issue occurs when all of the following conditions are met:
-- The configuration includes objects of the same name in different folders or administrative partitions
-- An iRule references the object without using the fully-qualified path, e.g. "pool example_pool" instead of "pool /Common/folder1/example_pool"
Impact:
Client connections receive incorrect data, or are load balanced incorrectly.
Workaround:
To work around this issue, always specify full paths to objects referenced in iRules, e.g. instead of:
pool example_pool
use:
pool /Common/example_pool
349706-4 : NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN
Component: Access Policy Manager
Symptoms:
Network access sends 1.1.1.1 as X-VPN-serer-IP and Edge client reserves this IP for PPP communication with APM server.
Conditions:
-- VPN is configured on BIG-IP.
-- Edge Client/webtop is used to connect to VPN.
Impact:
If VPN is connected:
1. The user may not access the 1.1.1.1 address from the client machine.
2. if 1.1.1.1 is used as a dns server ip in Network Access configuration, DNS resolution may fail on the client machine.
Workaround:
NA
342319-1 : BIND forwarder server list and the recursion and forward options.
Component: TMOS
Symptoms:
When you add a Domain Name System (DNS) server to the BIND forwarder server list from the Configuration utility, the recursion option is set to no and the forward option is not set.
Conditions:
The parameters 'recursion yes' and 'forward only' are not being updated in named.conf when creating entries in the BIND Forwarder Server List from the GUI.
Impact:
This issue may cause some DNS queries that are sent to the BIG-IP system to fail.
Workaround:
You can work around this issue by setting the recursion and forward options. For more information, see SOL12224: Configuring the BIND forwarder server list does not correctly set additional options for the named.conf file, available here: http://support.f5.com/kb/en-us/solutions/public/12000/200/sol12224.html.
222220-8 : Distributed application statistics are not passed correctly.
Links to More Info: K11931
Component: Global Traffic Manager (DNS)
Symptoms:
Distributed application statistics include only requests passed to its first wide IP.
For BIG-IP versions 12.0.0 and later, distributed application statistics are always zero.
Conditions:
Viewing distributed application statistics on configurations with multiple wide-IP members.
Impact:
The system does not pass statistics for requests to all wide-IP members in the distributed application.
Note: For BIG-IP versions 12.0.0 and later, the system does not pass statistics for requests to any wide-IP-members in the distributed application.
Workaround:
None
1671545-2 : BIND no longer follows CNAME to populate A records in the reply
Links to More Info: BT1671545
Component: Global Traffic Manager (DNS)
Symptoms:
When answering authoritative queries, the named process (also known as 'bind') does not return the target (for example, 'A' records) related to a cross-zone CNAME between two locally served zones.
For example, if BIG-IP is configured with a wideip such as www.gslb.example.org, and a DNS query is sent to it for 'A' records for www.example,org, that query falls through to, and is handled by bind, and bind responds with a CNAME to www.gslb.example,org, then the previous behaviour was that bind would also include the related A records that the CNAME pointed to.
When the 'A' record in the reply pass back through BIG-IP DNS, they are rewritten to match the wideip's pool state, so the result passed to the client is the same as if the wideip was the query.
A code fix for security improvements in bind version 9.12 and later alters this behaviour so that the 'A' records are no longer populated into the reply, which means the rewrite logic in BIG-IP does not take place, and the CNAME alone is passed back to the DNS client.
Conditions:
DNS query resolution of CNAME records via BIND.
Impact:
Incomplete DNS resolution.
Workaround:
Instead of using bind to resolve the CNAME, configure BIG-IP to do it.
Option 1: Configure the wideip with an alias that it will also respond to. This will return a response (for example an A record) to the client, as if the client had queried the gslb record.
tmsh modify gtm wideip a www.gslb.example.org aliases add { www.example.org }
Option 2: Create a wideip for the 'www.example.org' record, which points to a CNAME pool, which contains the www.gslb.example.org record, and disable minimal-responses. This method is more complicated, but also more flexible, for example it could be used as a fallback if other 'A' record pools associated with the wideip are unavailable. This method will cause BIG-IP to return both the CNAME and A record in the DNS reply.
tmsh create gtm wideip a www.gslb.example.org pools add { gtmpool }
tmsh create gtm pool cname CNAME_www.example.org members add { www.gslb.example.org }
tmsh create gtm wideip a www.example.org pools-cname add { CNAME_www.example.org } minimal-response disabled
1671149-2 : Timestamp cookies might cause problem for PVA-accelerated connections.
Links to More Info: BT1671149
Component: Advanced Firewall Manager
Symptoms:
Timestamp cookies might cause performance issues for PVA-accelerated connections.
Conditions:
-- PVA offload configured (any stage).
-- DOS ACK (TS) vector enabled with timestamp cookies.
Impact:
Connection resets/slow performance.
Workaround:
Disable PVA acceleration.
1670465-2 : TMMs might not agree on session ownership when multiple cluster geometry changes occur.
Links to More Info: BT1670465
Component: TMOS
Symptoms:
TMMs might not agree on session ownership when multiple cluster geometry changes occur in a quick succession.
Conditions:
Cluster geometry changes occur in a quick succession, for example two blades come up one after another during a software upgrade.
Impact:
Session might be dropped few minutes/seconds after cluster geometry change happens
Workaround:
None
1670225-2 : 'Last Error' field remains empty after initial monitor Down status post-reboot
Links to More Info: BT1670225
Component: Local Traffic Manager
Symptoms:
After rebooting the BIG-IP system, the 'Last Error' field in the /var/log/ltm log for a TCP monitor shows as empty (null) following the first occurrence of the monitor's down status.
mcpd[6893]: 01070638:5: Pool /Common/http_pool member /Common/192.168.10.71:80 monitor status down. [ /Common/my_tcp_monitor: down; last error: ] [ was up for 0hr:0min:41sec ]
Conditions:
The issue occurs when the monitor status of system is up and rebooted and during the first occurrence of a monitor's down status following the reboot.
Impact:
Users may not be able to determine the cause of monitor failures immediately after a system reboot, as the 'Last Error' field does not provide the necessary diagnostic information
Workaround:
None
1644569-2 : Header signature override cache mechanism
Links to More Info: BT1644569
Component: Application Security Manager
Symptoms:
Cache misses and unnecessary cache insertions occur when using header signature overrides. Headers with the same name but different values are treated as different Cyclic Redundancy Check (CRC) keys, resulting in multiple cache entries for the same header.
Conditions:
Signature check is enabled, and requests are sent with the same header name but different values.
Impact:
Causes an increase in cache insertions, leading to performance inefficiencies.
Workaround:
Disable signature check on headers.
1644497-2 : TMM retains old Certificate Revocation List (CRL) data in memory until the existing connections are closed
Links to More Info: BT1644497
Component: TMOS
Symptoms:
In TMM memory, the old CRL data is available until the existing connections are closed. This may exhaust TMM memory.
Conditions:
- Connections last for a long time.
- Frequent updates on the CRL.
Impact:
TMM memory exhausts.
Workaround:
- Dynamic CRL or CRLDP on the Client-SSL profile can be configured to dynamically verify the SSL certificate revocation status.
or
- Online Certificate Status Protocol (OCSP) can be enabled on the Client-SSL profile to validate SSL certificate revocation status.
1642301-2 : Loading single large Pulse GeoIP RPM can cause TMM core
Links to More Info: BT1642301
Component: Global Traffic Manager (DNS)
Symptoms:
Creates a TMM core.
Conditions:
Loading large Pulse GeoIP RPM resources.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use GEOIP Edge database.
1641421-2 : Folders in the GTM synchronized group does not have same value as the inherited traffic group
Links to More Info: BT1641421
Component: Global Traffic Manager (DNS)
Symptoms:
In some GTM members, the inherited traffic group is set to false.
Conditions:
When folders are synchronized to GTMs that are in an LTM HA synchronized group.
Impact:
In a few conditions, it will cause GTM configuration loss.
Workaround:
None
1637797-2 : Memory leak in TMM of TCL memory when a procedure is called with too few arguments
Links to More Info: BT1637797
Component: Local Traffic Manager
Symptoms:
TMM memory growth over time.
There may be an error message in the LTM log similar to:
01220001:3: TCL error: /Common/irule <CLIENT_ACCEPTED> - wrong # args: should be "call my_proc <arg1> <arg2> while executing "call my_proc $variable"
Note that the LTM log message may be throttled and not visible in the current logs.
Conditions:
An iRule calls a procedure with insufficient arguments.
Impact:
- Memory leak in TMM.
- TMM experiences an out-of-memory state and might crash.
Workaround:
Ensure that the called procedure provides enough arguments.
1637477-2 : Negotiated Window scaling by HW SYN cookie not accounted by TMM
Links to More Info: BT1637477
Component: Local Traffic Manager
Symptoms:
When hardware SYN cookie mode is activated, the hardware will negotiate window scaling with the client, but TMM still assumes no window scaling is involved.
Conditions:
When the receive window size and send buffer size are both at or below 65535, TMM establishes the TCP connection without using TCP window scaling.
This can happen if a profile such as this one is used:
- ltm profile tcp tcp-legacy
- ltm profile tcp tcp-wan-optimized
- since they have the following settings:
- receive-window-size 65535
- send-buffer-size 65535
Impact:
TMM interprets the client’s advertising in a very small window, which reduces its performance.
Workaround:
Increase to 65536 or higher for either one of the following:
- receive-window-size
- send-buffer-size
1635829-2 : Sint Maarten (SX) and Curacao (CW) are unavailable in Geolocation enforcement and event log filter
Links to More Info: BT1635829
Component: Application Security Manager
Symptoms:
Sint Maarten (SX) and Curacao (CW) countries are unavailable in Geolocation enforcement and event log filter.
Conditions:
ASM is provisioned.
Impact:
Unable to apply Geolocation enforcement to the country codes SX and CW.
Workaround:
None
1635209-1 : FW NAT policy with automap does not work with ALG protocols in active mode
Links to More Info: BT1635209
Component: Advanced Firewall Manager
Symptoms:
Connection is dropping when firewall NAT policy uses SNAT automap and ALG.
Conditions:
-- FW NAT translation using source automap.
-- ALG protocol profile applied.
Impact:
-- Connection is dropped
Workaround:
None
1635013-1 : The "show sys service" command works only for users with Administrator role
Links to More Info: BT1635013
Component: TMOS
Symptoms:
A guest or non-root user must be able to use the TMSH “show sys service” command, as there is no rule associated with a schema.
Conditions:
The issue occurs when the user is a non-root user.
Impact:
A non-root user will not be able to run the command even though they have permissions.
Workaround:
None
1633925-2 : Neurond is crashing intermittently during the creation/deletion of Neuron rules.
Links to More Info: BT1633925
Component: TMOS
Symptoms:
Neurond crashes are observed intermittently and core files are generated in the /shared/core folder.
Conditions:
When a profile-based DOS vector threshold is configured with a very low value, it may result in frequent addition/deletion of Neuron rules.
Impact:
Neurond crashes will be observed and may result in software-only mitigation due to failure in Neuron rule addition. Once Neurond comes up, rules are recreated allowing with the hardware mitigation.
Workaround:
Increase in threshold values for Profile-based DOS vectors if the configured value is very low.
1633573-2 : Active/Active Deployment Leads to DCC corruption due to duplicate sync files
Links to More Info: BT1633573
Component: Application Security Manager
Symptoms:
If changes are applied to two devices in auto-sync device groups at the same time, database corruption could occur.
Conditions:
Active/active deployment with ASM auto-sync enabled in a full sync group, and automatic policy builder running on both devices with traffic.
Impact:
Possible Policy enforcement corruption errors
Workaround:
Spurious changes and applying the affected policies fix the corruption.
1632925-2 : Sod does not update the value for sys DB failover.crcvalues
Links to More Info: BT1632925
Component: TMOS
Symptoms:
- The Traffic Groups GUI on a device in a device group reports the following even if the traffic group is in sync:
“The traffic group configuration on this device does not match with other devices. Sync the Configuration between devices.”
- Traffic group CRC values are consistent among peer devices when dumping the sod registers into /var/log/sodlog using the command /bin/cmd_sod get info.
- Restarting sod does not change the DB var failover.crcvalues from 'disagree' to 'agree'.
Conditions:
The DBVAR failover.crcvalues was previously set to disagree before the sod restart.
Impact:
The GUI displays the incorrect message in contrast to the actual state of the traffic group.
Workaround:
-- Ensure that the traffic groups are in sync and the peers agree on the CRC values.
-- Manually set the db var failover.crcvalues to 'agree' on the affected device. The commands would be:
tmsh modify sys db failover.crcvalues value agree
tmsh save sys config
1629693-2 : Continuous rise in DHCP pool current connections statistics
Links to More Info: BT1629693
Component: TMOS
Symptoms:
- Displays all properties of the dhcp_pool in its raw format under the LTM pool.
- Displays a rising count of current connections.
Conditions:
When a pool is used for DHCP servers.
Impact:
Wrong statistics showing a growing number of connections.
Workaround:
None
1629465-2 : Configuration synchronization fails when there is large number of user partitions (characters in user partition names exceeds sixty five thousand)
Links to More Info: BT1629465
Component: TMOS
Symptoms:
Configuration synchronization fails with the below errors,
err mcpd[6505]: 01070712:3: Caught configuration exception (0), MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message..
err mcpd[6505]: 01071488:3: Remote transaction for device group /Common/[device group] to commit id [commit id #] [config stamp #] /Common/[hostname] 0 failed with error 01070712:3: Caught configuration exception (0), MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message...
Conditions:
Traffic group with multiple devices and a large amount of user partitions (total character in the user partition names exceeds sixty five thousand)
Impact:
Configuration synchronization fails.
Workaround:
Reduce the number of user partitions and the characters in the partition names, or split the configuration into separate vCMP guests.
1629329-1 : A webpage can be stuck after opening a dropdown list
Links to More Info: BT1629329
Component: Application Security Manager
Symptoms:
A webpage on the protected application gets stuck
Conditions:
The ASM policy is configured with the CSRF feature and Ajax blocking page. There are some conditions at act on the page itself.
Impact:
A webpage gets stuck and unresponsive.
Workaround:
None
1629221 : BWC menu is not available in UI when licensing DHD
Links to More Info: BT1629221
Component: TMOS
Symptoms:
You are unable to view "Acceleration->Bandwidth Controllers" in Advanced Menu and are unable to configure anything from the GUI
Conditions:
-- Install the DHD license
Impact:
Not able to to access the Bandwidth Controllers menu from the GUI
Workaround:
Use tmsh command to configure or access.
tmsh create net bwc policy test max-rate 10000000
1628065 : TMM crash upon replacing L7 DOS policy
Links to More Info: BT1628065
Component: Anomaly Detection Services
Symptoms:
TMM crashes.
Conditions:
- ADOS L7 configured
- Replacing DOS policy under traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1627261 : Restoration of crldp aaa requires manual intervention after a network outage
Links to More Info: BT1627261
Component: Access Policy Manager
Symptoms:
Restoration of crldp aaa requires manual intervention after a network outage.
Conditions:
Configure crdp AAA with update interval non-zero and after network outrage crldp AAA began to fail.
Impact:
AAA fails after network outrage.
Workaround:
The issue could only be solved by setting the "Update Interval" setting from "0" to something else and then back to "0" (including "apply policy").
1626273 : [SAML][APM] BIG-IP as SP fails to validate IdP signature with cert bundle
Links to More Info: BT1626273
Component: Access Policy Manager
Symptoms:
SAML SP fails to validate assertion and logs
"err apmd[28223]: 01490204:3: /Common/ap:sso:fa1e00bc: SAML Agent: /Common/sso_saml_auth_ag failed to process signed assertion, error: RSA decrypt"
Conditions:
-- SAML certificate rotation as stated in K85751335 should be used
-- SAML assertion Response should be signed using second certificate in the configured cert bundle in the IDP connector config of SAML SP
Impact:
SAML authentication fails
Workaround:
The certificate used to sign the SAML Assertion response should always be the first certificate in the cert bundle configured as part of idp connector config.
1624625-2 : L7 policy for bot defense enable without profile name causes issues.
Links to More Info: BT1624625
Component: Application Security Manager
Symptoms:
When configuring L7 policy with bot defense enable command, but not setting the profile name, the command is not honored and tmm core can occur.
Conditions:
Bot Defense profile is attached to VS.
L7 policy is configured for enabling bot defense profile, without profile name (from editing bigip.conf only, GUI does not allow this)
Impact:
The bot defense enable command fails, and tmm may core. Traffic disrupted while tmm restarts.
Workaround:
Set the profile name in the Bot Defense enable command.
1624557-2 : HTTP/2 with RAM cache enabled could cause BIG-IP to return HTTP 304 with content
Links to More Info: BT1624557
Component: Local Traffic Manager
Symptoms:
When the server replies to BIG-IP with HTTP 304 (not modified) and the BIG-IP system returns the contents of the RAM cache, it will not change the HTTP code 304 returned by the server when sending the cached content back to the client. The client will reject the HTTP 304 with content since it is expecting 200 OK with content.
Conditions:
-- Content in RAM cache has expired
-- The BIG-IP system requests an update from the origin server
-- The origin server returns 304 Not Modified.
Impact:
The BIG-IP system sends the response to the client as a 304 along with the content, causing the client to reject the content.
Workaround:
Disable RAM cache or alternatively have the server never return HTTP 304 but rather the content with 200 OK, even if unchanged.
1623921-1 : IPencap monitor probes from bigd are prone to connection re-use.
Links to More Info: BT1623921
Component: Local Traffic Manager
Symptoms:
When using a DNS monitor with IP encapsulation, TMM handles probe encapsulation. Bigd reuses source ports after closing sockets quickly, but TMM applies a 30-second timeout, leading to connection re-use. This can result in probes being incorrectly encapsulated to the wrong pool member, causing inaccurate health monitoring
Conditions:
1. DNS monitor configured with 'transparent' destination and IP encapsulation enabled.
2. Large number of pool members (e.g., 60).
Impact:
Probes may be encapsulated to the wrong destination, leading to inaccurate health monitoring of pool members.
Workaround:
None
1623597 : Nat46/64 hardware connection re-offload is not optimal.
Links to More Info: BT1623597
Component: TMOS
Symptoms:
Nat46/64 hardware connection re-offload is not optimal.
Conditions:
Nat46/64 configuration with hardware offload (fastl4).
Impact:
Not optimal resource usage.
Workaround:
None
1621949-2 : [PA]Applications break when specific host is in rewrite control list of rewrite profile
Links to More Info: BT1621949
Component: Access Policy Manager
Symptoms:
You may observe applications not working with console error like
ERROR TypeError: Cannot read properties of undefined (reading 'location/window')
Conditions:
Rewrite profile's rewrite control list contains specific host instead of Any/Any.
Impact:
Applications via Portal Access is not working.
Workaround:
Custom irule
=======
when REWRITE_REQUEST_DONE {
if { [HTTP::path] ends_with "main.99af53556af6dbcb.js" } {
REWRITE::post_process 1
set rewrite_new 1
}
}
when REWRITE_RESPONSE_DONE {
if {[info exists rewrite_new]} {
unset rewrite_new
set rewrite_str {/*F5_*/ F5_g_window /*_5F#window#*/ .open().location.href=r}
set rewrite_str_len [string length $rewrite_str]
set strt [string first $rewrite_str [REWRITE::payload]]
if {$strt > 0} {
REWRITE::payload replace $strt $rewrite_str_len {F5_g_window.open(r)}
}
}
}
=======
1621481-2 : Tmrouted in a restart loop when large number of route-domains is configured.
Links to More Info: BT1621481
Component: TMOS
Symptoms:
Tmrouted enters a restart loop when large number of route-domains is configured.
Conditions:
Large number of route-domains configured (~ >1000)
Impact:
Tmrouted is unable to start successfully.
Workaround:
None
1621317-2 : Uncaught (in promise) TypeError: Failed to construct 'MouseEvent': Please use the 'new' operator, this DOM object constructor cannot be called as a function.
Links to More Info: BT1621317
Component: Access Policy Manager
Symptoms:
Below console error in devtools
Uncaught (in promise) TypeError: Failed to construct 'MouseEvent': Please use the 'new' operator, this DOM object constructor cannot be called as a function.
Conditions:
Portal Access with Modern JS
Impact:
Unable to download CSV files
Workaround:
Custom irule:
==========
when REWRITE_REQUEST_DONE {
if {
[HTTP::path] ends_with "index.html"
} {
set flgx 1
REWRITE::post_process 1
}
}
when REWRITE_RESPONSE_DONE {
if {[info exists flgx]} {
unset flgx
set str {if(typeof(F5_flush)}
set strt [string first $str [REWRITE::payload]]
if {$strt > 0} {
REWRITE::payload replace $strt 0 {
(function (window) {
// Polyfills DOM4 MouseEvent
const MouseEventPolyfill = function (eventType, params) {
params = params || { bubbles: false, cancelable: false };
const mouseEvent = document.createEvent('MouseEvent');
mouseEvent.initMouseEvent(eventType,
params.bubbles,
params.cancelable,
window,
0,
params.screenX || 0,
params.screenY || 0,
params.clientX || 0,
params.clientY || 0,
params.ctrlKey || false,
params.altKey || false,
params.shiftKey || false,
params.metaKey || false,
params.button || 0,
params.relatedTarget || null
);
return mouseEvent;
}
MouseEventPolyfill.prototype = Event.prototype;
window.MouseEvent = MouseEventPolyfill;
})(window);
}
}
}
}
==========
1620785-2 : F5 cache mechanism relies only on Last-Modified/If-Modified-Since headers and ignores the etag/If-None-Match headers
Links to More Info: BT1620785
Component: Local Traffic Manager
Symptoms:
-- Server has a document x with etag - AAAA
-- When the client requests for x through BIG-IP, BIG-IP caches it and responds with 200 OK.
-- Document on Server changes; new etag is BBBB and cache in BIG-IP is expired
-- Clients sending requests with If None-Match: BBBB, should receive 304 with BBBB response but receiving 200 OK with AAAA.
Conditions:
-- Client having access to the server directly and through BIG-IP with cache enabled.
(Or)
-- Deployment containing two BIG-IPs with caching enabled one at a time.
Impact:
BIG-IP serves old documents when requested with etag of the latest document
Workaround:
When HTTP_REQUEST_RELEASE {
if { [HTTP::header exists If-None-Match] && [HTTP::header exists ETag] }{
HTTP::header remove If-None-Match
}
}
1620725-2 : IPsec traffic-selector modification can leak memory
Links to More Info: BT1620725
Component: TMOS
Symptoms:
Memory leak after traffic-selector modification.
Conditions:
- Create a valid IPsec tunnel configuration.
- Constantly modify the traffic-selector.
Continuous modifications can cause instability.
Impact:
Modifying a traffic-selectors will leak memory.
In a typical environment, where selectors are configured once and not reconfigured hundreds or thousands of times, the memory leak will have no impact.
Workaround:
Delete traffic-selector and create traffic-selector again instead of modifying.
1617329-2 : GTM LDAP may incorrectly mark a pool member as DOWN when chase-referrals is enabled
Links to More Info: BT1617329
Component: Local Traffic Manager
Symptoms:
LDAP monitoring can fail to detect a member as UP when "chase-referrals" is set to "yes", even if the server response does not contain any referral.
Conditions:
GTM LDAP monitor is setup with chase-referral enabled
Impact:
A pool member may continue to be marked as DOWN, even if available
Workaround:
Set chase-referral to disable
1617229-2 : The tmsh ipsec ike command causes mcp memory leak
Links to More Info: BT1617229
Component: TMOS
Symptoms:
Memory leak occurs while using the tmsh show or delete command with ike-peer and traffic-selection name options.
Conditions:
Execute the tmsh show or delete command with ike-sa with name option.
Impact:
There is a memory leak.
Workaround:
Do not include a specific ike-peer name or traffic-selector name as part of tmsh show or delete ike-sa command.
1617101-2 : Bd crash and generate core
Component: Application Security Manager
Symptoms:
Bd crashes
Conditions:
Unknown
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
1617041-2 : Latest installed update missing on secondary device GUI
Links to More Info: BT1617041
Component: Application Security Manager
Symptoms:
The live update GUI misses currently installed updates on secondary after installing latest updates on primary BIG-IP.
Conditions:
-- BIG-IP configured for high availability (HA)
-- Primary is installed with the latest updates.
Impact:
User has to verify updates on secondary using curl command or navigating through GUI to check latest signature status on secondary device.
Workaround:
The live updates can be manually checked and installed on the secondary device via GUI
1616629-2 : Memory leaks in SPVA allow list
Links to More Info: BT1616629
Component: Advanced Firewall Manager
Symptoms:
Adding and removing entries from an address list on a BIG-IP configured for hardware DoS may result in a memory leak.
Conditions:
-- BIG-IP HSB hardware and VELOS.
-- AFM provisioned
-- security dos profile with a whitelist
Impact:
Tmm memory usage may grow over time. Eventually this could cause a crash. Traffic disrupted while tmm restarts.
Workaround:
Avoid using a DoS whitelist, or periodically restart tmm.
1615081-2 : Remove SHA and AES Constraint Checks in SNMPv3
Links to More Info: BT1615081
Component: TMOS
Symptoms:
SNMPv3 user cannot be created with a combination of SHA-2 and AES.
The following errors are observed:
> 'SHA-256 + AES' returns "The AES privacy protocol keys cannot be shorter than 192 with SHA-2 auth protocol."
> 'SHA-512 + AES' returns "The AES privacy protocol keys cannot be shorter than 192 with SHA-2 auth protocol."
> 'SHA + AES-256' returns "SHA-2 auth protocol is required with longer AES keys."
> 'SHA + AES-192' returns "SHA-2 auth protocol is required with longer AES keys."
Conditions:
- Creating SNMPv3 user with combination of SHA-2 and AES.
Impact:
Unable to create SNMPv3 user with lower keys.
Workaround:
None
1612561-2 : The "Source Address" field on the Virtual Server configuration page does not accept IPv4-mapped IPv6 addresses
Links to More Info: BT1612561
Component: TMOS
Symptoms:
On the GUI Virtual Server configuration page, it's not possible to add an IPv4-mapped IPv6 address to the "Source Address" field ("Host" radio button selected).
When trying to add an IPv4-mapped IPv6 address, for example "0:0:0:0:0:ffff:ac1f:c179/128", the GUI throws this error:
"Error parsing IP address: 0:0:0:0:0:ffff:ac1f:c179/128"
Conditions:
On the GUI Virtual Server configuration page, add an IPv4-mapped IPv6 address with any of these possible syntaxes:
0:0:0:0:0:ffff:ac1f:c179/128
::ffff:192.168.0.128/128
::ffff:ac1f:c179/128
Impact:
The GUI throws an error and it's not possible to add the IPv4-mapped IPv6 address.
Workaround:
Add the IPv4-mapped IPv6 source address via tmsh:
# create ltm virtual test_ipv6_00637978 destination ::0.433 source ::ffff:ac1f:c179/128
1612201-2 : Malformed certificates found in local /config/httpd/conf/ssl.crt/server.crt
Links to More Info: BT1612201
Component: Global Traffic Manager (DNS)
Symptoms:
The gtm_add command fails with:
"ERROR: found "END CERT..." without BEGIN at line: 0.
ERROR: Malformed certificates found in local /config/httpd/conf/ssl.crt/server.crt."
Conditions:
A device certificate in PEM format contains a newline as CRLF:
-- Create device certificate where "-----BEGIN CERTIFICATE-----" is terminated with CRLF ('\r\n' 0x0D 0x0A) instead of LF ('\n' 0x0A)
-- Perform the gtm_add.
Impact:
The gtm_add command fails with a malformed certificate error.
Workaround:
To mitigate use openssl x509 to convert CRLF to LF:
# cp /config/httpd/conf/ssl.crt/server.crt /config/httpd/conf/ssl.crt/server.crt-back
# openssl x509 -in /config/httpd/conf/ssl.crt/server.crt-back > /config/httpd/conf/ssl.crt/server.crt
1606813-2 : Zone transfer fails for large zones when using TSIG key
Links to More Info: BT1606813
Component: Global Traffic Manager (DNS)
Symptoms:
-- Zone transfer fails when DNSSEC is enabled. Malformed records exist in traffic captures.
-- Error logs such as err zxfrd[4833]: 01531012:3: Transfer of zone <zone name> failed due to invalid TSIG were seen.
Conditions:
-- Larger zone with large number of records
-- DNSSEC and TSIG is enabled
Impact:
Zone transfer fails with DNSSEC enabled.
Workaround:
Zone transfer works fine if DNSSEC is not used on the Master DNSX server.
1605125-3 : TMM might crash when AFM is used on the Virtual Edition of BIG-IP
Links to More Info: BT1605125
Component: Advanced Firewall Manager
Symptoms:
TMM might crash when AFM is used on the Virtual Edition of BIG-IP.
Conditions:
- BIG-IP virtual edition.
- AFM with DoS vectors is enabled.
Impact:
The traffic is disrupted when TMM restarts.
Workaround:
None
1604377-3 : When feed list has multiple URLs with multiple subdomains then url cat-query is not working as expected
Links to More Info: BT1604377
Component: Traffic Classification Engine
Symptoms:
When the feed list has multiple URLs with various subdomains, as shown below:
google.com,16569
google.com/subdomain1,24630
google.com/subdomain1/subdomain2,24646
The URL google.com/subdomain1/subdomain2 is not being classified as expected
Conditions:
The feed list has to be created with multiple URLs with various subdomains similar to the below:
google.com,16569
google.com/subdomain1,24630
google.com/subdomain1/subdomain2,24646
Impact:
The URL might not get classified as expected
Workaround:
None
1604021-1 : Using CLI, the creation of urlcat-id TMSH command with values 28671 and 65536 must fail, but it is getting created.
Links to More Info: BT1604021
Component: Traffic Classification Engine
Symptoms:
The user defined URL category ID must be in a numeric range of 28672 to 32768. The GUI displays an error when the custom URL category ID is outside the range. But, the TMSH command accepts the full `uint16` range.
Conditions:
TMSH must display an error when it is outside the value range.
Impact:
It will overlap with the predefined data type category ID.
Workaround:
Configure the cusotm caterogy ID from the GUI.
1603445-2 : Wccpd can have high CPU when transitioning from active to standby
Links to More Info: BT1603445
Component: TMOS
Symptoms:
Wccpd on a device can be seen taking a high amount of CPU.
Conditions:
This can happen on a box running wccpd with a connection to a router and the box is going from active to standby.
Impact:
High cpu usage reducing the box's performance.
Workaround:
Restart the wccpd daemon on the standby (where the high CPU is observed):
bigstart restart wccpd
1602777 : "411 Length required" during NTLM negotiation
Links to More Info: BT1602777
Component: Access Policy Manager
Symptoms:
The NT LAN Manager (NTLM) Single Sign-On (SSO) fails with “411 required Length” response sent to the client.
Conditions:
- Stream profile should be attached to the VS
- NTLM SSO should be enabled on the Access profile
Impact:
The Transfer-Encoding and Content-Length headers are not sent to the NTLM server.
SSO fails and the backend NTLM server cannot be accessed.
Workaround:
The following iRule workaround can be applied:
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events enable
}
when HTTP_REQUEST {
# Disable the stream filter for requests
STREAM::disable
}
when HTTP_RESPONSE {
if { [HTTP::header value Content-Type] contains "text"} {
STREAM::expression "@https://internal.com@https://external.com@"
STREAM::enable
}
}
1602641-3 : Configuring verified-accept and SSL mirroring on the same virtual results in stalled connections.
Links to More Info: BT1602641
Component: Local Traffic Manager
Symptoms:
If a virtual server has SSL mirroring and with verified-accept enabled, the set handshake timeout value will be delayed during the SSL handshake client connections. The standby unit will not copy the connection to the virtual server.
Conditions:
- Verified accept enabled
- SSL mirroring enables
- An HA pair
Impact:
- SSL connections delayed inside the SSL handshake
- SSL connections are not mirrored to the peer unit.
Workaround:
Disable mirroring or disable verified-accept.
1602345-2 : Resource records are not always created when wideips are created in a bundle
Links to More Info: BT1602345
Component: Global Traffic Manager (DNS)
Symptoms:
Resource records are not created for some of the created WideIPs.
Conditions:
WideIPs are created in a bundle.
Impact:
Resource records are missing.
Workaround:
Wait for more than a minute before creating another wideip;
Or
When resource records are found missing, delete the related wideips and also delete related db zone file for that wideip, then recreate the wideip.
1602209-1 : The bigipTrafficMgmt.conf file is not copied from UCS to /config/snmp★
Links to More Info: BT1602209
Component: TMOS
Symptoms:
After restoring a UCS file, or after an upgrade, the file /config/snmp/bigipTrafficMgmt.conf is not updated.
Conditions:
The /config/snmp/bigipTrafficMgmt.conf has been modified.
Impact:
If the file was modified, the modifications are lost on upgrade or UCS install. The file will need to be modified again and snmpd restarted, and restarted on all blades/slots.
Workaround:
Edit the bigipTrafficMgmt.conf by hand after the upgrade.
1602033-2 : Delays in REST API Calls post upgrade to 17.1.1.x★
Links to More Info: BT1602033
Component: TMOS
Symptoms:
You encounter delays in REST API calls after upgrading to version 17.1.1.x. Async commands may time out and expired operation exceptions may occur.
Symptoms you may see
-- "Error 500 AsyncContext timeout" in restjavad.0.log
-- The system occasionally does not grant a REST API token
-- High CPU utilization by java
-- GUI timeout
-- Spurious 400 / 500 errors from iControl REST
Conditions:
The problem occurs after upgrading to version 17.1.1.x despite configuring timeout values to 300 for icrd and restjavad
Impact:
The delays in REST API calls and recurring timeout exceptions can disrupt normal operations, leading to degraded system performance and potential service disruptions. Users relying on the affected REST API endpoints may experience slower response times, leading to decreased productivity and efficiency.
Workaround:
Restarting restjavad mitigates the issue but the issue may occur again.
1601581-2 : Virtual-address settings are not restored properly when overlapping NAT policy with proxy-arp is removed.
Links to More Info: BT1601581
Component: Local Traffic Manager
Symptoms:
Consider a case where there exists a nat policy with proxy-arp enabled overlapping with a virtual-address. If a nat policy proxy-arp option is removed some settings on a virtual-address might not take effect (arp disabled/icmp disabled).
Conditions:
Example of affected configuration:
security nat policy policy1 {
rules {
rule_001 {
destination {
addresses {
0.0.0.0/0 { }
}
proxy-arp enabled
}
ltm virtual-address 0.0.0.0 {
address any
arp disabled
icmp-echo disabled
mask any
}
Impact:
Incorrect traffic handling.
Workaround:
After deleting proxy-arp option from nat policy, toggle one of settings of virtual-address.
1600669-2 : Inconsistency in iRule parsing for iControl REST and tmsh/WebUI
Links to More Info: BT1600669
Component: TMOS
Symptoms:
After sending iRule content with POST via iControl REST - 400 error is returned similar to below:
{"code":400,"message":"can't parse TCL script beginning with\n\nproc someproc {}{\n log local0. \"something\"\n}\n } \n","errorStack":[],"apiError":26214401}%
Conditions:
iRule contains closing and opening curly brackets next to each other without a space e.g.:
proc someproc {}{
instead of
proc someproc {} {
Impact:
iRule is not added to BIG-IP and 400 error is returned
Workaround:
Add space between closing and opening curly brackets
1600617-2 : Few virtio driver configurations may result in excessive memory usage
Links to More Info: BT1600617
Component: TMOS
Symptoms:
Certain virtio driver configurations may result in excessive memory usage, which in some cases, leads to issues with forwarding traffic.
'tmctl page_stats' output can be examined on a newly launched system to verify if any of the TMMs except for TMM0 have their memory exhausted.
Conditions:
Virtio driver memory usage scales up with:
- Number of queues.
- Number of TMMs.
- Number of interfaces.
- Queue size.
Increasing these numbers might cause a problem trigger.
Impact:
Excessive memory usage, in some cases, leads to problems with traffic forwarding.
Workaround:
Scale down on the number of queues and their size. Reduce the number of interfaces.
1600333-2 : When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install
Links to More Info: BT1600333
Component: TMOS
Symptoms:
Route updates are dropped.
When enabling nsm debug, you might see message similar to:
2024/06/20 22:49:11 errors: NSM : addattr: buffer too small(missing: 4 bytes)
2024/06/20 22:49:11 errors: NSM : netlink_route: error at tmos_api.c:806
Conditions:
-- max-path set to a high value (64) in ZebOS
-- Long VLAN names are used
Impact:
Tmrouted never sees the NEWROUTE update.
Workaround:
- If 'max-paths ibgp 16' of higher is desired, then use smaller VLAN names
- If changing VLAN names is not desired, then use a lower value on 'max-paths ibgp X'
1600265-1 : Request_status is alerted in remote logging while local logging shows blocked
Links to More Info: BT1600265
Component: Application Security Manager
Symptoms:
"request_status" is "alerted" in remote logs for blocked requests.
Conditions:
Viewing remote logs for blocked requests
Impact:
"blocked" requests are misinterpreted as "alerted" in remote logs
Workaround:
None
1599597-2 : BD start failure
Links to More Info: BT1599597
Component: Local Traffic Manager
Symptoms:
BD repeatedly fails to start
Conditions:
- VE has 32 no htsplit cpu cores
- VE has license that restricts number of tmm to be 4
- ASM provisioned
- ASM policy is attached to virtual server
Impact:
BD fails to start and the system status is Offline
Workaround:
Change number of cpu cores of the VM to 28, 24, 20, 16, 12, 8 or 4.
1599213-6 : Deleting a signature takes more time
Component: Application Security Manager
Symptoms:
Deleting a signature is substantially longer than adding a signature.
Conditions:
Deleting a signature on a device with many policies and multiple user-defined Signature Sets.
Impact:
Deleting a signature takes more time than expected.
Workaround:
None
1598465-3 : Tmm core while modifying traffic selector
Component: TMOS
Symptoms:
Tmm core
Conditions:
Create the Interface mode configuration.
keep the selector's local/remote address as 0.0.0.0/0
on other side peer. keep Traffic selector's ip specific. */32
Initiate tunnel. It will cause traffic selector narrowing.
Modify the Traffic selector.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No Workaround
1598421-2 : When uri is added with / at the end and category in a feedlist then the uri is not categorized as expected
Component: Traffic Classification Engine
Symptoms:
When uri is added with / at the end and category in a feedlist then the uri is not categorized as expected.
If a feedlist is created as below
google.com,24626
google.com/subdomain1/,24631
Then when the BIG-IP system queries google.com/subdomain1/ it is being categorized as Internet_Portals(24626)
Conditions:
A feedlist has to be created similar to below case with multiple subdomains and different categories for uri with / at the end and no / at the end
google.com,24626
google.com/subdomain1/,24631
Impact:
When feedlist is defined similar to below case:
google.com,24626
google.com/subdomain1/,24631
then, URL Categorization based operations might get impacted
Workaround:
None
1598405-2 : Intermittent TCP RST with error 'HTTP internal error (bad state transition)' moreover with larger files for Explicit Proxy virtual server when HTTP_REQUEST_SEND iRule event in use.
Links to More Info: BT1598405
Component: Local Traffic Manager
Symptoms:
When the HTTP_REQUEST_SEND iRule event is triggered, after the completion of the TLS handshake and acknowledgment by BIG-IP from the server, BIG-IP sends a TCP RST with the error message ‘bad state transition’.
Conditions:
- BIGIP1 as a proxy for clients
- BIGIP2 with LTM and APM provisioned, connects to the server
- BIGIP2 has ACCESS::session iRule command under HTTP_REQUEST_SEND event
Impact:
Client-side traffic may get disrupted.
Workaround:
Move [ACCESS::session data get "session.ad.last.attr.sAMAccountName"] in HTTP_REQUEST event, assign value to tcl variable, reuse tcl variable in HTTP_REQUEST_SEND.
1598345 : [APM] Unable to access virtual IP when address-list configured
Links to More Info: BT1598345
Component: Access Policy Manager
Symptoms:
You may observe below error when accessing virtual server
===============
Access was denied by the access policy. This may be due to a failure to meet access policy requirements.
The session reference number: 8df760ba
Access policy configuration has changed on gateway. Please login again to comply with new access policy configuration
Thank you for using BIG-IP.
===============
Conditions:
APM virtual server with address-lists configured
Impact:
Unable to use APM functionality
1596481-3 : Staged signature IDs and name are not logged in remote logger for websocket traffic
Links to More Info: BT1596481
Component: Application Security Manager
Symptoms:
Staged signature IDs are not visible
Conditions:
Remote logger for websocket traffic is configured
Impact:
Lack of visibility of staged signatures, and difficult to monitor websocket traffic
Workaround:
With HTTP, staged signature details can be seen on the remote logger
1596445-3 : TMM crashes when firewall NAT policy uses automap and SIP/RTSP/FTP ALG.
Links to More Info: BT1596445
Component: Advanced Firewall Manager
Symptoms:
TMM crashes when firewall NAT policy uses SNAT automap and SIP/RTSP/FTP ALG.
Conditions:
-- FW NAT translation using source automap.
-- SIP/RTSP/FTP protocol profile applied.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1593621-3 : TMM core on IPSEC config load/sync stats★
Component: TMOS
Symptoms:
Crash observed after upgrade
Conditions:
Upgrade to 15.1.10 -> 17.1.1.3
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
1592209-2 : Monitored objects stays "Offline (Enabled)" even after manually enabling the server object after reboot
Links to More Info: BT1592209
Component: Global Traffic Manager (DNS)
Symptoms:
A Generic host server object reports “Offline (Enabled)”.
When enabling the server object, the bellow message is logged to /var/log/gtm:
gtmd[xxxx]: 011a5004:1: SNMP_TRAP: Server /Common/[generic-server] (ip=192.1.1.51) state change blue --> red (No enabled virtual server available)
Conditions:
-- Any operations that cause GTMd to rebuild its probe list. Following are a few example operations:
- Monitored objects being disabled,
- GTMd restart,
- Loss of iQuery to other GTMs,
- Adding or removing probes.
-- BIG-IP is running on a software versions 17.1.1 or 16.1.5 or later versions in which the ID 1133201 is fixed.
Impact:
Virtual servers that are associated with the affected generic server object may stay unavailable. Hence, pool or wideIP, which uses the affected server object, may be unavailable too.
Workaround:
After the issue, restart the GTMd. Generic host server object will be get back to 'Available (Enabled)' status.
Following is an example command to restart the GTMd:
# tmsh restart /sys service gtmd
1591197-2 : Specific JSON enforcement is not working
Links to More Info: BT1591197
Component: Application Security Manager
Symptoms:
An issue was detected with the JSON schema pattern attribute
Conditions:
When something is defined as a pattern in the JSON schema, it's enforcement can be bypassed on a specific scenario
Impact:
A missed JSON schema violation
Workaround:
None
1590689-3 : Loss of kernel routes occurs on 1NIC Virtual Edition when the DHCP lease expires.
Links to More Info: BT1590689
Component: TMOS
Symptoms:
In the single NIC, BIG-IP Virtual Edition is assigned an IP address by a DHCP server. When the DHCP lease expires and the BIG-IP is assigned a new IP address, some of the routes are removed from the kernel routing tables.
Conditions:
An issue occurs in the BIG-IP system with the below condition,
- Single NIC BIG-IP Virtual Edition
- IP address is assigned by a DHCP server
- The DHCP lease expires and the Virtual Edition is assigned a new IP address
Impact:
Some routes are removed from the kernel routing tables thus causing a potential loss of connectivity on the management network and on the data plane.
Workaround:
All the kernel routes can be reinstalled when you disable and re-enable the DHCP client using the,
tmsh modify sys global-settings mgmt-dhcp disabled
tmsh modify sys global-settings mgmt-dhcp enabled
1590085-2 : DoSL7D ICC errors are observed during higher throughput with DoS profile on Active-Active setup
Links to More Info: BT1590085
Component: Application Security Manager
Symptoms:
Occurrence of too many Intelligent Client Cache (ICC) errors during higher throughput on Active-Active setup.
Conditions:
- Active-Active BIG-IP setup
- DoS profile should be attached
- Higher throughput condition
Impact:
Failure of configuration sync between Active-Active BIG-IPs, due to ICC errors.
Workaround:
None
1589813-1 : Change in behaviour when setting value HTTP::payload to 0 in irule from v16 onwards★
Links to More Info: BT1589813
Component: Local Traffic Manager
Symptoms:
When HTTP_REQUEST_DATA {
set empty ""
HTTP::payload replace 0 $clen $empty
set request_length [HTTP::header "Content-Length"]
log local0. "request_length $request_length"
HTTP::release
}
$request_lenght throws non zero value since v16.0.0
Conditions:
V16.x/v17.x loaded version can observe $request_length throws non zero/garbage value.
(but observed $request_length as zero value in eg v15.1.10.4)
Impact:
$request_lenght throws non zero/garbage value.
Workaround:
None
1589753-2 : [BGP] IPv6 routes not installed/pushed after graceful restart when IPv6 peer-groups are configured.
Links to More Info: BT1589753
Component: TMOS
Symptoms:
Some IPv6 routes are not installed/pushed after graceful restart when IPv6 peer-groups are configured.
Conditions:
- BGP configured with peer-group activated under IPv6 address-family.
- BGP graceful restart took place.
Impact:
Routes are missing on BIG-IP. Routes are not sent to IPv6 peers.
Workaround:
Do not use peer-groups under IPv6 address-family. Configure peers separately instead.
1589629-2 : An ICMPv6 Neighbor Solicitation sent to the last address on an IPv6 subnet is using the wrong Destination MAC address
Links to More Info: BT1589629
Component: Local Traffic Manager
Symptoms:
The destination MAC address of the ICMPv6 Neighbor Solicitation message is incorrect.
Conditions:
An IPv6 SelfIP address is used.
Impact:
No node on the network would respond to ICMPv6 Neighbor Solicitation messages.
Workaround:
None
1589293-2 : Mcpd "IP::idle_timeout 0" warning generated in /var/log/ltm
Links to More Info: BT1589293
Component: TMOS
Symptoms:
When creating iRule with command "IP::idle_timeout 0" mcpd reports an error message similar to:
May 17 07:00:53 bigip.local warning mcpd[9215]: 01071859:4: Warning generated : /Common/test.irule:13: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid argument 0; expected syntax spec:"1077 19][IP::idle_timeout 0]
Conditions:
Whenever iRule includes the "IP::idle_timeout 0" statement
Impact:
mcpd displays unnecessary LTM logs with a warning message
1589269-1 : The maximum value of sys db provision.extramb was reduced from 8192 to 4096 MB★
Links to More Info: BT1589269
Component: SSL Orchestrator
Symptoms:
From version 16.1.0 the maximum value of sys db provision.extramb is 4096 MB, reduced from 8192 MB. It will be automatically set to 4096 during the upgrade if it has a higher setting.
Conditions:
Any BIG-IP device running software version 16.1.0 or higher.
Impact:
It is extremely rare to need values of provision.extramb above 4096 MB.
No impact on upgrade if value of sys db provision.extramb is 4096 or less. After the upgrade, it is not possible to increase the value above 4096.
If greater than 4096 the value will be reduced to 4096 when upgrading to version 16.1.0 or higher. This may leave device with insufficient 4KB page memory (also known as host memory) which may lead to issues due to memory pressure such as oom killer killing processes, poor scheduling of processes which may cause core dumps, and sluggish management access.
Workaround:
None
1589213-1 : Content signatures are triggered for FileUploads even though check attack signature is disabled
Links to More Info: BT1589213
Component: Application Security Manager
Symptoms:
Having FileUpload parameters and disabling the "Check for attack signatures" results in content and paramcontent signatures violations.
Conditions:
- Create parameters with a FileUpload option
- Disable Check attack signature.
Impact:
Requests are blocked
Workaround:
None
1589045-2 : When the ADMD process becomes unresponsive during the attack, TMM continues to mitigate bad traffic after the attack
Links to More Info: BT1589045
Component: Anomaly Detection Services
Symptoms:
TMM continues to mitigate bad traffic after an attack.
Conditions:
ADMD is stuck or overloaded for a long time.
Impact:
Traffic mitigation continues after the attack ends.
Workaround:
To restart ADMD, use the following command:
#bigstart restart admd
1588841-3 : SA Delete is not send to other end
Links to More Info: BT1588841
Component: TMOS
Symptoms:
If an IPsec tunnel is deleted, the remote peer will not know about the deletion and invalid Security Associations (SAs) will remain valid.
Conditions:
- Create IPsec interface mode tunnel.
- Establish tunnel.
- Change the configuration so that tunnel will be recreated.
- Check on remote peer. SAs is not deleted immediately.
Impact:
Multiple SAs will be present on remote peer for some time.
Workaround:
The old SAs can be manually deleted on the peer device.
1586765-1 : In r2k/4k platforms vlan tagged to multiple interfaces, packets forwarded to all interfaces irrespective of destination is reachable.
Component: Local Traffic Manager
Symptoms:
In r2k/4k platforms, when the same VLAN is assigned to multiple interfaces, traffic originating from a tenant is being transmitted over all VLAN-tagged interfaces, rather than just the interface where the destination is reachable.
Conditions:
When the same VLAN is assigned to multiple interfaces.
Impact:
Packets may be transmitted over incorrect interfaces to subsequent networking devices. In such a scenario, devices adjacent would need to handle the additional traffic.
Workaround:
None
1584297-1 : PEM fastl4 offload with fastl4 leaks memory
Links to More Info: BT1584297
Component: Policy Enforcement Manager
Symptoms:
A tmm memory leak occurs while passing PEM traffic. The tmctl memory_usage_stat command shows pem_hud_cb_data memory is high.
Conditions:
-- A PEM profile with fast-pem enabled
-- The PEM profile is assigned to a Fast L4 virtual server
Impact:
A memory leak occurs. This could cause tmm to crash. Traffic disrupted while tmm restarts.
Workaround:
Either of these workarounds will be effective.
-- Do not use Fast L4 offload for Fast L4 PEM virtual servers
-- Do not use Fast L4 for the PEM virtual if fast-pem is enabled
1584217-2 : Captcha prompt not presented
Links to More Info: BT1584217
Component: Application Security Manager
Symptoms:
The captcha prompt is not presented when the request size (headers and body) is large.
Conditions:
-- Enable brute force feature with captcha mitigation or use irule.
-- Trigger a captcha for a request that originally is more than 10KB.
-- Size of headers and body together is more than 10KB.
Impact:
No new captcha prompt after submitting an empty or incorrect answer.
Workaround:
None
1584089 : The trunk name length must not exceed 64 characters.
Links to More Info: BT1584089
Component: TMOS
Symptoms:
Trunk length accepts more than 64 characters.
Conditions:
Create trunk with name containing 64+ characters (64 + NULL)
Impact:
If it exceeds more than 78 characters, the crash is happening and interfaces are going down. Interfaces going down when bcm56xxd crashes.
1583701-2 : Access Policy Export does not write OCSP profile correctly to ng_export.conf
Links to More Info: BT1583701
Component: Access Policy Manager
Symptoms:
After exporting an Access Policy, further import shows such error:
Import error: 0107134a:3: File object by name (Common/Cert_Name_Example.crt) is missing. Unexpected Error: Loading configuration process failed.)
Conditions:
- OCSP profile configured with "Verify Other"
- OCSP Auth agent configured with such OCSP responder in an Access Policy
Impact:
Unable to export/import Access policy
Workaround:
On the BIG-IP system where the export is made:
- Edit OCSP responder AAA profile
- Under advanced, remove the certificate from "Verify Other" entry and then click Finished
- Apply Access Policy
- Export Access Policy
on the BIG-IP system where the import is made:
- Import the previously exported Access Policy
- Edit OCSP responder which should now be available
- Under advanced, select relevant certificate in "Verify Other" entry and then click Finished
1583345 : Zonerunner GUI can become unresponsive when managing large number of records
Links to More Info: BT1583345
Component: Global Traffic Manager (DNS)
Symptoms:
Zonerunner GUI becomes unresponsive when attempting to view a large number of resource records.
Conditions:
DNS zones with a large number of resource records (over 60k) or when the cumulative number of resource records of all the zones exceeds 1000k records.
Impact:
- Zonerunner is a DNS client just like dig and nslookup. When it displays all the resource records in a zone, it makes an AXFR request to bind.
- When it is asked to display a large number of records, the process can be CPU intensive and the GUI can become unresponsive.
Workaround:
- Limit the number of records per zone to less than 60k.
- Limit the cumulative number of records to less than 1000k
1582257 : Bcm56xxd crashes when executing qkview if the length of the trunk name exceeds 78 characters.
Links to More Info: BT1582257
Component: TMOS
Symptoms:
Running qkview causes bcm56xxd to the core.
Conditions:
If the trunk name exceeds 78 characters, running qkview will cause bcm56xxd to core.
Impact:
Interfaces going down when bcm56xxd crashes.
1581685-2 : iRule 'members' command counts FQDN pool members.
Links to More Info: BT1581685
Component: Local Traffic Manager
Symptoms:
iRule 'members' command counts and lists FQDN pool members.
Conditions:
- create a pool with at least one FQDN member.
- use the members function in an iRule.
Impact:
iRule with members command will not give the desired result.
Workaround:
When FQDN pool members are present, using the 'members' command in the iRule will not yield the desired result.
1581653-2 : Unbounded GENERICMESSAGE queue growth
Links to More Info: BT1581653
Component: Service Provider
Symptoms:
TMM memory grows while passing traffic.
Conditions:
The GENERICMESSAGE::message iRule event is used with the no_response parameter set to 'no'.
If requests messages are sent and a response message does not occur, the request messages are added to the cur_pending_requests. It keeps growing without any control.
Impact:
Cur_pending_requests under profile_genericmsg_stat keeps growing. "filter" memory keeps growing.
Workaround:
None
1581085 : In APM, TMM Core event triggered a Failover
Links to More Info: BT1581085
Component: Access Policy Manager
Symptoms:
Adding too many settings to the single customization image leads to undefined behaviour.
Following is an example:
^/public/images/customization//Common/<ap>_ap_general_ui/logo_
^/public/images/customization//Common/<ap>_ap_general_ui/banner_
^/public/images/customization/.+/(front|background|shrink(ed)?|expand(ed)?|separator|urlsame|urlnew|home|search_res|vdi_settings|banner|toolbar|contentpane|company|disconnect|warning|help|fw|logopopup|bannerpopup|toolbarpopup|cntpanelefthov|cntpanerighthov|cntpanemiddlehov|disconleft|disconright|disconmiddle|disconlefthov|disconrighthov|disconmiddlehov|disconnected|connected|waiting|sprites|side|logout|page|logo|go|image([0-9]{1,2})?)_.+
^/public/advanced/images//Common/<ap>/image[0-9]{2}\.(gif|png|jpg|jpeg)$
Conditions:
Parsing of access profile.
Impact:
Incorrect parsing of the Access Profile: Customization fields lead TMM Core event and triggered a Failover.
Workaround:
None
1581057-3 : Wr_urldbd IPC memory leak
Links to More Info: BT1581057
Component: Traffic Classification Engine
Symptoms:
Increase in wr_urldbd memory usage. wr_urldbd IPC message queue pileup.
Conditions:
BIG-IP with Service provider configuration which tries to achieve URL Categorization of subscriber traffic. SP DAG is configured. Most requests are being processed by the same TMM.
Impact:
Memory leak in wr_urldbd, leading to a stuck or inconsistent state.
Workaround:
Traffic disrupted while tmm restarts.
1581001-2 : Memory leak in ipsec code
Links to More Info: BT1581001
Component: TMOS
Symptoms:
There is a TMM memory leak in the IPsec code.
Conditions:
IPsec tunnels is configured.
Impact:
A TMM memory leak can eventually cause tmm to crash. Traffic disrupted while tmm restarts.
Workaround:
Restart TMM.
1580369-2 : MCPD thrown exception when syncing from active device to standby device.
Links to More Info: BT1580369
Component: TMOS
Symptoms:
Config sync fails on the secondary blade and MCPD restarts.
In /var/log/ltm:
err mcpd[7906]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/custom_urldb_d/:Common:custom_feedlist_348871_3751" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
err mcpd[7906]: 0107134b:3: (rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1518) [Receiver=3.0.9] ) errno(0) errstr().
err mcpd[7906]: 0107134b:3: (syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
err mcpd[7906]: 0107134b:3: (rsync process failed.) errno(255) errstr().
err mcpd[7906]: 01070712:3: Caught configuration exception (0), Failed to sync files..
Conditions:
- A BIG-IP system with multiple blades and multiple slots configured for high availability
- Active device has to download the custom_urldb file from a server
- A config sync occurs
Impact:
Config sync to the secondary blade fails and MCPD throws an exception and restarts on the secondary. The cluster primary blade has the correct custom_urldb file. This will impact incremental syncing to other peers in the device group.
Workaround:
None
1580313-3 : The server_connected event related logs in policy attached to a FastL4 virtual server is not logged to the LTM log
Links to More Info: BT1580313
Component: Local Traffic Manager
Symptoms:
The server_connected event logs are not seen in LTM logs.
Conditions:
Connect to a backend server through FastL4 Virtual Server with server_connected event log in LTM policy.
Impact:
The server_connected event logs not seen in LTM logs.
Workaround:
None
1580229-3 : Tmm tunnel failed to respond to ISAKMP
Component: TMOS
Symptoms:
While trying to negotiate the tunnel, multiple IPSEC SAs are created. This increases the tunnel count, but the tunnels are not in a working state.
Conditions:
-- Use wildcard ips for source/destination address in traffic selector.
-- Change the destination address to a specific address.
Impact:
IPSEC traffic is disrupted.
Workaround:
Keep responder's IKE peer as passive so that it can never be an initiator.
1579857 : [APM][Address-space]apm resource address-space input validation missing for ipv6
Links to More Info: BT1579857
Component: Access Policy Manager
Symptoms:
Some specific IPv6 addresses are silently converted to fe80::%vlan26505
Conditions:
Add fe80:6789::0 for the ipv6 address in an address-space resource
(tmos)# modify apm resource address-space test_space ipv6 add { fe80:6789::0 }
Impact:
The IPv6 address is converted to fe80::%vlan26505
(tmos)# list apm resource address-space test_space all-properties
apm resource address-space test_space {
app-service none
cfg-uri none
description none
discovery-interval 0
dns { *.test.com }
ipv4 {}
ipv6 { fe80::%vlan26505 }
last-discovery-time 1969-12-31:16:00:00
max-response-size 131072
partition Common
trusted-ca-bundle none
type custom
}
TMSH does not delete this address and does not return an error:
(tmos)# modify apm resource address-space test_space ipv6 delete { fe80::%vlan26505 }
(tmos)#
Workaround:
None
1579841 : [APM][Address-space]apm resource address-space input validation missing for ipv4
Links to More Info: BT1579841
Component: Access Policy Manager
Symptoms:
You are able to create an address-space APM resource without specifying the subnet. This results in an address space that has a /32 subnet mask.
Conditions:
Create a new address space (IPv4 or IPv6) either via CLI or TMUI (Access >> Connectivity/VPN >> Network Access (VPN) >> Address Space) and add an address without specifying the subnet.
(tmos)# create apm resource address-space test_space type custom ipv4 add { 10.10.10.10 }
Impact:
When you view the properties in TMSH and the GUI, the address is displayed, but without a netmask:
(tmos)# list apm resource address-space test_space all-properties
apm resource address-space test_space {
app-service none
cfg-uri none
description none
discovery-interval 0
dns none
ipv4 { 10.10.10.10 }
ipv6 none
last-discovery-time 1969-12-31:16:00:00
max-response-size 131072
partition Common
trusted-ca-bundle none
type custom
}
Workaround:
None
1579805-2 : GTM load balancing decision logs contain truncated pool member details.
Links to More Info: BT1579805
Component: Global Traffic Manager (DNS)
Symptoms:
The load balancing decision logs for GTM contains truncated pool member details.
Conditions:
Enable 'load-balancing-decision-log-verbosity { pool-selection pool-traversal pool-member-selection pool-member-traversal }' at the WIDEIP level to view detailed pool member information in the logs, which are currently truncated.
Impact:
Minimal impact; logs lack comprehensive details.
Workaround:
None
1579637-2 : Incorrect statistics for LTM. Rewrite profile with rewrite_uri_translation mode
Links to More Info: BT1579637
Component: TMOS
Symptoms:
Statistics for a rewrite profile are zeroes when using it in LTM with rewrite-uri-translation mode
Conditions:
LTM usecase with "Rewrite Profile".
Configure rewrite-uri-translation for "Rewrite Profile".
Impact:
URI translation is working but there are no statistics.
All statistics are set to zero on "tmctl profile_rewrite_stat -w 240"
Workaround:
None
1579533-2 : Jitterentropy read is restricted to FIPS mode or TMM usage only, for performance reasons
Links to More Info: BT1579533
Component: Local Traffic Manager
Symptoms:
If jitterentropy-read from CPU jitter is used in all cases, a big performance problem is seen for most cases where BIG-IP works in non-FIPS mode.
Conditions:
The issues occur when BIG-IP operates in non-FIPS or FIPS mode and use jitterentropy to generate seed.
Impact:
Very high CPU utilization is seen when BIG-IP handles traffic while in non-FIPS mode.
Workaround:
None
1578637-2 : TMM may drop MRF messages after a failover.
Links to More Info: BT1578637
Component: Service Provider
Symptoms:
If the Standby unit of an HA pair configured for MRF mirroring drops a message, the TCP state will be out of sync between the two units and possibly cause the Standby to fail to pass traffic when it goes Active.
Conditions:
BIG-IP configured with HA mirroring and MRF
profile_diameterrouter_stat.common.tot_messages_standby_dropped has incremented on the affected profile
A failover occurs
Impact:
After a failover, TMM will ACK incoming MRF messages and not forward them to the peer.
Workaround:
Delete the affected connflow.
Ensure that messages are not dropped on the standby by any or all of the following:
- Increase the mirrored-message-sweeper-interval:
modify ltm message-routing diameter profile router <name> mirrored-message-sweeper-interval 1000 -> 5000
- Ensure that the HA connection does not have excessive latency or packet loss. The "Buffered" stat in the ha-mirror statistics table should be low. See K54622241 for details.
- Ensure that the Maximum Pending Messages setting in the Diameter router profile is high enough to handle the message load.
1578597-1 : Religion URL Categories not found on SWG database download
Links to More Info: BT1578597
Component: Access Policy Manager
Symptoms:
Error messages in /var/log/apm
"The requested URL Category (/Common/Lesser-Known_Religions) was not found."
"The requested URL Category (/Common/Widely-Known_Religions) was not found."
Conditions:
APM provisions and SWG database downloads enabled.
Impact:
Religion URLs do not get get categorized properly from the SWG database
Workaround:
None
1577773-2 : Fix for ID1168157 does not work for some non-basic latin characters.
Links to More Info: BT1577773
Component: Application Security Manager
Symptoms:
Malformed JSON error occurs when few non-basic latin characters are in schema block after the fix for ID1168157.
Conditions:
Non basic Latin characters are found in the schema entry of OpenAPI file.
Fix for ID1168157 is included.
Impact:
The entity "JSON schema validation file" in security policy will not be created for "schema" entry that contain special ASCII characters.
1576593-2 : Unable to tcpdump on interface name with length = 64.
Links to More Info: BT1576593
Component: TMOS
Symptoms:
Users cannot perform tcpdump on a TMM interface with an exact maximum interface name length of 64.
Conditions:
The interface name length is equal to 64.
Impact:
Unable to perform tcpdump.
Workaround:
None
1576565-2 : Expect header is not forwarded to pool when PingAccess profile is applied to VS
Links to More Info: BT1576565
Component: Access Policy Manager
Symptoms:
When a PingAccess profile is added to a virtual HTTP, expect headers from clients are not forwarded to the HTTP server even though headers exist.
Conditions:
Basic PingAccess setup
Attach the ping pool to the PingAccess profile
PingAccess profile added to a virtual server
Restart the PingAccess plugin (it will cache lookups and the Expect header is only dropped for cache misses)
Bigstart restart ping_access_agent
Send an HTTP request with an Expect header, e.g.
curl --location --request POST https://10.10.10.88/ -H "Expect: 100-continue" -H "Foo: bar" -vk
Impact:
Since no HTTP 100 is received by the client, it causes connection retries and eventually times out not able to send requests further.
1573629-1 : wr_urldbd cloud lookup is not optimal using a connection
Component: Traffic Classification Engine
Symptoms:
The wr_urldbd cloud lookup is currently utilizing only one connection and that connection is not being used efficiently.
Conditions:
wr_urldbd does use the connection not efficiently.
Impact:
wr_urldbd does use the connection not efficiently.
Workaround:
none
1573601-2 : MCP query for fw_rule_stat takes ~23s to complete
Links to More Info: BT1573601
Component: Advanced Firewall Manager
Symptoms:
- On average mcpd takes more time to process large firewall rule stats ~20k, but sometimes it takes even longer.
- MCPD abruptly removes the LACPD connection causing LACPD to restart.
- Multiple MPCD query response exceeding messages and then lead to bcm core.
Ex: 010e0004:4: MCPD query response exceeding 60 seconds
Conditions:
More(~20k) firewall rules configured along with pccd.overlap.check enabled.
Impact:
MCPD response is slow for fw_rule_stat query and some protocols[LACPD] restarts abruptly and lead to bcm core.
Workaround:
Disable db pccd.overlap.check
1573593 : Sometimes GTM topology pool-member-traversal ignores matching topology records
Links to More Info: BT1573593
Component: Global Traffic Manager (DNS)
Symptoms:
When ldns and server subnet are in same subnet range, GTM topology pool-member-traversal ignores matching topology records.
Conditions:
Ldns and server subnet are in same subnet range
Impact:
GTM topology load balancing decision is impacted.
Workaround:
Restart mcpd.
1573577 : Insufficient input validation for object name fields in BIG-IP Management GUI
Links to More Info: BT1573577
Component: TMOS
Symptoms:
In certain situations, TMUI does not follow the best security practices.
Conditions:
Payload field accepts any input data under
System-> Crypto Offloading -> Crypto Server (Create)
Impact:
N/A
Workaround:
Specify valid data in the payload field.
1572545-2 : Upgrade from version 14.X to version 15.X may encounter problems with L2 forwarding for some of the flows.★
Links to More Info: BT1572545
Component: Local Traffic Manager
Symptoms:
L2 forwarding issues may be encountered for some flows. Due to this, there can be hinderances in the traffic flow towards server.
Conditions:
Flow 1:
Client(L3 Net1)--- (vg2)--> BIG-IP --(vg1)--> Gateway --(vg1)--> BIG-IP (again) --(vg2)--> server(L3 Net2)
1. Client and server are in same vlan but not in same subnet.
2. Gateway is in another vlan, it is the gateway for both client and server.
3. connection.vlankeyed is disabled.
4. After an upgrade from 14.X to 15.X, traffic returning from gateway towards the server is dropped
Flow 2:
Client --(VG1)--> BIG-IP --(nonVgVlan1)--> IPS --(nonVgVlan2)--> BIG-IP (again) --(VG2)--> Server
1. Client traffic over transparent vlan-group towards Server is intercepted by a standard virtual server and sent to IPS on a non-vlan-group vlan.
2. connection.vgl2transparent is enabled
3. When traffic is sent from BIG-IP to IPS, the destination MAC will be the MAC address of a server (ARL non local) and the source MAC is still the original client MAC which is breaking the returning traffic from IPS.
4. The expectation here is traffic leaving from BIG-IP to IPS should have BIG-IP nonVgVlan1 MAC address as source MAC.
Impact:
Traffic drop is observed when packets are sent towards server.
Workaround:
For this workaround, ensure "nw_l2_transparent license enabled".
1. For Flow 1, keep connection.vgl2transparent disabled and add the following config:
ltm virtual VG_transparent {
destination <SERVER>
ip-protocol tcp
l2-forward
mask 255.255.255.255
profiles {
fastL4 { }
}
rules {
t-nexthop
}
source 0.0.0.0/0
translate-address enabled
translate-port enabled
vlans {
vg2
}
vlans-enabled
}
ltm rule t-nexthop {
when CLIENT_ACCEPTED {
nexthop vg1 transparent
}
when SERVER_CONNECTED {
nexthop vg2 transparent
}
}
2. For Flow 2, keep connection.vgl2transparent disabled.
1572505-1 : BD crash with specific iRule
Links to More Info: BT1572505
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
With certain iRule
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
None
1571817-2 : FQDN pool member status down event is not synced to the peer device
Links to More Info: BT1571817
Component: TMOS
Symptoms:
The peer unit is showing an incorrect state for the pool member.
Conditions:
1. Create the FQDN pool and ensure that the state is 'up'.
2. Change the state to 'down' on the active device.
3. Synchronize the configuration while ensuring incremental synchronization.
4. Check the status of the pool on the active device and verify if the state is 'down'.
5. On the standby device, the status of the pool state is 'up'.
Impact:
The status of the pool members is incorrect.
Workaround:
None
1567173-2 : Http2 virtual server removes header with empty value on the server side
Component: Local Traffic Manager
Symptoms:
If the HTTP2 request from a client has a header with an empty value, this header is removed while forwarding the request to the server.
Conditions:
HTTP2 request with HTTP2 profile attached.
Impact:
Empty headers are not forwarded, which could cause traffic disruption if the empty headers are expected or needed.
Workaround:
No workaround.
1567013-2 : Pool member stats are not reported for 2 of 10 pool-members in MRF diameter pool
Links to More Info: BT1567013
Component: Local Traffic Manager
Symptoms:
A problem is noticed when previous connections to the pool member exist and a new pool member is added with the same IP address and port.
Due to this, the pool member (same IP and port) has no connections associated with it. If new connections are made to the new pool member, the stats will be non-zero
Conditions:
Pool members with long-lived connections are deleted after re-creating the pool member. Now the new pool member does not have any connections, so its stats will be zero until a new connection is made
Impact:
But the reason you are seeing empty stats is that the new pool member (same IP and port) has no connections associated with it. When new connections are made to the new pool member, the stats will be non-zero
Workaround:
If you do not want to lose the stats, it is recommended to avoid deleting pool members with outstanding connection(s) and consider disabling them instead.
1566921-2 : Client connection gets reset after upgrade to 17.1.1★
Links to More Info: BT1566921
Component: Anomaly Detection Services
Symptoms:
Client connection gets reset
Conditions:
iRule attached to virtual server with AVR::disbale
Impact:
Connection reset, request does not pass.
Workaround:
Remove AVR::disable iRule
1566893-2 : Config fails to load while upgrading from 14.0.x to 15.1.10.3★
Links to More Info: BT1566893
Component: Access Policy Manager
Symptoms:
A few category names and descriptions have updates from Forcepoint, and incorporating those changes in 15.1.10 triggered this upgrade failure.
Conditions:
Upgrade from the BIG-IP version where the latest category names were not present to the version where they exist with some additional configuration will fail the BIG-IP upgrade.
Impact:
After the upgrade, the configuration fails to load with one or more "In url-filter" errors.
01070734:3: Configuration error: In url-filter {}...
Workaround:
Remove the affected category names before attempting the BIG-IP upgrade.
1566721-2 : The SIP MRF virtual servers with mirroring enabled can lead to a connflow leak on standby
Links to More Info: BT1566721
Component: Service Provider
Symptoms:
There is a connflow memory leak on standby.
Conditions:
SIP MRF virtual servers with mirroring enabled
Impact:
TMM memory use will increase on the standby device.
Workaround:
None
1566269 : Cookie SameSite attribute is removed by sesstimeout.js
Links to More Info: BT1566269
Component: Access Policy Manager
Symptoms:
Observe samesite cookie is missing in Developer tools.
Conditions:
APM set SameSite attribute to F5_ST cookie, When enabled "Samesite option*".
* Access Profile > SSL Orchestrator/Auth Domains > Cookie options
Impact:
Samesite cookie is missing
Workaround:
None
1562833-2 : Qkview truncates log files without notification
Links to More Info: BT1562833
Component: TMOS
Symptoms:
When generating a qkview on a BIG-IP system via the GUI or command line:
-- Log files included in the qkview will be truncated if they exceed the maximum log file size.
-- Log file truncation occurs even with the "-s 0" command line option or "Unlimited snaplen" GUI checkbox, if the log file exceeds 100MB in size.
-- No user-visible notification is provided that log file truncation has occurred.
The "Unlimited snaplen" GUI checkbox does not actually remove the maximum log file size limit of 100MB. Selecting the "Unlimited snaplen" GUI checkbox limits the maximum log file size to 100MB. Log files larger than 100MB will still be truncated, even if the "Unlimited snaplen" checkbox is selected when generating a Support Snapshot from the GUI.
Conditions:
Log file truncation occurs if:
-- The log file exceeds 5MB in size and:
-- The qkview utility is launched from the command line without the "-s" option to specify a larger maximum file size, or a Support Snapshot is request from the GUI without selecting the "Unlimited snaplen" checkbox.
-- The log file exceeds 100MB in size and:
-- The qkview utility is launched from the command line with the "-s 0" option to specify a 100MB maximum file size, or a Support Snapshot is request from the GUI without selecting the "Unlimited snaplen" checkbox.
-- The log file exceeds the maximum file size specified by the "-s" option when running the qkview utility from the command line.
Impact:
Log files included in qkviews may be truncated unexpectedly without the user being aware.
If additional actions are not taken to create untruncated archives of affected log files, data required to diagnose BIG-IP issues may be permanently lost due to incomplete data in the qkview, and subsequent log rotation on the affected BIG-IP system.
Workaround:
To check whether a qkview file contains truncated log files, use the "tar" utility at a command line to check for files with "_truncated" appended to the file name.
For example:
tar -tf /var/tmp/my-test-qkview.qkview | grep truncated
var/log/DBDaemon-0.log_truncated
If the qkview file contains truncated log files, manually create a log file archive containing untruncated versions of the affected log files.
1561713-2 : BD total_max_mem is initialized with a low (default) value resulting in many issues with long request buffers and traffic failing
Component: Application Security Manager
Symptoms:
When BD starts it is assigned a very low value for total_max_mem
Conditions:
ASM provisioned
Impact:
This causes many connections to fail with ASM resetting them.
Workaround:
Monitor "var/log/ts/asm_start.log" for the "F5::ProcessHandler::start_bd,,bd exec line" and see the value for "total_umu_max_size".
If it is "768000" or there are other visible errors - restart asm on that device.
1561697-2 : Applying mutliple policies causes apmd to use a lot of CPU causes failure in sessiondb related operations
Component: Access Policy Manager
Symptoms:
When you apply multiple access policies, and if there are macros in VPE that expand to lot of Access policy Agents, then creation and initialization of those agents with recursive macro expansion will take more time and also cause 50% to 60% CPU usage by APMD process.
Now in this case if LDAP server, especially with pool members configured may lead to 100% CPU usage for more than 2 to 5 min. This is due to clearing of LDAP cache.
As LDAP servers pool members use loopback interface and also session db operations are done on same interface, this may lead to failure in session db set/get operations which ultimately leads to failures in OAuth Scope validation and other operations.
Conditions:
1. Applying an access policy that is for one or more policies, with more agents (around 3000 for example).
2. LDAP servers are configured and User sends new LDAP auth and query requests to APM at same time.
3. Session db operations should fail to see any unexpected failures like oauth scope validation failure.
Impact:
OAuth scope validation fails due to high CPU usage by APMD and Access policy is evaluated as failure and Basic auth headers are send to backend.
Workaround:
None
1561537-2 : SSL sending duplicate certificates
Component: Local Traffic Manager
Symptoms:
Duplicate certificates sent during the SSL handshake.
Conditions:
The chain contains the public certificate and both are configured in the client-ssl profile.
Impact:
BIG-IP on clientside SSL sends duplicate certificates during handshake to the client
Workaround:
Remove the public server certificate from the chain.
1561077-2 : Page gets redirected before Captcha is displayed
Component: Application Security Manager
Symptoms:
The blank frame Captcha is not displayed to the user.
Conditions:
-- The website is built with React
-- DoSL7 profile attached
-- ASM policy with blank frame Captcha is configured
Impact:
Blank frame Captcha is momentarily displayed and then dismissed and the user does not get a chance to solve the captcha.
Workaround:
None
1561069 : Initial policy sync of any address space fails
Links to More Info: BT1561069
Component: Access Policy Manager
Symptoms:
Error: 01b7010d:3: The APM resource network-access (/Common/na2) that is associated with the APM resource address-space (/Common/any-space) does not exist."
Conditions:
Initial policy sync with any address-space with "Use source configuration on target" enabled.
Impact:
Initial Policy sync fails.
Workaround:
None
1560853-2 : [GUI] error while updating the rewrite profile uri-rules name have both leading and trailing "/"
Links to More Info: BT1560853
Component: TMOS
Symptoms:
Error when updating rewrite profile.
Conditions:
Uri-rules name has both leading and trailing "/".
Impact:
Uri-rules for rewrite profile is not able to be updated through GUI.
Workaround:
Remove either leading or trailing "/" from uri-rules name.
1559961-2 : PVA FastL4 accelerated flows might not honor configured keep-alive-interval.
Links to More Info: BT1559961
Component: Local Traffic Manager
Symptoms:
PVA FastL4 accelerated flows may not honor configured keep-alive-interval.
Conditions:
The keep-alive-interval option is configured on the FastL4 profile.
Impact:
Some connections may be prematurely terminated.
1558869-2 : Tmsh generated config file which fails to load for VLAN specific non-default route-domain IPv6
Links to More Info: BT1558869
Component: Local Traffic Manager
Symptoms:
The configuration fails to load with an error:
Syntax Error:(/config/bigip_base.conf at line: 138) "fe80::1%vlan333%1/64" invalid address
Conditions:
Tmsh is used to create a non-default route-domain IPv6 for a VLAN, for example:
# tmsh create net self fe80:14d::1%1/64 vlan test
Impact:
The configuration fails to load.
Workaround:
None
1558857-1 : Pool command support functionality to be implemented in WS_REQUEST event
Links to More Info: BT1558857
Component: Local Traffic Manager
Symptoms:
We can create the following iRule in BIG-IP with the pool command. However, the iRule does not work as expected.
when WS_REQUEST {
log local0. "using myHttpOss2"
pool myHttpOss2
}
Conditions:
Create an iRule with a WS_REQUEST event and include pool command in it.
Impact:
It limits the user functionality, and they cannot write the irules according to their need.
Workaround:
Whatever is supported in HTTP_REQUEST should be supportable in WS_REQUEST also. Even though we cannot use the pool command in WS_REQUEST, the purpose can be achieved using the HTTP_REQUEST event.
1558581-1 : Host authority sub component not parsed properly
Links to More Info: BT1558581
Component: Application Security Manager
Symptoms:
URLs lacking a scheme are incorrectly parsed as paths rather than server addresses.
Conditions:
This occurs when the server URL is configured without the scheme.
Impact:
Misconfiguration of URLs leads to false positive blocks. The host authority is parsed as a path.
Workaround:
This behavior can be corrected by adding scheme
openapi: 3.0.0
info:
title: Sample API
version: 1.0.0
servers:
- url: https://beta.application-management-test.eset.systems/
paths:
/sample_endpoint:
get:
summary: Create a new entry
description: Endpoint to create a new entry with name, age, and date of birth.
responses:
'200':
description: Success response
'400':
description: Invalid request payload
1555525-1 : WCCP traffic may have its source port changed
Links to More Info: BT1555525
Component: Local Traffic Manager
Symptoms:
WCCP traffic may have its source port changed as it leaves the Linux host. This could cause WCCP sessions to not be established.
Conditions:
-- WCCP configured
-- BIG-IP Virtual Edition platform or r2000 or r4000 tenants.
Impact:
WCCP messages may not be successfully processed by the peer because the source port is not 2048.
Workaround:
Cat >> /config/tmm_init.tcl << EOF
proxy BIGSELF {
listen 0.0.0.0%\${rtdom_any} 2048 netmask 0.0.0.0 {
proto \$ipproto(udp)
srcport strict
idle_timeout 30
transparent
no_translate
no_arp
l2forward
tap enable all
protect
}
profile _bigself
}
EOF
bigstart restart tmm
1555461-2 : TCP filter is not setting packet priority on keep-alive tx packets
Links to More Info: BT1555461
Component: Local Traffic Manager
Symptoms:
When running traffic with multi-bladed environments, some of the TCP MPI backplane packets are not marked with a packet priority.
Conditions:
Any multi-bladed environment.
Impact:
TCP keepalive packets are not prioritized in the driver
Workaround:
None
1555437-2 : QUIC virtual server with drop in CLIENT_ACCEPTED crashes TMM
Links to More Info: BT1555437
Component: Local Traffic Manager
Symptoms:
TMM crashes on connection if the drop is executed in an iRule on CLIENT_ACCEPTED event.
Conditions:
If an iRule contains a drop that is executed on CLIENT_ACCEPTED or CLIENT_DATA on a virtual server supporting HTTP3 (QUIC/UDP) then TMM crashes.
Impact:
Traffic is disrupted while restarting TMM.
Workaround:
In iRule use FLOW_INIT as the event instead of CLIENT_ACCEPTED to call drop.
1555021-2 : Mysql error after roll forward upgrade when uploading base version's csv over upgraded version.★
Component: Application Security Manager
Symptoms:
Mysql error when loading 16.1.4 ucs over 16.1.5 system can be seen in asm log.
Conditions:
Loading of 16.1.4 ucs on itself - does not cause to any error and loading of 16.1.5 ucs on itself - does not cause to any error. Only loading of 16.1.4 ucs over 16.1.5 system - causes to above mysql error.
Impact:
A Foreign key constraint fails DCC.HSL_DATA_PROFILES.
Workaround:
None.
1554029-2 : HTML::disable not taking effect in HTTP_REQUEST event
Links to More Info: BT1554029
Component: Local Traffic Manager
Symptoms:
A HTML::disable inside an HTTP_REQUEST event will not take effect.
It does work for HTTP_RESPONSE.
Conditions:
When an HTML::disable is inside an HTTP_REQUEST.
Impact:
HTML::disable does not take effect
Workaround:
If possible. have the HTML::disable in the HTTP_RESPONSE.
1553761-2 : Incorrect packet statistics counting upon connection reject/closure.
Links to More Info: BT1553761
Component: Local Traffic Manager
Symptoms:
In rare circumstances, connection statistics might be inaccurate on the BIG-IP system.
Conditions:
Some of these conditions will make the problem more likely to happen:
- Flow abruptly torn down.
- iRule with drop command.
- iRule with reject command.
Impact:
Incorrect packet statistics are reported.
1553533-2 : Negative frame number might result in bd crash.
Links to More Info: BT1553533
Component: Application Security Manager
Symptoms:
Modifying ASM cookies like cookie prefix, suffix base and revision base might cause bd to crash.
Conditions:
See K54501322: Modifying ASM cookie names at https://my.f5.com/manage/s/article/K54501322
Change the ASM Cookie prefix name, revision base and suffix base as per the above article.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
1553169-2 : Parsing tcp payload using iRules can be inaccurate because of binary to string conversion
Links to More Info: BT1553169
Component: Local Traffic Manager
Symptoms:
When an iRule is used to parse tcp payload, the value returned as string can be inaccurate.
Conditions:
TCP payload is parsed using iRule.
Impact:
The iRule functionality may not work as expected, as the parsed data can be inaccurate.
Workaround:
None
1552705 : New subsession reads access_token from per-session policy instead of per-request policy.
Links to More Info: BT1552705
Component: Access Policy Manager
Symptoms:
When BIG-IP is configured with OAuth Agents both in per-session policy and per-request policy, OAuth Flow fails to execute successfully.
Conditions:
When new subsessions are created TMM fails to read the access token from subsession variables. Therefore, gets the old token from the main session, i.e. per-session policy.
Impact:
BIG-IP Administrator will not be able to configure BIG-IP as OAuth Client & RS with both per-session policy and per-request policy.
Workaround:
Use OAuth Agents only in the per-request policy, configure per-session policy with just empty allow.
1552441-2 : Error message for bot-signature update failure.
Component: Application Security Manager
Symptoms:
Currently there is no specific error message when bot-signature installation fail due to TMM memory pressure. In the event of the failure, user needs to plan restarting TMM as it may lead further issues.
Conditions:
Bot-signature update performed under TMM memory pressure.
Impact:
No clear error for the update failure, and subsequent unexpected system state.
Workaround:
Look for a message "notice MCP message handling failed" in the LTM log.
1550933-2 : Gtm virtual server query_all related SNMP query could get wrong result
Links to More Info: BT1550933
Component: TMOS
Symptoms:
Gtm virtual server query_all related SNMP query could get wrong result such as gtmVsNumber with log message such as:
Duplicate oid index found: bigip_gtm_vs.c:184
Conditions:
Similar gtm server and virtual server name combination
Impact:
SNMP query returns wrong results.
Workaround:
Use less similar virtual server names. If the virtual server name is long, ensure the string is different at the beginning of the virtual server name.
1550869-2 : Tmm leak on request-logging or response logging on FTP virtual server
Component: Local Traffic Manager
Symptoms:
Tmm memory leak is observed.
Conditions:
Either of these conditions:
-- An LTM profile with request-logging enabled
-- response-logging enabled on a virtual server supporting FTP
Impact:
A tmm memory leak occurs.
Workaround:
Disable request/response logging on the FTP virtual server.
1550737 : Error "Access encountered error: ERR_ARG" was logged repeatedly after an upgrade
Links to More Info: BT1550737
Component: Access Policy Manager
Symptoms:
Observed that this message appeared often in /var/log/apm. (approximately 150 times per second)
err tmm3[9072]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access_session.c, Function: access_session_ip_session_mapping_create_key, Line: 6701
err tmm3[9072]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access_session.c, Function: access_session_lookup_session_by_ip, Line: 6900
Conditions:
An internal software API call triggers the unexpected result.
Impact:
Logs may display the appearance of many issues, even if there are no behavioral anomalies.
The logs look alarming, but can be ignored if there is not an actual behavioral issue that needs to be analyzed.
Workaround:
Disable db variable \"Tmm.Access.ExtendedLog\"
# setdb Tmm.Access.ExtendedLog disable
# getdb Tmm.Access.ExtendedLog
disable
When DB variable is set to disable, these logs are filtered.
1549661-2 : Logs sent to syslog-ng on VIPRION devices utilize truncated hostname instead of FQDN
Links to More Info: BT1549661
Component: TMOS
Symptoms:
Log messages sent to syslog-ng process, most commonly within /var/log/messages with a message such as the following:
slot1/bigip1 notice syslog-ng[2357]: Configuration reload request received, reloading configuration;
Conditions:
-- VIPRION device (either multi-bladed or single-slot) being utilized
-- Hostname contains a period and the log truncates it at the first period.
Impact:
The syslog-ng log messages on VIPRION devices contain truncated hostnames instead of using the complete FQDN.
Workaround:
None
1549429 : Google-InspectionTool classified as Suspicious Browser.
Links to More Info: BT1549429
Component: Application Security Manager
Symptoms:
Google-InspectionTool classified as Suspicious Browser in the 16.1.4 version.
Conditions:
Create a Bot profile and send a request with "Google-InspectionTool" from a linux client.
curl http://<VS>/index.html -H 'User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.216 Mobile Safari/537.36 (compatible; Google-InspectionTool/1.0;)' -H 'X-Forwarded-For: 66.249.79.236' -H 'Host: mpt.gob.es' -H 'AMP-Cache-Transform: google;v="1 ..2"'
Impact:
Valid request is getting blocked.
Workaround:
Can create a custom bot signature.
1549397-2 : Pool member from statically-configured node deleted along with ephemeral pool member using same IP address
Links to More Info: BT1549397
Component: Local Traffic Manager
Symptoms:
If an LTM pool is created containing both FQDN and statically-configured pool members using different port numbers, and the FQDN name resolves to the same IP address as the statically-configured node, if the FQDN name no longer resolves to that IP address, the statically-configured pool member may be deleted along with the ephemeral pool member with the same IP address.
In this configuration, the pool in question may be found to contain:
-- a statically-configured (not ephemeral) pool member referencing the statically-configured node
-- an ephemeral pool member with the same node name and IP address as the statically-configured node
Both pool members have the same node name and IP address, since only one node can exist for a given IP address. This prevents a separate ephemeral node from being created with the same IP address as the statically-configured node, forcing both pool members to reference the same statically-configured node with the given IP address.
Conditions:
-- The LTM pool contains both FQDN pool members and pool members referencing statically-configured nodes.
-- The FQDN and statically-configured pool members use different port numbers.
-- The FQDN name resolves to one or more IP addresses that match the statically-configured node.
-- The DNS server subsequently no longer resolves the FQDN name to that IP address.
Impact:
Pool members may be deleted unexpectedly when DNS records/name resolution changes.
Workaround:
To work around this issue:
-- Use the same port number for both statically-configured pool members and FQDN pool members.
-- Add the statically-configured pool member(s) to the pool before adding any FQDN pool members which resolve to the same IP address(es).
1538285-2 : BIG-IP splits the PUBLISH message when the MQTT profile is applied
Component: Local Traffic Manager
Symptoms:
When the PUBLISH message is sent from a client, BIG-IP splits the message and forwards it in two packets down the chain.
Conditions:
Basic Virtual Server with MQTT profile applied.
Impact:
Even small messages are fragmented and reorganization cannot be implemented well by some applications. Thus, MQTT messages cannot be read.
Workaround:
None
1538241-2 : HTTP may not forward POST with large headers and parking HTTP_REQUEST_RELEASE iRule
Links to More Info: BT1538241
Component: Local Traffic Manager
Symptoms:
The request is not immediately forwarded to the server. It may be forwarded if the server closes the connection.
Conditions:
Under certain scenarios, the HTTP virtual server with the below iRule attached may not forward HTTP POST requests with large headers:
HTTP_REQUEST_RELEASE {
HTTP::header replace Authorization [string repeat x 4096]
after 1
}
Impact:
HTTP POST request is not forwarded to the server side within 60 seconds, resulting in connection issues.
Workaround:
A possible workaround is to move the processing from HTTP_REQUEST_RELEASE to HTTP_REQUEST_SEND.
Note: However, this workaround can be highly dependent on what actions are performed in the iRules involved.
1519001-2 : After a crash, tmm may experience memory corruption
Links to More Info: BT1519001
Component: Local Traffic Manager
Symptoms:
On an F5OS tenant on affected platforms, if tmm does not stop gracefully - meaning it crashed or was killed, it may experience memory corruption when it starts again, leading to another crash.
Conditions:
-- F5OS tenant on a VELOS system or an r5000, r10000, or r12000-series appliance.
-- Tmm does not shut down gracefully
r4000 and r2000 series appliances are not affected.
Impact:
Tmm may crash again when it starts up. Traffic disrupted while tmm restarts.
Workaround:
Reboot the tenant, or if tmm is able to start, shut down tmm gracefully and restart.
1517469-2 : Database monitor daemon process memory and CPU consumption increases over time
Links to More Info: BT1517469
Component: Local Traffic Manager
Symptoms:
When monitoring pool members using the LTM or GTM mssql (Microsoft SQL Server) monitor, memory and CPU consumption by the database monitor daemon (DBDaemon) process may increase over time.
The increase in memory consumption by the DBDaemon process may be gradual and relatively steady over a long period of time, until memory consumption nears an RSS size of approximately 150MB. At that point, CPU consumption may start increasing rapidly. These increases may continue until the DBDaemon process restarts, restoring normal memory and CPU consumption until the cycle begins again.
Conditions:
This issue may occur when using the mssql (Microsoft SQL Server) monitor to monitor LTM or GTM pools/members. BIG-IP versions affected by this issue use the MS SQL JDBC (Java DataBase Connectivity) driver v6.4.0 to enable the DBDaemon process to connect to Microsoft SQL Server databases. This issue is not observed with other database types, which use different vendor-specific JDBC drivers, or with more current versions of the MS SQL JDBC driver.
The time required for memory and CPU consumption to reach critical levels depends on the number of pool members being monitored, the probe interval for the configured mssql monitors, and whether the mssql monitors are configured to perform a database query (checking the results against a configured recv string) or to make a simple TCP connection with no query (send & recv strings) configured.
In one example, a configuration with 600 monitored pool members with a mix of monitors with and without queries and an probe interval of 10 seconds was observed to reach critical memory and CPU consumption levels and restart to recover after approximately 24 hours of continuous operation.
To view the memory and CPU usage for the DBDaemon process as recorded over time in tmstats tables, use the following commands.
-- To obtain the Process ID (PID) of the DBDaemon process, observe the numeric first element of the output of the following command:
"ps ax | grep -v grep | grep DB_monitor"
-- To view memory and cpu usage for the DBDaemon process, use the PID obtained from the above command in the following command:
"tmctl -D /shared/tmstat/snapshots/blade0/ -s time,cpu_usage_5mins,rss,vsize,pid proc_pid_stat pid=pid_from_above_command"
The output of the above command will display statistics at one-hour intervals for the preceding 24 hours, then statistics at 24-hour intervals for prior days.
The "cpu_usage_5mins" and "rss" columns display, respectively, the CPU and resident memory usage for the specified DBDaemon process. Gradual increases in "rss" to a critical upper limit near 150MB, and sharp increases in CPU usage as this critical upper memory limit is reached, are indications that this problem is occurring.
Impact:
As more objects remain in memory in the DBDaemon process, database monitor query operations may complete more slowly, which may cause pool members to be marked Down incorrectly.
As memory and CPU consumption reach critical levels, more pool members may be marked Down.
While the DBDaemon process restarts, all pool members monitored by database monitors (mssql, mysql, oracle, postgresql) may be marked Down until the restart is complete and normal operation resumes
Workaround:
To prevent memory and CPU consumption from reaching critical levels, you can manually restart the DBDaemon process at a time of your choosing (e.g., during a scheduled maintenance window).
1510477-2 : RD rule containing zones does not match expected traffic on the Network firewall policy
Links to More Info: BT1510477
Component: Advanced Firewall Manager
Symptoms:
The ICMP packets are dropped based on the default match rule, instead of the RD rule match.
Conditions:
ICMP firewall policies created with Zone include Route Domain (RD) with two or more VLANs in the created Zone.
Impact:
The ICMP packets are dropped based on the default match rule instead of using the RD rule match to drop.
Workaround:
None
1505137 : While provisioning both ASM and AFM modules, getting configuration error in DoS Profile with Accelerated signature/TLS signature and Http allow list is enabled.
Links to More Info: BT1505137
Component: Application Security Manager
Symptoms:
Getting error when overriding default in Http allow list. But, able to update config, successfully, when "Use default" is used in the Http allow list.
Conditions:
ASM and AFM modules configured. Try to configure Http allow list with "Use default" option. Able to update the config successfully without any error, which is not expected.
Impact:
Confusion occurs whether to enable Accelerated signature, TLS signature and HTTP allow list, together.
Workaround:
None
1505081-2 : Each device in the HA pair is showing different log messages when a pool member is forced offline
Links to More Info: BT1505081
Component: Local Traffic Manager
Symptoms:
On an HA pair, if a pool member is forced offline, different log messages related to the pool member's previous monitor status are seen on the active and standby devices.
Conditions:
On an HA pair, force a pool member offline.
Impact:
A potentially confusing log message occurs.
The Active device may display "[ was forced down for 0hr:2mins:28sec ]"
The Standby device may display "[ was up for 0hr:2mins:14sec ]".
No other functional impact.
Workaround:
None.
1498361-3 : Custom HTTP::respond does not fire as part of custom connect-error-message in HTTP explicit proxy profile.
Links to More Info: BT1498361
Component: Local Traffic Manager
Symptoms:
HTTP::respond does not fire when custom error message is configured in http explicit proxy config.
Conditions:
1. In http explicit proxy config, configure custom error message using 'HTTP::respond'.
2. Setup virtual server with backend server which sends a reset when connected. It can also be another BIG-IP with iRule.
3. From a client, try to access the backend server.
4. Server sends a reset.
Impact:
The custom error message configured in the explicit proxy config is not relayed back to client and the actual response from backend server is repeated.
Workaround:
None
1497989-2 : Community list might get truncated
Links to More Info: BT1497989
Component: TMOS
Symptoms:
When using route-map to delete communities, the resulting community list might not be correct.
Conditions:
Deleting community statements from the community list using route-map.
Impact:
When using route-map to delete communities the resulting community list might not be correct.
Workaround:
None
1497665-2 : Certain urldb glob-match patterns are now slower to match
Links to More Info: BT1497665
Component: SSL Orchestrator
Symptoms:
The BIG-IP system has CPU usage and fewer supported open connections.
Conditions:
- Thousands of glob-match patterns in the url-db.
- iRule that uses the CATEGORY::lookup command.
- Patterns are of the following forms:
\*://blah.com
\*://blah.com/
\*://blah.foo.com/\*
\*://\*.bar.com
Impact:
BIG-IP cannot support as many connections as it should be able to.
Workaround:
Use patterns like this:
http\*://blah.com
http\*://blah.com/
http\*://blah.foo.com/\*
http\*://\*.bar.com
1497633-2 : TMC incorrectly set /32 mask for virtual-address 0.0.0.0/0 when attached to a VS
Links to More Info: BT1497633
Component: Local Traffic Manager
Symptoms:
When a 0.0.0.0/0 virtual-address created by a wildcard virtual server and a Traffic-Matching-Criteria (TMC) is attached to it, the mask for the 0.0.0.0 virtual address will be incorrectly modified.
Conditions:
Create a wildcard Virtual server with virtual address 0.0.0.0/0.
Attach a Traffic-Matching-Criteria with destination and source addresses as 0.0.0.0/0.
Impact:
The virtual server's address is advertised with an incorrect mask of /32, making the redistributed route via ZebOS ineffective.
1497369-2 : HTTP::respond will not always be executed when rate limit on all pool members is reached.
Component: Local Traffic Manager
Symptoms:
HTTP::respond will not always be executed when the rate limit on all pool member is reached.
Conditions:
When the rate limit is reached on all pool members, LB_FAILED does not get called. If any HTTP::respond is in that rule to generate a redirect, it will not be invoked.
Impact:
LB_FAILED not executed when all pool member rate limit have been reached.
Workaround:
If only a 302 redirect is what is needed, then configure a fallback-host in the ltm-profile. The iRule event is triggered when a fallback host exists.
If a 301 redirect is needed, then there are no workaround.
1496841 : CRLDP Lookup fails for lower update-interval value
Links to More Info: BT1496841
Component: Access Policy Manager
Symptoms:
When BIG-IP is configured with CRLDP authentication and the 'update-interval' is set to as low as '5 seconds' CRLDP lookup fails for few requests.
Conditions:
'update-interval' value is set to as low as '5 seconds'
Impact:
BIG-IP fails to perform CRLDP Lookup for every 'update-interval' seconds.
Workaround:
Setting the 'update-interval' to '0' or days ( in seconds ) could resolve this issue.
1496353-2 : Violation details for "HTTP protocol compliance failed - Multiple host headers" violation are not available in the event log
Component: Application Security Manager
Symptoms:
Violation details are missing under the "HTTP protocol compliance failed - Multiple host headers" violation in the event log.
Conditions:
When the "HTTP protocol compliance failed - Multiple host headers" violation is triggered.
Impact:
Incomplete information is displayed for the violation "HTTP protocol compliance failed - Multiple host headers"
Workaround:
None.
1496313-2 : Use of XLAT:: iRule command can lead to the TMM crash
Component: Carrier-Grade NAT
Symptoms:
The XLAT:: iRule command family can under certain circumstances lead to the TMM crash
Conditions:
XLAT:: iRule commands at play
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use XLAT:: iRule commands
1496205-3 : Static CNAME pool members may get deleted when corresponding WideIPs are deleted
Links to More Info: BT1496205
Component: Global Traffic Manager (DNS)
Symptoms:
A static CNAME pool member is deleted.
Conditions:
A corresponding wideip with the same name is deleted, if that wideip was created after the static cname pool member was created.
Impact:
Static CNAME pool member is incorrectly deleted.
Workaround:
Create the wideip first.
1494397-3 : Virtual wire is not working on r5000 and r10000 platform, traffic is not forwarded on correct egress
Component: Local Traffic Manager
Symptoms:
The virtual wire feature on the r5000 and r10000 platforms is not working.
Traffic is getting into the tenant through ingress but not forwarded on correct egress or server-side r5000 or r10000 interface.
Conditions:
1. Configure virtual wire on r5000 or r10000 appliance.
2. Configure the tenant and attach a VLAN and virtual wire to a tenant.
3. Send icmp traffic from client to server.
Impact:
The virtual wire will not work on the r5000 or r10000 platform.
Workaround:
None
1494281 : "XML data does not comply with schema or WSDL document" violation always points to the last Attribute name
Links to More Info: BT1494281
Component: Application Security Manager
Symptoms:
"XML data does not comply with schema or WSDL document" violation buffer always points to the last Attribute name.
Conditions:
Element tag has more than 1 Attribute:
<xs:element name="Content">
<xs:complexType>
<xs:sequence>
<xs:element name="Message" type="xs:string" />
</xs:sequence>
<xs:attribute name="Type" type="xs:string" use="required" />
<xs:attribute name="case" type="xs:string" use="required" />
</xs:complexType>
</xs:element>
Impact:
Wrong violation data buffer is seen in the GUI, when the violation may have been triggered on a different attribute.
Workaround:
None
1494217-2 : Server response does not pass through after replacing the profile.
Links to More Info: BT1494217
Component: Local Traffic Manager
Symptoms:
When a virtual server with a profile of an idle-timeout set to "immediate" is replaced with another profile with an idle-timeout set to a non-zero value, the server response traffic is not passed to the client.
Conditions:
-- Virtual server with tcp/udp profile.
-- the idle-timeout parameter is set to immediate.
-- The fastL4 profile is replaced with another fastL4 profile
-- the idle-timeout parameter is set to a non-zero value
Impact:
Clients do not receive responses from the server.
Workaround:
None
1493869-2 : 'Duplicate OID index found' warning observed while running snmpwalk for F5-BIGIP-SYSTEM-MIB::sysProcPidStatProcName periodically
Links to More Info: BT1493869
Component: TMOS
Symptoms:
Certain processes failed to get monitored during the snmpwalk due to duplicate OID index.
Conditions:
Run snmp walk for F5-BIGIP-SYSTEM-MIB::sysProcPidStatProcName periodically
#snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.12.1.2.1.2
Impact:
A list of processes cannot be reliably retrieved using F5-BIGIP-SYSTEM-MIB::sysProcPidStatProcName
1492769-2 : SPVA stats-related may cause memory leak
Links to More Info: BT1492769
Component: Local Traffic Manager
Symptoms:
On specific platforms using EPVA HSB with SPVA stats involved, memory leaks might be observed.
Conditions:
Specific to this platform when SPVA statistics are involved.
Impact:
Memory is slowly running out
Workaround:
None
1492337-2 : TMM fails to start up using Xnet-DPDK-virtio due to out of bounds MTU
Links to More Info: BT1492337
Component: TMOS
Symptoms:
TMM goes into a restart loop and fails to start with an error message that the MTU is out of bounds
Log message:
notice virtio_mtu_set(): MTU should be between 68 and 1500
Conditions:
- Using Xnet-DPDK-virtio driver
- NIC is configured to have an MTU less than NDAL's configured MTU. By default, this is an MTU < 9198
Impact:
TMM goes into a restart loop and fails to start
Workaround:
Create /config/tmm_init.tcl with the following entry
ndal mtu <value> 1af4:1041
Replacing <value> with the corresponding value in the following log line in /var/log/tmm
notice virtio_mtu_set(): MTU should be between 68 and <value>
1490977-3 : Websense URLDB download fails with IPv6 sys DNS
Links to More Info: BT1490977
Component: Access Policy Manager
Symptoms:
The urldbmgrd fails to download the database and logs the below errors:
THREAD: D128E700; ERROR; Could not resolve m_downloadServer: download.websense.com.
THREAD: D128E700; ERROR; WsHttpClientConnect: Failed to resolve host address.
THREAD: D128E700; ERROR; DDSCommDownloadDatabase: WsHttpClientConnect failed: 4
Conditions:
IPv6 sys DNS is configured
Impact:
Urldb download fails.
Workaround:
If possible, change the DNS resolver to IPv4.
1490861-2 : "Virtual Server (/Common/xxx yyy)" was not found" error while deleting a virtual server in GTM
Links to More Info: BT1490861
Component: TMOS
Symptoms:
When attempting to delete a virtual server in GTM, mcpd throws an error falsely indicating that the requested virtual server was not found, even though the virtual server has been deleted successfully.
Conditions:
Virtual servers are deleted from both TMUI and TMSH.
Impact:
The virtual server has been deleted but the log message incorrectly indicates there was an error. The log message can be ignored.
Workaround:
None
1489817-2 : Fix crash due to number of VLANs
Links to More Info: BT1489817
Component: TMOS
Symptoms:
TMM crashes.
Conditions:
- xnet-iavf driver
- Number of VLANs for a given interface >=128
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Reduce the number of VLANs to <128
1482769-2 : JSON schema failing after upgrade to 15.1.10.2★
Links to More Info: BT1482769
Component: Application Security Manager
Symptoms:
A violation occurs with "JSON data does not comply with JSON schema"
Issue is caused as a regression of ID 1295009 and 1305157
Conditions:
This occurs when using a JSON profile
Impact:
Requests are getting blocked with violation "JSON data does not comply with JSON schema".
Workaround:
None
1481969-3 : In-tmm monitor marks all pool members down suddenly
Links to More Info: BT1481969
Component: In-tmm monitors
Symptoms:
- Logs similar to the following are observed in /var/log/ltm with no entry stating that bigd was restarted
Monitor Agent TMM 0: channel connection closed
Monitor Agent TMM 0: channel connection opened
Monitor Agent TMM 0: channel authenticated
- Probes to nodes are not sent from tmm
- Pool is marked as down
Conditions:
- in-tmm monitors are enabled
Specific conditions are not known at this time
Impact:
All pool members are marked as down suddenly
Workaround:
None
1481929-2 : Possible TMM crash on a race of BADOS and DOSL7 mitigations
Links to More Info: BT1481929
Component: Anomaly Detection Services
Symptoms:
TMM crash
Conditions:
Configured BADOS with DOSL7/Bot protection.
The attack is handled by BADOS and DOSL7 blocks as well.
Impact:
TMM crash
1481889-2 : High CPU utilization or crash when CACHE_REQUEST iRule parks.
Links to More Info: BT1481889
Component: Local Traffic Manager
Symptoms:
When CACHE_REQUEST iRule parks, upon resumption the Ramcache filter erroneously stays in CACHE_INIT state resulting in processing of the request twice, subsequently causing high CPU or a crash when an invalid address is encountered.
Conditions:
- HTTP Virtual server
- httpcompression profile
- optimized-caching profile
- CACHE_REQUEST iRule with ms delay
- Multiple attempts to request a compressed doc
Impact:
- High CPU on boxes with 4G of valid memory after the key is hashed - on smaller boxes, will crash when an invalid address is encountered.
Workaround:
- Removal of CACHE_REQUEST iRule if avoidable
1475041-2 : Token is getting deleted in 10 mins instead of 20 minutes.
Links to More Info: BT1475041
Component: TMOS
Symptoms:
- Tokens in var/run/pamcache are getting deleted before the expected time.
- csync is creating the issue by deleting token from /run/pamcache before the expiry period of token.
- restjavad/mcpd is working fine, as expected.
Conditions:
- VIPRION device must be used.
- token must be created under /var/run/pamcache
- after token creation, check every 10 minutes if the token is available or not.
Impact:
- Token is getting deleted in 10 minutes instead of 20 minutes.
Workaround:
N/A
1474749-1 : ASM policy IP Address Exceptions list entry shows incorrect route_domain
Component: Application Security Manager
Symptoms:
While creating an ASM policy's IP Address Exceptions list entry with a non-default route domain (not "0"), it is unexpectedly stored with the default route domain "0".
Conditions:
- ASM policy created under partition with route domain other than "0".
Impact:
IP Address Exceptions list may not work as expected for partitions with route domain other than "0".
Workaround:
None
1474401-2 : [HA failover resulting in connections on new Active not being maintained via mirroring on Standby]
Component: Service Provider
Symptoms:
When failover occurs through software, it leaves the connections on the active device still running. This is causing the current new active to continue to operate and retain previous connections. The previous active is still generating watchdog messages on the previous active connection, thus keeping it alive. This connection is from a different HA generation and is not part of a mirroring relationship. When failing over again via software, these previous connections are causing trouble.
Conditions:
Need a HA pair and connections have to be alive on both Active and standby.
Impact:
The old connections can create unwanted traffic concerning watchdog messages.
1474125-2 : iControl LX extension packages wrongly tagged as "IAPP" when synced to the HA peer unit
Links to More Info: BT1474125
Component: Device Management
Symptoms:
The HA unit where the iControl LX extension package is synced to tags it as IAPP.
Conditions:
iControl LX extension package is installed on the active device of a BIG-IP HA pair
Impact:
You are unable to differentiate installed iControl LX extension packages from virtual server iApps LX packages on the standby BIG-IP GUI.
Workaround:
None
1473913-2 : Proxy Connections drop due to wrong counting
Component: Local Traffic Manager
Symptoms:
Proxy Connections are dropped. The reset cause in a package capture indicates "F5RST: Not connected"
Conditions:
Can happen during a DOS attack with standard mitigation mode enabled.
Impact:
Random connections are dropped
Workaround:
Use conservative mitigation mode.
1472589 : Support for disabling ACCESS for OAuth-RS Profile Type virtual server
Links to More Info: BT1472589
Component: Access Policy Manager
Symptoms:
You are unable to disable ACCESS logic for a virtual server with the Profile-Type 'OAuth-Resource Server'
Conditions:
Virtual Server with 'OAuth-Resource server' profile type checks for Authorization header, preflight requests do not have such header so get 400 Bad request in return.
Impact:
You will not be able to disable ACCESS logic for virtual server with Profile-Type 'OAuth-Resource Server'
Workaround:
Configure another virtual server with Profile-Type 'All' and redirect the specific (i.e pre-flight) requests to that VS.
Attach below irule on existing VS,
when HTTP_REQUEST {
set auth_token "abcasdfasdfnaskzfiajsfhasikasigiashdfnaksjdnkasdfnkajnsdkjfnaksjdnfanskdfnkas";
set original_headers [HTTP::header "Authorization"]
if { $original_headers eq "" } {
HTTP::header insert "Authorization" "Bearer $auth_token"
log local0. "new irule redirect event"
HTTP::redirect "http://10.103.119.36/"
} else {
HTTP::header replace "Authorization" "Bearer $auth_token"
}
}
1471681 : SELinux module 'nfast' is missing after an upgrade.★
Links to More Info: BT1471681
Component: TMOS
Symptoms:
After an upgrade, you can see:
# semodule --list-modules=full | grep nfast
'nfast' module is missing.
Conditions:
The issue is caused by the upgrade of BIG-IP software. Before upgrade 'nfast' module is there, after upgrade the module is missing.
Impact:
The only implication of missing 'nfast' module is failing Luna client software upgrade.
Workaround:
As a workaround, you can reinstall semodule after upgrade:
semodule -i /shared/nfast/scripts/lib/nfast.pp
It would also make installation of nShield software possible.
1470085 : MDM has wrong links for Microsoft GCC High and DoD environments
Links to More Info: BT1470085
Component: Access Policy Manager
Symptoms:
When making a POST request to "login.microsoftonline.us," a resource POST parameter contains a URL for "api.manage.microsoft.com" instead of the expected "api.manage.microsoft.us".
Conditions:
MDM with GCC High/DoD Environments.
Impact:
Endpoint inspection fails.
Workaround:
None
1469897-3 : Memory leak is observed in IMI when it is invoked via icall script
Links to More Info: BT1469897
Component: TMOS
Symptoms:
IMI(part of ZebOS routing) might leak memory when executed via iCall script
Conditions:
iCall script invoking IMI, for example listing dynamic routing configuration.
Impact:
Memory leak leading to a process crash.
1469889-2 : URI should not raise violation when the SSRF violation is turned off
Component: Application Security Manager
Symptoms:
SSRF violation should not be raised when the URI parameter is enabled and SSRF learning and blocking settings are disabled.
Conditions:
Disable SSRF learning and blocking settings
Impact:
URI is raising a violation when the SSRF violation is turned off
Workaround:
NA
1469337-1 : iRule cycle count statistics may be incorrect
Links to More Info: BT1469337
Component: Local Traffic Manager
Symptoms:
The iRule CPU cycle information for long-running LTM iRules might be misreported.
Conditions:
An iRule runs for a long time. The length of time depends on the processor, but typically for more than a second.
Impact:
The CPU cycle information reported for an iRule event could be misreported.
Workaround:
None
1469229-2 : Enabling ssh-rsa and ecdsa keys support to switch between slots
Links to More Info: BT1469229
Component: TMOS
Symptoms:
In FIPS mode ssh-rsa key is not supported for switching between slots in clustered environment.
Conditions:
When FIPS mode is enabled only ecdsa key will be supported to switch between slots.
Impact:
Unable to switch slots in FIPS mode
1469221-1 : SSH access issues due to line wrapping in known_hosts file
Links to More Info: BT1469221
Component: TMOS
Symptoms:
Line wrapping in the known_hosts file introduced the incorrect whitespace in /config/ssh/ssh_known_hosts (generated by /etc/sysconfig/sshd-functions) this makes known_hosts entry non-functional because the contents of the file are space delimited.
Conditions:
-- SSHD configuration is modified to specify MaxAuthTries to a value of 3 or lower (the default value for MaxAuthTries is 6).
Impact:
Unable to SSH from one blade to another in a VIPRION or clustered vCMP guest or VELOS tenant, e.g. "ssh 127.3.0.whatever" or "ssh slot2".
Unable to SSH to localhost, e.g. "ssh localhost".
Workaround:
Do not specify a lower-than-default value for MaxAuthTries in the SSHD configuration.
1468769-2 : Signature Compile error for bot-signature emitted in asm control plane
Component: Application Security Manager
Symptoms:
After creating an user-defined bot-signature with a certain way, there will be an error emitted in asm control plane.
ASM subsystem error (asm_config_server.pl,F5::NegativeSignatures::Collection::Compiler::get_compiled_collection): Failed to compile rule "__SOME_RULE_HERE__" for signature id 3187068479 -- skipping
Conditions:
Create an user-defined bot-signature with a semi-colon and a space
Impact:
The rule may not be identified as expected.
Workaround:
None
1468473-3 : Statistics for DNS validating resolver not showing properly for Client hits and misses
Links to More Info: BT1468473
Component: Global Traffic Manager (DNS)
Symptoms:
Statistics are not shown properly for Client hits and misses.
Conditions:
DNS validating resolver.
Impact:
Statistics are not shown properly.
Workaround:
None
1466325-2 : Live Update installation window does not disappear when an installation error occurs
Links to More Info: BT1466325
Component: Application Security Manager
Symptoms:
If a Live Update fails to install, attempting to re-install may result in a loading window that does not disappear.
Conditions:
-- Any type of Live Update (e.g. Bot Signatures) encounters an error
-- Attempt to re-install the file(System ›› Software Management : Live Update page)
Impact:
The live update window does not close and it is not possible to determine if the live update was successful.
Workaround:
Reload the page.
1465621-2 : Destination and Service fields are empty on virtual server Security policies tab
Links to More Info: BT1465621
Component: Advanced Firewall Manager
Symptoms:
Unable to access Virtual Server (Policies).
To access the Policies tab, the db afm.allowtmcvirtuals value must be set to true, the default value is set to false.
After the value change, the Destination and Service values are fetching default values instead of configured one.
No Functional Impact and only GUI issue.
Conditions:
- Create VS
- Create a Port list and add to the VS
Impact:
No Functional Impact and only GUI issue.
Workaround:
None
1464201-3 : GTM rule created with wildcard * from GUI results in configuration load error
Links to More Info: BT1464201
Component: Global Traffic Manager (DNS)
Symptoms:
GTM configuration load with error similar to the following:
Syntax Error:(/config/bigip_gtm.conf at line: 4) the "create" command does not accept wildcard configuration identifiers
Conditions:
Create GTM rule with name having wildcard
Impact:
GTM configuration fails to load.
Workaround:
None
1462421-2 : PVA connections are not re-accelerated after a failover.
Links to More Info: BT1462421
Component: TMOS
Symptoms:
After a failover, not all PVA-accelerated flows are accelerated on the new peer.
Conditions:
-- PVA acceleration enabled
-- Connection mirroring
Impact:
No PVA acceleration for mirrored flows on the newly active unit.
Workaround:
Delete the affected flows and then cause them to be re-created. Disable HA mirroring.
1462337-2 : Intermittent false PSU status (not present) through SNMP
Links to More Info: BT1462337
Component: TMOS
Symptoms:
PSU status displays as (2) Not Present through SNMP.
Conditions:
Unknown conditions
Impact:
False alarm in SNMP monitoring.
Workaround:
None
1455953-2 : The iRule "string first" command might fail to find the search string
Links to More Info: BT1455953
Component: Local Traffic Manager
Symptoms:
String first fails to find the search string or returns an incorrect location.
Conditions:
The "string first" command is being used in an iRule.
The string being searched contains binary or Unicode data.
A non-zero start index is provided.
For example:
set needle "needle"
set haystack "my\u2022data\xc2with needle"
set location [string first $needle $haystack 1]
This will result in the location being set to "-1".
Additionally,
set location [string first $needle $haystack 2]
will set the location to the incorrect location.
Impact:
Unexpected iRule behavior with some inputs.
Workaround:
None
1455781-2 : Virtual to virtual SNAT might fail to work after an upgrade.
Links to More Info: BT1455781
Component: Local Traffic Manager
Symptoms:
Virtual to virtual SNAT might fail to work after an upgrade.
Conditions:
- Virtual-to-virtual configuration (chaining) with SNAT applied on the first virtual.
- The SNAT pool members are not reachable via any route entry.
Impact:
SNAT is not applied on the first virtual, which might lead to connection failures.
Workaround:
Add any route towards SNAT pool members, and re-create the SNAT pool.
1447389-3 : Dag context may not match the current cluster state
Links to More Info: BT1447389
Component: TMOS
Symptoms:
When the cluster state changes during synchronization of dag context in a HA pair, dag context may not match the current cluster state.
This is a rare-occurance problem and happens
only during frequent updates of the cluster state.
Conditions:
- HA pair is configured, the system role is the next-active
- The cluster state changes during the synchronization of the dag state.
Impact:
- one blade is not present in the dag context
Workaround:
Restart TMM
1440409-3 : TMM might crash or leak memory with certain logging configurations
Links to More Info: BT1440409
Component: Local Traffic Manager
Symptoms:
TMM might crash or leak memory with certain logging configurations.
Conditions:
Virtual-to-virtual chaining is used for handling syslog messages.
Impact:
Memory leak or Crash.
Workaround:
None
1436221-2 : Modify b.root-servers.net IPv4 address to 170.247.170.2 and IPv6 address to 2801:1b8:10::b
Component: Global Traffic Manager (DNS)
Symptoms:
USC/ISI, which operates b.root-servers.net, renumbered the IPv4 and IPv6 addresses on November 27, 2023. The current IPv4 address is 170.247.170.2, and the current IPv6 address is 2801:1b8:10::b. USC/ISI continues to support the root service over the current IPv4 and IPv6 addresses until November 27, 2024,(one year). This enables a stable transition while new root hints files are distributed in software and operating system packages.
Conditions:
Several profiles include the b.root-servers.net
Impact:
As USC/ISI supports the current IPv4 and IPv6 addresses for a minimum of one year (November 27, 2024), there is minimal impact. A single timeout for pending TLD queries can occur when accessing an old IP address using round-robin. Normally, the hint's TTL which is more than a month can cause a timeout when the old IP stops responding.
Workaround:
None
1429813-4 : ASM introduce huge delay from time to time
Links to More Info: BT1429813
Component: Application Security Manager
Symptoms:
During high traffic, the response to some requests will be delayed for more than 1 second.
Conditions:
ASM Policy attached to the Virtual Server and during high traffic conditions.
Impact:
Some critical URLs like payment links, will timeout for the user.
Workaround:
None
1429717-2 : APM as oAuth AS intermittently returning HTTP/1.1 400 Bad Request
Links to More Info: BT1429717
Component: Access Policy Manager
Symptoms:
BIG-IP configured as oAuth AS on a VIPRION environment intermittently, the oAuth token request (POST /f5-oauth2/v1/token) fails with 400 Bad Request.
Following is an example APM logs error:
"Error Code (invalid_request) Error Description (Invalid parameter (auth_code).)"
Conditions:
BIG-IP configured as oAuth AS.
Impact:
Authentication failed, unable to reach back-end resources.
Workaround:
None
1411061-2 : API Protection rate limiting can cause cores with high traffic
Links to More Info: BT1411061
Component: Access Policy Manager
Symptoms:
Tmm cores and restarts
Conditions:
-- APM API Protection rate limiting is enabled
-- High traffic volumes
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1410441 : Large file transfer over SFTP/SSH proxy failure
Links to More Info: BT1410441
Component: Advanced Firewall Manager
Symptoms:
Large file (> 110MB) transfer failed using put command over SFT/SSH Proxy enabled.
Conditions:
OpenSSH client/Server version <8.2p1
SSH Proxy profile attached to BIG_IP VS.
Large file(110MB) transfer using the Put command.
Impact:
File transfer failed.
Workaround:
Slow down the file transfer in kb/sec rate.
Ex:
sftp -l 1000 <VS-IP>
put <filename>
1410285-2 : Genesis bot signature file does not install after upgrade
Links to More Info: BT1410285
Component: Application Security Manager
Symptoms:
Genesis bot signature file does not install after upgrade, even after removing signature overrides.
Conditions:
Installing the Genesis BotSignatures_xxxx_yyyy.im fails after upgrade due to a Bot Defense Signature that cannot be deleted because it is in use by a Bot Defense Profile Signature Override.
Deleting the conflicting Signature Override causes subsequent installing of the Genesis BotSignatures_xxxx_yyyy.im to fail silently (install endlessly spinning in UI).
Impact:
Cannot install Genesis BotSignatures_xxxx_yyyy.im after upgrade.
Workaround:
Remove bot signature override from bot defense profile - *before upgrade*.
After upgrade Genesis BotSignatures_XXX_yyy.im installs successfully.
1409537-3 : The chmand fails to fully start on multi-slot F5OS tenants when the cluster members have addresses or alternate addresses
Links to More Info: BT1409537
Component: TMOS
Symptoms:
The chassis manager daemon (chmand) is wedged and does not fully start causing MCPD and cluster to never start.
Conditions:
This issue is seen when IPv6 alternate addresses to the cluster members are added and rebooted to a slot.
Impact:
The slot does not come online and stays inoperative.
Workaround:
None
1408281 : GUI allows to modify source '/any' in bot-defence white list
Links to More Info: BT1408281
Component: Application Security Manager
Symptoms:
The system goes offline as the configuration is wrong.
Conditions:
Bot defence white list with source as any and URL.
Impact:
The system goes offline as the configuration is wrong
Workaround:
None
1408229-2 : VCMP guest deployment may fail on newly installed blade
Links to More Info: BT1408229
Component: TMOS
Symptoms:
If a VCMP guest is configured to be Provisioned or Deployed to multiple blades in a VIPRION chassis, and one of those blades is replaced or has a new installation of BIG-IP installed, the VCMP guest may fail to be Provisioned or Deployed to the newly installed/reinstalled blade.
A message similar to the following may be logged to the LTM log (/var/log/ltm):
<date> <time> slot# err vcmpd[#####]: 01510004:3: Guest (GUEST_NAME): Install to VDisk /shared/vmdisks/GUEST_IMAGE_NAME.img FAILED: Child exited with non-zero exit code: 255
When this issue occurs, the blade where the VCMP guest image fails to be installed is found not to be running the KVM kernel module:
[root@CHASSIS_NAME:/S1-green-P::Active:Standalone] ~ # clsh 'lsmod | grep kvm'
=== slot 2 addr 127.3.0.2 color green ===
kvm_intel 179624 68
kvm 603109 1 kvm_intel
irqbypass 13503 1 kvm
=== slot 3 addr 127.3.0.3 color green ===
kvm_intel 179624 0
kvm 603109 1 kvm_intel
irqbypass 13503 1 kvm
=== slot 4 addr 127.3.0.4 color green === <<<<<<< no 'kvm' module shown for affected blade
=== slot 5 addr 127.3.0.5 color blue ===
=== slot 6 addr 127.3.0.6 color blue ===
=== slot 7 addr 127.3.0.7 color blue ===
=== slot 8 addr 127.3.0.8 color blue ===
=== slot 1 addr 127.3.0.1 color green ===
kvm_intel 179624 68
kvm 603109 1 kvm_intel
irqbypass 13503 1 kvm
Conditions:
This may occur if:
-- VCMP is provisioned, and one or more VCMP guests are provisioned/deployed in a VIPRION chassis with multiple blades.
-- One of the blades is replaced with a new blade (such as from an RMA replacement).
-- The newly installed/reinstalled blade has a version of BIG-IP installed that does not match the BIG-IP version installed and running on the existing blades in the chassis.
-- The newly installed/reinstalled blade must reboot multiple times to complete the installation of all required BIG-IP versions to match the existing blades in the chassis.
-- One or more VCMP guests are configured to be Provisioned and/or Deployed to the newly installed/reinstalled blade's slot.
-- The newly installed/reinstalled blade does not automatically reboot after successfully provisioning VCMP after the automated installation of the final (matching) BIG-IP version.
Impact:
The VCMP guest fails to be Provisioned or Deployed to the newly installed/reinstalled blade.
Workaround:
To work around this issue when it occurs, reboot the affected blade.
-- From the console of the affected blade:
reboot
-- From the console of another blade in the chassis:
clsh --slot=# reboot
(where # is the slot number of the affected blade)
1407997-3 : Enforcer crash due to the ASM parameter configuration
Component: Application Security Manager
Symptoms:
An ASM policy that is configured with a parameter that has a "Parameter Value Type" value set to "Ignore value" may cause BD CPU cores to reach 90-100% of their capacity, resulting in a bd core.
Conditions:
The "Parameter Value Type" value is set to "Ignore value" in the ASM policy. The same parameter has to be included in the incoming request.
Impact:
Long request processing time that may cause the enforcer to crash. Traffic disrupted while bd restarts.
Workaround:
Set the "Parameter Value Type" value to "Auto detect" or any other value.
1404253-2 : [NAT-LOGS] PBA Lease Duration suffers from a 32-bit rollover after 50 days
Links to More Info: BT1404253
Component: Advanced Firewall Manager
Symptoms:
On NAT logs, the sum of PBA start time and duration values do not match with the log-generated time.
Conditions:
NAT policy in action with PBA and block-life-time is 0 which implies infinite time.
Impact:
The duration field in the logs does not show the right value.
Workaround:
None
1404205-1 : [Standard Customization]Web VPN cannot connect with Chinese Language
Links to More Info: BT1404205
Component: Access Policy Manager
Symptoms:
Web VPN does not work with below error in developer tools console
"Uncaught SyntaxError: Unexpected token ']'"
Conditions:
--Standard Customization
--Chinese Language (zh-cn)
Impact:
Unable to use web VPN (browser based VPN)
Workaround:
--Use other languages
--Use Modern Customization
1403869-3 : CONNFLOW_FLAG_DOUBLE_LB flows might route traffic to a stale next hop
Links to More Info: BT1403869
Component: TMOS
Symptoms:
Pool members configured with IP encapsulation or any type of flow using CONNFLOW_FLAG_DOUBLE_LB flag might take some time to refresh its nexthops.
Conditions:
BIG-IP receives an ECMP route towards a server over two different BGP peers and the server is a pool member with IPIP encapsulation enabled. One of the BGP peers goes down and the route gets removed immediately, but BIG-IP is still forwarding traffic to this peer for the next few seconds, even though tmm.inline_route_update is enabled.
Impact:
The connection is using the old, invalid next hop for a few seconds.
Workaround:
None
1401569-2 : Engineering Hotfix readme file refers to non-applicable "full_box_reboot" command★
Links to More Info: BT1401569
Component: TMOS
Symptoms:
The readme file automatically produced for BIG-IP Engineering Hotfixes contains the following instructions:
This hotfix may not be operational without a FULL
system restart. To accomplish this, use the command:
/usr/bin/full_box_reboot
However, the full_box_reboot command is not part of the documented or recommended workflows for current BIG-IP versions.
Conditions:
These instructions are contained in the .readme file that may accompany a BIG-IP Engineering Hotfix provided by F5 to resolve critical issues, under the terms and conditions of the F5 critical issue hotfix policy as described at:
https://my.f5.com/manage/s/article/K4918
Impact:
The instructions in the Engineering Hotfix readme file may be confusing due to inconsistency with documented workflows for installing BIG-IP Engineering Hotfixes.
Workaround:
After the software installs and boots to the volume with installed software no further reboot is required.
1400533 : TMM core dump include SIGABRT multiple times, on the Standby device.
Links to More Info: BT1400533
Component: Access Policy Manager
Symptoms:
The tmm running on the Standby device is repeatedly killed by sod. There are number of SessionDB ERROR messages on the tmm log.
/var/log/tmm1:
notice session_ha_context_callback: SessionDB ERROR: received invalid or corrupt HA message; dropped message.
Conditions:
-- BIG-IP configured for high availability (HA)
-- Mirroring enabled
-- APM enabled
-- Traffic is being passed on the active device
Impact:
Tmm restarts on the standby device. If a failover occurs while the tmm is restarting, traffic is disrupted.
Workaround:
None
1400257-1 : Citrix Autodetect fails when STA is configured in Storefront
Component: Access Policy Manager
Symptoms:
When the user configures Citrix integration mode and configures STA servers configured on both Storefront and APM access policy, Auto-discovery of the Citrix Workspace app will fail. Users can still continue with the already installed option.
Conditions:
The issue is seen when Citrix Integration mode is configured and STA resolution enabled. Also, users access APM using a Browser client.
Impact:
The user needs to click multiple times to download the ica file and load the desktop.
Workaround:
None
1400161-2 : Enhance HTTP2 receive-window to maximum
Links to More Info: BT1400161
Component: Local Traffic Manager
Symptoms:
While uploading a 100 MB file, the client repeatedly runs out of the window and the processing of a window update is relatively slow and builds up to quite an overhead.
Conditions:
Virtual server with HTTP2 profile.
Impact:
The transfer time of HTTP2 is increased as compared to HTTP/1.1.
Workaround:
None
1400001-3 : PVA dedicated mode does not accelerate all connections
Links to More Info: BT1400001
Component: TMOS
Symptoms:
While in PVA dedicated mode, all flows may not be fully accelerated because neuron rules are not created for flow collisions.
Conditions:
A fastL4 profile with pva-acceleration set to "dedicated.
sys turboflex profile-config set to "turboflex-low-latency"
This type of configuration is commonly used for hardware-optimized FIX low latency electronic trading traffic.
Impact:
Higher latency for these connections because they are not in PVA.
Workaround:
None
1399741-1 : [REST][APM]command 'restcurl /tm/access/session/kill-sessions' output on APM is empty
Links to More Info: BT1399741
Component: TMOS
Symptoms:
Active APM Sessions are not returned when running the kill-sessions command.
Conditions:
'restcurl /tm/access/session/kill-sessions' is run.
Impact:
Active access sessions are not the same on BIG-IP and BIG-IQ since BIG-IQ uses this API (/tm/access/session/kill-sessions).
Workaround:
None
1399517-1 : FrameElement Wrappers occasionaly returns 'Undefined' instead of original Window object failing to load frame/iframes
Links to More Info: BT1399517
Component: Access Policy Manager
Symptoms:
Iframes are not loading properly
Conditions:
Modern Rewriting/Mode is used
Impact:
Application fail to load iframes
Workaround:
Use the below iRule:
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
if {
[HTTP::path] ends_with "cache-fm-Modern.js"
} {
HTTP::respond 200 content [ifile get ModernCachefm]
}
}
iFile - Request the ifile with fix via Escalation
1399253-3 : Tmm restarts due to mcpd disconnect when memory runs out with high tmm CPU and memory xdata use
Links to More Info: BT1399253
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm restarts with messages similar to this:
alert tmm[24857]: 011a0027:1: Out of memory resources (Resource temporarily unavailable) while attempting to allocate a path table.
err tmm[24857]: 011ae0f6:3: Encountered error while processing mcp message at ../gtmdb/db_gtm_path.c:151 : Unable to add path
Conditions:
A BIG-IP system is flooded with dns queries with load balancing methods using path metrics.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1399193-2 : SIP parser not parsing response when ;; in the to: or from:
Links to More Info: BT1399193
Component: Service Provider
Symptoms:
Messages are not forwarded
Conditions:
When a sip message contains ;; in the to or from, for example:
t: <sip:+18005551212@10.10.24.2;user=phone>;;tag=70c1a1e1
Impact:
Message is not forwarded
Workaround:
None
1399017-4 : PEM iRule commands lead to TMM crash
Component: Policy Enforcement Manager
Symptoms:
In a few circumstances PEM iRule commands lead to a TMM crash.
Conditions:
PEM iRule commands
Impact:
TMM crash, traffic is disrupted.
Workaround:
None
1398925-2 : Virtual Server status change log message fails to report actual status
Links to More Info: BT1398925
Component: Local Traffic Manager
Symptoms:
-- SNMP_TRAP log message reports the virtual server status as available but does not report that it has been disabled by parent due to its default pool.
-- Then, when a pool member is enabled, the virtual server status will be available again, but there is no log message indicating this change.
Conditions:
-- Disable all pool members in a pool and watch the virtual server status log messages
Impact:
Virtual server status cannot be identified and tracked via log messages.
Workaround:
None
1398809-2 : TMM can not process traffic on Cisco ENIC
Links to More Info: BT1398809
Component: TMOS
Symptoms:
- TMM cannot process traffic
- Within '/var/log/tmm', there is the following log line
rte_enic_pmd: Rq 0 Scatter rx mode not being used
- 'tmctl -d blade tmm/xnet/dpdk/stats' stat table shows a large (several 10000) for 'mbuf_inuse' and 'frag_inuse', and 'mbuf_alloc_fail' is an extremely large count (in the scale of millions) and continuously increasing
Conditions:
- TMM is using Xnet-DPDK drivers
- BIG-IP is connected to a Cisco ENIC card
In addition to the above, one or both of the following
a) Only 1 RX queue available
b) MTU <= 1920
By default, TMM will set MTU to 1500 for ENIC.
Impact:
Traffic disrupted as TMM is not able to receive nor send packets.
Workaround:
Both of following must be done:
1) Configure ENIC to have 2 or more RX queues available
2) Create a file '/config/tmm_init.tcl' containing the following line:
ndal mtu 9000 1137:0043
1396369 : APM[Saml IdP] - Support for metadata containing multiple entities
Links to More Info: BT1396369
Component: Access Policy Manager
Symptoms:
Importing a metadata file containing an <md:EntitiesDescriptor> element which in turn can contain multiple <EntityDescriptor>
elements fail to import with:
Configuration error: Metadata contains duplicate 'index' (0) in AssertionConsumerService elements. Service Providers must be reconfigured to provide correct metadata.
Alternatively, metadata can be manually edited to have a unique 'index' in the range from 0 to 65535 for each AssertionConsumerService element.
Conditions:
APM acting as the SAML IDP tries to automate the metadata file controlled by a 3rd party vendor and fails to
install even when trying to import manually. Because this is a multiple entities metadata file there will be multiple index values for each EntityDescriptor and they may have the same index number.
Impact:
Saml metadata fails to import, and fails to configure.
Workaround:
None
1395257-3 : Processes that are using libcrypto during their startup are causing high CPU usage
Links to More Info: BT1395257
Component: TMOS
Symptoms:
Upon creating a new connection, the initialization of the OpenSSL library triggers self-tests, resulting in high CPU usage.
Conditions:
Enable FIPS mode and use SIP monitors. Initializing SIP monitors will also initialize the OpenSSL library, causing high CPU consumption.
Impact:
High CPU usage due to the loading of the OpenSSL library whenever a new connection is created.
Workaround:
Disable FIPS mode by setting the environment variable SECURITY_FIPS140_COMPLIANCE to false.
1389401-2 : Peer unit incorrectly shows the pool status as unknown after merging the configuration
Links to More Info: BT1389401
Component: TMOS
Symptoms:
The peer unit incorrectly shows the state of pool members as "checking" after merging the configuration from the terminal.
Note that these are the same symptoms as ID1095217.
Conditions:
This is encountered on BIG-IP releases or Engineering Hotfixes with the fix for ID1297257, if two or more configurations are specified for an already configured pool on the peer device when using the command "tmsh load sys config merge from-terminal".
Following is an example:
Existing pool:
ltm pool http_pool {
members {
member1:http {
address <IP address>
monitor http
}
}
}
tmsh load sys config merge from-terminal:
ltm pool http_pool {
members none
}
ltm pool http_pool {
members replace-all-with {
member1:http {
address <IP address>
monitor http
}
}
}
This may also occur with a similar configuration using the "merge from-file" operation instead of "merge from-terminal".
These symptoms, matching ID1095217, occur in the presence of the fix for ID1297257, which removes the original, incorrect fix for ID1095217.
Impact:
Pool members are marked with a state of "Checking".
Workaround:
Define all object properties at once (in a single configuration block) instead of multiple times (in multiple configuration blocks) when merging the configuration from the terminal.
1388753-2 : FIPS device unable to provision full accelerator cores for FIPS partitions
Links to More Info: BT1388753
Component: Local Traffic Manager
Symptoms:
The issue is that FIPS systems have been reporting an incorrect number of available accelerator cores.
For example, i15820-DF supports a total of 63 accelerator cores, but it is showing maximum 32 while resizing the partition.
[root@gwelb01-tic:Active:Standalone] config # fipsutil ptnresize
Enter Security Officer password:
Enter partition name: PARTITION_1
Enter max keys (1-102235, current 10075): 1
Enter max accel devs (1-32, current 32): 1 --->
Max value should be 63
Conditions:
- BIG-IP platform with an onboard FIPS HSM.
Impact:
Not able to provision the full accelerator dev cores though the platform support.
Workaround:
None
1384509-3 : The ePVA syncookie protection stays activated in hardware
Links to More Info: BT1384509
Component: Advanced Firewall Manager
Symptoms:
Hardware syncookie protection might be activated without TMM reflecting such state. Only the following log will be shown when this happens (even though hardware protection is activated):
warning tmm5[24301]: 01010038:4: Syncookie counter 53 exceeded vip threshold 52 for virtual = 1.1.1.1:443
Normally two following messages should be visible:
warning tmm5[24301]: 01010038:4: Syncookie counter 53 exceeded vip threshold 52 for virtual = 1.1.1.1:443
notice tmm5[24301]: 01010240:5: Syncookie HW mode activated, server name = /Common/test server IP = 1.1.1.1:443, HSB modId = 5
There exist exceptions to this rule. If unsure, please open a support case.
Conditions:
Hardware syncookie protection activated on a TCP/fastL4 profile.
Undisclosed traffic pattern hits virtual server.
Impact:
Hardware syncookie protection stays activated without TMM reflecting the state.
Hardware syncookie protection stays activated until traffic subsides and hardware deativates protection.
Some connections might not be opened properly.
Workaround:
None
1382141-3 : Query string gets stripped when bot defense redirects request via Location header, with versions that have the fix for ID890169★
Links to More Info: BT1382141
Component: Application Security Manager
Symptoms:
The query parameter is missing in the Location header, after upgrading to BIG-IP to the versions that have the fix for ID890169, with a redirect challenge.
This can cause 307 redirect requests from the BIG-IP system.
Conditions:
The bot profile is attached to the virtual server.
Impact:
Dropping query string results in an unrecognized resource request to the server.
Workaround:
None
1380009-2 : TLS 1.3 server-side resumption resulting in TMM crash due to NULL session
Links to More Info: BT1380009
Component: Local Traffic Manager
Symptoms:
TMM core is observed when TLS 1.3 server-side resumes.
Conditions:
- TLS 1.3 handshake
Impact:
TMM cores, traffic is disrupted.
Workaround:
None
1379825 : PEM does not block sites defined to be blocked when webroot DB is not ready and urlcat query lookups has status "Skipped - Webroot License Absent/Expired"
Component: Policy Enforcement Manager
Symptoms:
Url-cat query result is "Skipped - Webroot License Absent/Expired", even after the webroot is licensed.
Conditions:
Webroot database download is in progress.
Impact:
PEM is not able to block categories based on URL categorization.
Workaround:
Enable sys db key "tmm.gpa.urlcat.cloud.only". However, there will be a performance impact.
1379649-2 : GTM iRule not verifying WideIP type while getting pool from TCL command
Links to More Info: BT1379649
Component: Global Traffic Manager (DNS)
Symptoms:
When the pool name is same for different pool types, the GTM iRule cannot segregate the pool types thus giving a wrong DNS response.
Conditions:
-- Both A/AAAA same name WideIP and pools.
-- GTM iRule with pool command pointing to common pool name in different WideIP types.
Impact:
Traffic impact as a non-existent pool member address in DNS response.
Workaround:
None
1378869-1 : tmm core assert on pemdb_session_attr_key_deserialize: Session Rule key len is too short
Links to More Info: BT1378869
Component: Policy Enforcement Manager
Symptoms:
bad PEM session lookup request via MPI
Conditions:
PEM is provisioned.
Impact:
tmm core .
1378069-2 : DNS profile RPS spike every time when there is change in configuration of DNS profile
Links to More Info: BT1378069
Component: Global Traffic Manager (DNS)
Symptoms:
High rps value seen in profile_dns_stat which is not as per the traffic sent.
Conditions:
-- Monitor the rps value under profile_dns_stat when there is a change in the configuration of DNS profile.
Impact:
High RPS value seen.
Workaround:
None
1377421-2 : APMD processing of MCP messages is inefficient
Links to More Info: BT1377421
Component: Access Policy Manager
Symptoms:
When user configures large number of Access Policies and APMD is restarted, it takes extended period of time to complete configuration.
Also, CPU usage is high during this period of time.
Conditions:
- User configures hundreds of Access policies.
- APMD is restarted.
Impact:
APMD and MCPD show high CPU utilization for an extended period of time.
Workaround:
None
1377353 : TMM crashes when iRule uses persistance lookup and attached to Virtual with no pool member
Links to More Info: BT1377353
Component: Local Traffic Manager
Symptoms:
TMM crashes, When the Virtual server is configured with source address persistence profile and does not configure any pool members, and attached iRule has persistence lookup like -
"set persist_record [persist lookup source_addr "[IP::client_addr] any"]"
Conditions:
-virtual servers with source address persistence profile
-virtual servers with no pool member
-Attach an iRule with persistence lookup
Impact:
Not able to use virtual as TMM always crashes on triggering iRule
Workaround:
- Don't use persistence lookup in a irule attached to a VIP with no pool member
(OR)
- Attach a pool member if intended to use the irule
1377301 : Shutdown logs while reboot not shown
Links to More Info: BT1377301
Component: TMOS
Symptoms:
"shutdown -h now" via serial console does not show the shutdown sequence while rebooting.
Conditions:
The issue is intermittent. There are no specific conditions as to when this issue might occur as the RCA is not known.
Impact:
No impact on the functional aspects of BIG-IP.
Workaround:
None
1366765-2 : Monitor SEND string parsing "\\r\\n"
Links to More Info: BT1366765
Component: Local Traffic Manager
Symptoms:
Double backslashes in monitor SEND string results in CR/LF being doubled.
Conditions:
Following is an example of SEND string:
Send "GET / HTTP/1.1\\r\\nHost: nt.gov.au \\r\\nConnection: Close \\r\\n\\r\\n"
Impact:
Monitor logging showed that these are correctly converted to \x0d\x0a apart from the trailing "\\r\\n\\r\\n" and the monitor sends a sequence of "\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a" which is not HTTP protocol compliant.
Workaround:
Removed the extra back-slashes
send "GET / HTTP/1.1\r\nHost: nt.gov.au \r\nConnection: Close \r\n"
Now, the request is closed correctly \r\n\r\n
Execute without \r\n at the end of the SEND string, following is an example:
send "GET / HTTP/1.1\r\nHost: nt.gov.au \r\nConnection: Close"
The above string works correctly.
1366413 : Traffic-type for Protected Object was changed from "other" in version 14 to "unresolved" in version 16★
Links to More Info: BT1366413
Component: Advanced Firewall Manager
Symptoms:
A Protected Object type is identified as "unresolved" after upgraded to v16. In version 14 it was identified as "Other".
Conditions:
Upgrade the BIG-IP system from v14.x to v16.x.
Impact:
The protected object type is identified as "unresolved" when it was previously identified as "other"
Workaround:
None
1366269-3 : NAT connections might not work properly when subscriber-id is confiured.
Links to More Info: BT1366269
Component: Advanced Firewall Manager
Symptoms:
When subscriber-aware NAT is configured or subscriber-id logging is enabled under NAT log profile some NAT connections might not work properly.
Conditions:
- Subscriber-aware NAT or NAT logging with subscriber-id enabled.
Impact:
Some NAT connections fail to complete.
Workaround:
Disable 'subscriber-id' under NAT logging profile.
1366153-3 : "Illegal repeated header violation" is added with blocking enabled, after upgrading to v16+ from earlier versions★
Links to More Info: BT1366153
Component: Application Security Manager
Symptoms:
"Illegal repeated header violation" is added with blocking enabled, after upgrading to v16+ from earlier versions.
Conditions:
Upgrading from pre-v16 to post-v16.
Impact:
False positives after upgrading.
Workaround:
After upgrading, review violation reports and disable "Illegal repeated header violation" as needed.
1365701-1 : Core when flow with looped nexthop is torn down
Links to More Info: BT1365701
Component: Local Traffic Manager
Symptoms:
TMM crashes with "no trailing data (looped flow)" OOPS.
Conditions:
Have to tear down the connflow without tearing down the stream while a connection is pending.
Impact:
Abnormal TMM behavior.
Workaround:
None
1365629-2 : FPS signature and engine update fail to access sys db key proxy.password
Component: Application Security Manager
Symptoms:
FPS signature and engine update via proxy with password authentication fails
Conditions:
FPS signature and engine update via proxy that requires password authentication
Impact:
Automatic updates of FPS signatures and engine do not work when an HTTP proxy is configured.
Workaround:
Manually upload the file
1361021-2 : The management interface media on a BIG-IP Tenant on F5OS systems does not match the chassis
Links to More Info: BT1361021
Component: TMOS
Symptoms:
The management interface media on a BIG-IP tenant running on F5OS systems does not match the media/speed of the management interface on the system controllers.
Running 'tmsh show net interface' reports the media of the management interfaces (i.e. 'mgmt' or '1/mgmt') as "100TX-FD".
Conditions:
BIG-IP tenant running on F5OS systems (rSeries or VELOS).
Impact:
The media is reported as "100TX-FD".
Workaround:
Ignore the speed reported for the tenant's management interface(s), and instead, look at the speed of the management interfaces as reported in F5OS.
While running confd, run the following command to see the correct media settings:
VELOS: show interfaces interface 1/mgmt0
rSeries: show interfaces interface mgmt
1360997-2 : Attack Signature not detected when signature is overridden on first header
Component: Application Security Manager
Symptoms:
When an attack signature is overridden at the header level for a particular header within the security policy and if that signature is first detected on the overridden header, it can result in that signature not being detected on other headers.
For example, let's say that there are two headers named "A-fetch" & "B-fetch" and "Signature ID 200101800 - fetch() (Header)" is overridden for "A-fetch" header.
In this circumstance, if "A-fetch" header is specified ahead of "B-fetch" header in the raw HTTP request header and this signature gets detected as part of "A-fetch" header (it would be overridden, as per policy configuration), it results in this signature not getting detected for "B-fetch" header either.
Conversely, if "B-fetch" header is specified ahead of "A-fetch" header in the raw HTTP request header, then this signature gets detected on "B-fetch" header.
To summarize, if the header on which the signature is overridden is specified first within the request header, then the signature does not get flagged (whenever applicable) on other HTTP headers.
Conditions:
An Attack Signature is overridden at the header level for a particular header within the security policy
Impact:
A signature overridden on any HTTP header within the policy results in a WAF evasion due to it not being detected on other HTTP headers under certain situation.
Workaround:
None.
1360129-2 : Tcpdump filter by dosl7d_attack_monitor has no netmask
Links to More Info: BT1360129
Component: Application Security Manager
Symptoms:
Tcpdump filter by dosl7d_attack_monitor has no netmask that can result no packet captured during an attack, if the virtual server destination is a network address instead of a /32 host address.
Conditions:
Virtual server destination is a network address
e.g : x.x.x.0/24
Impact:
Dosl7d_attack_monitor fails to capture packets of attack that causes users not being able to analyze capture data of the observed attack later.
Workaround:
None
1360005-2 : If service times out, the PINGACCESS filter may not release context in ping_access_agent
Links to More Info: BT1360005
Component: Access Policy Manager
Symptoms:
TMM forwards client request to ping_access_agent for processing. Each request forwarded to ping_access_agent creates a request-specific context within ping_access_agent. When the request processing is completed, this context must be freed, this does occur when the request processing reaches a normal conclusion. If the client connection in TMM fails before the request is fully processed, it is TMM's responsibility to notify ping_access_agent to free the context associated with the connection. If TMM fails to notify, the context is "orphaned" and will never be freed, thus causing ping_access_agent to grow over time as more contexts are orphaned.
Conditions:
Pingaccess configured.
Impact:
Pingaccess agent leaks memory over the period of time.
Workaround:
None
1355309-2 : VLANs and VLAN groups are not automatically saved to bigip_base.conf on first boot or modification of a tenants VLANs or virtual wire
Links to More Info: BT1355309
Component: TMOS
Symptoms:
Standalone/Virtual Wire VLANs are removed when the device is rebooted without saving the configurations.
Conditions:
-- Configuring VLANs, VLAN groups, or virtual wire without saving the configuration
-- The device is rebooted
Impact:
VLAN/VLAN group loss for some or all of them.
Workaround:
Save the configurations on the tenant after removing or adding the virtual wire VLANs.
1354309-3 : IKEv1 over IPv6 does not work on VE
Links to More Info: BT1354309
Component: TMOS
Symptoms:
IKEv1 tunnels over IPv6 does not work on Virtual Edition. BIG-IP responds with UDP port unreachable for incoming Phase 1 packets.
Conditions:
Following conditions must be met:
- IKEv1
- IPv6 peer addresses
- Virtual Edition
Impact:
Unable to establish IPsec tunnel.
Workaround:
None
1354305 : MultiByte in Unicode is not decoded properly
Links to More Info: BT1354305
Component: Application Security Manager
Symptoms:
The metachar values are being changed between the raw request and the violation report.
Conditions:
Enable Illegal Metacharacter violation in Learning and blocking settings and send request with language that is mutlibyte in Unicode.
Impact:
The metachar values are being changed between the raw request and the violation report.
1354145 : Max session timeout countdown timer on webtop is reset when refreshing the Modern Webtop
Links to More Info: BT1354145
Component: Access Policy Manager
Symptoms:
Maximum session timeout countdown timer on webtop is reset when refreshing the Modern Webtop
Conditions:
Using Modern Webtop
Impact:
Not displaying the correct timeout value left on refreshing
Workaround:
None
1353809-1 : HTTP/2 erroneously expects the body length to match the Content-Length in response to HEAD request
Links to More Info: BT1353809
Component: Local Traffic Manager
Symptoms:
HTTP/2 is attempting to enforce the Content-Length sent (legally) by the Apache server, because it is a HEAD, there is no body, but HTTP/2 erroneously expects the body length to match the Content-Length sent.
Conditions:
-- HTTP/2 virtual server
-- Response from the server should contain DATA (0 length) frame for HEAD request
Impact:
BIG-IP sends RESET frame.
Workaround:
None
1352445-2 : Executing 'tmsh load sys config verify', changes Last Configuration Load Status value to 'config-load-in-progress'
Links to More Info: BT1352445
Component: TMOS
Symptoms:
After mcpd starts and successfully loads the config, executing 'tmsh load sys config verify', and thereafter executing 'tmsh show sys mcp-state' results in an incorrect value shown for Last Configuration Load Status.
# tmsh show sys mcp-state
-------------------------------------------------------
Sys::mcpd State:
-------------------------------------------------------
Running Phase running
Last Configuration Load Status config-load-in-progress
End Platform ID Received true
Conditions:
Executing 'tmsh load sys config verify' and then 'tmsh show sys mcp-state' results in MCPD state indicating "Last Configuration Load Status" is "config-load-in-progress" even though the config has successfully loaded.
Impact:
Inaccurate config load state shown by 'tmsh show sys mcp-state' command.
Workaround:
Run 'tmsh load sys config'.
1352213-3 : Handshake fails with FFDHE key share extension
Component: Local Traffic Manager
Symptoms:
SSL handshake fails to complete and various errors show in the LTM logs
01010025:2: Device error: crypto codec Couldn't create an OpenSSL EC group object OpenSSL error:00000000:lib(0):func(0):reason(0)
01010282:3: Crypto codec error: sw_crypto-1 Couldn't initialize the elliptic curve parameters.
01010025:2: Device error: crypto codec No codec available to initialize request context.
Conditions:
An SSL profile uses TLS1.3, and a TLS Client Hello attempts to use FFDHE as part of the key share extension.
Impact:
SSL handshake fails and results in connection failure.
Workaround:
Set the SSL profile to disallow using FFDHE groups.
1350985 : APM policy sync fails after deleting macro ending
Links to More Info: BT1350985
Component: Access Policy Manager
Symptoms:
Policy sync fails with error "01071202:3: Number of rules in macro call (/Common/Doble-sync-fail-tst_mac_authentication_4) must be equal to the number of macro terminalouts."
Conditions:
1)Devices should be in sync-only group.
2)The access policy should have a macro configured with terminals endings.
3)The access policy should be already synced and present on the other device. i.e problem is seen during subsequent policy syncs and not seen during the first sync.
4)The issue is seen only if macro terminal endings are deleted and then policy sync is performed.
Impact:
Policy sync is broken.
Workaround:
Delete the terminal outs even on the other device in the sync group and then perform the policy sync.
1350921-2 : SOCKS profile may not immediately expire connections
Links to More Info: BT1350921
Component: Local Traffic Manager
Symptoms:
SOCKS profile does not immediately expire connections if client sends a TCP reset before server connected.
Conditions:
In some specific conditions where for example the client sends a TCP RST, the connection will stay on the client until the idle timeout expires.
Impact:
Lingering connections until idle timeout expire.
1350417-1 : "Per IP in-progress sessions limit (xxx) exceeded" message occurs before number of "In-Progress session" reaches the limit
Links to More Info: BT1350417
Component: Access Policy Manager
Symptoms:
You may observe the below in /var/log/apm.
warning tmm2[20687]: 01490547:4: Access Profile <AP Name>: Per IP in-progress sessions limit (2048) exceeded for <IP Address>
Conditions:
-- No specific conditions, it happens when Access Profiles are attached to a virtual server.
Impact:
New sessions may be rejected when this message was logged.
Workaround:
Keep large value for " Per IP In-Progress session" limit.
1348945 : BD core is seen while setting "likely_false_positive_mode"
Links to More Info: BT1348945
Component: Application Security Manager
Symptoms:
Bd crashes.
Conditions:
Setting "likely_false_positive_mode" through /usr/share/ts/bin/add_del_internal add likely_false_positive_mode 1 causes bd to crash while sending any request
Impact:
Traffic disrupted while bd restarts.
Workaround:
Set likely_false_positive_mode to default "0"
1348869-1 : Hourly spike in the CPU usage and lasts for fraction of second causing delay in TLS connections
Links to More Info: BT1348869
Component: Local Traffic Manager
Symptoms:
1. Hourly spike in the CPU usage.
2. TMM Idle enforcer gets activated.
Conditions:
-- Clientssl profile assigned to a virtual server and passing traffic
This occurs during normal operation while running an affected software version.
This occurs after applying the db variable fix specified in ID 1306249 at https://cdn.f5.com/product/bugtracker/ID1306249.html.
Impact:
TMM Idle enforcer gets activated and causes a delay in TLS traffic and CPU Usage goes high.
Workaround:
None
1348061-2 : [Dual Stack MGMT] - Upgrade of BIG-IP in HA with Dual stacked mgmt IP causes deletion of peers failover IPv4 unicast address★
Links to More Info: BT1348061
Component: TMOS
Symptoms:
Before the upgrade, 'tmsh show cm failover' output will show the status as 'OK' in all BIG-IPs for both Ipv4 and Ipv6 management IPs configured as failover unicast addresses.
After the upgrade, a few BIG-IPs in the HA cluster stopped sending failover packets to the peer on ipv4 mgmt which caused the output of ''tmsh show cm failover' to show as "Error".
Conditions:
The issue occurs under the following conditions:
-- 3 or more BIG-IPs in the HA cluster.
-- 3 or more Traffic-Group configured.
-- IPv4 and IPv6 management address configured.
-- Upgrade from 14.1.x to the new version or MCPD forceload of BIG-IPs in cluster running 14.1.x or later.
Impact:
BIG-IPs stopped sending failover packets to the peer on ipv4 mgmt. Since only the Ipv4 mgmt address will show as an error but other failover unicast addresses will not be impacted so it should not cause broken failover connectivity.
Workaround:
Delete and re-add the 'management_address' in the failover network in all BIG-IPs and the status will be changed to 'OK'. It is suggested to also add self-ip as a failover unicast address along with management-IP.
1347861-2 : Monitor status update logs unclear for FQDN template pool member
Links to More Info: BT1347861
Component: TMOS
Symptoms:
When the state of an FQDN template node is changed (such as being forced offline by user action), one or more messages similar to the following may appear in the LTM log (/var/log/ltm):
notice mcpd[####]: 01070638:5: Pool /Common/poolname member /Common/nodename:## monitor status unchecked. [ ] [ was unknown for #hrs:##mins:##sec ]
Although such log messages indicate the current state of the FQDN template pool member, the prior status is indicated as "unknown" and does not accurately indicate the prior state of the FQDN template pool member.
Conditions:
This may occur when FQDN nodes and pool members are configured, and When the state of an FQDN template node is changed (such as being forced offline or re-enabled from an offline state by user action).
Impact:
Such messages may confuse users who are attempting to monitor changes in the BIG-IP system by not providing clear information.
Workaround:
The state of an FQDN template pool member is generally determined by the state of the referenced FQDN template node. The FQDN template node contains the configuration used to resolve the FQDN name to the corresponding IP addresses. FQDN template pool members are not involved in this process, and generally only reflect the status of the name resolution process centered on the FQDN template node.
Examining log messages related to to the associated FQDN template node can inform the interpretation of the FQDN template pool member state.
For example, if an FQDN template node is forced offline, messages similar to the following will be logged indicating the FQDN template node state change, which is subsequently reflected in FQDN template pool member state changes:
notice mcpd[####]: 01070641:5: Node /Common/nodename address :: session status forced disabled.
notice mcpd[####]: 01070638:5: Pool /Common/poolname member /Common/nodename:## monitor status forced down. [ ] [ was unknown for #hr:##min:##sec ]
notice mcpd[####]: 01070641:5: Node /Common/nodename address :: session status enabled.
notice mcpd[####]: 01070638:5: Pool /Common/poolname member /Common/nodename:## monitor status unchecked. [ ] [ was unknown for #hr:##min:##sec ]
1347825-2 : Traffic group becomes active on more than one BIG-IP after a long uptime and long HA disconnection time
Links to More Info: BT1347825
Component: TMOS
Symptoms:
Traffic-groups become active/active after a long uptime interval and the HA connection is disconnected for longer than 30 seconds.
Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.
For example:
-- For 4 traffic groups, the interval is ~621 days.
-- For 7 traffic groups, the interval is ~355 days.
-- For 15 traffic groups, the interval is ~165 days.
Conditions:
-- Two or more BIG-IP systems defined in a device group for sync/failover.
-- There is one or more traffic groups configured.
-- The BIG-IP systems have a long uptime.
-- The BIG-IP systems lose their HA connection for more than 30 seconds.
-- The issue is more likely to occur when the watchdog daemon sod uptime, normally the same as system uptime, is above (6.8 years / number of traffic groups ).
Impact:
Outage due to traffic-group members being active on both systems at the same time.
Workaround:
There is no workaround.
Either all the BIG-IP units need to be rebooted on a regular interval, or the BIG-IP units need to be rebooted before they are disconnected from each other for a long time.
1344925-2 : TLS1.3 does not fall back to full handshake when Client Hello is missing the pre_shared_key
Links to More Info: BT1344925
Component: Local Traffic Manager
Symptoms:
BIG-IP sends out a TLS Fatal Error (Handshake Failure) when TLS1.3 Client Hello is missing the 'pre_shared_key' extension when TLS session resumption is expected.
Conditions:
-- TLS1.3 Session resumption
-- Client Hello is missing the 'pre_shared_key' extension (but has a valid 'key_share')
Impact:
BIG-IP resets the connection with TLS Fatal Alert (Handshake Failure) instead of falling back to full TLS handshake.
Workaround:
Don't use TLS1.3 and session resumption.
1341093-2 : MCPD returns configuration error when attaching a client SSL profile containing TLS 1.3 to a virtual server with HTTP/2 profile
Links to More Info: BT1341093
Component: Local Traffic Manager
Symptoms:
A configuration error is seen on BIG-IP as below:
01070734:3: Configuration error: In Virtual Server (/Common/vsname) an http2 profile with enforce-tls-requirements enabled is incompatible with client ssl profile '/Common/PORTAL-3119-cssl-tls13'; cipher ECDHE-RSA-AES128-GCM-SHA256 must be available
Conditions:
- Virtual Server with cipher rule that uses tlsv1_3 ciphers only
- Cipher group
- Client-SSL profile and HTTP/2 profile with enforce-tls-requirements enabled
Impact:
HTTP/2 and Client-SSL Profiles with TLS 1.3 is not supported.
Workaround:
None
1340513-2 : The "max-depth exceeds 6" message in TMM logs
Links to More Info: BT1340513
Component: TMOS
Symptoms:
An error message similar to the following is seen in /var/log/ltm:
err tmmX[XXXXXX]: 01630002:3: (max-depth exceeds 6) ()
Conditions:
These errors may appear in the LTM log once for each TMM that starts up, often after a configuration action such as:
-- Modifying virtual server configuration.
-- Assigning an ASM policy or a bot profile to a virtual server.
-- Running a config merge command.
Impact:
These messages are benign, despite being logged at an "error" level.
1332473-2 : Configuring SNAT Origin IPv6 address through GUI in non RD0 incorectly expands subnet mask to '/32' causes error during configuration load
Links to More Info: BT1332473
Component: TMOS
Symptoms:
The SNAT Origin IPv6 address subnet mask incorrectly expands to '/32' causing an error during configuration load.
Conditions:
-- In GUI, create a SNAT list with Origin Set to IPv6 address.
-- Perform the command tmsh load sys config.
Impact:
Error is observed while loading the configuration (tmsh load sys config).
Workaround:
None
1332401-2 : Errors after config sync with FIPS keys
Links to More Info: BT1332401
Component: TMOS
Symptoms:
Sync failing with unable to config sync FIPS key. An error similar to the following is displayed:
Sync error on bigip1.test.xyz: Load failed from /Common/bigip2.test.xyz 01070712:3: Caught configuration exception (0), unable to synchronize FIPS key (/Common/my_fips_private_key).
Conditions:
Config sync failed after replacing FIPS key (create / import / replace).
Impact:
Unable to configsync between units in an high availability (HA) group.
Workaround:
Please contact technical support.
1331037-3 : The message MCP message handling failed logs in TMM with FQDN nodes/pool members
Links to More Info: BT1331037
Component: TMOS
Symptoms:
When an FQDN node or pool member is created, one or more messages of the following form may appear in the TMM logs (/var/log/tmm*):
notice MCP message handling failed in 0x<hex value>
Conditions:
This may occur when creating an FQDN node or pool member on affected versions of BIG-IP.
Impact:
There is no known impact of this issue, besides the appearance of "notice" level messages in the TMM logs.
Workaround:
None
1330249-3 : Fastl4 can queue up too many packets
Links to More Info: BT1330249
Component: Local Traffic Manager
Symptoms:
-- Excessive xdata memory usage.
-- SOD may kill TMM for being unresponsive.
Conditions:
The issue occurs under the following conditions:
-- fastl4 profile in use.
-- rate-limit is used in virtual.
-- server-side gets stuck trying to connect.
-- lots of incoming clientside packets.
Impact:
Packets can be queued without limit. In the worst case, this can lead to memory exhaustion or SOD killing TMM as it tries to process the packet queue. Traffic is disrupted while TMM restarts.
Workaround:
Do not use rate-limit.
1330213-3 : SIGABRT is sent when single quotes are not closed/balanced in TMSH commands
Links to More Info: BT1330213
Component: TMOS
Symptoms:
When a TMSH command is entered with only one single quote (unbalanced quotes), the TMSH aborts.
For example:
[root@test-mem-bigip:Active:Standalone] config # tmsh -c "list /net | grep 'foo"
terminate called after throwing an instance of 'CLI::SyntaxError'
what(): single quotes are not balanced
Aborted (core dumped)
Conditions:
When only one single quote is used in a TMSH command, the SIGABRT occurs.
For example:
# tmsh -c "list /net | grep 'foo"
or
# tmsh -c "list /net '"
Impact:
TMSH crashes and a core file is generated.
Workaround:
None
1329557-2 : The Attack Types and Violations reported in the incident do not match the incident subtype
Links to More Info: BT1329557
Component: Application Security Manager
Symptoms:
The Attack Types and Violations in the incident are computed incorrectly.
Conditions:
-- Event Correlation is enabled.
-- Incident is generated from the related requests.
Impact:
The incident generated shows incorrect Attack Types and Violations.
Workaround:
None
1329509-2 : TCL error 'ERR_VAL (line 1) invoked from within "HTTP::path"'.
Links to More Info: BT1329509
Component: Local Traffic Manager
Symptoms:
Under specific conditions, when the client accesses an HTTP(S) virtual server, an iRule execution error occurs. Client-side HTTP(S) connection is terminated by RST when an iRule execution error occurs.
err tmm[xxxxx]: 01220001:3: TCL error: /Common/test-rule <HTTP_REQUEST> - ERR_VAL (line 1) invoked from within "HTTP::path"
Conditions:
This issue occurs under the following conditions:
-- HTTP::path command is used on an iRule.
-- The iRule is attached to an HTTP(S) virtual server.
-- Client's HTTP(S) request URI includes square bracket character, "[" (0x5b) or "]" (0x5d).
-- Client's HTTP(S) request URI includes only opening square bracket "[" or only closing square bracket "]", for example, "GET [ HTTP/1.0\r\n\r\n".
Impact:
iRule execution fails with a TCL error such as the following example, and the client will receive TCP RST from the virtual server when iRule execution fails.
err tmm[xxxxx]: 01220001:3: TCL error: /Common/test-rule <HTTP_REQUEST> - ERR_VAL (line 1) invoked from within "HTTP::path"
Workaround:
Add "-normalized" command option to HTTP::path command.
ltm rule /Common/test-rule-normalized {
when HTTP_REQUEST {
if { [HTTP::path -normalized] contains "test" } {
HTTP::respond 200 -content "OK !!!\n"
} else {
HTTP::respond 200 -content "Hit \"else\" statement !!!\n"
}
}
}
Note: Adding "-normalized" command option may change the URI, so testing and verification before applying workaround on production environment is strongly recommended.
1328857-2 : GUI error when accessing hyperlink for associated gtm link object on a virtual server
Links to More Info: BT1328857
Component: Global Traffic Manager (DNS)
Symptoms:
GUI displays "An error has occurred while trying to process your request" while accessing gtm link object on a virtual server.
Conditions:
Trying to access gtm link object under LTM -> Virtual Servers -> virtual server properties.
Impact:
Unable to view gtm link information in GUI.
Workaround:
Modify links through dns -> gslb -> links
1328573 : Illegal repeated header violation is not enforced for cookie header
Links to More Info: BT1328573
Component: Application Security Manager
Symptoms:
When "Allow Repeated Occurrences" is disabled on Cookie header and Illegal Repeated Header violation is enabled in Learning and Blocking settings, the expectation is that any request with multiple Cookie headers will be flagged as alarm/block. However, this does not happen.
Conditions:
1) "Allow Repeated Occurrences" is disabled on Cookie header via Rest.
2) Illegal Repeated Header violation is enabled in Learning and Blocking settings.
Impact:
Illegal requests are allowed.
Workaround:
N/A
1327961-1 : EAM plugin crashes
Links to More Info: BT1327961
Component: Access Policy Manager
Symptoms:
EAM process was restarting and kept coring.
Suspecting this as key collision. The key is generated using ftok and isn't guaranteed to avoid collisions on a large box with 18 TMMs, which creates the opportunity for collisions (more shared memory in use).
Conditions:
Errors come across when EAM plugin intialisation
eam: shmget name:/var/run/tmm.mp.eam16, key:0xff14561e, size:7, total:789184 : Invalid argument
Impact:
Impacts functionality.
Workaround:
Fixed the problem by restarting the BIG-IP
The fact that a reboot clears the condition also supports this - the underlying inode being used to generate key is changed due to the a new version of the key file being created.
1327933-1 : 'tmsh show sys ip-address' command throws 'Syntax Error: Invalid IP address' error when address space is added
Links to More Info: BT1327933
Component: Access Policy Manager
Symptoms:
You may observe 'Syntax Error: Invalid IP address' error when you run
'tmsh show sys ip-address'
Conditions:
-Address space configured.
Impact:
Unable to run 'tmsh show sys ip-address'.
1327649 : Invalid certificate order within cert-chain associated to JWK configuration
Links to More Info: BT1327649
Component: TMOS
Symptoms:
An error occurs while validating the certificate and certificate chain in JSON web key configuration:
General error: 01071ca4:3: Invalid certificate order within cert-chain (/Common/mycert.crt) associated to JWK config (/Common/myjwk). in statement [SET TRANSACTION END]
Conditions:
Issue occurs when the certificate chain contains three or more certificates.
The proper order in issuing:
endpointchild
|
endpoint
|
intermediate
|
ca
Impact:
You are unable to create a policy with key configuration for OAuth when the certificate chain contains more than two certificates.
Workaround:
Note that there is no impact when the certificate chain order is valid and contains only two certificates in the chain.
1326797-3 : The Pool State of an offline pool with one or more user-disabled pool members depends on which pool member was marked down last by its monitor (non-deterministic behaviour)
Links to More Info: BT1326797
Component: Local Traffic Manager
Symptoms:
When you have two or more pool members with one pool member being administratively disabled and the other(s) being enabled, and all pool members are marked down by their monitor, the pool status depends on which pool member was marked down last.
Specifically:
- the disabled pool member is marked down by the monitor last - pool is in "offline/disabled-by-parent" state
- one of the enabled pool members are marked down by monitor last - pool is in "offline/enabled" state
Conditions:
- LTM pool configured with two or more pool members
- One pool member administratively disabled and the other(s) enabled
- All pool members marked down by their monitors
Impact:
When all the pool members are marked down by their monitors, the State of the pool depends on which pool member was last marked down by its monitor.
Workaround:
None
1326721-1 : Tmm crash in Google Cloud during a live migration
Links to More Info: BT1326721
Component: Local Traffic Manager
Symptoms:
When running in Google Cloud and a live migration occurs tmm may crash.
Conditions:
-- Google Cloud
-- ndal virtio driver
-- live migration
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable live migration in GCP.
Use the sock driver.
Related Bug IDs: 1319265, 1322937, 1326721
1325721-3 : Oauth not allowed for old tokens after upgrade to 15.1.9
Links to More Info: BT1325721
Component: Access Policy Manager
Symptoms:
Users are not able to access the Oauth old tokens after the fix for vulnerability that is, removal of hard coded encryption keys in Oauth.
Conditions:
Oauth feature with Opaque tokens configured and upgrade the version to 15.1.9 from previous versions.
Impact:
Not able to use old tokens
Workaround:
From 15.1.9 the Oauth old tokens that were generated and used in earlier versions will not work.
Due to the vulnerability CWE-798 the hard coded key encryption functionality usage has been removed and now the token generation will be dynamic so the old tokens which were used earlier are displayed as inactive when client runs a introspection.
Suggestive workaround is to use purge now option in UI. (Access > Overview > OAuth Reports > Tokens)
users have to remove the older tokens in oauthDB for every reboot.
1325681-2 : VLAN tscookies with fastl4 timestamp preserve and PVA acceleration cause connection problems.★
Links to More Info: K000136894, BT1325681
Component: Advanced Firewall Manager
Symptoms:
Some connections might be reset by the client or server when VLAN timestamp cookies are configured.
One symptom commonly reported is that the virtual server for the email service suddenly stops working after upgrading.
Conditions:
-- Flow accelerated in PVA.
-- VLAN timestamp cookies configured for one side of the connection.
-- Bigproto timestamp preserve option (default).
-- Client and server sending timestamps.
Impact:
Unexpected flow RSTs from client/server due to incorrect timestamp echo received from BIG-IP.
Workaround:
Either:
- Set fastL4 profile option 'tcp-pva-whento-offload' to 'establish'
OR
- Disable VLAN timestamp cookies.
OR:
- Disable tscookie inside tcp-ack-ts DoS vector.
OR
- Change fastL4 timestamp option to rewrite (this disables PVA acceleration).
1325649-2 : POST request with "Expect: 100-Continue" and HTTP::collect + HTTP::release is not being passed to pool member
Links to More Info: BT1325649
Component: Local Traffic Manager
Symptoms:
After upgrading from a BIG-IP version prior to v16.1.0 to BIG-IP v16.1.0 or later, one specific virtual-server is not working as expected and unable to forward the POST request towards the pool member.
Conditions:
1) Upgrade to v16.1.0 or later
2) Send a POST request from client with "Expect: 100-Continue".
3) Attach an irule using http::collect plus http::release to the Virtual Server.
Impact:
Cannot send POST requests from client to server
1325561 : Reboot should be prohibited in the middle of Terraform onboarding and the f5-bigip-runtime-init is not finished
Links to More Info: BT1325561
Component: TMOS
Symptoms:
A reboot occurs when the f5-bigip-runtime-init is not finished.
Conditions:
On Azure, and the VM is using Terraform onboarding.
Impact:
On Azure, the VM sometimes reboots in the middle of Terraform onboarding.
Workaround:
N/A
1325045 : Nexthop of mirrored flow is not updated when standby becomes active
Links to More Info: BT1325045
Component: Local Traffic Manager
Symptoms:
After failover, newly active BIG-IP does not refresh the server nexthop value when a routing change occurs. This is an intermittent issue.
Conditions:
BIG-IP in high availability (HA) scenario with connection mirroring. A network failure triggers a failover and also stops the newly active from reaching the server nexthop. A routing change (eg: bgp peering timeout) occurs which should trigger a recalculation of the server nexthop mac-address.
Impact:
Connection failure until the flow entry is deleted.
Workaround:
Clear the connflow entry from the table.
Remove connection mirroring.
Reconfigure network so that active and standby have equal access to the network in the event of failure.
Use VRRP/HSRP or similar on the downstream network.
1324777-1 : The get_file_from_link in F5::Utils::File should support HTTPS links also when proxy.host DB key is configured
Links to More Info: BT1324777
Component: Application Security Manager
Symptoms:
Import declarative policy is failing because of unsuccessful retrieval of the HTTPS external link for the open API file which is in use in the declarative policy, the response code 400 Bad Request is displayed.
Conditions:
The proxy server is in use and the proxy.host DB key is configured and the declarative policy is using an external HTTPS link for the open API file.
Impact:
Import declarative policy is failing.
Workaround:
Use a local file instead of using the external link.
For example, if you have a file “my_swagger_file.yaml”, you should use 'file-transfer' task to upload the Swagger file to the BIG-IP, and in the JSON policy it will be used like that:
"open-api-files": [
{
"link": "file://my_swagger_file.yaml"
}
]
1324681-3 : Virtual-server might stop responding when traffic-matching-criteria is removed.
Links to More Info: BT1324681
Component: TMOS
Symptoms:
Due to a known issue virtual-server might stop responding to traffic when traffic-matching-criteria (TMC) is removed and ordinary address/port gets defined.
Conditions:
- Disabling traffic-matching-criteria on a virtual-server.
Impact:
Virtual-server stops responding to traffic.
Workaround:
TMM restart will fix this problem.
1324197-3 : The action value in a profile which is in different partition cannot be changed from accept/reject/drop to Don't Inspect in UI
Links to More Info: BT1324197
Component: TMOS
Symptoms:
When trying to change the action value of signature/compliance in an IPS Profile from accept/reject/drop to Don't Inspect in UI, it is not changing. This happens when the IPS Profile is in different partition
Conditions:
1) Create a partition
System > Users > Partitions List > Create > give profile_name > update
2) Move to the new partition created at the top right corner of UI
3) Create IPS Profile
Security > Protocol Security > Inspection Profiles > Add > New > give Profile name > select the services > update action values of signatures and compliances to accept/reject/drop
4) Change the value from action accept/reject/drop to 'Don't Inspect' and commit the changes.
Impact:
Will not be able to change the action value from accept/reject/drop to Don't Inspect in UI when the IPS Profile is in different partition
Workaround:
For signature below command can be used in CLI
modify security protocol-inspection profile /<partition-name>/<profile-name> { services modify { /Common/<service-name> { signature delete { /Common/<signature-name> }}}}
To update the action value of all signatures in a service to Don't Inspect
modify security protocol-inspection profile /<partition-name>/<profile-name> { services modify { /Common/<service-name> { signature delete { all }}}}
For compliance below command can be used in CLI
modify security protocol-inspection profile /<partition-name>/<profile-name> { services modify { /Common/<service-name> { compliance delete { /Common/<complance-name> }}}}
To update the action value of all compliances in a service to Don't Inspect
modify security protocol-inspection profile /<partition-name>/<profile-name> { services modify { /Common/<service-name> { compliance delete { all }}}}
1323081 : Wrong Licensed Date is displayed after license activation
Links to More Info: BT1323081
Component: TMOS
Symptoms:
Sometimes License Date in configuration utility displays incorrect license activation date. The License Date has no significance in BIG-IP logic and creating confusion.
The service check date in license maintains the activation dates.
Conditions:
License activation.
Impact:
Incorrect license activation date displays in configuration utility.
Workaround:
None
1322937-2 : Tmm crash in Google Cloud during a live migration: Assertion `empty xfrag' failed.
Links to More Info: BT1322937
Component: Local Traffic Manager
Symptoms:
When the BIG-IP is involved in a live migration on Google Cloud, it may crash. There may be a log message in /var/log/tmm similar to the following
<13> Jul 19 05:45:53 bigip1 notice lib/c/xbuf.c:1431: xbuf_insert: Assertion `empty xfrag' failed.
Conditions:
Google Cloud VE
Live migration
The Virtio network driver
Impact:
Unexpected traffic disruption
Workaround:
Disable live migration
Related Bug IDs: 1319265, 1322937, 1326721
1322413-2 : FQDN node status changes to Unknown/Unchecked on peer device after config sync
Links to More Info: BT1322413
Component: TMOS
Symptoms:
If changes are made to the configuration of an FQDN node which has a node monitor configured, and the configuration is synced to a device group, ephemeral nodes generated from the FQDN node may show an Availability of "unknown" and a Monitor Status of "unchecked".
Conditions:
This may occur on versions of BIG-IP with fixes for ID724824 and ID1006157, under the following conditions:
-- BIG-IP systems are configured in a device group
-- The device group is configured for Manual Sync (Full or Incremental)
-- One or more FQDN nodes are configured with a node monitor (which could be the Default Node Monitor)
-- A change is made to the configuration of the FQDN node
-- A Full configuration sync is performed (by a Manual sync with the device group configured for a Full sync, or using the "force-full-load-push" keyword:
tmsh run cm config-sync to-group example-group force-full-load-push
Impact:
The affected nodes will be displayed with an Availability of "unknown" and a Monitor Status of "unchecked".
Workaround:
To recover from this condition, remove and re-add the node monitor:
-- Remove the node monitor from the FQDN node configuration (or from default-node-monitor):
tmsh mod ltm node example monitor none
(tmsh mod ltm default-node-monitor rule none)
-- Sync this change to the device group (Incremental sync)
-- Re-add the node monitor to the FQDN node configuration (or to default-node-monitor):
tmsh mod ltm node example monitor my_node_monitor
(tmsh mod ltm default-node-monitor rule my_node_monitor)
-- Sync this change to the device group (Incremental sync)
1322117-3 : FastL4 TCP PVA accelerated connection might not be cleared until idle timeout.
Links to More Info: BT1322117
Component: Local Traffic Manager
Symptoms:
Connection where client is re-using the source port connecting to a server in TIME_WAIT might not be cleared immediately from BIG-IP connection table after the closure.
Conditions:
-- FastL4 PVA acceleration at Embryonic.
-- Client re-using 4-tuple, hitting server in TIME_WAIT.
-- Platform has ePVA (VE, r2xxx, r4xxx have no ePVA)
Impact:
Connection will remain in the BIG-IP connection table until idle-timeout is reached.
Workaround:
Set 'tcp-pva-whento-offload establish' on a fastl4 profile.
1322009-2 : UCS restore fails with ifile not found error
Links to More Info: BT1322009
Component: TMOS
Symptoms:
The loading configuration process failed.
Conditions:
This issue occurs when installing UCS without ifiles.
Impact:
The loading configuration process failed. UCS restore fails with ifile not found error.
Workaround:
Commenting the line `/bin/rm -rf /config/filestore/files_d/Common_d/ifile_d/*` in /usr/local/bin/install_ucs.pm resolves the issue.
1321029-2 : BIG-IP tenant or VE fails to load the config files because the hypervisor supplied hostname is not a FQDN
Component: TMOS
Symptoms:
If a BIG-IP tenant (F5OS) or VE is shut down or rebooted during its initial start, it is possible the system will not become operational when it is started again.
Conditions:
VE or F5OS tenant. The mcpd is forced to load the config from the config files, as opposed to the binary database. The config files are missing.
Impact:
The tenant or VE will not become operational.
Workaround:
None
1320773-2 : Virtual server name caused buffer overflow
Links to More Info: BT1320773
Component: Local Traffic Manager
Symptoms:
Virtual server name caused buffer overflow and TMM core occurs.
Conditions:
- Virtual server is renamed
Impact:
TMM cores, traffic disruption can occur.
Workaround:
None
1319385-2 : Syncookies may always show as enabled if a listener address is changed while syncookies is on
Links to More Info: BT1319385
Component: TMOS
Symptoms:
Syncookies may always show as enabled if a listener source or destination address is changed while syncookies is on.
The stat epva_hwvipstat.fsu_rx_drops will be non zero when this occurs.
Conditions:
Syncookies on
Modifications to the source or destination address
Impact:
Syncookies will be disabled, but the virtual server status will show syncookies enabled.
1319265-3 : Tmm crash observed in GCP after a migration
Links to More Info: BT1319265
Component: Local Traffic Manager
Symptoms:
Tmm may crash in Google Cloud Platform (GCP) after a migration.
The following logs were observed in kern.log
emerg kernel: NMI watchdog: BUG: soft lockup - CPU#3 stuck for 22s! [finish:5055]
warning kernel: [<ffffffffa01a21ff>] virtnet_send_command.constprop.34+0x10f/0x160 [virtio_net]
warning kernel: [<ffffffffa01a274f>] virtnet_set_queues+0x9f/0x100 [virtio_net]
warning kernel: [<ffffffffa01a38bd>] virtnet_probe+0x77d/0x858 [virtio_net]
warning kernel: [<ffffffffa002792f>] virtio_dev_probe+0x1cf/0x2d0 [virtio]
warning kernel: [<ffffffff81456165>] driver_probe_device+0xc5/0x460
warning kernel: [<ffffffff81456500>] ? driver_probe_device+0x460/0x460
warning kernel: [<ffffffff81456543>] __device_attach+0x43/0x50
warning kernel: [<ffffffff81453de5>] bus_for_each_drv+0x75/0xc0
warning kernel: [<ffffffff81455fa0>] device_attach+0x90/0xb0
warning kernel: [<ffffffff814551c8>] bus_probe_device+0x98/0xd0
warning kernel: [<ffffffff81452a6f>] device_add+0x4ff/0x7c0
warning kernel: [<ffffffffa0070370>] ? vp_finalize_features+0x40/0x40 [virtio_pci]
warning kernel: [<ffffffffa0070370>] ? vp_finalize_features+0x40/0x40 [virtio_pci]
warning kernel: [<ffffffff81452d4a>] device_register+0x1a/0x20
warning kernel: [<ffffffffa00273c9>] register_virtio_device+0xb9/0x100 [virtio]
warning kernel: [<ffffffffa006f8b7>] virtio_pci_probe+0xb7/0x140 [virtio_pci]
warning kernel: [<ffffffff8137856a>] local_pci_probe+0x4a/0xb0
warning kernel: [<ffffffff81379ca9>] pci_device_probe+0x109/0x160
warning kernel: [<ffffffff81456165>] driver_probe_device+0xc5/0x460
warning kernel: [<ffffffff81456500>] ? driver_probe_device+0x460/0x460
warning kernel: [<ffffffff81456543>] __device_attach+0x43/0x50
warning kernel: [<ffffffff81453de5>] bus_for_each_drv+0x75/0xc0
warning kernel: [<ffffffff81455fa0>] device_attach+0x90/0xb0
warning kernel: [<ffffffff81454139>] bus_rescan_devices_helper+0x39/0x60
warning kernel: [<ffffffff81454542>] store_drivers_probe+0x32/0x70
warning kernel: [<ffffffff81453a69>] bus_attr_store+0x29/0x30
warning kernel: [<ffffffff81290d22>] sysfs_kf_write+0x42/0x50
warning kernel: [<ffffffff812902f3>] kernfs_fop_write+0xe3/0x160
warning kernel: [<ffffffff81207bf0>] vfs_write+0xc0/0x1f0
warning kernel: [<ffffffff81208a1f>] SyS_write+0x7f/0xf0
warning kernel: [<ffffffff816cf741>] system_call_fastpath+0x48/0x4d
Conditions:
-- Google Cloud Platform
-- Virtio driver
-- A GCP migration is performed
Impact:
Traffic disrupted while tmm restarts.
Workaround:
-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141
Related Bug IDs: 1319265, 1322937, 1326721
1318653 : Upgrading or failover of APM with lot of access policies takes long time to become "really" active
Links to More Info: BT1318653
Component: Access Policy Manager
Symptoms:
When BIG-IP Administrator has lot of access policies, around 300 plus, after upgrade or failover a new unit becomes active. Users accessing one of the access policies experience error "(Your session could not be established. The session reference number: b0745df3. Access policy configuration has changed on gateway. Please login again to comply with new access policy configuration". Also, it takes lot of time, around 25 minutes for all the 347 access policies, to become really active.
Conditions:
After an upgrade or failover the snapshot creation process gets invoked. And while user accesses a virtual server with access policy whose snapshot is not yet created, errors occur mentioning failure in establishing the session.
Impact:
BIG-IP administrator having BIG-IP with a large number of access policies will have to wait for a long time, during and upgrade or failover, for the system to become really active.
Workaround:
-No-
1318625-2 : The gtm_add sync configuration is in the unintended direction with large GTM configuration
Links to More Info: BT1318625
Component: Global Traffic Manager (DNS)
Symptoms:
A wrong GTM configuration was pushed to the sync group members after using the script gtm_add.
Conditions:
-- Race condition to exhibit this behavior with large GTM configuration while performing gtm_add.
-- Following can be seen in GTM debug logs:
011a0200:7: MCP Message queued for resend. 1 backlogged messages.
.
.
.
011a0200:7:MCP Message queued for resend. 1125 backlogged messages.
Impact:
GTM devices loaded with the wrong or unintended configuration.
Workaround:
None
1318377-3 : TMM memory leak when using http+fastl4 profile with 'rtt-from-client/rtt-from-server' enabled.
Links to More Info: BT1318377
Component: Local Traffic Manager
Symptoms:
TMM might experience a memory leak when using FastL4 'rtt-from-client/rtt-from-server' options in conjunction with HTTP profile.
Conditions:
A single virtual server configured with:
-- HTTP profile.
-- Fastl4 profile with 'rtt-from-client/rtt-from-server' enabled.
Impact:
Memory leak in TMM process.
Workaround:
Disable 'rtt-from-client/rtt-from-server' on Fastl4 profile.
1318041-2 : Some OIDs using type as counter instead of expected type as gauge
Links to More Info: BT1318041
Component: TMOS
Symptoms:
While checking via SNMP commands there are number of OIDs in the MIBs that are reporting value as counter that should be gauge/integer
Conditions:
Using the following OIDs:
ltmDosAttackDataStatDropsRate
ltmDosAttackDataStatStatsRate
ltmNetworkAttackDataStatDropsRate
ltmNetworkAttackDataStatStatsRate
ltmVirtualServStatCsMeanConnDur
Impact:
Incorrect Type is seen for some OIDs.
Workaround:
None
1317773-3 : CGNAT / AFM NAT: "Clients Using Max Port Blocks" counter might be inaccurate
Links to More Info: BT1317773
Component: Carrier-Grade NAT
Symptoms:
When using CGNAT or AFM NAT in PBA mode (Port Block Allocation) the value of "Clients Using Max Port Blocks" might be wrong, not reflecting the actual number of total clients who have reached the max port blocks allocated to them.
The value of "Clients Using Max Port Blocks" can be seen in the output of the command "tmsh show ltm lsn" along with other statistics.
Conditions:
- BIG-IP running two or more TMM threads
- BIG-IP provisioned with CGNAT or AFM NAT
- LSN pool using PBA (Port Block Allocation) configured
Impact:
The value of "Clients Using Max Port Blocks" is increased when clients reach the max port blocks allocated to them but is not decreased when the clients don't have any more port blocks allocated.
As such, it keeps increasing over time.
Workaround:
None
1316821-2 : HTTP::disable not allowed after HTTP::respond
Component: Local Traffic Manager
Symptoms:
Rule not processed and ltm logs shows this:
TCL error: /Common/connect-irule <HTTP_REQUEST> - Illegal value. HTTP::disable not supported when responding or retrying (line 1) invoked from within "HTTP::disable"
Conditions:
When an iRule has an HTTP::respond followed by an HTTP::disable, the disable is not allowed.
Impact:
iRule not processed.
Workaround:
N/A
1316481-2 : Large CRL file update fails with memory allocation failure
Links to More Info: BT1316481
Component: TMOS
Symptoms:
When updating a large CRL file in BIG-IP using tmsh, the file may be partially read due to internal memory allocation failure.
Please note that the size of the CRL file causing this issue varies across hardware types, network bandwidth and usage, and system resources.
Conditions:
1. Using tmsh, large CRL file is updated to an existing CRL.
2. This large CRL file is attached to multiple profiles.
3. The tmsh modify command is used multiple time in a short span of time that leads to the memory crunch.
Impact:
When large CRL file is attached to the profile which was partially read due to memory allocation failure, the profile gets successfully updated. Connections to VIP with this profile may have unexpected results. For e.g. client connecting to VIP with a revoked client certificate will succeed as the CRL was only partially read.
Workaround:
1. Dynamic CRL / CRLDP on client-ssl profile can be configured to dynamically verify SSL certificate revocation status.
2. OCSP can be enabled on client-ssl profile to validate SSL certificate revocation status.
1316113-2 : 1nic VE reloads on every reboot
Component: TMOS
Symptoms:
When Virtual Edition (VE) is configured for 1NIC, you will see the following logs on reboot indicating that configuration has been loaded from file:
notice tmsh[12232]: 01420002:5: AUDIT - pid=12232 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all base
notice tmsh[12392]: 01420002:5: AUDIT - pid=12392 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all
Conditions:
- VE configured in 1NIC mode.
- Unit booted either through reboot or power on.
Impact:
This is unlikely to have any impact if the VE is in standalone mode but could result in an unexpected config if the configuration files differ.
If the VE is part of a device-group, then this will result in a commit id update and the units will show 'Changes pending'.
Workaround:
None.
1314769-2 : The error "No Access" is displayed when trying to remove Bundle Manager object from list
Links to More Info: BT1314769
Component: TMOS
Symptoms:
The error "No Access" is displayed when trying to remove a Bundle Manager object from the list using GUI.
Conditions:
When the checkbox next to the Bundle Manager is checked and clicks the Delete button at the bottom of the page, then "No Access" error appears.
Impact:
Unable to delete a Bundle Manager.
Workaround:
The issue has following two workarounds:
- Click on the Bundle Manager and click Delete at the bottom.
or
- Delete the Bundle Manager from TMSH CLI.
1314597-2 : Connection on standby may stay until idle timeout when receiving ICMP error
Links to More Info: BT1314597
Component: Local Traffic Manager
Symptoms:
When a pool member server returns an ICMP error, connections will persist on standby while they have been terminated on active.
Conditions:
When an ICMP error such as port unreachable is returned by a pool member, the packet will be dropped by the standby while the active will process it immediately and terminate the connection.
Impact:
The connection will stay on the standby until the idle timeout expires.
Workaround:
Lower idle timeout will reduce the time before it vanishes.
1312125 : MCPD crash on the changes of Device trust sync only group modification
Links to More Info: BT1312125
Component: Access Policy Manager
Symptoms:
MCPD crashes on policy sync when the APM module is enabled.
Conditions:
This issue occurs after upgrading to BIG-IP version 16.1.3.3 HF build 0.41.3.
Impact:
Unable to introduce a unit into the sync group, which jeopardizes production.
Workaround:
None
1312045 : The graph lines do not match the source translation request value
Links to More Info: BT1312045
Component: Application Visibility and Reporting
Symptoms:
There is a discrepancy between the source address translation request and the graph value.
Conditions:
Security->Reporting: Network Address Translation:Source: Translation
source address translation report details do not match the graph lines.
Impact:
The average source address translation requests value is not displaying properly on the page.
Workaround:
Removing the period value from the merge_formula shows correct results on both environments(Single and Multi slots) from testing results.
Workaround:
===========
In BIG-IP, open /etc/avr/monpd/monp_tmstat_fw_nat_measures.cfg#7 file.
merge_formula=round(sum(src_translation_requests)/period,2)
>>>>
merge_formula=round(sum(src_translation_requests),2)
restart the monpd.
1311997 : Disable the f5_cspm and f5_p words from the AVR cookie disclosure.
Links to More Info: BT1311997
Component: Application Visibility and Reporting
Symptoms:
AVR cookie disclosure shows f5_cspm and f5_p words after changing the avr.cspmcachecookiename cookie name.
Conditions:
While we curl the application used behind the F5 Big IP.
Impact:
Changing the avr.cspmcachecookiename won't disable the f5_cspm and f5_p words from the AVR cookie disclosure.
Workaround:
To selectively disable the AVR f5_cspm injection follow the below document.
https://clouddocs.f5.com/api/irules/AVR__disable_cspm_injection.html
1311977-4 : IPsec interface mode tunnel not sending icmp unreachable fragmentation needed
Links to More Info: BT1311977
Component: TMOS
Symptoms:
When the ESP packet is not fragmented.
Conditions:
- When the ESP packet is not fragmented.
- When the size of the packet is bigger than MTU.
Impact:
This issue causes data loss.
Workaround:
Configure a bigger value for MTU.
1311613-2 : UCS obtained from F5OS tenant with FPGA causes continuous TMM restarts when loaded to BIG-IP
Links to More Info: BT1311613
Component: TMOS
Symptoms:
TMM restarts continuously after loading a UCS file that was taken from an F5OS tenant with FPGA hardware.
Conditions:
The UCS is taken from an F5OS tenant with FPGA hardware (VELOS, r5k, r10k), and loaded to a non-F5OS tenant BIG-IP system (VE, vCMP guest, Hardware)
Impact:
Migrations or moving configurations across dissimilar platforms will not be successful.
Workaround:
Delete the file /config/tmm_velocity_init.tcl and reboot the device if necessary.
Use the following example command:
rm -fv /config/tmm_velocity_init.tcl
1308393-2 : Export security policy XML format fail with "too large and cannot be exported" message
Links to More Info: BT1308393
Component: Application Security Manager
Symptoms:
Extremely large policies may fail to export in XML format.
Conditions:
This is caused when an extremely large security policy is exported in XML format.
Impact:
The policy cannot be exported in XML format.
Workaround:
The policy may be exported in Binary or JSON format.
1307697-1 : IPI not working on a new device - 401 invalid device error from BrightCloud
Links to More Info: BT1307697
Component: Advanced Firewall Manager
Symptoms:
IPI update is failing with below error:
iprepd|ERR|Jun 09 15:52:59.261|9847|getipfile failed with status code: 401: Unauthorized: Invalid or missing credentials OEM, Device, or UID
iprepd|ERR|Jun 09 15:52:59.261|9847|Error code 1029: InvalidUserCredentials
iprepd|ERR|Jun 09 15:52:59.261|9847|Server message: Invalid Device (f5#ipintelligence-c130 from 202.187.110.1)
Conditions:
Only IPI update will stop working.
Impact:
IPI stop working.
Workaround:
No workaround
1307605-1 : AFM does not detect NXdomain attack (for DNS express)
Component: Advanced Firewall Manager
Symptoms:
AFM does not account for NXDOMAIN query when DNS express is in use.
At the device level, NXDOMAIN stats are incorrect.
Conditions:
-- DNS express is enabled
-- NXDOMAIN DoS vector detection is enabled
Impact:
NXDOMAIN attack is not detected.
Workaround:
None
1307385-2 : When blade replacement happens, signature config is lost in bigip.conf when IM is loading on a new blade
Links to More Info: BT1307385
Component: Protocol Inspection
Symptoms:
The bigip.conf file differs before and after blade replacement
Conditions:
It happens when one of the blades is replaced
Impact:
The bigip.conf does not list all the signatures added in the IM which is active
Workaround:
1) Try the command "tmsh save sys config"
2) If step 1 does not resolve the issue then try reloading the IM (Move to Factory Defaults IM and load the IM again). Then the bigip.conf will be updated with all the signatures supported by that IM)
1306557-2 : Incorrect counting of non basic latin characters for min/maxLength
Component: Application Security Manager
Symptoms:
When a string field in the JSON schema has minLength/maxLength constraints, they are incorrectly interpreted as constraints on the number of bytes instead of the number of characters.
Conditions:
JSON profile with a schema that includes a string field with minLength and maxLength constraints.
Impact:
Requests incorrectly blocked, due to interpreting the constraints as byte length rather than character length.
Workaround:
NoneString fields in JSON schema now correctly interpret minLength/maxLength constraints based on character length rather than byte length
1305609-3 : Missing cluster hearbeart packets in clusterd process and the blades temporarily leave the cluster
Links to More Info: BT1305609
Component: Local Traffic Manager
Symptoms:
If two or more clusterd processes experience a long HAL timeout communicating with chmand, then either of those clusterd process will report a lack of cluster heartbeart packets and one or more blades will leave the cluster.
Here are two example log messages that will occur when this issue is encountered.
# slot 3 marking itself as failed because of a partition event where the heartbeat timeout only occurred on the mgmt_bp interface.
err clusterd[21260]: 013a0004:3: Marking slot 3 SS_FAILED due to partition detected on mgmt_bp from peer 4 to local 3
# slot 2 marking slot 1 as failed due to a lack of cluster packets from slot1 on both mgmt and tmm bp interfaces.
err clusterd[29069]: 013a0004:3: Local slot 2: not getting clusterd pkts from slot 1; timed out on mgmt_bp and tmm_bp after 10 seconds. Marking peer slot 1 SS_FAILED
These messages are not unique to this bug. There are other bugs and conditions that can cause clusterd to stop sending/receiving heartbeat packets.
Conditions:
1) Multi-blade chassis with a minimum of 5 blades. More blades increases the chances of encountering this bug.
2) A condition that causes long HAL delays between clusterd and chmand. One condition of long HAL delays that is specific to 14.1.x and prior is a full config sync. However that condition was fixed in 15.1.0 and higher with the changes for ID 721020 and ID 746122.
Impact:
A blade will temporarily leave the cluster but then re-join unless ID 1273161 or something similar also occurs.
If the # of blades leaving the cluster causes the number of online blades to be less then the min-up-members, min-up-members-enabled is set to 'yes' and the chassis is Active a failover will occur.
Workaround:
N/A
1304849-1 : iSeries LCD displays "Host inaccessible or in diagnostic mode"
Links to More Info: BT1304849
Component: TMOS
Symptoms:
On rare occasions, while booting up an iSeries BIG-IP system, the LCD may continuously display "Host inaccessible or in diagnostic mode" message for an extended period of time.
Conditions:
This can occur when booting up an iSeries BIG-IP system.
Impact:
LCD is unusable until the system is rebooted.
Workaround:
Wait for 5 minutes. If the LCD is still displaying the "Host inaccessible or in diagnostic mode" message after the specified time period, reboot the BIG-IP system.
1302925-2 : Failed to load detected bots list , when you clicked on Bot Category
Links to More Info: BT1302925
Component: Application Security Manager
Symptoms:
An error occurs while trying to access the bot event logs.
Conditions:
The bot events logs has N/A bot categories, and you clicked on one of them to see details.
Impact:
After clicking on the N/A bot categories, you will get an error when you click on a specific category in the event logs (for example, if you click on “Search Engine Masquerading” in Bot Categories)
Workaround:
"bigstart restart asm" will allow to click again and see details for a specific category.
But if you click again on the 'N/A' bot category in the events log, it will reproduce again the issue.
1302353 : Duplicate OID index warnings observed in /var/log/ltm
Links to More Info: BT1302353
Component: TMOS
Symptoms:
Run snmpwalk receiving warning msg "Duplicate oid index found: bigip_l2_forward_stat.c:128" in ltm logs
Conditions:
Snmpwalk -v2c -Of -c public localhost .1.3.6.1.4.1.3375.2.1.2.5.1
or
snmpwalk -v2c -Of -c public localhost .1.3.6.1.4.1.3375.2.1.2.5.2
Impact:
Ltm logs with warning message "Duplicate oid index found:"
Workaround:
1.Log in to the Traffic Management Shell (tmsh) by typing the following command:
tmsh
2.Add the filter by typing the following command:
modify /sys syslog include "filter f_local0 { facility(local0) and not match(bigip_l2_forward_stat); };"
3.Save the changes by typing the following command:
save /sys config
1302101-3 : Sflow receiver flows are not established at TMM startup on sDAG platforms due to sDAG delay
Links to More Info: BT1302101
Component: TMOS
Symptoms:
No sflow data is sent.
Conditions:
Either configure a valid sflow receiver and restart the tmm or, configure a valid sflow receiver reachable via dynamic route on non sDAG platforms and restart the tmm.
Impact:
Sflow data is dropped.
Workaround:
Modify the receiver configuration (any field, including description). This allows triggering an update which will get sflow working.
1301897-3 : DAG transition does not complete when TMM starts in FORCED_OFFLINE mode
Links to More Info: BT1301897
Component: TMOS
Symptoms:
When TMM restarts with force-offline enabled, it comes up waiting for a dag_transition. It never completes because CDP proxy never comes up due to no active traffic group in FORCE_OFFLINE mode.
Conditions:
Restarting TMM with force-offline enabled.
Impact:
Tenants show high CPU and idle enforcer constantly starting or exiting.
Workaround:
Do not perform upgrade/restart in force-offline mode.
1301865-3 : OSPF summary might have incorrect cost when advertised by Standby unit.
Links to More Info: BT1301865
Component: TMOS
Symptoms:
OSPF summary might have incorrect cost when advertised by Standby unit.
Conditions:
- Other protocol redistribution into OSPF causing a summary route injection.
Impact:
Undesired traffic flow towards Standby unit.
Workaround:
Redistribute a summary route from static:
Use:
!
router ospf 1
redistribute static metric-type 1
network 10.10.10.0.32 0.0.0.255 area 0
!
ip route 192.168.0.0/16 Null
Instead of:
!
router ospf 1
redistribute bgp metric-type 1
network 10.10.10.0.32 0.0.0.255 area 0
summary-address 192.168.0.0/16
1301317-2 : Update Check request using a proxy will fail if the proxy inserts a custom header
Links to More Info: BT1301317
Component: TMOS
Symptoms:
Update check fails.
Conditions:
-- Update check is checking for updates
-- A proxy is configured
-- The proxy inserts a header in its response
Impact:
Update check will fail.
Workaround:
Do not add any header in the proxy response.
1300909-2 : Violation details for "HTTP protocol compliance failed" violation are not available if the Block flag is only enabled
Component: Application Security Manager
Symptoms:
Violation details are missing in the event log under the "HTTP protocol compliance failed" violation.
Conditions:
When the "HTTP protocol compliance failed" violation is triggered.
Impact:
Incomplete information is displayed for the violation "HTTP protocol compliance failed".
Workaround:
None
1300665-3 : ASMCSD memory leak if tsconfd.loglevel is set for debug level
Links to More Info: BT1300665
Component: Application Security Manager
Symptoms:
ASMCSD memory size continue to grow and consumes all the available memory and triggers OOM-Killer.
Conditions:
- Debug level set with tsconfd.loglevel
- Changes on policies
Impact:
Memory leak that eventually triggers OOM-Killer.
Workaround:
- Do not set debug with tsconfd.loglevel to avoid the memory leak.
- Restart ASMCSD to clear the memory if the memory leak has been created and the system suffers from memory pressure.
1300645-2 : Wrong violation attribute is reported on a request.
Component: Application Security Manager
Symptoms:
The request violation is reported as learn/alarm/blocked while the system is configured to learn.
Conditions:
Specific request and violation
Impact:
User confusion
Workaround:
None
1299085 : AVR shows Server Latency as 0 for http2 virtual with MRF enabled
Links to More Info: BT1299085
Component: Application Visibility and Reporting
Symptoms:
Statistics ›› Analytics : HTTP : Overview"
AVR shows Server Latency is 0.
Inaccurate reporting for some http2-enabled virtual servers.
Conditions:
Http2 virtual servers with MRF enabled shows server latency as 0
Impact:
Inaccurate reporting for some http2-enabled virtual servers.
Workaround:
No workaround.
1298225 : Avrd generates core when dcd becomes unavailable due to some reason
Links to More Info: BT1298225
Component: Application Visibility and Reporting
Symptoms:
Avrd core file generates.
Conditions:
When avrd is writing to the external device and that device is unavailable temporarily.
Impact:
Potential system impact.
Workaround:
None
1297521-2 : Full sync failure for traffic-matching-criteria with port list update on existing object in certain conditions
Links to More Info: BT1297521
Component: Local Traffic Manager
Symptoms:
Performing a full configuration sync with traffic-matching-criteria (TMC) under specific conditions fails with errors similar to:
err mcpd[5781]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[5781]: 01071488:3: Remote transaction for device group /Common/HA to commit id 41 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..
Conditions:
This may occur on a full-load config sync (not an incremental sync)
Both Active and Standby on sync already
- a traffic-matching-criteria is attached to a virtual server
- the traffic-matching-criteria is using a port-list
- Update the port list (Add new port in the existing list)
Ex:
tmsh modify net port-list /Common/<> { ports replace-all-with { 80 { } 83 { } 84 { } } port-lists none }
Assume port list already with 80,83 and adding new port 84 in the list.
NOTE: No issue observed when we try to update the list with removing the port from the list.
Impact:
Unable to sync configurations.
Workaround:
None
1296409-2 : TMM cored in ping access hudfilter due to ctx pointed to invalid address
Links to More Info: BT1296409
Component: Access Policy Manager
Symptoms:
In the pingaccess, when the HUDCTL_TEARDOWN arrives and is forwarded synchronously down the chain, this causes the flow to be removed and the chain to be torn down. This also causes the CLIENT_CLOSED to be called.
Coincidentally customer has iRule, and happens to need a block matching the size of the just-freed block containing ctx, thus the freed ctx is overwritten with the log message generated due to the debugging TCL variable being "1".
Upon reaching lower filters, the pingaccess attempts to call pmgr_service_update_last_active where the issue occurred.
This issue can be seen in the 1001041 bug.
Conditions:
APM provisioned. Using multiple ping access instances, the
Ping access feature is mainly used for SSO.
Impact:
Unexpected failover occurred which impacted accessing applications.
Workaround:
None
1295353-2 : The vCMP guest is not sending HTTP flow samples to sFlow receiver
Links to More Info: BT1295353
Component: TMOS
Symptoms:
The vCMP clusters without configured slot-specific management-IP addresses will report 0.0.0.0 for: sFlow (Agent Address) resulted in missing HTTP flow samples to sFlow receiver.
Conditions:
- vCMP guest deployed on a chassis with only Cluster IP set, and no individual blade IP addresses configured.
- Configured with an available sFlow receiver.
Impact:
No monitoring information as there were no HTTP flow samples.
Workaround:
- Configure cluster blade IP addresses. For example, to set the slot-specific management IP address on a vCMP guest which runs on a single slot, use a command similar to the following:
tmsh modify sys cluster default members { 1 { address 198.51.100.2 } }
- The HTTP flow samples will be available on a vCMP guest.
1294709-1 : SSL Orchestrator ICAP service changes do not propagate to the GUI/CLI
Links to More Info: BT1294709
Component: SSL Orchestrator
Symptoms:
After changing settings for an existing ICAP service and deploying through SSL Orchestrator, the new changes are not reflected in the ICAP profiles visible through either the GUI or tmsh.
Conditions:
Trying to change settings for an existing ICAP service using SSL Orchestrator
Impact:
You are unable to change ICAP service settings through SSL Orchestrator.
Workaround:
Before deploying the changes, first click "Preview Merge Config". Then after clicking "Deploy", tick the additional "Overwrite Changes" box, and click "Deploy".
1294301 : Tmm core when freeing pool name
Links to More Info: BT1294301
Component: Service Provider
Symptoms:
Tmm crashes.
Conditions:
This can occur while tmm is freeing the pool name.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1294141-3 : ASM Resources Reporting graph displays over 1000% CPU usage
Links to More Info: BT1294141
Component: Application Visibility and Reporting
Symptoms:
The ASM resources graph which is present under Security > Reporting > ASM Resources > CPU Utilization displays over 1000% CPU usage when ASM is under load. The unit is percentage so it should be below 100.
Conditions:
- ASM should be under load and utilizing most of CPU cycles.
Impact:
Reporting graph displays incorrect percent value.
Workaround:
None
1294113-2 : During a DNS attack, summary log shows no attack ID
Links to More Info: BT1294113
Component: Application Visibility and Reporting
Symptoms:
During a DNS attack, the summary log file shows Dos_attack_id="0", instead of the attack ID of the active attack.
Conditions:
An active DNS attack.
Impact:
Summary log files are not correctly identifying an active attack.
Workaround:
No Workaround
1293829-3 : The violation "Illegal cross-origin request" is raised when it is not enabled under learning-blocking settings
Links to More Info: BT1293829
Component: Application Security Manager
Symptoms:
Request with a cross-origin violation, raises a violation when the violation is not enabled.
Conditions:
- URL configured with enable staging and "CORS Enforcement"
- Violation "Illegal cross-origin request" is disabled
- Send a request with an illegal cross-origin header to that URL
Impact:
Although the violation "Illegal cross-origin request" is disabled, still the violation is raised.
Workaround:
None
1293261-3 : Subviolations (e.g., IP in host header violation) are not reported to the policy builder
Component: Application Security Manager
Symptoms:
Evasion Technique and HTTP Protocol Compliance subviolations (e.g., IP in host header violation) are not reported to the policy builder.
Conditions:
When the policy is set to only learn (alarm and block are turned off).
Impact:
Learning suggestions to permanently disable the subviolation is not received.
Workaround:
A user should also enable the alarm to receive learning and suggestions for this subviolation.
1290937 : 'contentWindow' of a dynamically genereated iframe becomes null
Links to More Info: BT1290937
Component: Access Policy Manager
Symptoms:
A web application using iframes may not work/render as expected using Portal Access.
Conditions:
A web application attempts to configure 'contentWindow' for an iframe while the Portal Access feature is in use.
Impact:
Web Application through Portal Access may fails to work/render as expected
Workaround:
Workaround: Using a customized irule/ifile to return un-patched 'contentWindow' from cache-fm*.js file. ifile has modern cache-fm file.
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
if {
[HTTP::path] ends_with "/cache-fm-Modern.js"
} {
HTTP::respond 200 content [ifile get cachefmUploadIssueWorkaround]
}
}
1289313-3 : Creation of wideip with alias would cause inconsistent zone data across GTM sync group
Links to More Info: BT1289313
Component: Global Traffic Manager (DNS)
Symptoms:
Loss of resource record.
Conditions:
-- Creation of a wideip with alias
and
-- synchronize-zone-files is set to yes
Impact:
Loss of resource record.
Workaround:
Set synchronize-zone-files to no.
1289009-2 : PA based Hosted content does not add implicit allowed ACL
Links to More Info: BT1289009
Component: Access Policy Manager
Symptoms:
Unable to download the hosted content from Portal Access.
Conditions:
ACLs with a default deny or reject rule
Impact:
Hosted content files are denied by ACL
Workaround:
Add 2 L4 ACLs similar to the rules below:
apm acl /Common/allow-hostedcontent {
acl-order 20
entries {
{
action allow
dst-end-port 8080
dst-start-port 8080
dst-subnet ::1/128
log packet
protocol 6
src-subnet 0.0.0.0/0
}
{
action allow
dst-end-port 8080
dst-start-port 8080
dst-subnet 127.1.1.0/24
log packet
protocol 6
src-subnet 0.0.0.0/0
}
}
1288009-3 : Vxlan tunnel end point routed through the tunnel will cause a tmm crash
Links to More Info: BT1288009
Component: TMOS
Symptoms:
Tmm generates a core file and restarts
Conditions:
A vxlan tunnel is configured and there is a route for the remote end point via the tunnel itself
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not route the tunnel endpoint through the tunnel.
1284897-2 : TMM can crash when it exits while still processing traffic
Links to More Info: BT1284897
Component: Local Traffic Manager
Symptoms:
Unexpected TMM crash during shutdown.
Conditions:
This is a randomly occurring, potentially timing-related issue that might be related to other operations also occurring during shutdown.
Impact:
An unclean tmm exit occurs.
Workaround:
None
1283749-2 : Systemctl start and restart fail to start the vmtoolsd service
Links to More Info: BT1283749
Component: TMOS
Symptoms:
Because of a non-existent dependency, systemctl start and restart failed to start the vmtoolsd service.
Following is the reported error:
# systemctl restart vmtoolsd.service
Failed to restart vmtoolsd.service: Unit not found.
systetmctl stop is not affected.
Conditions:
BIG-IP VE on VMware.
Impact:
Unable to start/restart the vmtoolsd service.
Workaround:
Systemctl restart --ignore-dependencies vmtoolsd.service
or
systemctl start --ignore-dependencies vmtoolsd.service
1283721-2 : Vmtoolsd memory leak
Links to More Info: BT1283721
Component: TMOS
Symptoms:
The Vmtoolsd service leaks memory on VMware BIG-IP VE guests when the Disk Type is IDE or any disk type other than SCSI.
Conditions:
VMware BIG-IP VE guest
Disk type of IDE or another type that is not SCSI.
Impact:
The VE will eventually run out of memory.
Workaround:
1. Create the file /etc/vmware-tools/tools.conf and add the following to the file:
[guestinfo]
# disable scan for disk device info
diskinfo-report-device=false
2. Restart the vmtoolsd service:
systemctl restart --ignore-dependencies vmtoolsd.service
NB "guestinfo" must be in lower case. The workaround will not work if any letter is not lower case including the following "guestInfo" which was the reported workaround in https://github.com/vmware/open-vm-tools/issues/452
1282769-2 : Localdb user can change the password of other user
Component: Access Policy Manager
Symptoms:
The user was able to change the password for another user in the logon page, when local DB authentication was used.
Conditions:
-- At least one user in the local DB instance is forced to change the password
-- the virtual server is tied in with the trusted CA certificates (that is, it would not happen if the virtual server for the SSL-VPN is associated with self-signed certificates).
Impact:
User authentication based on local DB will be impacted.
Workaround:
None
1282421-3 : IS-IS protocol may discard Multi-Topology Reachable IPv6 Prefixes
Links to More Info: BT1282421
Component: TMOS
Symptoms:
IS-IS protocol on the BIG-IP might discard some Multi-Topology Reachable IPv6 Prefixes.
Conditions:
This happens when the IS-IS device in the BIG-IP system is peering with RFC 7794 support for sub-TLVs.
Impact:
Some prefixes are incorrectly installed in a routing table.
Workaround:
None
1281693 : Icons displayed on webtop are different from Storefront server when modified
Links to More Info: BT1281693
Component: Access Policy Manager
Symptoms:
When custom higher resolution images for Citrix resources are edited/modified to 32x32 pixels, they appear blurred on the APM webtop.
Conditions:
When higher resolution images are modified to 32x32 pixels
Impact:
Icons appear blurred on the APM webtop.
Workaround:
Default icon images provided by the Storefront can be used as they are displayed correctly on the APM webtop.
1281433-2 : Missing GTM probes on GTM server when an external monitor is attached to an additional pool
Links to More Info: BT1281433
Component: Global Traffic Manager (DNS)
Symptoms:
Incorrect probe behavior when an external monitor is attached to an additional pool.
Conditions:
On a GTM sync group, try to attach an external monitor to an additional pool.
Impact:
Incorrect GTM server monitoring.
Workaround:
None
1281405 : "fipsutil fwcheck -f" command may not correct result
Links to More Info: BT1281405
Component: Local Traffic Manager
Symptoms:
The "fipsutil fwcheck -f" command output shows as "Firmware upgrade available." even though now Firmware upgrade is not needed.
Conditions:
All FIPS platforms.
Impact:
Only a display issue with no functional impact. If we try to make a firmware upgrade, it may not work.
Workaround:
Use the command without the "-f" option like "fipsutil fwcheck".
1280857-1 : Illegal file type is enabled in Rapid Deployment Template.
Component: Application Security Manager
Symptoms:
The Rapid Deployment Template has a list of illegal filetypes and did not have the Illegal File Type violation enabled, by default.
Conditions:
A new policy is created based on the Rapid Deployment Template.
Impact:
Protection against Illegal File Type browsing is missing, by default.
Workaround:
The violation can be enabled, if required, on any existing policies.
1280813-1 : Illegal URL violation triggered for after upgrade due to due to missing content-profiles in DB
Component: Application Security Manager
Symptoms:
Illegal URL violation is triggered for valid/Allowed URLs.
Conditions:
NA
Impact:
Illegal violation for allowed URL, content profile for that URL is not seen in PLC.PL_OBJECT_CONTENT_PROFILES DB.
Workaround:
- Delete the problematic URL from Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs.
- Recreate the URL again.
- Apply the policy.
1277641-1 : DoS | i-series | After mitigation of bad destination at profile level, bd_hit is not incrementing for host unreachable vector.
Links to More Info: BT1277641
Component: Advanced Firewall Manager
Symptoms:
This is specific to iseries platform.
bd related DoS stats are incrementing but SPVA stat of bd_hit is not incremented.
Conditions:
Sending an ipv6 host unreachable traffic to iseries.
Impact:
You can see the dos stats but not in spva stats.
Workaround:
You can see the stats in dos table.
1274385-3 : BIGIP-DNS GUI delivery summary stats shows incorrect count for "Disabled" GTM listeners
Links to More Info: BT1274385
Component: Global Traffic Manager (DNS)
Symptoms:
Statistics >> Module Stats >> DNS >> Delivery >> Summary - shows the incorrect count for "Disabled" GTM listeners.
Conditions:
One or more virtual servers (which may or may not be GTM (DNS) listeners) exist on the BIG-IP device which are in a disabled state.
These virtual servers incorrectly count towards the count of "Disabled" virtual servers in the GTM Listeners statistics.
Impact:
Unexpected "Disabled" count in the GTM Listeners line in the DNS stats table (in any of the columns)
1273225 : Remove DNS Malformed vector at virtual server Level
Links to More Info: BT1273225
Component: Advanced Firewall Manager
Symptoms:
We are able to configure the DNS malformed at the virtual server level.
Conditions:
Configure the AFM license. See the DNS malformed at the profile level.
Impact:
We should not get option DNS malformed at the virtual server level.
Workaround:
None
1273161-3 : Secondary blades are unavailable, clusterd is reporting shutdown, and waiting for other blades
Links to More Info: BT1273161
Component: Local Traffic Manager
Symptoms:
On a multi-slot chassis, VCMP guest, or F5OS tenant, clusterd can enter a shutdown state causing some slots to become unavailable.
The event that can cause this is called a partition and occurs when clusterd stops receiving heartbeat packets from a slot over the mgmt_bp interface but is still receiving them over the tmm_bp interface.
Here is the error that is logged when this occurs:
Mar 17 10:38:28 localhost err clusterd[4732]: 013a0004:3: Marking slot 1 SS_FAILED due to partition detected on mgmt_bp from peer 2 to local 1
When this occurs, clusterd enters a shutdown state and at times will never recover.
Here is an example, tmsh show sys cluster command where clusterd is in the shutdown yet waiting state:
-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 172.0.0.160/23
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 2
Primary Selection Time 03/17/23 10:38:30
----------------------------------------------------------------------------------
| Sys::Cluster Members
| ID Address Alt-Address Availability State Licensed HA Clusterd Reason
----------------------------------------------------------------------------------
| 1 :: :: unknown enabled false unknown shutdown ShutDown: default/1 waiting for blade 2
| 2 :: :: available enabled true standby running Run
Conditions:
Multi-slot chassis, VCMP guest, or F5OS tenant.
A blade determines there is a partition where it's receiving cluster packets over the tmm+bp interface but not the mgmt_bp interface.
Impact:
The unavailable slots/blades will not accept traffic.
Workaround:
Running tmsh show sys cluster will report the primary slot and all slot statuses.
For all blades reporting shutdown or less likely initializing and "waiting for blade(s)" restart clusterd on that slot with bigstart restart clusterd. Ensure you do not restart clusterd on the primary slot.
1271469-3 : Failed to install ASU file scheduled for install
Links to More Info: BT1271469
Component: Application Security Manager
Symptoms:
Live Update installation scheduled for installation for any specific day at time 12:01 AM to 12:14 AM will fail.
Conditions:
- ASU file installation scheduled at 12:01 AM to 12:14 AM (not automatic or manual installation).
Impact:
BIG-IP will not get latest ASU file updates.
Workaround:
Set the installation time after 12:15 AM.
1271341 : Unable to use DTLS without TMM crashing
Links to More Info: BT1271341
Component: Local Traffic Manager
Symptoms:
The TMM crashes when DTLS is used.
Conditions:
- Using DTLS.
Impact:
TMM core is observed, traffic is disrupted while TMM restarts.
Workaround:
Disable 'allow-dynamic-record-sizing' in the client-ssl profile.
Following is an example:
ltm profile client-ssl /Common/otters-ssl {
allow-dynamic-record-sizing disabled
1270989-3 : REST MemcachedClient uses fixed TMM address 127.1.1.2 to connect to memcached
Links to More Info: BT1270989
Component: TMOS
Symptoms:
The RESTcurl command "restcurl -u admin:admin /mgmt/tm/access/session/kill-sessions" returns a "no route to host" error.
Conditions:
Run RESTcurl commands from a vCMP guest to try to kill the session.
Impact:
Attempting to kill sessions returns a 400 - "no route to host error" error.
Workaround:
None
1270849 : SSL Orchestrator enables "Bypass on Handshake Alert" and "Bypass on Client Certificate Failure" for Client SSL profiles
Links to More Info: BT1270849
Component: SSL Orchestrator
Symptoms:
The client profile options Bypass on Handshake Alert and Bypass on Client Certificate Failure are enabled, these options do not have an impact for Client SSL profiles.
Conditions:
Creating an SSL configuration through the SSL Orchestrator GUI with Bypass on Handshake Alert and Bypass on Client Certificate Failure options enabled from the advance settings.
Impact:
No impact due to these options for Client SSL profiles.
Workaround:
None
1269601-2 : Unable to delete monitor while updating DNS virtual server monitor through transaction
Links to More Info: BT1269601
Component: Global Traffic Manager (DNS)
Symptoms:
Unable to delete monitor while updating DNS virtual server monitor through transaction.
Following message displays:
Command added to the current transaction
Command added to the current transaction
transaction failed: 01070083:3: Monitor /Common/tcp_test is in use.
Conditions:
Using transaction of updating the virtual server monitor and deleting the earlier monitor which was untagged currently.
Following is an example:
echo 'create cli transaction; modify /gtm server generc_serv_test virtual-servers modify { test { monitor none }}; delete /gtm monitor tcp tcp_test; submit cli transaction' | tmsh
Impact:
Unable to delete the monitor.
Workaround:
None
1268373-4 : MRF flow tear down can fill up the hudq causing leaks
Links to More Info: BT1268373
Component: Service Provider
Symptoms:
TMM Memory leaks are observed when MRF flows were torn down at once and the hud queue was full.
Conditions:
When the message queue becomes full.
Impact:
TMM memory leak
Workaround:
None
1267845-3 : ISC's internal_current function asserted because ifa_name was NULL
Links to More Info: BT1267845
Component: Global Traffic Manager (DNS)
Symptoms:
Named restarting.
Conditions:
- MCPD is down, resulting the service restart.
- The slot interfaces are down.
- During restart named unable to find the interface and asserting.
Impact:
No Impact, this issue occurs when the services are restarting.
Workaround:
None
1267269-1 : The wr_urldbd crashes and generates a core file
Links to More Info: BT1267269
Component: Policy Enforcement Manager
Symptoms:
The wr_urldbd crashes and generates a core file.
Conditions:
The munmap function does cross mapping boundaries and it does not fail if the requested unmap contains unmapped memory, i.e. the unmapped segment does not have to be fully mapped
Impact:
Service is interrupted for few minutes and classification does not happen.
Workaround:
None
1256809-2 : The tmctl statistics for IPS library table shows unloaded.
Links to More Info: BT1256809
Component: Protocol Inspection
Symptoms:
In a few scenarios, when upgraded or downgraded the tmctl statistics for IPS library table shows unloaded.
Conditions:
- IM upgrade or downgrade
Impact:
Some of the signatures or compliance will not load into the BIG-IP.
Workaround:
Restarting the TMM will load the library correctly.
Use the following command:
bigstart restart tmm
1253621-1 : Remote logging SSL Orchestrator Audit logs when running in the Appliance mode
Links to More Info: BT1253621
Component: SSL Orchestrator
Symptoms:
In the Appliance mode, access to the advanced shell(bash)/root is removed. In this scenario, SSL Orchestrator writes audit logs to the local file system which is inaccessible in this mode.
Conditions:
BIG-IP system running in the appliance mode.
Impact:
You cannot access SSL Orchestrator Audit logs as the access to shell is restricted.
Workaround:
Configure syslog to write logs from the ssloAudit.log file to the remote logging server.
1. Run the syslog server on the remote destination
2. Log in to tmsh by entering the following command:
tmsh
3. Modify syslog configuration to write the audit logs to syslog server using UDP protocol
modify sys syslog include 'source s_sslo_audit { file("/var/log/restnoded/ssloAudit.log" follow_freq(1) flags(no-parse)); }; destination d_to_secure_syslog { syslog(<remote-server-ip> transport(udp) port(514) ); }; log { source(s_sslo_audit);destination(d_to_secure_syslog); };'
4. To save the configuration, enter the following command:
save /sys config
5. For BIG-IP systems in a high availability (HA) configuration, perform a ConfigSync to synchronize the changes to the other devices in the device group.
1253449-3 : After publishing, the draft LTM policy configuration might not be updated (intermittently) into the bigip.conf
Links to More Info: BT1253449
Component: TMOS
Symptoms:
Publishing LTM draft policy and "save config" operations are not atomic, hence there exists a race condition. When the latter happens first, then the issue is observed otherwise the LTM draft policy is successfully updated into the bigip.conf file.
Conditions:
- Execute the command "tmsh load /sys config current-partition" or the existing system configuration is loaded from bigip.conf after publishing the draft LTM policy.
Impact:
Published LTM draft policies are reverted to the draft state.
Workaround:
Perform any of the below-mentioned steps immediately after successfully publishing an LTM draft policy:
- Execute the command "tmsh save /sys config current-partition" on the BIG-IP shell.
or
Execute curl -sku $COLON_SEPARATED_USERNAME_PASSWORD https://$HOST/mgmt/tm/sys/config/ -X POST -H "Content-type: application/json" -d '{"command":"save"}'
or
Execute curl -sku $COLON_SEPARATED_USERNAME_PASSWORD https://$HOST/mgmt/tm/util/bash -X POST -H "Content-type: application/json" -d '{"command":"run", "utilCmdArgs":"-c \"tmsh save sys config current-partition\""}'
1252093-1 : BIG-IP OpenSSL now supports Extended Master Secret
Links to More Info: BT1252093
Component: TMOS
Symptoms:
FIPS 140-3 certification now requires OpenSSL to use the algorithm that computes the Extended Master Secret instead of the current algorithm computing the (legacy) Master Secret.
If FIPS 140-3 license were not installed and an external OpenSSL client did not support Extended Master secret, the handshake will downgrade to legacy Master Secret and continue without errors.
If FIPS 140-3 license is enabled and any external OpenSSL client did not support Extended Master Secret, OpenSSL will no longer downgrade to legacy master secret and will instead, abort the handshake and report failure.
Conditions:
[1] No conditions if FIPS 140-3 license is not installed.
[2] If FIPS 140-3 license is installed and an external OpenSSL client did not have extended master secret supported.
Impact:
There is no impact to BIG-IP production traffic.
1251173-1 : SNI based redirection using LTM policies is not working in BIG-IP
Links to More Info: BT1251173
Component: Local Traffic Manager
Symptoms:
When an LTM policy uses server-name as the condition to route traffic to different virtual servers, the expected virtual server is not always chosen.
Conditions:
The issue can be seen when the following are true:
1. BIG-IP has more than one virtual server.
2. There is an LTM policy with server-name based conditions and actions.
Impact:
The traffic is routed through a different virtual server than the expected one.
Workaround:
This issue only affects requests involving TLSv1 protocol negotiation. Enforcing usage of TLSv1.1 or higher protocol version can prevent the issue.
1251105-2 : DoS Overview (non-HTTP) - A null pointer was passed into a function
Links to More Info: BT1251105
Component: Advanced Firewall Manager
Symptoms:
In BIG-IP version all 15.1 builds, when protected object filter is selected in Security > DoS overview page, it displays following error:
Error : DoS Overview (non-HTTP) - A null pointer was passed into a function
Schema changes updated in BIG-IP version 15.1.8 which added context_name and context_type to the mcp_network_attack_data_stat_t structure used to report DoS attack stats.
The MCP code that fills in these fields in the structure when responding to the stats request was not inculded, thus an attempt to get the stats, result in detection of a NULL pointer.
Conditions:
Configure a protection profile.
Create a protected object by attaching the protection profile.
Select protected object filter in DoS Overview (non-HTTP) page.
Impact:
This issue avoids usage of GUI partially.
Workaround:
None
1251061-1 : apmd core caused by accessing null issuer from JWT
Links to More Info: BT1251061
Component: Access Policy Manager
Symptoms:
In the JWT configuration, missed adding the JWT to the provider while attempting to validate the issuer causes a NULL pointer.
Conditions:
In the JWT configuration, missed adding the JWT to the provider and configured it as below:
apm aaa oauth-provider /Common/duo_provider {
authentication-uri https://api-c30441f1.duosecurity.com/oauth/v1/authorize
introspect supported
token-uri https://api-c30441f1.duosecurity.com/oauth/v1/token
trusted-ca-bundle /Common/ca-bundle.crt
type custom
}
Impact:
apmd restart with core dump.
Workaround:
Adding correct configuration for JWT.
apm aaa oauth-provider /Common/duo_provider {
authentication-uri https://api-c30441f1.duosecurity.com/oauth/v1/authorize
introspect supported
manual-jwt-config-name /Common/duo_jwt
token-uri https://api-c30441f1.duosecurity.com/oauth/v1/token
trusted-ca-bundle /Common/ca-bundle.crt
type custom
use-auto-jwt-config false
}
The fix is to do proper NULL checks for JWT config before validating the issuer.
1250077-4 : TMM memory leak
Links to More Info: BT1250077
Component: Global Traffic Manager (DNS)
Symptoms:
TMM leaks memory for Domain Name System Security Extensions (DNSSEC) requests.
Conditions:
DNSSEC signing process is unable keep pace with the incoming DNSSEC requests.
Impact:
TMM memory utilization increases over time and could crash due to Out of Memory (OOM) issue.
Workaround:
None
1249929-3 : Diameter MRF sends CER to pool-member even after peer sent DPR and force-offline the pool member
Links to More Info: BT1249929
Component: Service Provider
Symptoms:
If Disconnect Peer Action is configured to force-offline and when server peer sends Disconnect Peer Request (DPR), then MRF force-offline the pool-member as expected. However, MRF continues to send CER towards pool member, which means MRF is trying to connect the forced-offline peer and also it sends DPR towards pool member.
Conditions:
In diameter session profile, Disconnect Peer Action is configured to force-offline.
Impact:
Unnecessary CER and DPR messages towards down pool member.
Workaround:
Set auto-initialization to disabled in diameter peer if it does agree with the requirement.
1245221-1 : ASM Policy IP Intelligence configuration does not seem to synchronize when the device group is set to automatic sync
Links to More Info: BT1245221
Component: Application Security Manager
Symptoms:
Navigate to the Security > Application Security : Security Policies : Policies List > POLICY_NAME path.
In the IP Intelligence tab, click the ON/OFF switch to enable IPI. Therefore, any changes to the Alarm or Block for any category are not synced to the peer device.
Conditions:
Having High Availability (HA) pair in Sync-Failover DG w/ Autosync enabled and ASM sync enabled. Devices licensed with ASM and IPI.
Impact:
changes to the "Alarm" or "Block" for any category - are not synced to the peer device.
Workaround:
Use Manual (not Auto) sync on the DG and push the configuration.
1239297-2 : TMM URL web scraping limit not synced to secondary slot 2 in VIPRION chassis
Links to More Info: BT1239297
Component: Application Security Manager
Symptoms:
Web scraping requests will pass even when the threshold is reached in High Availability (HA) configuration. Some packets are blocked, while some others are passed.
Conditions:
Configure web scraping micro services in high availability (HA) mode in some F5 hardware. Send web scraping requests and check if they are blocked.
Impact:
Web scraping requests can pass even when the requests threshold is reached.
Workaround:
None
1238897-3 : TMM TCL interpreter's non-TMM "compat" memcasechr broken in 64-bit build
Links to More Info: BT1238897
Component: Local Traffic Manager
Symptoms:
The TMM's base TCL interpreter (tmm_tcl) is used both in TMM and in non-TMM environments like APMD. The TMM has it's own implementation of memcasechr which is preferred to the "compat" implementation in the TCL interpreter itself as TMM statically links tmm_tcl while non-TMM usage is dynamically linked.
Conditions:
Following VPE rule does not work (option -nocase):
expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}
Impact:
The memcasechr is broken in 64-bit build.
Following VPE rule does not work (option -nocase):
expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}
Workaround:
Change the VPE rule to the following:
expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}
1235337-1 : The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL
Links to More Info: BT1235337
Component: Application Security Manager
Symptoms:
The 'JSON profile' with 'JSON schema validation' was not created for the OpenAPI parameters with 'body' location and has 'schema' definitions in case the 'schema' type is 'array' (if the type is 'object' and the 'JSON profile' is created properly).
Conditions:
OpenAPI parameter with 'body' location having schema type 'array'.
Impact:
Some OpenAPI parameters will not include JSON content profile validation.
Workaround:
JSON content profile with JSON schema validation can be created manually after creating a security policy from the OpenAPI file.
1232649-1 : Unterminated POST requests never close and consume UMU buffers
Component: Application Security Manager
Symptoms:
When a request is sent with a body smaller than the Content-Length value, the connection is not terminated by BD. If a sufficient number of requests are sent, the long request buffers will become and stay exhausted, preventing further traffic processing.
Conditions:
Many unterminated POST requests are sent to BD.
Impact:
Requests can accmulate, reducing the throughput of BIG-IP.
Workaround:
The number of slow connections can be reduced by reducing the value of the internal BD variable: "max_slow_transactions".
1231697 : Configuration to ignore “URI Parameters” in the A10 category is not retained during upgrade from 16.1.x to higher versions.
Links to More Info: BT1231697
Component: Application Security Manager
Symptoms:
The ignore “URI Parameters” in A10 category configuration is not retained when upgrading from 16.1.x to higher versions.
Conditions:
Configure ignore for "URI Parameter" in A10 Category and upgrade version 16.1.x to a higher version.
Impact:
The ignore “URI Parameters” in A10 category configuration is not retained.
Workaround:
Do not configure ignore option of “URI Parameters” in A10 category while upgrading from 16.1.x to higher versions.
1230833-2 : In the signature advanced mode, the Update button is kept disabled even after some changes in the rule
Component: Application Security Manager
Symptoms:
The Update button is kept disabled when you modify the signature rule string in advance mode.
Conditions:
Using advanced mode, update an existing user-defined signature rule.
Impact:
Additional operation is required to make a change. See the workaround section.
Workaround:
1. Modify the rule string.
2. Change any of the select buttons on the screen, such as Accuracy. At this point, the Update button gets enabled.
3. Revert the change on the select button you did in step 2.
4. The Update button is still kept enabled, click it to apply your change.
1229861-2 : Signature rule : regex "i" modifier should be translated into "nocase", instead of prepending "(?i)"
Links to More Info: BT1229861
Component: Application Security Manager
Symptoms:
The "i" modifier is translated into "(?i)" that does not corresponds with matchCase flag ("Case Sensitive" option in GUI) in the control plane. This may introduce a confusion when user writes a regex with "i" in advanced mode, and switch to simple mode. User would expect "Case Sensitive" option is unchecked to "i", but in GUI it displays as checked. The matching behavior is as configured with "i", case-insensitive.
Conditions:
In advanced mode, configure following pattern with "i" modifier.
re2:"/abc/Vi"; norm;
Impact:
Possible confusion in GUI.
Workaround:
Use "nocase" modifier instead.
1229325-3 : Unable to configure IP OSPF retransmit-interval as intended
Links to More Info: BT1229325
Component: TMOS
Symptoms:
The CLI configuration of OSPF retransmit-interval results in error when retransmit-interval value is less than 5 seconds.
Conditions:
- Configure IP OSPF retransmit-interval.
Impact:
The CLI error even when IP OSPF retransmit-interval value is within range.
Workaround:
None
1226585-2 : Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode
Links to More Info: BT1226585
Component: TMOS
Symptoms:
Restnoded framework availability monitor times out while waiting for the dependencies(/mgmt/tm/*/** APIs/endpoints registration w.r.t all the provisioned modules) that are initialized during the restjavad startup.
Conditions:
STIP Mode is enabled, hence the below DB variables values are set to true,
tmsh list sys db security.commoncriteria
tmsh list sys db security.commoncriteria.stip
Impact:
Certain functionalities in SSL Orchestrator config GUI are not operational or operational in a limited manner.
1226537-2 : Duplicated details are shown in files preview.
Component: Application Security Manager
Symptoms:
Duplicated details are shown in the preview for threat campaigns.
Conditions:
Upload the attached file, or install the latest file after checking for updates.
Impact:
Duplicated details are shown in the preview.
Workaround:
None
1225941-2 : OLH Default Values on Notification and Early Retransmit Settings
Links to More Info: BT1225941
Component: Global Traffic Manager (DNS)
Symptoms:
Online Help description of the 2 settings, Explicit Congestion Notification and Early Retransmit, has incorrect default values.
Conditions:
Online Help description of the 2 settings, Explicit Congestion Notification and Early Retransmit setting is disabled by default.
Impact:
NO
Workaround:
None
1225677-2 : Challenge Failure Reason is not functioning in ASM remote logging
Links to More Info: BT1225677
Component: Application Security Manager
Symptoms:
Challenge Failure Reason is not functioning in ASM remote logging.
Conditions:
Using ASM remote logging.
Impact:
Lack of logging information in ASM remote logger.
Workaround:
None
1224377-2 : [APM] Policy sync is not compatible with Network Acesss address spaces
Links to More Info: BT1224377
Component: Access Policy Manager
Symptoms:
An error is encountered during policy sync:
01b70105:3: System built-in APM resource address-space (/Common/default-all) cannot be modified.
Conditions:
Network Access resource has "default-all" address-space
OR
Network Access resource is configured with an address space that contains "0.0.0.0"
Impact:
Policy Sync failure
Workaround:
As a temporary measure, you can use the following steps
1)Remove the 'default-all' address space from the network access configuration, sync the policy, then add it back on the source and destination devices.
OR
2)Do not use Network Access address space if Policy sync is used as those two features are not compatible.
1224329-1 : No learning suggestion for URL "Override policy allowed methods" attribute
Component: Application Security Manager
Symptoms:
The suggestion to allow a method on a specific URL is not generated as expected on URLs with "Override policy allowed methods" enabled.
Conditions:
Learn Allowed Methods on HTTP URLs" option is enabled in the policy and the specific URL is "Override policy allowed methods
Impact:
No learning suggestion to allow violating the method of the specific URL
Workaround:
None
1223589-3 : Network Map page is unresponsive when a node name has the form "<IPv4>:<port>"
Links to More Info: BT1223589
Component: TMOS
Symptoms:
The Network Map page does not load, the message "Loading..." continuously displayed on the page because the JavaScript throws an exception and does not terminate:
Uncaught (in promise) TypeError: Cannot set properties of undefined (setting 'isNameHighlighted')
at NetworkMapPresenter.clearHighlight (NetworkMapPresenter.js:1417:17)
at NetworkMapPresenter.cardFilter (NetworkMapPresenter.js:1322:14)
at Array.filter (<anonymous>)
at NetworkMapPresenter.filterCards (NetworkMapPresenter.js:1315:51)
at NetworkMapPresenter.filterSortAndGroupCards (NetworkMapPresenter.js:1306:10)
at NetworkMapPresenter._callee18$ (NetworkMapPresenter.js:1162:14)
at tryCatch (runtime.js:65:40)
at Generator.invoke [as _invoke] (runtime.js:303:22)
at prototype.<computed> [as next] (runtime.js:117:21)
at step (fetch.js:461:47)
Conditions:
- Node name should be of the form <IPv4:port>.
- Node should be associated to a pool and then to a virtual server.
Impact:
The Network Map loads all the virtual servers, pools, and nodes, but it throws an exception in the browser and the JavaScript never terminates, the message "Loading..." continuously displayed on the page and the page is unresponsive.
Workaround:
Avoid naming a node as "<IPv4>:<port>".
1217549-3 : Missed ASM Sync on startup
Links to More Info: BT1217549
Component: Application Security Manager
Symptoms:
In few deployment environments, if a device is configured to be part of a device-group before the ASM startup has finished initializing, then it may miss the initial sync from its peer, and not re-request it until another event happens in the system.
Conditions:
Devices are in an auto-sync ASM enabled device-group and a new device is brought into the device-group while initializing the device settings.
Impact:
The devices are out of sync until another action occurs and the sync is requested again.
Workaround:
Restarting ASM on the affected device or causing another sync event will resolve the issue.
1217473-2 : All the UDP traffic is sent to a single TMM
Links to More Info: BT1217473
Component: TMOS
Symptoms:
BIG-IP dataplane's VMXNET3 driver implementation is missing the Receive Side Scaling (RSS) support for the User Datagram Protocol (UDP) available as part of the VMXNET3 version 4.
Conditions:
BIG-IP VE instance is running on a VMWare host and handling UDP traffic.
Impact:
The traffic distribution does not happen evenly across all TMMs but rather all of the UDP traffic is sent to a single TMM.
Workaround:
None
1217365-3 : OIDC: larger id_token encoded incorrectly by APM
Links to More Info: BT1217365
Component: Access Policy Manager
Symptoms:
APM Websso decrypts id_token incorrectly when OIDC id_token is larger than ~5mb. The generated token size can be larger when the user belongs to many groups.
Conditions:
1) configure BIG-IP as oauth client and Resource server and Authorization server as Azure AD
2) configure Azure AD such that it sends a large token.
)access policy start -> oauth client ->scope ->allow
3)create a oauth bearer sso in "passthrough" mode and send token on 4xx response
4)attach sso to access policy
5)attach the access policy to the virtual server
Impact:
Access to applications will fail due to incorrect processing of the access token.
Workaround:
None
1217077-2 : Race condition processing network failover heartbeats with timeout of 1 second
Links to More Info: BT1217077
Component: TMOS
Symptoms:
Unexpected failover or log messages similar to the following:
sod[1234]: 010c0083:4: No failover status messages received for 1.100 seconds, from device bigip02(192.0.0.1) (unicast: -> 192.0.0.2)
Conditions:
- HA configuration network failover configured
- DB variable 'failover.nettimeoutsec' set to a value of 1 second.
Impact:
A failover event could impact traffic flow.
Workaround:
Following recommended practices of configuring network failover addresses using both the Management IP and Self IP addresses will reduce the chances of initiating a failover. Log messages may still be observed.
Setting the DB variable 'failover.nettimeoutsec' to a value of 2 or greater should avoid the issue.
1216053-4 : Regular monitors do not use options from SSL profiles
Links to More Info: BT1216053
Component: Local Traffic Manager
Symptoms:
The HTTPS monitors do not use the options from the SSL profile it is set with.
Conditions:
The HTTPS monitor(s) are set with an SSL profile with Non-default options set.
Impact:
Pool members may be incorrectly marked up or down as the incorrect SSL options are used.
Workaround:
None
1215613-2 : ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address
Links to More Info: BT1215613
Component: TMOS
Symptoms:
In var/log/ltm following error log is available:
0107146f:3: Self-device config sync address cannot reference the non-existent Self IP (10.155.119.13); Create it in the /Common folder first.
Conditions:
- In High Availability (HA) system ConfigSync-IP is set to IPv6 management address.
[root@00327474-bigip1:Standby:Disconnected] config # tmsh list cm device | grep -iE 'cm device|configsync-ip'
cm device 00327474-bigip1.lucas {
configsync-ip 10.155.119.12
cm device 00327474-bigip2.lucas {
configsync-ip 2001:dead:beef::13 <<-------
- Modifying the ConfigSync-IP to IPv4.
tmsh modify cm device 00327474-bigip2.lucas configsync-ip 10.155.119.13
Impact:
Device is not able to configure the ConfigSync-IP for IPv4 once IPv6 is configured.
Workaround:
None
1215165-1 : Support added for Microsoft Azure Managed HSM
Links to More Info: BT1215165
Component: Local Traffic Manager
Symptoms:
Azure Managed HSM integration with BIG-IP is now supported.
Conditions:
Using an Azure Managed HSM as HSM client with BIG-IP.
Impact:
Azure Managed HSM integration with BIG-IP is now supported.
1215161-2 : A new CLI option introduced to display rule-number for policy, rules and rule-lists
Links to More Info: BT1215161
Component: Advanced Firewall Manager
Symptoms:
If a large number of rules and rule-lists are configured, it takes more than 10 minutes to display the output with rule-numbers.
Ex:
tmsh - "list security firewall rule-list"
icrd - "restcurl -u admin /tm/security/firewall/rule-list"
AFM service discovery of BIG-IP fails in BIG-IQ when upgraded to a newer version.
Conditions:
- AFM license is enabled
- Large number of rules and rule-lists are configured
Impact:
AFM service discovery from BIG-IQ fails on upgrade.
Workaround:
-
1213277 : Certificate order manager configuration using DigiCert URL fails in the BIG-IP
Links to More Info: BT1213277
Component: TMOS
Symptoms:
When the certificate order manager is configured using DigiCert's URL a failure occurs with the below error log:
DigiCert request-type:(4) URL:https://www.digicert.com/services/v2/order/certificate/1
Conditions:
Configuring DigiCert certificate order manager in the BIG-IP.
Impact:
DigiCert certificates can not be downloaded.
1211817 : AVRD may crash while modifying the global settings
Links to More Info: BT1211817
Component: Application Visibility and Reporting
Symptoms:
There are two different threads closing the same socket simultaneously.
Conditions:
During the modification of global settings from internal to external.
Impact:
AVRD core generated.
Workaround:
None
1211797-3 : MCPD CPU usage is 100% on updating long address-list through GUI
Links to More Info: BT1211797
Component: TMOS
Symptoms:
- Make sure you have added 10,000+ Address list objects in Shared Objects.
- Navigate to Shared Objects ›› Address Lists ›› MICITT_BlackList and add or delete any address, then click save.
- Browser process becomes un-responsive.
Conditions:
When there are huge number of address list objects in the Shared Objects >> Address Lists, users face challenge in adding or updating entries.
Impact:
Browser process becomes un-responsive.
Workaround:
None
1211437-2 : When mobile cookie is too long, Anti-Bot SDK is failing
Component: Application Security Manager
Symptoms:
When mobile (TS_72) cookie is longer then 511, it get truncated by BIG-IP and cannot be parsed.
Conditions:
- Bot Defense profile is attached to virtual server, with Mobile SDK enabled.
- Application name is long (causing the cookie to be long).
Impact:
Anti-Bot SDK is failing, clients cannot be handled as mobiles.
Workaround:
None
1211369-1 : [Validation] Do not allow AD/LDAP object pointing to the same IP:PORT
Links to More Info: BT1211369
Component: Access Policy Manager
Symptoms:
TMM core
Conditions:
AD and LDAP objects point to the same IP:PORT.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use unique names for AD and LDAP objects and those objects should not point to the same IP:PORT.
1211361-1 : Validate AD/LDAP object names
Links to More Info: BT1211361
Component: Access Policy Manager
Symptoms:
TMM core
Conditions:
AD and LDAP objects have the same names.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use unique names for AD and LDAP objects and those objects should not point to the same IP:port.
1211089-3 : Traffic to IPv6 all nodes address not received by TMM on VE with ixlv driver
Links to More Info: BT1211089
Component: TMOS
Symptoms:
Traffic sent to the IPv6 all nodes multicast address is not seen by TMM.
Conditions:
A virtual environment utilizing TMM's ixlv driver.
Traffic is sent to the IPv6 all nodes multicast address.
Impact:
TMM fails to receive and process traffic to the IPv6 all nodes multicast address.
Workaround:
None
1210569-3 : User defined signature rule disappears when using high ASCII in rule
Component: Application Security Manager
Symptoms:
WebUI display is empty.
Conditions:
When the configured rule has high ASCII (greater than 127) value.
Impact:
Unable to see the rule in webUI.
Workaround:
Use the following steps:
1. Navigate to Security > Options > Application Security > Attack Signatures.
2. Create a new signature in Advanced Edit Mode. After setting, confirm the setting value with the developer tool.
3. Add it to the signature set (backed by actual signature detection confirmation).
4. Remove the old signatures from signature set.
1210053-1 : The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error
Component: Application Security Manager
Symptoms:
In case of Leaked Credential server error, there is an internal parameter to raise Leaked Credentials Violation:
cred_stuffing_fail_open (default value is not to raise violation)
Changing the internal parameter value does not trigger the violation.
Conditions:
- ASM is provisioned.
- WAF Policy is attached to virtual server with Credential Stuffing enabled.
- Internal Parameter cred_stuffing_fail_open is set to 0.
- A server error (or timeout) occurred during leaked credential check.
Impact:
Leaked Credential violation is not raised.
Workaround:
None
1210025-1 : Address list discovery task does not trigger apply access policy automatically
Links to More Info: BT1210025
Component: Access Policy Manager
Symptoms:
After discovery task, the Access Policy is not saved automatically.
Conditions:
Dynamic Address Spaces configuration.
Impact:
Unable to use Dynamic Address Spaces.
Workaround:
None
1209589-4 : BFD multihop does not work with ECMP routes
Links to More Info: BT1209589
Component: TMOS
Symptoms:
BFD multihop does not work with ECMP routes. TMMs are unable to agree on session ownership and dropping the session after 30 seconds.
Conditions:
On a multi-TMM box, configure BFD multihop peer reachable over ECMP route.
Impact:
BFD multihop does not work with ECMP routes and BFD session is getting dropped every 30 seconds.
Workaround:
None
1209465 : When vCMP host is rebooted, oldEngineID is not restored on guest
Links to More Info: BT1209465
Component: TMOS
Symptoms:
The oldEngineID is not restored on guest.
Conditions:
- vCMP host rebooted
Impact:
The snmpget and snmpwalk commands are not working.
Workaround:
Use the following steps:
1) Restart the SNMPD to regenerate engine ID.
2) Reboot the vCMP guest after the unclean shutdown recreates both usmUser and engine ID.
3) Recreate the SNMPv3 user from CLI to resolve the usmUser issue.
1208813 : Active connections graph in performance reports in GUI shows only client connections
Links to More Info: BT1208813
Component: Local Traffic Manager
Symptoms:
When looking at performance reports in the GUI, there is a graph for Active Connections. Only a single line graph is graphed for "Connections".
It is not clear if this is ALL connections, client-side or server-side.
Conditions:
Look at any BIG-IP via the Web UI and view the "Performance Reports" section
Impact:
Only the client-side connections are displayed. This causes confusion about the Performance Reports.
Workaround:
None
1205509-2 : Region cache fails to update appropriately after referenced region update
Links to More Info: BT1205509
Component: Global Traffic Manager (DNS)
Symptoms:
GSLB region object containing records which reference other GSLB regions fail to update its cache when the regions referenced by its records are updated.
Conditions:
- GSLB region object containing records which reference other GSLB regions.
- Region cache was not updated correctly after referenced region updates.
Impact:
DNS query resolution fails to return correct results.
Workaround:
Instead of creating two regions for "not regions", use one region and create following topology record:
gtm topology ldns: not region /Common/_usr_gslbRegion_internalNet server: pool /Common/_usr_gslbPool_alpha {
order 2
}
gtm topology ldns: not region /Common/_usr_gslbRegion_internalNet server: pool /Common/_usr_gslbPool_bravo {
order 1
...
}
1205061-2 : DNSSEC keys removed from the configuration before expiration date when iQuery connection goes down
Links to More Info: BT1205061
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC keys removed from the configuration before expiration date.
Conditions:
On a GTM sync group, if the iQuery connection goes down, the DNSSEC keys may be removed from the BIG-IP DNS configuration before expiration date on any BIG-IP DNS device with a gtm.peerinfolocalid value greater than zero.
Impact:
Removing KSK from the configuration before the expiration date can cause an outage if the BIG-IP administrator has not updated the DS record.
Workaround:
None
1205045-4 : WMI monitor does not put pool members into an offline/unchecked state when BIG-IP receives HTTP responses other than 200
Links to More Info: BT1205045
Component: Local Traffic Manager
Symptoms:
With no credentials, WMI monitor status still displays "UP".
Conditions:
With no credentials or stale/expired credentials, the WMI monitor stats displays "UP".
Impact:
The user is misinformed about the status of the WMI monitor.
Workaround:
None
1200941-2 : PA version check causes page reloads
Links to More Info: BT1200941
Component: Access Policy Manager
Symptoms:
PA application reloads the application and it causes issues.
Conditions:
- Load the application in modern JS support (ILX or latest modern JS support).
Impact:
PA application may not work as expected.
Workaround:
Use custom iRule to replace special_object value in application's index page with the value in cache-fm-modern.js or cache-fm-Modern.js.
1199025-2 : DNS vectors auto-threshold events are not seen in webUI
Links to More Info: BT1199025
Component: Advanced Firewall Manager
Symptoms:
No option to see DNS auto-threshold event logs from webUI.
Conditions:
- DNS profile configured with fully automatic mode.
Impact:
DNS auto-threshold event logs are not visible from webUI.
Workaround:
None
1194409-2 : Dropped messages seen in auditforwarder logging
Links to More Info: BT1194409
Component: TMOS
Symptoms:
Dropped message "255 State: PendingSend" is seen.
Conditions:
- Radius is configured.
- Audit forwarder is enabled.
Impact:
Although there is no problem in functionality of Radius, dropped messages are seen which is a false alarm.
Workaround:
None
1191349-2 : The dns_cache_derived_stat show corrupted values.
Links to More Info: BT1191349
Component: Global Traffic Manager (DNS)
Symptoms:
In few scenarios, attributes of dns_cache_derived_stat shows corrupted value. For example, server_max_wait_response as 18446744073709551615.
Conditions:
Checking the tmctl stats for dns_cache_derived_stat.
Impact:
Might create confusion for users.
Workaround:
None
1190777-2 : Unable to add a device to a device trust when the BigDB variable icontrol.basic_auth is set to disable on target device
Component: TMOS
Symptoms:
When the DB variable "icontrol.basic_auth" is set to "disable" on a device, that device cannot be added to a device trust.
The system from which an administrator is attempting to add the new device will log an error:
err devmgmtd[5541]: 015a0000:3: getDeviceInfo failed: iControl authorization failed
Conditions:
DB variable "icontrol.basic_auth" is set to disable
Impact:
Unable to add a device to a device trust.
Workaround:
On the device being added to the trust:
1. Enable basic auth for iControl
tmsh modify /sys db icontrol.basic_auth value enable
2. Restart httpd on the device being added.
bigstart restart httpd
3. Add the device to the trust.
4. If you want mitigate ID1143073 (https://support.f5.com/csp/article/K94221585), disable basic authentication again.
tmsh modify /sys db icontrol.basic_auth value disable
bigstart restart httpd
The dbvar is synchronized if you add the new device to a sync/failover device group, so check each device in the device group.
Use the following to command to check if it's disabled.
# tmsh list /sys db icontrol.basic_auth
sys db icontrol.basic_auth {
value "disable"
}
If any device has basic auth enabled, disable it and restart httpd on all devices in the device group.
1189949-2 : The TMSH sys core is not displaying help and tab complete behavior
Links to More Info: BT1189949
Component: TMOS
Symptoms:
The help and tab complete options are not displayed when TMSH sys core commands are executed.
Conditions:
For example, execute following commands:
tmsh sys core modify tmm-manage ?
tmsh sys core modify tmm-manage TABC
Impact:
The help and tab complete options are not displayed.
Workaround:
None
1189877-4 : The option /dev/random is depreciated from rndc-confgen with the latest BIND 9.16
Links to More Info: BT1189877
Component: Global Traffic Manager (DNS)
Symptoms:
The option /dev/random is deprecated from the rndc-confgen after the BIND upgrade.
The keygen.sysinit scripts using the rndc-confgen with the deprecated option /dev/random leading to the failure in creation of the rndc.key file.
The ZRD daemon waits for the rndc.key but as the key creation failed the daemon waits for the key creation infinitely and will be in a down state.
Conditions:
Upgrade the BIND package from 9.11 to 9.16.
Impact:
The ZRD daemon will be down till the rndc.key is created.
Workaround:
Create the key manually without the deprecated option.
Run the following command:
bigstart stop zrd
rm -f /config/rndc.key
/usr/sbin/rndc-confgen -t /var/named -a -c /config/rndc.key
ln -sf /var/named/config/rndc.key /config/rndc.key
chown -f named:named /var/named/config/rndc.key
bigstart start zrd
1188837 : Server side timewait close state causes long establishment under port reuse on i15820DF
Links to More Info: BT1188837
Component: Local Traffic Manager
Symptoms:
When the server TCP connection is under timewait closing state, if a new client connection is initiated towards the server under the BIG-IP SYN-Cookie mode, the server will respond with ACK instead of SYN+ACK for the SYN received.
The BIG-IP system drops this ACK and retransmit the SYN, till timeout occurs.
Conditions:
- Running an i15820DF BIG-IP system.
- FastL4 profile with syn-cookie-enable set to "enabled".
- New client connection is reusing the port to get to the same server TCP connection.
Impact:
Longer establishment time and retry.
Workaround:
None
1185929-2 : Under rare circumstances, the TCL interpreter can crash TMM after a long time
Links to More Info: BT1185929
Component: Local Traffic Manager
Symptoms:
While using iRules with suspending commands, under rare circumstances, the TCL interpreter can crash TMM after a long time.
Conditions:
Using iRules with suspending commands, such as the 'after' command, defined at https://clouddocs.f5.com/api/irules/after.html#after
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1185605-3 : The iCall EventTriggeredHandler in non-common partition break after scriptd daemon restart
Links to More Info: BT1185605
Component: TMOS
Symptoms:
After scriptd daemon restart triggered, handler information become none/unknown in "show sys icall handler" output for the non-common partition.
Conditions:
1. Create triggered handler in non-common partition.
2. Restart the scriptd daemon or upgrade the device.
Impact:
The iCall Event Triggered Handler in non-common partition is not working after device upgrade from 15.1.2.1 to 15.1.5.1.
Workaround:
Configure iCall in common partition.
1184853-3 : YouTube video not classified in the BIG-IP version 16.1.0
Component: Traffic Classification Engine
Symptoms:
YouTube traffic getting classified as UDP only
Conditions:
-- Traffic classification is enabled
-- YouTube traffic arrives
Impact:
Unable to classify YouTube traffic.
Workaround:
None
1183877-2 : CGNAT related links are unavailable in Statistics section
Links to More Info: BT1183877
Component: Carrier-Grade NAT
Symptoms:
Following webUI links are unavailable:
Statistics >> Analytics >> LSN Pools
Statistics >> Module Statistics >> Carrier Grade Nat
Conditions:
CGNAT enabled and provisioned
Impact:
CGNAT related statistical pages cannot be accessed from Statistics section.
Workaround:
None
1182993 : MCPD returns dossier error 01 after reboot
Links to More Info: BT1182993
Component: TMOS
Symptoms:
-- BIG-IP goes to an Inoperative state
-- /var/log/ltm displays an error:
Dossier error: 01
The license is not operational (expired or digital signature does not match contents).
Conditions:
-- The locking bit of the dossier mac address field is set to 1 for generated license
-- The hardware mac address changes (mac address of hyper-v or VMware or BIG-IP baremetal).
Impact:
The mcpd validation fails, and BIG-IP is set to an Inoperative state.
Workaround:
None
1182729-2 : Java connection establishes from BIG-IP to BIG-IQ Management
Links to More Info: BT1182729
Component: TMOS
Symptoms:
A TCP connection establishes from BIG-IP to BIG-IQ.
Conditions:
When refreshing the stats, BIG-IP also fetches the stats from BIG-IQ, to fetch the stats from BIG-IQ, a Java connection establishes from BIG-IP to BIG-IQ.
Here, the BIG-IQ is discovered in the BIG-IP. If BIG-IP is not discovered in BIG-IQ, there the issue does not exist.
Impact:
An extra Java connection is listed under netstat.
Workaround:
Updating the property "rest.common.device.automatic.refresh.enabled" to "true" from /etc/rest.BIG-IP.properties, the connection does not establish from BIG-IP to BIG-IQ.
Note: We do not have a workaround for SSL Orchestrator. Workaround is not applicable for SSL Orchestrator.
1182305-2 : Descriptions requested for IPS IDs
Links to More Info: BT1182305
Component: Protocol Inspection
Symptoms:
Few inspection IDs of signatures in IPS do not have a complete description.
Conditions:
Navigate to Security > Protocol Inspection and create a profile for any of the services like HTTP, DNS, or FTP and check the inspection IDs mentioned in the description.
Impact:
No functional impact.
Workaround:
None
1169141-3 : Bash tab-completion Issue
Links to More Info: BT1169141
Component: TMOS
Symptoms:
ID830361 introduced a regression in how tab completion works in bash for user directories.
With the fix of CVE-2012-6711 (ID830361), bash tab completion of ~ is auto-completing it to \~, which is resulting in not listing the directories under ~ and working as expected.
Conditions:
This issue is seen on the versions which have fix for ID 830361 (https://cdn.f5.com/product/bugtracker/ID830361.html).
Impact:
Tab-completion of user home directories (~username) in bash does not work.
Workaround:
Do not attempt to tab-complete user home directories (e.g. ~root), and instead type out the path completely.
1169105-1 : Provide download links on BIG-IP for Linux ARM64 VPN Client
Links to More Info: BT1169105
Component: Access Policy Manager
Symptoms:
No download links are available in the welcome page in BIG-IP for Linux ARM64 VPN Client.
Conditions:
- Login to BIG-IP.
Impact:
None
Workaround:
None
1168309-2 : Virtual Wire traffic over trunk interface sometimes fail in Tenant based platforms
Links to More Info: BT1168309
Component: Local Traffic Manager
Symptoms:
Traffic does not flow through the virtual-wire trunk. Traffic through the interface is not impacted.
Conditions:
When there is an overlap between the DID values of the interface and trunk, virtual-wire traffic does not pass through the trunk.
Impact:
Traffic outage might occur.
Workaround:
None
1167953-2 : Issue with UI, while opening rule name in Packet Tester to check the rule for the drop reason
Links to More Info: BT1167953
Component: Advanced Firewall Manager
Symptoms:
Create a Firewall policy and add a rule list to it and simulate a trace using packet tester matching to the rule.
Conditions:
Firewall policy with rule list should be created, AFM should be provisioned.
Impact:
Unable to redirect to the rule on GUI - packet tester.
Workaround:
After simulating a trace using packet tester, see the rule name under virtual server rules and navigate to Security > Network Firewall > RuleLists page and access the rule.
1167949-3 : Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading is not working on hardware
Links to More Info: BT1167949
Component: Advanced Firewall Manager
Symptoms:
Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading is not working on hardware. It is working as expected on software.
Conditions:
Offloading vectors.
Impact:
Hardware offload is not successful for "IPv6 fragmented" and "IPv6 atomic fragment" vectors.
Workaround:
None
1167609-2 : The messages msg->ref > 0 are seen in TMM logs with websockets/ASM plugin
Links to More Info: BT1167609
Component: Local Traffic Manager
Symptoms:
With web security enabled and ASM policies attached to virtual server, in an unknown scenario, msg->ref > 0 are appearing in TMM logs.
Conditions:
-- ASM is provisioned
-- ASM policy attached to virtual server
-- Web security configured
Impact:
The /var/log/tmm files may be flooded with the messages.
Workaround:
None
1166481-3 : The vip-targeting-vip fastL4 may core
Links to More Info: BT1166481
Component: Local Traffic Manager
Symptoms:
The TMM cores or VIP does not behave as expected.
Conditions:
- fastL4 virtual
- iRule uses virtual command to redirect flows to a second fastL4 virtual
- first virtual configuration is changed before a flow times out
Impact:
Configuration data is freed but continued to be used by the flow, leading to the configuration appearing to be corrupted causing cores or unexpected behavior.
Workaround:
Ensure that there are no active flows for the virtual being changed.
1166261-2 : HTTP/2 should not translate "Host" header to ":authority" pseudo-header in response
Links to More Info: BT1166261
Component: Local Traffic Manager
Symptoms:
BIG-IP inserts ":authority" pseudo-header within client-side response when receiving a server response containing a Host header in the response.
Host header in a HTTP/1.1 response is not in violation of RFC; however, a HTTP/2 response with an ":authority" pseudo-header is in violation of RFC7540.
Conditions:
Virtual server with a HTTP/2 profile applied with client-side context.
This configuration would translate HTTP/2 requests from client-side to HTTP/1.1 on server-side.
Impact:
HTTP/2 response must only have the ":status" pseudo-header in the response.
HTTP/2 responses containing any other pseudo-headers, such as ":authority", is considered malformed and those connections will be rejected.
Workaround:
Consider using an iRule to remove the Host header when it arrives from the server. The following iRule can be created and applied to the virtual server:
when HTTP_RESPONSE {
HTTP::header remove Host
}
1162661-3 : The Bad Actor (BA) hit counter is not updating for ICMP vector during hardware mitigation
Links to More Info: BT1162661
Component: Advanced Firewall Manager
Symptoms:
The hardware mitigation was not proper due to spva ba_hit statistics not generated.
Conditions:
Configure BA with rate limits for ICMP vectors at virtual server level.
Impact:
Attack traffic will get pass through because of ba_hit is not updating.
Workaround:
None
1162221-2 : Probing decision will skip local GTM upon reboot if net interface is not brought up soon enough
Links to More Info: BT1162221
Component: Global Traffic Manager (DNS)
Symptoms:
Resources will be marked timed out.
Conditions:
iQuery connection between local gtmd and big3d is not established before probing decision is made.
Impact:
Resources be marked DOWN unexpectedly.
Workaround:
Modify max-synchronous-monitor-requests to a new value which will trigger probing decision re-evaluation.
1162149-2 : TCP 3WHS being reset due to "No flow found for ACK" while client have received SYN/ACK
Links to More Info: BT1162149
Component: Advanced Firewall Manager
Symptoms:
As a result, some times BIG-IP sending reset ack, resulting into unsuccessful connection.
Conditions:
- It is specific to i7800 series,
- There are no exact reproduction steps.
Impact:
Unable to establish the connection.
Workaround:
None
1161241-5 : BIND default behavior changed from 9.11 to 9.16
Links to More Info: BT1161241
Component: Global Traffic Manager (DNS)
Symptoms:
The default behavior of BIND configurations for minimal-responses and dnssec-validation is changed in BIND 9.16 and leaving the issues for existing test cases and expected behavior.
Conditions:
Upgrade BIND package from version 9.11.36 to 9.16.27.
Impact:
Behavior change for minimal-responses and dnssec-validation.
Workaround:
None
1156149-1 : Early responses on standby may cause TMM to crash
Links to More Info: BT1156149
Component: Service Provider
Symptoms:
TMM cores with an early response and retransmit mechanism and has also happened during a failover event.
The following log entry can be found in /var/log/ltm
err tmm1[20721]: 01220001:3: TCL error: /Common/irule_diameter_e2_3868_be <MR_INGRESS> - Illegal argument (line 1) invoked from within "DIAMETER::is_request"
Conditions:
If the response of the request message reaches before the request on standby box.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1155861-2 : 'Unlicensed objects' error message appears despite there being no unlicensed configuration
Links to More Info: BT1155861
Component: TMOS
Symptoms:
Following error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.
Conditions:
- The primary blade disabled manually using the following TMSH command:
modify sys cluster default members { 1 { disabled } }
Impact:
Failed to load the license on disabled slot from primary slot.
Workaround:
Execute the following command on disabled slot:
rm /var/db/mcpdb.*
bigstart restart mcpd
Note: This causes a system to go offline while services restart. Traffic disrupted while services restart.
or
Execute command "reloadlic" which reloads the license into the current MCPD object.
1154725-4 : Custom or predefined method is not changing the behavior while changing from GET to POST method
Component: Application Security Manager
Symptoms:
Changing the user defined method from GET to POST is not changing the behavior, it will change the behavior
once we delete the user defined method and add it back again.
Conditions:
Configure flows to URLs of Act as Method.
Impact:
Flow enforcement will not match the expected method.
Workaround:
Delete the custom method and recreate again with require GET
or POST method.
1154313-2 : TMM crash due to rrsets structure corruption
Links to More Info: BT1154313
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm crashes.
Conditions:
- DNS module is provisioned
- The DNS-Express (DNSX) feature is configured with at least one DNS zone
- DNSX is used to try to resolve a DNS query received via a DNS listener
- DNSX is enabled as a resolver method in the DNS profile associated with the DNS listener.
- The DNS query is received on one tmm thread while another tmm thread is updating the DNSX database files
The DNSX database files are updated whenever DNSX performs a zone transfer, or when a new zone is added or one removed from the DNSX configuration.
TMM handling dns request while another tmm thread is reloading dns db files (for example, after performing a zone transfer, or when adding/removing a zone from the configuration) This issue primarily affects the DNS module, but it also affects LTM when DNS caching is enabled, such as when using a DNS resolver.(see K12140128)
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1153853-4 : Revision of default value for provision.restjavad.extramb to avoid OOM errors in restjavad
Links to More Info: BT1153853
Component: TMOS
Symptoms:
- restjavad may be out memory as determined from restjavad logs, /var/log/restjavad.X.log, showing 'java.lang.OutOfMemoryError'. This may lead to frequent restjavad restarts and high CPU.
- restjavad may instead, or as well, run many full garbage collection cycles one after another, causing high CPU. This will be shown by frequent logs with [FullGC] in /var/log/restjavad-gc.log.X.current
Conditions:
- Update to affected version: 14.1.5.1-, 15.1.7-15.1.8.2, 16.1.3.1-16.1.3.5, 17.0.0.1-17.0.0.2 or later versions.
- Value of sys db restjavad.useextramb is true.
- Value of sys db provision.restjavad.extramb is 192 or lower than previous restjavad heap size.
- Use of REST API calls that need a lot of memory. Heavy users of REST API, such as SSL Orchestrator, may be very affected.
Impact:
May have problems in TMUI with certain pages or tabs, such as network map with very config or SSLO or iLX related tabs.
Other services that use REST API, internal and external to BIG-IP, may be impacted with low performance or service instability
Workaround:
Before upgrade - if you set sys db restjavad.useextramb to value false before install of new version you will have more restjavad memory, the default 384MB, after upgrade.
tmsh modify sys db restjavad.useextramb value false
If you restart restjavad you can see if that value works before upgrade. If you don't restart then it will come into effect after reboot.
If that no longer has issues after update then leave that setting at false. Otherwise set back to true (no restart) and increase provision.restjavad.extramb as in After upgrade section below.
After upgrade:
Set sys db provision.restjavad.extramb to an appropriate value and restart restjavad.
Run the following command:
tmsh modify sys db provision.restjavad.extramb value X
bigstart restart restjavad
Iterate as necessary.
The value of X is derived by using one of the following formulae:
- When updating from versions before 14.1.4 and 15.1.3, to affected versions, a value that preserves the maximum previous restjavad heap size is:
192MB + 80% of MIN(provision.extramb|2500)
the minimum possible heap size was:
192MB + 20% of MIN(provision.extramb|2500)
The actual restjavad heap size would be between those extremes. SSLO systems would typically need the maximum.
- When updating from 14.1.4-14.1.5, from 15.1.3-15.1.6.1 or from 16.0.x to affected versions:
384MB + 80% of MIN(provision.extramb|2500)
- When updating from 16.1.0-16.1.3 or from 17.0.0.0 to affected versions:
384MB + 90% of MIN(provision.extramb|4000)
1148181 : SSL TLS1.3 connection terminates with "empty persist key" error when SSL persistence is enabled and session tickets are disabled
Links to More Info: BT1148181
Component: Local Traffic Manager
Symptoms:
SSL TLS1.3 handshake fails.
Conditions:
- clientssl profile has TLS1.3 enabled
- clientssl profile has session ticket disabled
- virtual server has SSL Persistence profile applied
Impact:
TLS1.3 SSL handhshakes will fail.
Workaround:
Either disabling persistence in the virtual server or enabling session-ticket in the clientssl profile
1148113-2 : The websocket_ep_send_down_ws_message does an extra websockets_frame release
Links to More Info: BT1148113
Component: Local Traffic Manager
Symptoms:
TMM crashes due to memory corruption.
Conditions:
- MQTT Over Websockets configuration in End-to-End mode
- Server should send sufficient traffic to cause congestion on the client-side
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
1148065-2 : HTTP::header exists and value iRule commands will not return successful even if the header is present
Links to More Info: BT1148065
Component: Local Traffic Manager
Symptoms:
Virtual Servers configured with the fastHTTP profile will always have the iRule commands and HTTP::header exists and value return as not found, even if the header is present.
Conditions:
A virtual server configured with fastHTTP, and an iRule that makes use of either the HTTP::header exists or value commands.
Impact:
The iRules may not perform as expected when the HTTP header is already present, as HTTP::header exists and value will not find it.
Workaround:
None
1145749-4 : Locally defined BIG-IP users can be lost during a failed config-sync
Links to More Info: BT1145749
Component: TMOS
Symptoms:
If a configuration sync to a BIG-IP devices fails, for example, due to an MCPD validation error, locally-defined users on the receiving BIG-IP device may be lost.
This issue applies to locally-defined users (for accessing the management UI or CLI), but does not affect the built-in "admin" or "root" logins.
The users will still be present in /config/bigip_user.conf, but will be missing from /etc/passwd and /etc/shadow, which prevents them from being able to log in to the device.
Messages similar to the following may be seen in /var/log/secure when those users attempt to log in to the BIG-IP device.
"User 'exampleuser' (fallback: false) - not authenticated: User not known to the underlying authentication module"
Conditions:
- A third (or subsequent) BIG-IP device is added to an existing sync group.
- The config-sync operation fails to load the new configuration, for example, because it is performed in the wrong direction, and the new empty device tries to overwrite and remove configuration from the existing ones, which is blocked by non-shared object references.
Impact:
Locally defined users on the receiving BIG-IP device are removed.
Workaround:
Log in as admin or root, and manually reset the passwords on the affected local user accounts. This will repopulate the users into the unix passwd and shadow files.
1144845-4 : GARPs from a newly active unit may be bridged for a brief time while the peer chassis transitions to standby
Links to More Info: BT1144845
Component: Local Traffic Manager
Symptoms:
When a VIPRION chassis goes into Standby there is a brief period of time in which all the blades transition. If GARPs are sent from the newly Active device during this time, they may be bridged.
Conditions:
VIPRION, multiple blades, vlan-groups.
Impact:
Switches / routers may have incorrect ARP information after a failover.
Workaround:
Use proxy exclude list to exclude all virtual addresses.
1144817-2 : Traffic processing interrupted by PF reset
Links to More Info: BT1144817
Component: TMOS
Symptoms:
Traffic between client and server is interrupted.
Conditions:
- E810 NICs are used.
- Reset PF.
Impact:
The BIG-IP instance requires a restart after PF reset to resume traffic processing.
Workaround:
Restart the BIG-IP device.
1144729-4 : PVA stats may be incorrect when PVA offloaded flows have their nexthops changed to a different VLAN
Links to More Info: BT1144729
Component: TMOS
Symptoms:
The PVA stats and corresponding service graph may be inaccurate if there are multiple routes to a destination and those routes are on different VLANS.
Conditions:
Multiple routes to a destination that exist on different VLANS. A flow that changes from one route to another.
Impact:
PVA stats or service graph may show significantly higher numbers than expected.
Workaround:
Disable PVA acceleration for the affected traffic.
Create LTM profile fastl4 and other-pva-offload-direction server-to-client-only.
1144417 : DoS WL allowed in BIG-IP version 16.1.x if it was configured in a previous version 15.1.x
Links to More Info: BT1144417
Component: Advanced Firewall Manager
Symptoms:
BIG-IP is allowing DOS WL is version 16.1.x when it is upgraded from version 15.1.x with existing configuration.
Conditions:
- Upgrade BIG-IP from version 15.1.x.
Impact:
BIG-IP adds WL in version 16.1.x.
Workaround:
Before upgrading to BIG-IP version 16.1.x, delete the WL configuration in version 15.1.x.
1144353 : After creating a "Dynamic Exclude Address Spaces" or "Dynamic LAN Address Spaces" from inside a Network Access List object fails to redirect back to Network Access List object page
Links to More Info: BT1144353
Component: Access Policy Manager
Symptoms:
After creating a "Dynamic Exclude Address Spaces" or "Dynamic LAN Address Spaces" the error "Major problem with Linked Adds, look at log file" is displayed on the page instead of redirecting back to the Network Access List object page.
Conditions:
Should navigate to Address Space creation page using the "+" button beside "Dynamic Exclude Address Spaces" or "Dynamic LAN Address Spaces" fields in the Network Access List object page.
Impact:
NA
Workaround:
Create a "Dynamic Exclude Address Spaces" or "Dynamic LAN Address Spaces" directly from the Access menu (Access ›› Connectivity / VPN : Network Access (VPN) : Address Spaces)
and then select it in the Network Access list object page.
1144329-4 : Traffic Intel does not classify Microsoft app properly
Links to More Info: BT1144329
Component: Traffic Classification Engine
Symptoms:
Some of the Microsoft teams based URLs are marked uncategorized or categorized as SSL and http2 by traffic intelligence categorization.
Conditions:
Geolocation based traffic not classified.
Impact:
Incorrect classification of Microsoft application.
Workaround:
None
1144013-2 : Policy import fails with Lock wait timeout exceeded ASM subsystem error
Links to More Info: BT1144013
Component: Application Security Manager
Symptoms:
On an intermittent basis,Users are encountering the following ASM subsystem error when trying to import their security policy:
/var/log/asm:Jul 28 08:40:18 waf-editor01 crit g_server_rpc_handler.pl[25893]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): DBD::mysql::db do failed: Lock wait timeout exceeded; try restarting transaction at /usr/local/share/perl5/F5/CommonUpgrade/ForeignKeyMismatch.pm line 45.
Conditions:
-- ASM provisioned
-- Import a policy
Impact:
Policy import fails and requires a re-try
Workaround:
Re-try the import, possibly several times
1143833-2 : ILX (iRules LX) may corrupt tmstat (profile statistics) memory
Links to More Info: BT1143833
Component: Local Traffic Manager
Symptoms:
iRulesLX do not show statistics after any changes made on the workspace and reload the plugin.
Conditions:
-- Using iRules LX
Impact:
iRulesLX do not show statistics after any changes made on the workspace and reload the plugin.
Workaround:
None
1143809-1 : Unable to modify SNMP monitors from webUI
Links to More Info: BT1143809
Component: TMOS
Symptoms:
While attempting to modify Interval, Timeout, and other SNMP monitors, following error is displayed:
Error: 'an error occurred while trying to process your request'
Conditions:
Modify SNMP monitor parameters from webGUI.
Impact:
Unable to modify any SNMP monitors from webUI.
Workaround:
Modify the SNMP monitors from TMSH , use the following command :
tmsh modify ltm monitor snmp-dca <monitor-name> cpu-coefficient <value>"
1142445-4 : Multicast handling on wildcard virtual servers leads to TMM memory leak
Links to More Info: BT1142445
Component: TMOS
Symptoms:
Multicast handling on wildcard virtual servers leads to TMM memory leak.
Conditions:
- Multicast license
- Multicast is enabled on a route-domain (ip multicast-routing)
- Wildcard virtual server matching multicast address space.
Impact:
TMM memory usage increasing over time.
Workaround:
None
1142225-2 : Regular and In-TMM HTTPS monitors advertise different cipher suites with SSL profile is set to None
Links to More Info: BT1142225
Component: Local Traffic Manager
Symptoms:
The HTTPS monitors advertise different cipher suites if the SSL profile setting is set to None, irrespective of whether the in-TMM monitoring is enabled.
Conditions:
The Https monitor(s) are set with the default SSL profile of "None".
Impact:
Pool members may be marked down when switching between regular and in-TMM monitoring due to differing cipher suites.
Workaround:
Assign an SSL profile to HTTPS monitors.
1142153-2 : DNS Resource Records for Wide IPs are potentially misleading when creating or deleting a large number of Wide IPs
Links to More Info: BT1142153
Component: Global Traffic Manager (DNS)
Symptoms:
BIND records do not match configured Wide IPs and pools.
Conditions:
If the BIG-IP is a member of a DNS/GTM sync-group and "synchronize-zone-files" is enabled.
Impact:
Resources that are down in GTM do not receive appropriate answers from BIND, and clutter builds up in BIND database over time.
Workaround:
None
1141213-2 : Peer is aborting the connection when PEM client runs diameter traffic over SCTP
Links to More Info: BT1141213
Component: TMOS
Symptoms:
PEM is initiating connection with successful CER/CEA. But, every time the connection gets aborted by the peer and a new connection is opened when diameter traffic is being sent from PEM client over SCTP.
Conditions:
Configure PEM as Gx diameter endpoint and let PEM to connect with MRF Diameter VS.
Impact:
MRF is resetting the PEM connection.
Workaround:
None
1138101-2 : Tunnel connections might not come up when using pool routes
Links to More Info: BT1138101
Component: Local Traffic Manager
Symptoms:
When using a pool route with service-down action set to drop or reset, tunnel flows might not work properly after pool route gateway goes down and comes up.
Conditions:
- Tunnel flow using a pool route for nexthop resolution.
- Pool route with service-action-down set to drop or reset.
- Pool is marked down and then up.
Impact:
Traffic no longer goes through tunnel.
Workaround:
Do not use service-action-down feature.
1137269-4 : MCPD fails to reply if a request is proxied to another daemon and the connection to that daemon closes
Links to More Info: BT1137269
Component: TMOS
Symptoms:
MCPD does not reply to the request if the publisher's connection closes or fails. In this case, when bcm56xxd
is restarted, the perceivable signs of failure are:
- The snmpwalk failing with a timeout and
- The "MCPD query response exceeding" log messages.
Conditions:
1) Configure SNMP on the BIG-IP to run snmpwalk locally on the BIG-IP.
2) From the first session on the BIG-IP, run a snmpwalk in the while loop.
while true;do date; snmpwalk -v2c -c public 127.0.0.1 sysDot1dbaseStat;sleep 2;done
Sample output:
Sat Aug 21 00:57:23 PDT 2021
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatResetStats.0 = INTEGER: 0
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatMacAddr.0 = STRING: 0:23:e9:e3:8b:41
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatNumPorts.0 = INTEGER: 12
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatType.0 = INTEGER: transparentonly(2)
3) From a second session on the BIG-IP restart bcm56xxd
bigstart restart bcm56xxd
4) The snmpwalk will continually report the following:
Timeout: No Response from 127.0.0.1
And snmpd will continually log "MCPD query response exceeding" every 30 seconds in /var/log/ltm.
Impact:
SNMP stopped responding to queries after upgrade.
Workaround:
Restart SNMP.
1137133-2 : Stats rate is showing incorrect data for broadcast, multicast and arp flood vectors
Links to More Info: BT1137133
Component: Advanced Firewall Manager
Symptoms:
A tenant side stats_rate is almost double.
Conditions:
-- Appliance has two ATSEs (rSeries 10k and VELOS )
-- AFM is enabled and licensed and broadcast or multicast packets are sent.
Impact:
Stats_rate is shown as double than sent traffic rate.
If vector is configured and traffic is passing with higher rate than mitigation value, stats_rate and int_drops_rate will be shown as double data rate.
Workaround:
None
1136905-1 : Request for Portal Access Hosted Content are RST with "No available SNAT addr"
Links to More Info: BT1136905
Component: Access Policy Manager
Symptoms:
A RST occurs with the following message in /var/log/apm:
- No available SNAT addr
Conditions:
- Portal Access with Hosted-Content.
Impact:
Unable to access hosted-content resources.
Workaround:
Use the following command:
- tmsh modify sys db ipv6.enabled value false
1136893-2 : Youtube classification fails
Links to More Info: BT1136893
Component: Traffic Classification Engine
Symptoms:
Youtube video is not classified as youtube_video.
Conditions:
Sending Youtube traffic from a browser.
Impact:
ABR not detected for PEM policy streaming rules.
Workaround:
None
1136833-2 : Unparseable request content subviolation override cannot be configured on microservices
Links to More Info: BT1136833
Component: Application Security Manager
Symptoms:
A configuration option is missing for the unparseable request content subviolation override.
Conditions:
The option is missing in the UI and REST.
Impact:
It is not possible to configure an override for this subviolation on a microservice.
Workaround:
An iRule can be used to mitigate this condition. The specific iRule will be different according to the use case, the following is an example (psaudo code):
when ASM_REQUEST_DONE
{
if {[ASM::microservice] eq "/foo/*a/"}
{
if { [HTTP::uri] length > X}
#trigger ASM custom violation
}
1136781-2 : Incorrect parsing of 'bfd notification' CLI in IMI Shell (imish)
Links to More Info: BT1136781
Component: TMOS
Symptoms:
-- Cannot load a file containing 'bfd notifications enable'.
-- After restarting the Advanced Shell services or rebooting, the 'bfd notifications enable' command is missing in the show running-config.
Conditions:
-- In imish, configure "bfd notification enable".
-- Reboot or TMSH restart sys service tmrouted.
-- The "bfd notification enable" is not present in the show running-config.
Impact:
Unable to restore or survive the bfd notification CLI.
Workaround:
None
1136081-5 : HSM sync issue in high availability (HA) setups
Links to More Info: BT1136081
Component: Local Traffic Manager
Symptoms:
FIPS card sync can return error when trying to sync FIPS card in High Availability (HA) setups.
HSMs are initialized with old software are not compatible with HSMs which are initialized with recent software release. If one device in HA pair is replaced and new device is initialized with new software, then HSM sync can fail in few scenarios.
Conditions:
- Replacing a device in HA pair.
Impact:
HA pair will not be able to sync the FIPS keys which can cause the traffic impact if active device goes down.
Workaround:
Following are workaround steps for target device (RMAed or new device in high availability (HA) pair):
1. Downgraded the BIG-IP version to old releases.
2. Execute "tmsh stop sys service all".
3. Execute fipsutil reset.
4. Execute fipsutil init.
5. Execute bigstart restart.
6. Execute the following command to check the FIPS card health:
tmsh show sys crypt fips key
Following is an example output:
-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
no private keys found
7. Upgrade the BIG-IP version to latest release where active device is present.
8. Reboot to upgraded volume.
9. Execute the fipscardsyn from source device.
1135425-2 : Created ASM policy does not appear in bigip.conf on the standby
Links to More Info: BT1135425
Component: Application Security Manager
Symptoms:
Policy does not appear under bigip.conf on standby.
Conditions:
Issue observed when creating ASM policies on active device in auto-sync condition.
Impact:
Created policy under Active is not updated in bigip.conf on standby machine.
Workaround:
Explicit 'save sys config'.
1135393-1 : The pfmand support is not available on i15820-DF (D120)
Links to More Info: BT1135393
Component: TMOS
Symptoms:
The vCMP host is not running pfmand, while the vCMP guest is runiing. The guests logs the following error:
"pfmand[5334]: 01660005:4: No connection to hypervisor."
Conditions:
On vCMP guest, it is running the pfmand service and giving following error logs:
"pfmand[5334]: 01660005:4: No connection to hypervisor."
Impact:
No functional impact as device is processing the crypto and compression traffic to Nitrox5 device, but pfmand will not be able to monitor Nitrox5 device.
Workaround:
None
1134441-2 : Inactive policy synced to peer results ASM removed from virtual server only for sync-only DG
Links to More Info: BT1134441
Component: Application Security Manager
Symptoms:
An ASM policy is suddenly detached from a virtual server and deactivated.
Conditions:
-- sync-only device group.
-- ASM sync enabled.
-- A policy is used on device ASM-A (attached to virtual server/device group).
-- The same policy is not used on device ASM-B (not attached to virtual server/device group).
Impact:
Inactive policy is synced to the peer, resulting in ASM being unassigned from the Virtual Server.
Workaround:
To prevent Policy Sweeper from deactivating any ASM policy, create a non-functioning device group and attach the unused ASM policies to that device group.
1134257-2 : TMM cores when pingaccess profile is modified multiple times and configuration is loaded
Links to More Info: BT1134257
Component: Local Traffic Manager
Symptoms:
TMM cores.
Conditions:
- The APM pingaccess profile is configured.
- Before configuration load, modify pingaccess profile multiple times.
Impact:
TMM cores.
Workaround:
None
1132957-1 : Modifying IPsec tunnels tunnel object may result in TMM core
Links to More Info: BT1132957
Component: TMOS
Symptoms:
Changing the configuration of an IPsec interface mode tunnel may result in a TMM core.
Conditions:
- IPsec with ipsec-policy in interface mode.
- Configuration is changed for that tunnel.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Before reconfiguring an IPsec interface mode tunnel, disable the ike-peer associated with the tunnel.
1132949-4 : GUI reported error when changing password after mgmt port was changed
Links to More Info: BT1132949
Component: TMOS
Symptoms:
GUI reports an error, but the password can be changed successfully anyway:
An error has occurred while trying to process your request.
Conditions:
This issue is seen when an SSL port change happens, followed by password change for a given user.
Impact:
The BIG-IP system is unable to provide the following functionality:
1. Gossip Framework : REST high availability (HA) sync framework will not work.
2. Licensing via BIG-IQ
3. selfLinks will be wrong
4. iAppLx, SSL Orchestrator, Access Guided Configuration, AS3 will be affected as these modules depends on Gossip
Workaround:
This issue is seen only when the SSL port is other than 443 (which is default SSL port).
To work around this, keep 443 as SSL port.
1132705-3 : Failed on insert entry to DCC.ACCOUNT_LOGIN_OBJECT_ATTRIBUTES
Component: Application Security Manager
Symptoms:
When importing two policies that have the same url object configured, adding the url parameter to one on of the policies causes apply policy to fail.
Conditions:
1. Both policies use the same url parameter.
2. Type of parameters are different (one can be http and the other can be https for example).
Impact:
Apply policy fails.
Workaround:
Change the name of one of the policies.
1132449-2 : Incomplete or missing IPv6 IP Intelligence database results to connection reset and/or high TMM CPU usage
Links to More Info: BT1132449
Component: Advanced Firewall Manager
Symptoms:
Following IPv4 database load message is present in /var/log/ltm:
015c0010:5: Initial load of IPv4 Reputation database has been completed
Note the absence of:
015c0010:5: Initial load of IPv6 Reputation database has been completed
Some scenarios would result in elevated TMM CPU utilization, for example, when using IPI in global policy.
Conditions:
Failure to download IPv6 database from localdb-ipv6-daily.brightcloud.com.
Impact:
Any of the following:
- TCL error results when IPI is used in an iRule resulting in connection being reset.
- When using IPI in global policy, increased TMM CPU utilization may occur which leads to idle enforcer being triggered, TMM clock advanced messages appearing in LTM logs, or TMM restarting without core when MCPD is unable to communicate with TMM.
Workaround:
Ensure that BIG-IP is able to communicate using https with BrightCloud servers, including localdb-ipv6-daily.brightcloud.com. For more detailed troubleshooting steps, see K03011490 at https://my.f5.com/manage/s/article/K03011490.
Once the IPv6 reputation database has been retrieved and loaded issues should stop.
This line in ltm log shows load has completed:
015c0010:5: Initial load of IPv6 Reputation database has been completed
1128429-5 : Rebooting one or more blades at different times may cause traffic imbalance results High CPU
Links to More Info: BT1128429
Component: Carrier-Grade NAT
Symptoms:
One or more TMMs are consuming more CPU cycles than the other TMMs. The increased CPU usage is caused by a significant number of internal TMM traffic redirections.
Conditions:
- LSN pools enabled.
- The sp-dag configured on the client-side and server-side VLANs (cmp-hash src-ip and cmp-hash dst-ip respectively).
Impact:
Increased TMM CPU usage on one or more TMMs.
Workaround:
- Set up an High Availability (HA) pair of VIPRIONs and make an active VIPRION cluster standby before doing any operation that involves the rebooting, insertion, or removal of one or more blades.
Or if the VIPRION is a stand-alone cluster:
- Stop all external traffic to the VIPRION before rebooting, inserting, or removing one or more blades.
- Restart or reboot all the blades at the same time from the primary, using the following "clsh" command:
"clsh reboot volume <NEW_VOLUME>" or "clsh bigstart restart".
1128405-3 : DNS overall Request/Second counter can be inaccurate
Links to More Info: BT1128405
Component: Global Traffic Manager (DNS)
Symptoms:
In the output of "tmsh show ltm profile dns" (which shows overall stats for all DNS profiles) can indicate an inaccurate value for the "Request/Second" counter.
The counters for individual DNS profiles will have accurate values.
Conditions:
A DNS profile is associated with a virtual server, and then later removed (or switched to use another DNS profile).
Impact:
The overall view showing statistics for DNS Requests/Second is inaccurate.
Workaround:
Reset the profile stats, although this will only be effective until the next time a DNS profile is removed from a virtual server.
1128033-3 : Neuron client constantly logs errors when TCAM database is full
Links to More Info: BT1128033
Component: Local Traffic Manager
Symptoms:
A database held in hardware (TCAM), shared between tenants, has a limit that is exceeded by software in tenants that adds and manages entries in the database.
Symptomatic logs on tenant:
in /var/log/ltm, repeating logs are recorded, following is an example:
err tmm[635]: 01010331:3: Neuron client neuron_client_pva_hwl failed with rule request submit(client connection is busy (has outstanding requests))
in /var/log/tmm, cycles of following group of logs are recorded:
notice neuron_client_negotiate: Neuron client connection established
notice [DDOS Neuron]Neuron daemon started
notice hudproxy_neuron_client_closed_cb: Neuron client connection terminated
notice [DDOS Neuron]Neuron daemon stopped
For F5OS host, in partition /var/F5/partitionX/log/velos.log repeating logs are recorded, following is an example:
tcam-manager[41]: priority="Err" version=1.0 msgid=0x6b01000000000007 msg="ERROR" MSG="TCAM processing Error(-5) executing:TCAM_INSERT for ruleno:0x20000000937"
In the log message, the msgid and ruleno can vary, but the Error(-5) is an indication of this issue.
Conditions:
The BIG-IP system with a rSeries r5xxx, r10xxx, r12xxx or has VELOS blades such as BX110.
The rSeries 2xxx, 4xxx and iSeries platforms are not affected.
Large configurations, on the order of high hundreds of virtual servers, are more likely to encounter issue.
Impact:
The neuron client software will restart and log repeatedly.
Inefficient use of TCAM database.
Workaround:
None
1127881-2 : Deprecate sysClientsslStatFullyHwAcceleratedConns, sysClientsslStatPartiallyHwAcceleratedConns and sysClientsslStatNonHwAcceleratedConns
Links to More Info: BT1127881
Component: TMOS
Symptoms:
SSL Hardware Acceleration MIBs are still in use which are meant to be deprecated.
Conditions:
Run snmpwalk for these MIBS and it's active.
#snmpwalk -c public localhost -v2c F5-BIGIP-SYSTEM-MIB::sysClientsslStatFullyHwAcceleratedConns
F5-BIGIP-SYSTEM-MIB::sysClientsslStatFullyHwAcceleratedConns.0 = Counter64: 0
# snmpwalk -c public localhost -v2c F5-BIGIP-SYSTEM-MIB::sysClientsslStatPartiallyHwAcceleratedConns
F5-BIGIP-SYSTEM-MIB::sysClientsslStatPartiallyHwAcceleratedConns.0 = Counter64: 0
# snmpwalk -c public localhost -v2c F5-BIGIP-SYSTEM-MIB::sysClientsslStatNonHwAcceleratedConns
F5-BIGIP-SYSTEM-MIB::sysClientsslStatNonHwAcceleratedConns.0 = Counter64: 0
Impact:
SSL MIB not up-to-date
Workaround:
None
1127805-2 : Server.crt containing "<" will cause frequent reconnects between local gtmd and big3d
Links to More Info: BT1127805
Component: Global Traffic Manager (DNS)
Symptoms:
Resources flap, frequent reconnects occur between the local gtmd and big3d.
Logs similar to this:
Jul 15 22:56:32 GSLB2 warning gtmd[11773]: 011ae023:4: XML parsing error not well-formed (invalid token) at line 483
Jul 15 05:36:54 GSLB2 notice gtmd[6917]: 011ae01a:5: SSL handshake complete to 10.10.10.10
Jul 15 05:37LB2 notice gtmd[6917]: 011ae01a:5: SSL handshake complete to 10.10.10.10
Jul 15 05:37:24 GSLB2 notice gtmd[6917]: 011ae01a:5: SSL handshake complete to 10.10.10.10
Jul 15 05:37:34 GSLB2 notice gtmd[6917]: 011ae01a:5: SSL handshake complete to 10.10.10.10
Conditions:
Server.crt containing "<"
Impact:
-- GTMs frequently leave/join the GTM sync group
-- Resources are marked up and down.
Workaround:
1. On each GTM, run bigip_add for all defined BIG-IP servers.
Or
2. Remove "<" from the server.crt file.
1127725-1 : Performance drop with the AES_CCM 128 cipher★
Links to More Info: BT1127725
Component: Local Traffic Manager
Symptoms:
On all BIG-IP platforms with Coleto Creek - Intel Crypto and Coleto Creek DH8925CL chip present for Hardware cryptos like i10800, i11800, i5800, i7000, i15800, i4x00 platforms and VIPRION, when AES_CCM 128 ciphers such as TLS_RSA_WITH_AES_128_CCM are used, there will be a performance drop when compared to previous releases.
Conditions:
The AES_CCM 128 algorithm is configured.
Impact:
A performance drop of up to 30% and an increase in CPU utilization occurs.
Workaround:
None
1127241-1 : AS3 tenants don't sync reliably in GTM sync groups.
Links to More Info: BT1127241
Component: Global Traffic Manager (DNS)
Symptoms:
GTM AS3 tenants do not sync across GTM sync groups when using AS3 declarations.
Conditions:
-- GTM sync group.
-- Remove tenant in GTM1.
-- Sync does not happen and the tenant remains in GTM2.
Impact:
GTM sync fails to sync the AS3 tenants.
Workaround:
None
1126181-2 : ZebOS "no log syslog" configuration is not surviving reboot
Links to More Info: BT1126181
Component: TMOS
Symptoms:
ZebOS "log syslog" or "no log syslog" are not surviving reboot according to the user performed operations. Always revert to default setting, which is enabled.
Conditions:
-- Under Configure no log syslog.
-- Perform reboot or upgrade.
Impact:
If syslog logging has been disabled using 'no log syslog', and then ZebOS is restarted. For example, by rebooting or upgrading the BIG-IP, syslog logging will revert to the default setting, which is enabled.
Workaround:
None
1125381-2 : Extraneous warnings recorded in when using only intermediate certificates
Links to More Info: BT1125381
Component: Local Traffic Manager
Symptoms:
When client authentication is enabled on the client SSL profile but the trusted-ca file includes only an intermediate certificate and no CA root cert to build the whole cert chain, although the TLS connection is made, as expected, there is an error message reported.
Conditions:
Trusted-ca includes only inter-cert and no root CA-cert
is configured.
Impact:
Although the TLS handshake succeeds without any issue and the connection is processed, as expected, a confusing warning is reported.
Workaround:
Because the connection is made, you can safely ignore this message.
Note: This issue does not occur if the root CA cert is also configured in the CA-cert bundle.
1125161-2 : Wideip fails to display or delete in the Link Controller GUI.
Links to More Info: BT1125161
Component: Global Traffic Manager (DNS)
Symptoms:
Attempting to display (i.e. click on) a WideIP in the Link Controller GUI returns an error similar to the following example:
General error: Error parsing value of "null" of type "gtm_qtype_t" in statement [SELECT SINGLE *, gtm_pool.name as pool_name FROM gtm_wideip, gtm_pool WHERE (name = '/Common/example.com' AND type = '1' AND pool_name = 'null' AND pool_type = 'null')]
Attempting to delete a Wideip in the Link Controller GUI returns an error similar to the following example (and the delete operation fails):
01020036:3: The requested Pool (A /Common/example.com) was not found.
Conditions:
-- Link Controller system.
-- The Wideip in question has no associated Pool. This is likely the result of improperly creating the Wideip via the tmsh utility, or upgrading the system from an earlier version which caused your configuration to be automatically fixed up (such as creating distinct A and AAAA Wideips from an earlier unique Wideip entry).
Impact:
The GUI cannot be used to display or delete the Wideip.
Workaround:
Link Controller, unlike GTM, does not expose the concept of Pools. Link Controller only exposes WideIPs and Virtual Servers. Pools exist, but are managed automatically by the system on your behalf.
If a WideIPs created using the GUI, the WideIP will be assigned a Pool of the same type and name automatically. This also happens if you initially decide to assign no Virtual Servers to the WideIP (and things work as intended in the BIG-IP GUI).
However, the tmsh utility is not aligned with this Link Controller requirement, and allows you to create WideIPs with no associated Pool.
If you have experienced this issue:
1) Deleted the affected WideIP using the tmsh utility.
2a) Going forward, use the GUI to define more Link Controller WideIPs.
2b) Alternatively, if you must use the tmsh utility to do so, ensure each WideIP you create is assigned an identically named Pool of the same type, even if initially you decide to place no Virtual Servers in the Pool. For example, define something like the following:
gtm pool a /Common/example.com { }
gtm wideip a /Common/example.com {
pools {
/Common/example.com {
order 0
}
}
}
1124793-1 : Space inserted for variable assigned in a custom expression in the GUI
Links to More Info: BT1124793
Component: Access Policy Manager
Symptoms:
A space character is inserted in a Custom Expression in UI
Conditions:
While creating a Custom expression in Variable Assign
Impact:
In some cases the space in the custom expression is propagating to bigip.conf and causing issues due to the extra space.
Workaround:
None
1124733-1 : Unnecessary internal traffic is observed on the internal tmm_bp vlan
Links to More Info: BT1124733
Component: TMOS
Symptoms:
Unnecessary internal traffic can be observed on the internal tmm_bp vlan. It is a UDP broadcast on 62965 port.
Conditions:
Always
Impact:
Unnecessary traffic that does not disrupt normal operation.
Workaround:
None
1124217-1 : Big3d cores on CTCPSocket::TCPReceive and connector
Links to More Info: BT1124217
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d crashes.
Conditions:
Big3d keeps restarting and coring on gtm with a large quantity of monitors configured.
Impact:
Segmentation fault and big3d restarts.
Workaround:
None
1124085-4 : iRules command [info hostname] does not reflect modified hostname
Links to More Info: BT1124085
Component: Local Traffic Manager
Symptoms:
Result from [info hostname] iRules command does not change after modifying system hostname.
Conditions:
- iRules [info hostname] command is being used.
- System hostname is modified.
Impact:
iRules command [info hostname] might reflect incorrect/old hostname
Workaround:
Use $static::tcl_platform(machine) insted of [info hostname]
1123189-2 : De-Provisioning AFM does not disable SYN-ACK cookie generation
Links to More Info: BT1123189
Component: Advanced Firewall Manager
Symptoms:
The AFM de-provision is not in sync with TCP-SYNACK-FLOOD cookies with 'suspicious' enabled mode.
Conditions:
The TCP-SYNACK-FLOOD cookies with 'suspicious' enabled not getting disabled when AFM license is de-provisioned.
Impact:
Cookies (SYNACK) generations is happening even after AFM module is de-provisioned.
Workaround:
None
1123157-3 : Single-page application AJAX does not work properly with page's navigation
Component: Application Security Manager
Symptoms:
When a single-page application is enabled and the page's own navigation is triggered during the display of CAPTCHA, the CAPTCHA frame disappears.
Conditions:
-- Single-page application is enabled in ASM.
-- The single-page application's code performs its own navigation on top of the displayed CAPTCHA.
Impact:
ASM end users may not be able to pass the CAPTCHA challenge and therefore will not be able to access the application.
Workaround:
None
1122153-4 : Zonerunner GUI displaying incorrect error string "RRSig Covers Unsupported Record Type"
Links to More Info: BT1122153
Component: Global Traffic Manager (DNS)
Symptoms:
Zonerunner is displaying incorrect error information when it is unable to parse the value.
Conditions:
Zonerunner displays such errors when it is unable to parse the value when displaying records.
Impact:
The error message suggests it is a DNSSEC issue (RRSig) and is misleading.
Workaround:
None
1122021-3 : Killall command might create corrupted core files
Links to More Info: BT1122021
Component: TMOS
Symptoms:
When killing multiple processes via the 'killall' command, a single corrupted core file is created.
Conditions:
- using killall command
- killing multiple processes
Impact:
Corrupted core file is created.
Workaround:
Kill single specific processes instead
1121937-4 : ZoneRunner GUI is unable to display CAA records with "Property Value" set to ";"
Links to More Info: BT1121937
Component: Global Traffic Manager (DNS)
Symptoms:
If you try to view CAA record in ZoneRunner with "Property Value" set to ";", then "RRSig Covers Unsupported Record Type<none>:1: <none>:1: expected a string" message is displayed in GUI.
Conditions:
- Navigate to DNS :: Zones :: ZoneRunner :: Resource Record List :: Search All Records.
- Click on record of type CAA where the "Property Value" is set to ";".
Impact:
Unable to view or update CAA records through GUI where the "Property Value" is set to ";".
Workaround:
Manually edit or view the BIND configuration from the command line.
1121169-3 : Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use
Links to More Info: BT1121169
Component: TMOS
Symptoms:
On systems where ID1004833 has been fixed, the resizing instructions for /appdata from K74200262 no longer work.
Conditions:
When the jitterentropy-rngd is started by systemd which is the default state of the BIG-IP.
Impact:
A filesystem resize operation may fail with the following error:
# lvreduce --resizefs --size -40G /dev/mapper/vg--db--sda-dat.appdata
Do you want to unmount "/appdata"? [Y|n] y
fsck from util-linux 2.23.2
/dev/mapper/vg--db--sda-dat.appdata is in use.
e2fsck: Cannot continue, aborting.
resize2fs 1.42.9 (28-Dec-2013)
resize2fs: Device or resource busy while trying to open /dev/mapper/vg--db--sda-dat.appdata
Couldn't find valid filesystem superblock.
fsadm: Resize ext3 failed
fsadm failed: 1
Filesystem resize failed.
Workaround:
Unmount /appdata and restart the jitterentropy-rngd, using the following commands:
umount /appdata
systemctl restart jitterentropy-rngd
Then retry the resize operation.
1120529-1 : Illegal internal request in multipart batch request
Links to More Info: BT1120529
Component: Application Security Manager
Symptoms:
Request parser for inner request is intolerant for a linefeed that results in a HTTP Protocol Compliance violation with the following details.
HTTP Validation Bad multipart parameters parsing
Details Illegal internal request in multipart batch request
Conditions:
- multipart/batch(ing) request
- inner requests use LF for end-of-line marker, instead of canonical marker CRLF
Impact:
Request gets blocked
Workaround:
None
1120345-6 : Running tmsh load sys config verify can trigger high availability (HA) failover
Links to More Info: BT1120345
Component: TMOS
Symptoms:
When running tmsh 'load sys config verify' on a config that contains both an high availability (HA) group and a traffic group referencing that high availability (HA) group, this will trigger an high availability (HA) fault and failover.
Conditions:
- Running 2 BIG-IP systems in an high availability (HA) pair
- Run tmsh 'load sys config verify' on a config with the following conditions:
- Config to be verified contains an high availability (HA) group
- Config to be verified also contains a traffic group referencing the high availability (HA) group
Impact:
HA fault and failover. high availability (HA) pair will enter a degraded state.
Workaround:
No workaround currently known, but the failover fault can be cleared by running tmsh 'load sys config' on the system that had 'load sys config verify' run on it.
1116513-1 : Route-domains should not be allowed on name server addresses via the GUI.
Links to More Info: BT1116513
Component: Global Traffic Manager (DNS)
Symptoms:
Route domains are allowed on nameserver address when configuring them via the GUI.
Conditions:
Create a DNS resolver via the GUI and include route domain for nameserver IP address.
Eg : Navigate to Network > DNS Resolvers > DNS Resolver List and can create a DNS resolver name server address with Route domain.
Impact:
Inconsistency between the GUI and TMSH for dns resolver namserver address.
Workaround:
None
1114253-4 : Weighted static routes do not recover from BFD link failures
Links to More Info: BT1114253
Component: TMOS
Symptoms:
If a BFD link fails and recovers, the weighted static route that should be preferred does not populate back into the routing table.
Conditions:
Weighted static routes with BFD configured, this is an example of the affected configuration:
ip route 0.0.0.0/0 10.8.8.4 100
ip route 0.0.0.0/0 10.8.8.34 200
ip static 0.0.0.0/0 10.8.8.4 fall-over bfd
ip static 0.0.0.0/0 10.8.8.34 fall-over bfd
After BFD session to 10.8.8.4 fails and recovers the default route will still be pointing to 10.8.8.34.
Impact:
Incorrect route nexthop.
Workaround:
Re-add route config statements.
1114137-4 : LibUV library for latest bind 9.16
Links to More Info: BT1114137
Component: TMOS
Symptoms:
The latest bind software requires the latest libuv for performance improvements and to support new protocol layers (for example, DNS over TLS).
Conditions:
The latest bind software requires the latest libuv for performance improvements and to support new protocol layers (for example, DNS over TLS).
Impact:
None
Workaround:
None
1112649 : FIPS 140-2/FIPS 140-3 compliant mode is incorrect after upgrade to 16.1.2.2★
Component: TMOS
Symptoms:
After upgrading a BIG-IP system that is licensed for FIPS 140-2 compliant mode or with the full-box FIPS license, the FIPS mode reported is FIPS 140-3 compliant mode, but FIPS 140-2 and FIPS 140-3 mode is not properly enabled.
Also, if you upgrade a BIG-IP system that is licensed for FIPS 140-2 compliant mode or with the full-box FIPS license, and upgrade to version 16.1.2.2 without first re-activating your license, after the upgrade is complete you will be prompted to reboot. After the reboot, FIPS mode will be disabled.
Conditions:
-- BIG-IP system running a software version earlier than 16.1.2.2, regardless of hardware or software platform type
-- The FIPS 140-2 compliant mode or full-box FIPS license is applied
-- Upgrade to version 16.1.2.2
Impact:
After the system reboots, the BIG-IP system reports that FIPS 140-3 compliant mode is enabled, but the FIPS mode is not FIPS 140-2 or FIPS 140-3 compliant in this version.
If you did not re-activate the license prior to upgrade, the BIG-IP system will prompt you to reboot, and then will start with FIPS mode disabled.
Workaround:
If you are upgrading a BIG-IP system that has a FIPS 140-2 compliant mode license applied, do not upgrade to version 16.1.2.2; instead, upgrade to BIG-IP version 16.1.3 or higher if your intention is to upgrade to version 16.x.
1112205-3 : HTTP/2 may garble responses if the client-side stream aborts while response headers are on the wire
Links to More Info: BT1112205
Component: Local Traffic Manager
Symptoms:
If the client-side stream aborts while response headers are on the wire, the subsequent requests may receive a garbled response.
Conditions:
- HTTP2 profile is used on both client and server side.
- The client terminates the stream while the response has not yet reached the BIG-IP system.
Impact:
The client will receive an obscure response
Workaround:
None
1112089-1 : Prevent zrd from rolling back named.conf file in wrong situations
Links to More Info: BT1112089
Component: Global Traffic Manager (DNS)
Symptoms:
The zrd process may roll name.conf back which may cause unexpected changes.
This shows up in the /var/log/gtm file or in the GUI with a message similar to the following:
err zrd[27809]: 01150306:3: Error connecting to named socket 'Connection refused'.
(or)
err zrd[16198]: 01150306:3: Error connecting to named socket 'Connection timed out'.
Conditions:
As of now list include the following scenarios:
-- One of the scenario is seen as part of ID1083405 - see https://cdn.f5.com/product/bugtracker/ID1083405.html
-- Named process isn’t running, updating wide IPs will cause the same symptom.
Impact:
Looking up or modifying zone records may fail. This will affect the other members in the gtm sync group as well.
Workaround:
None
1111361-3 : Refreshing DNS wide IP pool statistics returns an error
Links to More Info: BT1111361
Component: Global Traffic Manager (DNS)
Symptoms:
Refreshing the wide IP pool statistics results in the error message 'An error has occurred while trying to process your request'.
Conditions:
Go to "Statistics > Module Statistics > DNS > GSLB > Wide IPs > Statistic Pools", and click "Refresh".
Impact:
No results are returned, and the error message 'An error has occurred while trying to process your request' is displayed.
Workaround:
None
1110949-2 : Updating certKeyChain of parent SSL profile using iControl does not change the cert and key outside certKeyChain of the child profile
Links to More Info: BT1110949
Component: Local Traffic Manager
Symptoms:
Invalid config after iControl call: the certificate and key of the child profile do not change as expected.
Conditions:
1. The SSL profile should default from a parent profile.
2. iControl REST is used to change the certkeychain of the parent profile.
3. The issue cannot be seen after the first call but from the second call, it's always reproducible.
Impact:
1. The child profile has an incorrect configuration.
2. The older certificate/key can not be deleted as they are still in use in the child profile.
Workaround:
Can use currently deprecated iControl call by using key and cert instead of certkeychain as follows:
curl -k -u admin:admin -H "Content-Type: application/json" -X PATCH https://10.155.75.246/mgmt/tm/ltm/profile/client-ssl/parent.example.com -d '{"key":"/Common/default.key","cert":"/Common/default.crt"}'
1110485-3 : SSL handshake failures with invalid profile error
Links to More Info: BT1110485
Component: Local Traffic Manager
Symptoms:
1. TMM reports SSL handshake failures with reason "hud_ssl_handler:1208: alert(40) invalid profile unknown on VIP"
2. There will be Certificate read errors in the ltm log "reading: Unknown error."
Conditions:
-- The certificates associated with the SSL profile are corrupted by modifying/adding/deleting them manually/Venafi
-- There are frequent unintentional Certificate updates
Impact:
-- The BIG-IP system will not be able process the traffic
-- All traffic to particular virtual servers fails
Workaround:
1. Correct the certificates which are corrupted and make them valid.
2. Deattach/Remove the corresponding SSL profile from all virtual servers to which it is applied.
3. In the GUI open the virtual server and click on update and make sure there are no errors shown on the screen.
4. Now re-apply the SSL profile to the virtual server
1110373-2 : Nitrox device error logs in /var/log/ltm
Links to More Info: BT1110373
Component: Application Visibility and Reporting
Symptoms:
The BIG-IP may log errors similar to the following:
Apr 20 06:22:30 bigip1 crit tmm3[6615]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=4): ctx dropped.
Feb 1 08:53:00 bigip1 crit tmm1[25889]: 01010025:2: Device error: n3-compress1 Zip engine ctx eviction (comp_code=6): ctx dropped.
Conditions:
When AVR is in use, a Nitrox accelerator card is installed in the BIG-IP.
Impact:
If these logs are not occurring frequently and are being caused by AVR they can be safely ignored.
It is difficult to determine whether these messages are related to AVR or part of a hardware problem with the Nitrox. With AVR debugging enabled the following log message can be observed:
<13> 2022-04-22T15:21:30.836+02:00 bigip1 notice AVR: AVR decompression failed (most likely out-of-memory or bad format, err=32)
Workaround:
Disable AVR or hardware compression:
tmsh modify sys db compression.strategy value softwareonly
1110165-3 : Fasthttp connections infrequently fail
Links to More Info: BT1110165
Component: Local Traffic Manager
Symptoms:
BIG-IP can rarely send client payloads to servers before the connection has been fully established.
Conditions:
-- Fasthttp virtual server
-- Cookie persistence enabled
-- The payload is spread across multiple packets
Impact:
Some servers will reset the connection, causing client side HTTP requests to fail.
Workaround:
Use a fastl4/standard virtual server instead.
1108557-1 : DNS NOTIFY with TSIG is failing due to un-matched TSIG name
Links to More Info: BT1108557
Component: Global Traffic Manager (DNS)
Symptoms:
DNS NOTIFY messages are ignored.
Conditions:
The TSIG on the secondary needs to have the same algorithm and secret, but one or more characters in the name must be a different case.
Impact:
Failure to update the zone in a timely fashion.
Workaround:
Remove the offending TSIG on the secondary and re-create it with case matching the primary server.
1107605-1 : TMM crash reported with specific policy settings
Links to More Info: BT1107605
Component: Local Traffic Manager
Symptoms:
TMM crashes when HTTPS request for a non-existent document
Conditions:
1) Virtual server with HTTP Profile
2) LTM Policy with "shutdown connection" for 400/404 response codes
3) Request for non-existent document
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove the policy and use an iRule with the same conditions as in the policy.
1107453 : Performance drop observed in some Ramcache::HTTP tests on BIG-IP i10800 platform
Links to More Info: BT1107453
Component: Local Traffic Manager
Symptoms:
Drop in TPS of around 6.5% observed for Ramcache::HTTP tests.
Conditions:
- BIG-IP i10800 l7-performance-fpga platform
- 5KB file size with 1 Request Per Connection
- 5KB file size with 100 Request Per Connection
Virtual server with the following profiles -
1. http
2. tcp profile with nagle disabled
3. web acceleration profile with following attributes -
- cache-max-age 36000
- cache-object-max-size 1500001
- cache-object-min-size 1
Impact:
Delay in client side response during peak traffic flow due to lowered throughput.
Workaround:
None
1106673-3 : Tmm crash with FastL4 virtual servers and CMP disabled
Links to More Info: BT1106673
Component: Local Traffic Manager
Symptoms:
With CMP disabled, all traffic is forwarded to one TMM thread. A crash occurs when these flows are torn down.
Conditions:
The following is configured on a virtual server:
-- A fastL4 profile
-- CMP is disabled
-- An IPS firewall policy
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Enable CMP on the virtual server.
tmsh modify ltm virtual <virtual_server_name> cmp-enabled yes
1105969-1 : Gratuitous ARP not issued for self-IP on clicking "Update" via the GUI
Links to More Info: BT1105969
Component: Local Traffic Manager
Symptoms:
A gratuitous ARP (GARP) is not issued as per K15858.
Conditions:
After the BIG-IP system is fully started and interfaces are online, select the non-floating self IP address in the Configuration utility and then select Update (without making any changes).
Impact:
You cannot force self-IPs to send a gratuitous ARP post-boot.
Workaround:
None
1105757-3 : Creating CSR with invalid parameters for basic-constraints, tmsh does not generate meaningful errors
Links to More Info: BT1105757
Component: TMOS
Symptoms:
A similar error as below is observed:
Key management library returned bad status: -45, No Error
Conditions:
Creating a CSR
The basic-constraints parameter contains invalid data
Example:
tmsh create sys crypto csr tmsh_csr_lowercase_20861 common-name 'ca:true' key default.key basic-constraints ca:true
Impact:
The error thrown is not meaningful hence it is difficult to identify the invalid parameters.
Workaround:
None
1104553-2 : HTTP_REJECT processing can lead to zombie SPAWN flows piling up
Links to More Info: BT1104553
Component: Local Traffic Manager
Symptoms:
In the execution of a specific sequence of events, when TCL attempts to execute the non-existing event, it follows a path which in turn makes SPAWN flow to become a zombie, which pile up over time showing up on the monitoring system.
Conditions:
-- http2, client-ssl, optimized-caching filters on the virtual server
-- HTTP::respond iRule with LB_FAILED event and set of iRules like HTTP_REQUEST, HTTP_RESPONSE, CLIENTSSL_HANDSHAKE, CACHE_RESPONSE, ASM_REQUEST_BLOCKING
-- send http2 request through the virtual server
Impact:
Clients may not be able to connect to the virtual server after a point in time.
1103953-1 : SSMTP errors in logs every 20 minutes
Links to More Info: BT1103953
Component: TMOS
Symptoms:
An error is logged every 20 minutes to /var/log/maillog
err sSMTP[9797]: Unable to connect to "localhost" port 25.
err sSMTP[9797]: Cannot open localhost:25
The symptoms are similar to what you see in https://support.f5.com/csp/article/K60914243 but the solution in that article will not help. K60914243 talks about 15.x while current issue is on 16.x.
Conditions:
This occurs in one of the following happens
1. You have manually deleted restjavad or restnoded log files with following commands
rm /var/log/restjavad*
rm /var/log/restnonded*
2. One of the restjavad/restnoded log files is small and unable to rotate (rotation fails). This happens when file size does not exceed default "max-file-size"
Impact:
Log rotation for restjavad/restnoded will be stuck. You may see system emails about sSMTP errors every 20 minutes.
Workaround:
This issue subsides if you manually create a file for the stuck log file.
1. Open a command terminal
2. Run # ls -l /var/log/restnoded*
3. If you find that restnonded1.log is missing then manually create it
# touch /var/log/restnoded/restnoded1.log
4. Run # ls -l /var/log/restjavad*.log
5. If you find that restjavad.1.log is missing then manually create it
# touch /var/log/restjavad.1.log
1103833-2 : Tmm core with SIGSEGV in gtmpoolmbr_UpdateStringProc
Links to More Info: BT1103833
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm cored with SIGSEGV.
Conditions:
-- iRule pool command with member which is determined at run-time
-- A pool member is used for the iRule
-- The previous pool member is deleted and then re-created using the same name
-- That pool member is picked again for the next iRule event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use a string command to category the pool member variable like this:
pool dnspool member [string trim $pool_member]
1103477-3 : Refreshing pool member statistics results in error while processing requests
Links to More Info: BT1103477
Component: Global Traffic Manager (DNS)
Symptoms:
Pool member statistics aren't displayed and the page shows an error message 'An error has occurred while trying to process your request'.
Conditions:
-- A GTM pool is configured with one or more pool members.
-- The 'Refresh' button or the timer is used to fetch the pool member statistics again.
Impact:
Refresh does not work as expected.
Workaround:
Although the refresh button or refresh timer is broken, you can refresh the page to see updated statistics.
1103245 : Policies not being applied
Component: Traffic Classification Engine
Symptoms:
When two firewall policies are applied, one at a global level and one at the virtual server context, none of the policies are applied.
Conditions:
Apply two different policies, one at the virtual server context and the other at a global level.
Impact:
Policies are not applied
Workaround:
Attach the required policy either in global level or virtual server context, not in both
1101741-2 : Virtual server with default pool down and iRule pool up will flap for a second during a full config-sync.
Links to More Info: BT1101741
Component: TMOS
Symptoms:
During a full manual config-sync, a virtual server with a default pool which is down and an iRule pool which is up will flap for a second on the receiving unit.
For instance:
Apr 22 13:52:31 bigip-ntr-b.local notice mcpd[7733]: 01071682:5: SNMP_TRAP: Virtual /Common/my_vs has become unavailable
Apr 22 13:52:31 bigip-ntr-b.local notice mcpd[7733]: 010719e7:5: Virtual Address /Common/10.0.0.71 general status changed from GREEN to RED.
Apr 22 13:52:31 bigip-ntr-b.local notice mcpd[7733]: 010719e8:5: Virtual Address /Common/10.0.0.71 monitor status changed from UP to DOWN.
<...>
Apr 22 13:52:32 bigip-ntr-b.local notice mcpd[7733]: 01071681:5: SNMP_TRAP: Virtual /Common/my_vs has become available
Apr 22 13:52:35 bigip-ntr-b.local notice mcpd[7733]: 010719e7:5: Virtual Address /Common/10.0.0.71 general status changed from RED to GREEN.
Apr 22 13:52:35 bigip-ntr-b.local notice mcpd[7733]: 010719e8:5: Virtual Address /Common/10.0.0.71 monitor status changed from DOWN to UP.
Conditions:
-- device-group configured for full manual sync
-- virtual server with default pool down and iRule pool up
-- a config sync is initiated
Impact:
There is no impact to application traffic during the flapping, as the virtual server continues to function correctly even when the unit receiving the config-sync is the Active one.
However, the logs (and the ensuing SNMP traps) may be confusing to BIG-IP Administrators and/or network operators monitoring alarms from the system.
Workaround:
You can work around this issue by configuring the device-group for incremental config-sync instead (either manual or automatic).
1101653-2 : Query Type Filter in DNS Security Profile blocks allowed query types
Links to More Info: BT1101653
Component: Advanced Firewall Manager
Symptoms:
When NXDomain is moved to active/enabled, a query response does not work in the GUI.
Conditions:
NXDomain field is in enable state in filtered-query-type in GUI.
Impact:
The query response fails.
Workaround:
NXDomain field should not be enabled using the GUI.
NXDomain is always response type.
1100721-2 : IPv6 link-local floating self-IP breaks IPv6 query to BIND
Links to More Info: BT1100721
Component: Local Traffic Manager
Symptoms:
A IPv6 link-local floating self-IP breaks IPv6 query to BIND.
Conditions:
1. Create a DNS record in BIND.
2. Create an IPv6 floating self-IP (for example, 2002::139) and place it into traffic-group-1.
3. Create an IPv6 DNS listener using the newly created self-IP (2002::139).
So far a DNS query should be answered properly by BIND and TMM.
4. Create a dummy IPv6 floating self-IP using a link-local IP (for example, fe80::4ff:0:0:202) and place it into traffic-group-1.
Now, the DNS query from outside will be timed out.
Impact:
DNS requests will get timed out.
Workaround:
None
1100249-2 : SNAT with FLOW_INIT firewall rule may core TMM due to wrong type of underlying flow structure
Links to More Info: BT1100249
Component: Local Traffic Manager
Symptoms:
Tmm crashes with SIGSEGV while passing firewall traffic.
Conditions:
-- SNAT + firewall rule
-- FLOW_INIT used in an iRule
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1100081-1 : Error message "http_process_state_prepend - Invalid action:0x10a091" for version 15 and "http_process_state_prepend - Invalid action:0x107061" for versions 16 and 17 appears in the LTM log★
Links to More Info: BT1100081
Component: Access Policy Manager
Symptoms:
The error message "http_process_state_prepend - Invalid action:0x10a091" ("http_process_state_prepend - Invalid action:0x107061") erroneously appears in the /var/log/ltm log file.
The error message "Access encountered error: Access pcb policy result is neither not_started nor inprogress: 3" also appears in the /var/log/apm log file.
Conditions:
An http(s) virtual server that also has an Access profile and per-request-policy configured.
Impact:
There is no impact.
Workaround:
None
1099621-3 : DAG context synchronization debug instrumentation
Links to More Info: BT1099621
Component: TMOS
Symptoms:
The BIG-IP system lacks instrumentation for the exchange of tmm DAG state over the statemirror channels between high availability (HA) peers running on VELOS.
Conditions:
-- High availability (HA) pair running on VELOS
Impact:
When average application response latency increases and health checks flap and the DAG is suspected, instrumentation is unavailable.
Workaround:
None
1099373-2 : Virtual Servers may reply with a three-way handshake when disabled or when processing iRules
Links to More Info: BT1099373
Component: Local Traffic Manager
Symptoms:
Virtual servers may complete a three-way handshake before resetting a connection when they are disabled or when iRules process traffic for disabled virtual servers.
Conditions:
-- Virtual Server with a pool assigned
-- Pool is disabled administratively
Impact:
When a virtual server is marked as disabled and a client attempts to connect to it, tmm will normally send a reset to the first SYN packet. However, if you then administratively disable the pool ( disabled pool members - Not forced offline) tmm will complete the three-way handshake before sending resets. Additionally, when in this state, iRules will process and can pass traffic to pools if the iRule is configured to do that even though the virtual server status is disabled.
Workaround:
Avoid marking pools disabled or use forced offline for virtual servers that you want to administratively disable.
1097853-1 : Session Tracking screen may be missing the scroll bar after saving the configuration
Links to More Info: BT1097853
Component: Application Security Manager
Symptoms:
After pressing the Save button, the page may be refreshed without the ability to scroll down.
Conditions:
1. Go to Security ›› Application Security : Session Tracking screen.
2. Change the configuration, for example choose 'Use individual Login Pages' and move the login URL from available to Selected (under Session Tracking Configuration section).
3. Save.
Impact:
After the page is refreshed, the scroller may be not available.
Workaround:
Refresh the page again, and the scroll bar returns.
1096461-5 : TACACS system-auth Accounting setting has no effect when set to send-to-all-servers/send-to-first-server
Links to More Info: BT1096461
Component: TMOS
Symptoms:
If the destination address is a single server, then the accounting info is sent to only the particular server.
If the destination has multiple servers, then the accounting info is sent to all servers irrespective of the setting "auth tacacs system-auth accounting"
Conditions:
Select multiple destination addresses and change the "auth tacacs system-auth accounting" to send-to-first-server, the accounting information is sent to all the destination servers.
Impact:
You are unable to use send-to-first server functionality
Workaround:
None
1096317-4 : SIP msg alg zombie flows
Links to More Info: BT1096317
Component: Carrier-Grade NAT
Symptoms:
The SIP msg alg can disrupt the expiration of a connflow in a way that it stays alive forever.
Conditions:
SIPGmsg alg with suspending iRule commands attached.
Impact:
Zombie flow, which cannot be expired anymore.
Workaround:
Restart TMM.
1096165-4 : Tmm cored for accessing the pool after the gtm_add or updating topology record
Links to More Info: BT1096165
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm can crash
Conditions:
TMM process fails seconds after the gtm_add command is run or topology records are updated with large number of records.
Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.
Workaround:
Reduce the number of pools and the number of region records.
1095973-3 : Config load failure when Trusted CA Bundle is missing and URL is present in the Bundle Manager
Links to More Info: BT1095973
Component: TMOS
Symptoms:
1. BIG-IP will come up but there will be a config load failure.
2. During the upgrade, config sync issues occur.
Conditions:
1. Bundle Manager contains URL( exclude-url/include-url)
2. Trusted CA Bundle is not populated in the Bundle Manager.
Impact:
1. BIG-IP will be in "Inoperative"/"Not All Devices Synced" state
Workaround:
Add the Trusted CA Bundle (default ca-bundle.crt) to the Bundle Manager.
OR
Remove the URLS (both exclude-url and include-url) from the Bundle Manager.
1095909-1 : MAX_F5_ERROR_STR macro truncating log messages of size more than 1024 macro truncating log messages of size more than 1024
Links to More Info: BT1095909
Component: Access Policy Manager
Symptoms:
Truncated log messages are found in /var/log/apm
Conditions:
APM session variables that are large (e.g., policy_path, configVariableCatalogSessionKey)
Impact:
Some of the APM session variables are missing from /var/log/apm
1095205-4 : Config.auditing.forward.multiple db Variable with value "none" is not working as expected with multiple destination addresses in audit_forwarder.
Links to More Info: BT1095205
Component: TMOS
Symptoms:
When config.auditing.forward.multiple db is set to none, BIG-IP should restrict the system to send it to only one destination when multiple destination addresses are configured.
Conditions:
When configured to "none", logs are broadcasted to all the destination addresses. Working as "broadcast" mode.
Impact:
End user could not use "none" functionality
1093717-1 : BGP4 SNMP traps are not working.
Links to More Info: BT1093717
Component: TMOS
Symptoms:
BGP4 SNMP traps are not working.
Conditions:
--Perform any BGP related event and check for snmp traps.
Impact:
No BGP SNMP traps.
Workaround:
None
1093553-4 : OSPF "default-information originate" injects a new link-state advertisement
Links to More Info: BT1093553
Component: TMOS
Symptoms:
When configured with "default-information originate", the BIG-IP system might inject a new 0.0.0.0 link-state advertisement when receiving a default route from an OSPF neighbor.
This results in two 0.0.0.0 link-state advertisements being advertised from the box.
Conditions:
"default-information originate" is configured.
Impact:
Duplicate link-state advertisements
Workaround:
None
1093545-4 : Attempts to create illegal virtual-server may lead to mcpd crash.
Links to More Info: BT1093545
Component: Local Traffic Manager
Symptoms:
Mcpd crashes after the creation of virtual server with incorrect or duplicate configuration is attempted.
Conditions:
-- One or more attempts to create a virtual server with an illegal configuration are performed (i.e. attempts to create a virtual server that shares a configuration with an existing virtual server or has an incorrect configuration)
Impact:
Mcpd crashes with __GI_abort. Traffic disrupted while mcpd restarts.
Workaround:
None
1093313-2 : CLIENTSSL_CLIENTCERT iRule event is not triggered for TLS1.3 when the client sends an empty certificate response
Links to More Info: BT1093313
Component: TMOS
Symptoms:
When an SSL client connects to the BIG-IP system using TLS 1.3 and sends an empty certificate, the CLIENTSSL_CLIENTCERT iRule event is not triggered.
Conditions:
-- Virtual server configured on BIG-IP with SSL and iRule added
-- Client authentication for client certificates is set to "request"
-- iRule relying on CLIENTSSL_CLIENTCERT
-- A client connects to BIG-IP using TLSv1.3 protocol without a certificate(empty certificate)
Impact:
CLIENTSSL_CLIENTCERT irules aren't triggered.
Workaround:
None
1093061-2 : MCPD restart on secondary blade during hot-swap of another blade
Links to More Info: BT1093061
Component: Local Traffic Manager
Symptoms:
In rare instances, inserting a new blade into a VIPRION system can trigger a config error on another secondary blade due to attempting to delete the old blade's physical disk while it is still "in use":
err mcpd[7965]: 01070265:3: The physical disk (S3F3NX0J902788) cannot be deleted because it is in use by a disk bay (1).
err mcpd[7965]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070265:3: The physical disk (S3F3NX0J902788) cannot be deleted because
This causes MCPD to restart on the secondary blade due to the config error.
Conditions:
-- VIPRION system with at least 3 blades
-- Remove a blade and replace it with a different one
Impact:
-- MCPD restarts on the secondary blade other than the blade that was replaced.
The config error triggering this is due to an issue with the cluster syncing process between blades; however, the config issue is temporary, and should be resolved after mcpd restarts on the secondary blade.
Workaround:
None
1091785-2 : DBDaemon restarts unexpectedly and/or fails to restart under heavy load
Links to More Info: BT1091785
Component: Local Traffic Manager
Symptoms:
While under heavy load, the Database monitor daemon (DBDaemon) may:
- Restart for no apparent reason
- Restart repeatedly in rapid succession
- Log the following error while attempting to restart:
java.net.BindException: Address already in use (Bind failed)
- Fail to start (remain down) after several attempts, leaving database monitors disabled and marking monitored resources Down.
Conditions:
- One or more active GTM and/or LTM database monitors are configured with short probe-timeout, interval and timeout values (for example, 2, 5, or 16 respectively).
- A large number (for example, 2,000) of GTM and/or LTM database monitor instances (combinations of above monitor and pool member) are configured.
- Active GTM and/or LTM database monitors are configured with debug yes and/or count 0.
Impact:
The DBDaemon restarts for no apparent reason.
The DBDaemon fails to start (remain down) after several attempts, leaving database monitors disabled and marking monitored resources Down.
Workaround:
The conditions that are suspected to cause these symptoms include effects of ID1025089. Measures to prevent or reduce occurrences of ID1025089 (by reducing database monitor workload) will likely also prevent or reduce occurrences of these symptoms.
If the DBDaemon fails to restart, the following steps may allow DBDaemon to restart successfully upon the next database monitor probe:
-- Check for a running instance of DBDaemon with the following command:
ps ax | grep -v grep | grep DBDaemon
-- If DBDaemon is running, this command will return a set of parameters including the numerical process ID (PID) at the beginning of the line and a command line that begins with "/usr/lib/jvm/jre/bin/java" and includes the parameter "com.f5.eav.DBDaemon", such as:
24943 ? Ssl 46:49 /usr/lib/jvm/jre/bin/java -cp /usr/lib/jvm/jre/lib/rt.jar:/usr/lib/jvm/jre/lib/charsets.jar:/usr/share/monitors/postgresql-jdbc.jar:/usr/share/monitors/DB_monitor.jar:/usr/share/monitors/log4j.jar:/usr/share/monitors/mssql-jdbc.jar:/usr/share/monitors/mysql-connector-java.jar:/usr/share/monitors/ojdbc6.jar -Xmx512m -Xms64m -XX:-UseLargePages -DLogFilePath=/var/log/DBDaemon-0.log com.f5.eav.DBDaemon 1521 24943 0
-- If a running DBDaemon process is identified, use the "kill" command to terminate the running DBDaemon process:
kill #
(where # is the DBDaemon PID from the above "ps" command)
-- Repeat the above "ps" command to confirm that the DBDaemon process has been terminated. If a new DBDaemon process has not been started (with a different PID), proceed to the next steps.
-- Check the /var/run directory for the presence of any files with names beginning with "DBDaemon", such as:
/var/run/DBDaemon-0.lock
/var/run/DBDaemon-0.pid
/var/run/DBDaemon-0.start.lock
Note: The numeric value in the above example filenames corresponds to the Route Domain of pool members monitored by database monitors. If the database monitors are only applied to pool members in the default route domain (RD 0), that value will be "0" as seen above. If database monitors are applied to pool members in a non-default route domain (RD 7, for example), the numeric value will correspond to that route domain, such as:
/var/run/DBDaemon-7.lock
/var/run/DBDaemon-7.pid
/var/run/DBDaemon-7.start.lock
-- If no DBDaemon process is running, delete any /var/run/DBDaemon* files. It is especially important to delete:
/var/run/DBDaemon-#.start.lock (indicates DBDaemon restart is in progress and that no further restart actions should be attempted)
/var/run/DBDaemon-#.pid (indicates current DBDaemon PID)
-- If the above actions do not result in DBDaemon restarting upon the next database monitor ping, then a complete BIG-IP restart will likely be required to recover from unknown conditions within the Java subsystem that may prevent successful DBDaemon operation:
bigstart restart
or:
reboot
1091509-3 : SAML Artifact resolution service fails to resolve artifacts on same IP after reboot
Links to More Info: BT1091509
Component: Access Policy Manager
Symptoms:
Unable to authenticate, following error message in the APM log will occur:
<DATE> <HOSTNAME> err apmd[13026]: 0149021a:3: /Common/SPTesting_ap:Common:524ba34e: SAML Agent: /Common/SPTesting_ap_act_saml_auth_ag failed to process SAML artifact, error: Failed to resolve Artifact
<DATE> <HOSTNAME> err apmd[13026]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "sendSAMLArtifactResolveRq()" line: 6328 Msg: Failed to connect to artifact resolution service. Error (56): Failure when receiving data from the peer
<DATE> <HOSTNAME> err apmd[13026]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "resolveSAMLArtifact()" line: 6380 Msg: Error resolving artifact
Conditions:
- APM as SP with Artifact Resolution
- ARS service uses internal IP
- Configured serverssl profile for Artifact Resolution Service in IDP connector
Impact:
ARS will fail to resolve and users will not be able to authenticate.
Workaround:
Disable the 'serverssl-profile-name' in the IDP connector configuration.
1091505 : In AGC 8.0 you cannot choose from existing SSL profiles
Links to More Info: BT1091505
Component: iApp Technology
Symptoms:
In AGC, during Zero Trust >> Identity Aware Proxy configuration, in the Virtual Server Properties, the Client SSL Profile has the Use Existing selected by default and the drop-down is used to select a profile.
Profiles created at Local Traffic ›› Profiles : SSL : Client are not available in this drop-down.
Conditions:
You wish to assign a different SSL profile to the virtual server.
Impact:
SSL profiles created at Local Traffic ›› Profiles : SSL : Client are not available in the drop-down in AGC.
Workaround:
Create a SSL profile while in the AGC using the Create New option in drop-down and this will be available in future deployments.
1091021-2 : The BIG-IP system may not take a fail-safe action when the bigd daemon becomes unresponsive.
Links to More Info: BT1091021
Component: Local Traffic Manager
Symptoms:
You may observe LTM monitors malfunctioning on your system. For instance, you may notice some probes are not sent out on the network, and some monitored objects are showing the wrong status.
Conditions:
-- The bigd daemon consists of multiple processes (which you can determine by running "ps aux | grep bigd").
-- One or more of the processes (but not all of them) become disrupted for some reason and stop serving heartbeats to the sod daemon.
Under these conditions, sod will not take any fail-safe action and the affected bigd processes will continue running impaired, potentially indefinitely.
Impact:
LTM monitoring is impacted.
Workaround:
If you suspect this issue is occurring in your system, you can resolve it by killing all bigd processes using the following command:
pgrep -f 'bigd\.[0-9]+' | xargs kill -9
However, this does not prevent the issue from manifesting again in the future if the cause for bigd's disruption occurs again.
Monitoring may become further disrupted as bigd restarts, and a failover may occur depending on your specific configuration.
Another work around is to set only one bigd if that is possible.
modify sys db bigd.numprocs value 1
If only a single bigd is available, sod will detect when it is down.
1090313-3 : Virtual server may remain in hardware SYN cookie mode longer than expected
Links to More Info: BT1090313
Component: TMOS
Symptoms:
A virtual server may remain in hardware SYN cookie mode longer than expected after the SYN flood attack has stopped. The TMSH 'show ltm virtual' command shows that the virtual has already exited SYN Cookie mode, but the SYN packets are still responded from hardware for a few minutes longer.
Conditions:
The problem is a result of a race condition in TMM, so the issue might show up intermittently.
Impact:
Discrepancy between the actual SYN Cookie mode and the reported SYN Cookie mode for a short period of time after a SYN flood attack.
Workaround:
Disable hardware SYN Cookie mode.
1089685-1 : [APM]Webtop loading issue when 'oneconnect' profile is attached to a virtual server
Links to More Info: BT1089685
Component: Access Policy Manager
Symptoms:
The webtop hangs intermittently.
Conditions:
-- Virtual server with 'oneconnect' profile
-- BIG-IP Version v16.1.2.1
Impact:
Unable to use resources on webtop
Workaround:
Removing 'oneconnect' profile from virtual server resolves this issue.
1089293 : Backend password reset is not working in Webtop when sso is disabled.
Links to More Info: BT1089293
Component: Access Policy Manager
Symptoms:
Backend password change does not work if initial credential (username) is different than the credential used for backend VMware servers.
Conditions:
1) Logon to APM webtop with user1
2) Go to VMware server application login with different user like user2, before that set the password reset option for user2 in AD
3) once the password reset is clicked you encounter an error " login to your resource failed)"
Impact:
User is unable to reset password, if the credentials are expired for backend VMware servers.
Workaround:
None
1087981-2 : Tmm crash on "new serverside" assert
Links to More Info: BT1087981
Component: Local Traffic Manager
Symptoms:
TMM cores with "new serverside" assert.
Conditions:
This can occur while passing UDP traffic while tmm is under memory pressure.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1087569-4 : Changing max header table size according HTTP2 profile value may cause stream/connection to terminate
Links to More Info: BT1087569
Component: Local Traffic Manager
Symptoms:
BIG-IP initializes HEADER_TABLE_SIZE to the profile value and thus when it exceeds 4K (RFC default), the receiver's header table size is still at the default value. Therefore, upon receiving header indexes which has been removed from its table, receiver sends GOAWAY (COMPRESSION_ERROR)
Conditions:
-- HTTP2 profile used in a virtual server
-- In the HTTP2 profile, 'Header Table Size' is set to a value greater than 4096
Impact:
Stream/connection is terminated with GOAWAY (COMPRESSION_ERROR)
Workaround:
Issue can be avoided by restoring the header-table-size value to the default of 4096
1087005-2 : Application charset may be ignored when using Bot Defense Browser Verification
Links to More Info: BT1087005
Component: Application Security Manager
Symptoms:
In some cases, when using Bot Defense Browser Verification, the application <meta charset> tag may be ignored.
Conditions:
-- Bot Defense Profile is attached to a virtual server.
-- Bot Defense "Browser Verification" is configured to "Verify Before Access" or "Verify After Access"
-- Backend application uses non-standard charset.
Impact:
Random meta chars are viewed in the web page.
Workaround:
Run the command:
tmsh modify sys db dosl7.parse_html_inject_tags value "after,body"
1086865-2 : GTM sync fails when trying to create/sync a previously deleted partition.
Links to More Info: BT1086865
Component: Global Traffic Manager (DNS)
Symptoms:
GTM synchronization fails when creating a GTM object in a previously deleted folder/partition from another BIG-IP.
Conditions:
GTM object created in a previously deleted folder/partition.
Impact:
GTM Sync failure.
1086473-3 : BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake
Links to More Info: BT1086473
Component: Local Traffic Manager
Symptoms:
When a client attempts to resume the TLS session using the Session-ID in its Client Hello from a previous session, the BIG-IP agrees by using the same Session-ID in its Server Hello, but then proceeds to perform a full handshake (Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done) instead of an abbreviated handshake (Server Hello, Change Cipher Spec, Server Hello Done).
This is a violation of the TLS RFC.
Conditions:
- High availability (HA) pair of two BIG-IP units.
- LTM virtual server with a client-ssl profile.
- Mirroring enabled on the virtual server
Impact:
Client-side TLS session resumption not working.
Workaround:
Disable mirroring on the virtual server
1084901-1 : Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh
Links to More Info: BT1084901
Component: Advanced Firewall Manager
Symptoms:
You are unable to modify IPV6 + Route domain for Network Firewall Rule Lists using the GUI
Conditions:
-- AFM is provisioned
-- IPv6 with route domain is being used in an address list
Impact:
Unable to create/manage Firewall rule lists for IPv6 with a route domain.
Workaround:
Use tmsh to create/manage firewall rule lists for IPv6 with a route domain.
1084133-1 : At device level ICMP frags are not counting for BA and BD
Links to More Info: BT1084133
Component: Advanced Firewall Manager
Symptoms:
BD stats are not counting due to this attack was not opened at BD level.
Conditions:
Configure BD for ICMP at device level.
Impact:
Stats not incrementing and attack will not be detected.
Workaround:
None
1083589-3 : Some connections are dropped on chained IPv6 to IPv4 virtual servers.
Links to More Info: BT1083589
Component: Local Traffic Manager
Symptoms:
IPv6 virtual servers targeting IPv4 virtual servers (for example, using the 'virtual' iRule command) might drop traffic coming from some clients unexpectedly.
Note: See also ID1002945 (https://cdn.f5.com/product/bugtracker/ID1002945.html), which is a closely related issue.
Conditions:
- IPv6 to IPv4 virtual server chaining.
Impact:
Traffic is dropped.
Workaround:
Apply a SNAT with an IPv4 address to the IPv6 virtual server.
1083405-3 : "Error connecting to named socket" from zrd
Links to More Info: BT1083405
Component: Global Traffic Manager (DNS)
Symptoms:
After an mcpd restart, zrd may not be able to re-establish a connection to named. This shows up in the /var/log/gtm file or in the GUI with a message similar to the following:
err zrd[27809]: 01150306:3: Error connecting to named socket 'Connection refused'.
(or)
err zrd[16198]: 01150306:3: Error connecting to named socket 'Connection timed out'.
Conditions:
After an mcpd restart
Impact:
Looking up or modifying zone records may fail.
Workaround:
Restart zrd and named
tmsh restart sys service zrd named
1083053-2 : Apmd memory grows over time in AD auth scenarios
Links to More Info: BT1083053
Component: Access Policy Manager
Symptoms:
Apmd memory grows over time. It is not a memory leak. It is mainly due to memory fragmentation due to memory sharing among apmd threads.
Conditions:
The access policy in use has Active Directory auth as one of the agents
Impact:
Apmd memory grows over time. After it grows beyond a limit, oom killer might kill apmd thereby lead to a traffic disruption.
Workaround:
None
1082197-1 : RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response
Links to More Info: BT1082197
Component: Global Traffic Manager (DNS)
Symptoms:
Synthetic SOA returned by BIG-IP has the MNAME and RNAME fields reversed, resulting in the wrong values being noted as the primary name server and mailbox of administrator, respectively.
Conditions:
-- Set the failure-rcode-response enabled and failure-rcode-ttl on a down WIP.
-- Perform a DNS query.
-- Observe the SOA.
Impact:
Per RFC (rfc1035) the order of the fields is significant and MNAME must come before RNAME. When reversed, consumers of the synthetic SOA will associate the wrong values with the wrong fields.
1082193-3 : TMSH: Need to update the version info for SERVER_INIT in help page
Links to More Info: BT1082193
Component: TMOS
Symptoms:
The SERVER_INIT iRule event was introduced in version 14.0.0. But in tmsh help it is showing as version 13.1.0.
Conditions:
-- Using tmsh to configure an iRule event
-- The BIG-IP version is 13.1.0 and you use tab complete for 'tmsh help ltm rule event SERVER_INIT'
Impact:
The tmsh help makes it appear as if SERVER_INIT is supported in version 13.1.0 when it is not.
Workaround:
None
1082133-3 : iSeries LCD displays "Host inaccessible or in diagnostic mode"
Component: TMOS
Symptoms:
The LCD displays "Host inaccessible or in diagnostic mode" for an extended period of time when platform_check is running.
Conditions:
This will occur when platform_check is running after booting up an iSeries BIG-IP system.
Impact:
LCD is unusable until the system is rebooted.
Workaround:
Wait 5 minutes.
If the LCD is still displaying "Host inaccessible or in diagnostic mode" after this time period, reboot the BIG-IP system.
1080985-1 : Route Domain ID specified in Address list does not take effect on virtual server IP via TMC.
Component: Local Traffic Manager
Symptoms:
An incorrect virtual server is created because of a non-existent virtual address.
Conditions:
-- Address list is created with an IP addresses on a non-default route domain.
-- Traffic matching criteria is created by assigning the above address list without specifying a route domain.
-- Assign the above traffic matching criteria (TMC) object to the virtual server.
Impact:
The virtual server that is created does not function properly due to the incorrect virtual address.
Workaround:
Set the route-domain of the traffic-matching criteria to an appropriate route-domain value.
(tmos)# modify ltm traffic-matching-criteria <TMC_name> route-domain <route_domain_name>.
1080957-4 : TMM Seg fault while Offloading virtual server DOS attack to HW
Links to More Info: BT1080957
Component: Advanced Firewall Manager
Symptoms:
TMM crashes during virtual server DOS attack scenarios.
Conditions:
-- HSB-equipped hardware platforms.
-- The attack is detected on configured virtual server Dos Vector and trying to offload to hardware.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1080925-3 : Changed 'ssh-session-limit' value is not reflected after restarting mcpd
Links to More Info: BT1080925
Component: TMOS
Symptoms:
Change 'ssh-session-limit' field from 'disabled' to 'enable'. Save the config . Restart the mcpd and check the value of the field 'ssh-session-limit'. It appears to be the same 'disabled'.
Conditions:
The issue occurs when MCPD restores the configuration from its binary database file.
Impact:
Enabling and disabling "ssh-session-limit" will have an undesirable effect when creating ssh sessions, and you will not be able to edit the field.
Workaround:
None
1079985-3 : int_drops_rate shows an incorrect value
Links to More Info: BT1079985
Component: Advanced Firewall Manager
Symptoms:
int_drops_rate shows an incorrect value, it shows a cumulative value instead of an avg value, same as int_drops and syncookies.hw_syncookies.
Conditions:
A tcp-halfOpen attack or similar SYN attack where SYNs are flooded into the BIG-IP system.
Impact:
It is difficult to figure out the drop rate per second
Workaround:
None
1079237-1 : After certain configuration tasks are performed, TMM may run with stale SNAT translation parameters.
Links to More Info: BT1079237
Component: Local Traffic Manager
Symptoms:
A SNAT translation object instantiated by performing specific configuration tasks (see Conditions) does not work.
For example:
- Connections might be reset with cause "No available SNAT addr".
- An unexpected IP address might be used to SNAT the outgoing traffic.
Conditions:
This issue is known to occur when one of the following operations is performed:
- Restoring a UCS or SCF archive in which a SNAT translation with a specific name specifies a different IP address or route domain.
- Performing a config-sync between redundant units in which the sender changes a SNAT translation with a specific name to use a different IP address or route domain.
- Performing specific tmsh CLI transactions involving SNAT translation modifications.
Impact:
The system does not use the configured SNAT translation address. Traffic will be impacted as a result (for example, reset connections or incorrect source IP address in outgoing traffic).
Workaround:
Restart TMM (bigstart restart tmm) on affected units.
1079053-1 : SSH Proxy feature is not working in FIPS Licensed platforms
Links to More Info: BT1079053
Component: Advanced Firewall Manager
Symptoms:
AFM SSH is not working when FIPS license is enabled.
Conditions:
When you configure AFM SSH Proxy and enable FIPS License.
Impact:
AFM SSH-related features such as, SCP and SFTP cannot be used.
Workaround:
NA
1078357-2 : HTTP_REJECT processing can lead to zombie SPAWN flows
Links to More Info: BT1078357
Component: Local Traffic Manager
Symptoms:
Due to the presence of a specific set of events in the iRule, the Bloom filter may cause TCL to execute an event that is not implemented in the iRule.
In the execution of a sequence of events, when TCL attempts to execute the non-existing event, it follows a path which in turn makes SPAWN flow to become a zombie.
Conditions:
-- http2, client-ssl, optimised-caching filters on the virtual server
-- HTTP::respond iRule with LB_FAILED event and set of iRules like HTTP_REQUEST, HTTP_RESPONSE, CLIENTSSL_HANDSHAKE, CACHE_RESPONSE, ASM_REQUEST_BLOCKING
-- send http2 request through the virtual server
Impact:
Causes issues with monitoring system
1077789-4 : System might become unresponsive after upgrading.★
Links to More Info: BT1077789
Component: TMOS
Symptoms:
After upgrading, the system encounters numerous issues:
-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory amount assigned to 'host' category.
Conditions:
-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.
Exact conditions that trigger this issue are unknown and could be varied. In the environment in which it occurs, a datagroup is deleted, but an iRule still references it.
Impact:
-- System down, too busy to process traffic.
-- Difficulty logging in over SSH might require serial console access.
Workaround:
Reboot to an unaffected, pre-upgrade volume.
-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.
-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.
Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.
For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.
1077293-2 : APPIQ option still showing in BIG-IP GUI even though its functionality migrated to BIG-IQ.
Links to More Info: BT1077293
Component: TMOS
Symptoms:
AppIQ is still visible in the System :: Configuration screen.
Conditions:
Navigating to the System :: Configuration : AppIQ page.
Impact:
AppIQ appears to be able to be provisioned but it has been removed from the BIG-IP system.
Workaround:
N/A
1076801-4 : Loaded system increases CPU usage when using CS features
Component: TMOS
Symptoms:
When the BIG-IP system is under heavy load, datasyncd might create multiple java obfuscator processes running at the same time, which increases load even more.
Conditions:
-- CPU utilization on the BIG-IP system is high.
And one or more of the following conditions:
-- Bot Defense profile is attached to a virtual server
-- DoS profile with CS/Captcha mitigation is attached to the virtual server
-- ASM policy with brute force configuration is attached to the virtual server
Impact:
System load is increased.
Workaround:
None.
1076477-2 : AFM allows deletion of a firewall policy even if it's being used in a route domain.
Links to More Info: BT1076477
Component: Advanced Firewall Manager
Symptoms:
AFM allows you to delete a firewall policy that is still applied to a route domain.
Conditions:
A firewall policy is created and assigned to a route domain.
Impact:
The firewall policy can be deleted without warning or error.
Workaround:
Before deleting a firewall policy check to make sure it is not being used in any route domain.
1076165-1 : GRPC traffic does not work with DoSL7.
Links to More Info: BT1076165
Component: Application Security Manager
Symptoms:
GRPC trailers are not passing from server to client.
Conditions:
DoSL7 profile is attached to a gRPC virtual server.
Impact:
GRPC traffic is not passing correctly.
Workaround:
N/A
1075545 : Changing the datasyncd activation-epoch results in high CPU usage for 24 hours
Links to More Info: BT1075545
Component: Fraud Protection Services
Symptoms:
Changing the datasync activation time by creating a new datasync profile results in double the amount of obfuscation processes running simultaneously.
Conditions:
Creating a new datasync profile with a different activation-epoch
Impact:
High CPU usage for up to 24 hours
1075469-1 : DNS GUI: Refreshing a DNS Express record sometimes fails to populate the server.
Links to More Info: BT1075469
Component: Global Traffic Manager (DNS)
Symptoms:
Although there are name servers for the non-common partition, the Server field populates as "None".
Conditions:
-- Updating the DNS express record by performing enable/disable operations.
Impact:
DNS express Server is shown as None for a DNS zone record.
Workaround:
Refresh the page and it will display the correct value.
1075045-1 : Proxy initialization failed, Defaulting to DENY, after applying additional profile to a virtual server
Links to More Info: BT1075045
Component: Local Traffic Manager
Symptoms:
Connections are reset when accessing a virtual server, with an F5 reset cause of "Port denied".
Messages in /var/log/ltm:
err tmm[<PID>]: 01010008:3: Proxy initialization failed for <virtual server>. Defaulting to DENY.
err tmm[<PID>]: 01010008:3: Listener config update failed for <virtual server>: ERR:ERR_MEM
Conditions:
-- Virtual server configured with many profiles
-- Adding an additional profile to the virtual server
Impact:
All connections to the virtual server are immediately reset.
Workaround:
Reduce the number of profiles applied to the virtual server.
1074841-1 : Invalid syslog configuration kills syslog-ng after restarting syslog-ng.
Links to More Info: BT1074841
Component: TMOS
Symptoms:
Syslog-ng is stopped after restarting syslog-ng with an invalid syslog configuration.
Conditions:
--Invalid syslog-ng configuration.
--bigstart restart syslog-ng
Impact:
Syslog-ng is stopped.
Workaround:
N/A
1074513-3 : Traffic class validation does not detect/prevent attempts to add duplicate traffic classes to virtual
Links to More Info: BT1074513
Component: TMOS
Symptoms:
Tmm crashes after adding a traffic class.
Conditions:
-- Virtual server with two traffic classes
-- A third traffic class is added via tmsh
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1074053-1 : Delay in displaying the "Now Halting..." message while performing halt from LCD.
Links to More Info: BT1074053
Component: TMOS
Symptoms:
While halting the system from LCD panel, the "Now Halting..." message takes 90 seconds to appear.
Conditions:
Perform the system halt operation from the LCD front panel.
Impact:
Delay in processing the halt operation.
Workaround:
N/A
1073965-1 : IPsec IKEv2 tunnel may report huge "life" for IKE SA.
Links to More Info: BT1073965
Component: TMOS
Symptoms:
The output of "tmsh show net ipsec ike-sa" will report an impossibly high life value.
tmsh show net ipsec ike-sa | grep Life
Life/Active Time: 18446744073709551028/6 seconds
Decrypting the IKE AUTH payload will show something similar to this:
Decrypted Data (160 bytes)
Contained Data (156 bytes)
Payload: Identification - Responder (36)
Payload: Authentication (39)
Payload: Security Association (33)
Payload: Traffic Selector - Initiator (44) # 1
Payload: Traffic Selector - Responder (45) # 1
Payload: Notify (41) - AUTH_LIFETIME
Next payload: NONE / No Next Payload (0)
0... .... = Critical Bit: Not Critical
.000 0000 = Reserved: 0x00
Payload length: 12
Protocol ID: RESERVED (0)
SPI Size: 0
Notify Message Type: AUTH_LIFETIME (16403)
Notification DATA: fffffdb4
Authentication Lifetime: 4294966708 seconds (1193046 hour(s) 18 minute(s) 28 second(s))
Padding (3 bytes)
Pad Length: 3
Conditions:
-- IKEv2
-- BIG-IP is initiator
-- Responder sends very high value (close to maximum possible in 4 byte payload) for Authentication Lifetime in IKE AUTH phase.
Impact:
In general this is not a problem unless the DPD/liveness is disabled and the remote peer silently goes away. Under perfect conditions, the remote peer would send a delete for the IKE SA to the BIG-IP and cause the BIG-IP (as initiator) to start a new IKE SA as required.
Workaround:
Ensure the remote peer sends a more reasonable value such as 1 day for the IKE AUTH lifetime.
Strongswan devices have been observed to send a very high value when configured with an unreasonably low "ikelifetime" (in the order of a few minutes).
1073897-2 : TMM core due to memory corruption
Links to More Info: BT1073897
Component: Local Traffic Manager
Symptoms:
Tmm restarts
Conditions:
Unknown
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1073673-1 : Prevent possible early exit from persist sync
Links to More Info: BT1073673
Component: Global Traffic Manager (DNS)
Symptoms:
When a new GTM is added to the Sync group, it takes a significant amount of time, and the newly added GTM won't become ready.
Conditions:
-- GTMs in a cluster with a large number of persist records
-- A new GTM device is added
Impact:
Clients of the BIG-IP GTM do not receive an answer, and application failures may occur.
Workaround:
None
1073429-1 : Auth partition definition is incorrectly synchronized to peer and then altered.
Links to More Info: BT1073429
Component: TMOS
Symptoms:
An auth partition definition with "device-group none" and "traffic-group none" is incorrectly synchronized to other devices during a full config-sync.
Specifically, the partition is incorrectly synchronized to all other devices that belong to the device-group to which the /Common partition is associated.
Furthermore, the receiving devices incorrectly alter the definition of said partition, in such a way that the definition no longer specifies "device-group none" and "traffic-group none". Instead, this partition will now have inheritance (from the root folder) enabled for both the device-group and traffic-group properties.
Conditions:
Creating an auth partition (for example /Example) which specifies "device-group none" and "traffic-group none" on redundant units, and then issuing a full config sync to the device-group.
Note that even if your device-group is configured to perform incremental syncs, sometimes performing a full sync between devices is a natural and unavoidable event.
Impact:
The definition of an auth partition that was meant to remain local to a given BIG-IP system is incorrectly synchronized to peer devices. Additionally, its device-group and traffic-group properties are altered so that inheritance from the root folder is now enabled.
Initially, this has no other negative consequences, as the configuration objects contained in the "local partition" of the source device are not synchronized. However, a further config sync from the initial receiving device to the initial source device will overwrite the device-group and traffic-group properties there. Once in this state, the unit that contains configuration objects in the "local partition" will synchronize them to the peers during the next config-sync. This can impact the application traffic based on the objects synchronized.
Workaround:
You cannot work around this issue.
However, you may be able to achieve your goal of having a repository for local-only objects by creating a subfolder to the /Common partition rather than creating a new partition.
For example:
tmsh create sys folder /Common/local device-group none traffic-group none
1073273-1 : RESOLVER::name_lookup not returning truncated responses
Links to More Info: BT1073273
Component: Global Traffic Manager (DNS)
Symptoms:
The iRule RESOLVER::name_lookup function will not return DNS answers when the query response is larger than 4096 bytes.
Conditions:
Send a query through RESOLVER::name_lookup where the expected answer returned would be greater than 4096 bytes.
Impact:
Even if there are valid answers to be returned, no answers will be returned if the size of the response packet is greater than 4096 bytes.
1072397-1 : VLAN failsafe failover does not occur in three-node device group
Links to More Info: BT1072397
Component: Local Traffic Manager
Symptoms:
VLAN failsafe fails to activate the next-active device in a device group.
Conditions:
-- Three devices in a sync/failover device group
-- A VLAN goes down on the active device, or is unable to communicate with the device group
Impact:
-- VLAN failsafe does not trigger and the next-active device does not become active
1072173-1 : The BIG-IP system incorrectly presents legacy ways of defining mirroring properties
Links to More Info: BT1072173
Component: TMOS
Symptoms:
The 'sys state-mirroring' section in tmsh, as well as the following db keys, are deprecated and should not be used to define the mirroring properties of a device:
sys db statemirror.ipaddr
sys db statemirror.peeripaddr
sys db statemirror.secondary.ipaddr
sys db statemirror.secondary.peeripaddr
sys db statemirror.state
If you wish to configure the mirroring properties of a BIG-IP device, please use the 'cm' section in tmsh, or use the configuration utility under Device Management > Devices.
Each device only needs to set its own properties, for instance:
tmsh modify cm device bigip-ntr-a.local mirror-ip 10.0.0.60
tmsh modify cm device bigip-ntr-a.local mirror-secondary-ip 192.168.1.60
Conditions:
BIG-IP Administrator configuring mirroring properties.
Impact:
Using one of the deprecated ways to configure mirroring will not achieve the intended result. These may be removed from the product in a future version to avoid confusion and errors.
Workaround:
None
1072081-1 : Imish segmentation fault when running 'ip pim sparse-mode ?' on interface config.
Links to More Info: BT1072081
Component: TMOS
Symptoms:
Imish crahses and produces a core file.
Conditions:
-- Add PIM to a route-domain
-- Run 'ip pim sparse-mode ?' while on imish configuration mode on interface level
Impact:
No real impact.
Workaround:
N/A
1071385-3 : SSL session resumption is incorrectly logging handshake failure messages
Links to More Info: BT1071385
Component: Local Traffic Manager
Symptoms:
Handshake failure messages are logged when the handshake was successful.
Conditions:
-- Client establishes connection with session resumption option
Impact:
Inaccurate information in log.
Workaround:
None
1071021-1 : Some URLs such as *cdn.onenote.net configured in the Office 365 dynamic address space are not processed by APM
Links to More Info: BT1071021
Component: Access Policy Manager
Symptoms:
Dynamic address space parser not accepting few patterns(*cdn.example.net) which are added at the DNS address space field.
Conditions:
When the user configures Office 365 Dynamic Address Space with URLs formats like:
*-admin.sharepoint.com
*cdn.onenote.net
*-files.sharepoint.com
*-myfiles.sharepoint.com
Impact:
Due to the above pattern DNS relay proxy is not compatible with them.
Workaround:
None
1070957-1 : Database monitor log file backups cannot be rotated normally.
Links to More Info: BT1070957
Component: Local Traffic Manager
Symptoms:
Debug log files used by the BIG-IP database monitor daemon (DBDaemon) do not exhibit the log-rotation behavior of other BIG-IP log files.
- The active DBDaemon log file is /var/log/DBDaemon-0.log
- DBDaemon log file size is limited to approximately 5MB. DBDaemon log files are backed up/rotated upon reaching this size.
- Exactly 9 (nine) DBDaemon log file backups are retained (/var/log/DBDaemon-0.log.[1-9])
- DBDaemon log file backups are not compressed.
- DBDaemon log file backup/rotation behavior is not user-configurable.
Conditions:
This issue applies when using BIG-IP database monitors:
-- mssql
-- mysql
-- oracle
-- postrgresql
Impact:
-- DBDaemon log file backups may consume more space under /var/log than desired.
-- When troubleshooting database monitor issues, DBDaemon log file rotation may occur so rapidly that older DBDaemon events may be lost, limiting the ability to capture meaningful diagnostic data.
Workaround:
It may be possible to work around this issue by periodically archiving DBDaemon log files, such as in a script with the following core functionality:
pushd /var/log;tar -czf DBDaemon_$(date +%Y%m%d%H%M).tgz DBDaemon-0.log*;popd
1070953-4 : Dnssec zone transfer could cause numerous gtm sync events.
Links to More Info: BT1070953
Component: Global Traffic Manager (DNS)
Symptoms:
GTM syncs for zone transfers that happen on other GTMs.
Conditions:
Dnssec zone transfer to client on peer GTM in the same GTM sync group.
Impact:
Numerous GTM sync and possible sync storm.
Workaround:
N/A
1070393-1 : The f5_api_com.crt certificate file may be removed by the load sys config command
Links to More Info: BT1070393
Component: TMOS
Symptoms:
The BIG-IP downloads an f5_api_com.crt certificate file when a production BIG-IP license is installed, but a subsequent "load sys config" reverts to the pre-certificate config, and deletes (tidies up) the file.
Conditions:
-- Activate a BIG-IP license in either the GUI or tmsh (this causes the f5 API certificate to be downloaded and installed into the config)
-- Run 'tmsh load sys config'
-- Observe that the f5_api_com.crt object is no longer present in the BIG-IP config.
Impact:
F5_api_com.crt certificate file is not present on the BIG-IP system.
Workaround:
- Ensure that "tmsh save sys config" is run after installing a new BIG-IP license.
- If the certificate has been removed from the BIG-IP configuration, but is still present in the filesystem, you can import it with the expected name (f5_api_com.crt): "tmsh create sys file ssl-cert f5_api_com.crt source-path file:///config/ssl/ssl.crt/f5_api_com.crt"
- If the certificate has been lost, you can re-activate the license, to cause a new API certificate to be pulled down from the F5 license server.
1070181-3 : Secondary MCPD crashes with Configuration error
Links to More Info: BT1070181
Component: Local Traffic Manager
Symptoms:
MCPD crashes with an error:
Configuration error: In Virtual Server (/Common/vip-test) an http2 profile with enforce-tls-requirements enabled is incompatible with client ssl profile '/Common/test-reneg-2'; renegotiation must be disabled
Conditions:
Virtual server with
-> http2 profile - 'enfore-tls-requirements' enabled
-> client-ssl profile 1 - 'renegotiation' disabled
-> client-ssl profile 2 - 'renegotiation' enabled
Impact:
MCPD crashes on the non-active device.
Workaround:
Disable 'enforce-tls-requirements' of http2 profile
1070141-1 : The SNAT Automap and self IP address selection.
Links to More Info: BT1070141
Component: Local Traffic Manager
Symptoms:
When a snat pool member is deleted, POOL_FLAG_HOMOGENEOUS is not re-set properly when the pool member is deleted.
Conditions:
-- SNAT pool with two members in multiple networks
-- One pool member is deleted such that all SNAT pool members are on the same network.
Impact:
The pool is not treated as homogenous after the change. This can cause a potential performance degradation or incorrect selection of SNAT pool members.
Workaround:
N/A
1069137-2 : Missing AWAF sync diagnostics
Links to More Info: BT1069137
Component: Application Security Manager
Symptoms:
Complex issues related to Policy Synchronization over Device Sync Groups are difficult to diagnose.
More detailed logging is needed if errors occur.
Conditions:
Device Group Sync is enabled.
Impact:
Root cause analysis is lengthy and difficult.
Workaround:
Enable debug logs in the environment:
> tmsh modify sys db log.asm.asmconfig.level value debug
> tmsh modify sys db log.asm.asmconfigevent.level value debug
> tmsh modify sys db log.asm.asmconfigverbose.level value debug
1069113-1 : ASM process watchdog should be less aggressive
Links to More Info: BT1069113
Component: Application Security Manager
Symptoms:
During standard operation a process is expected to exit and be restarted once it has exceeded a certain memory limit. As a failsafe, the watchdog forcefully kills the process if it exceeds a higher threshold. But if the handler was running close to the memory limit before a resource-intensive event like a full sync load, this operation could push it over both limits.
Conditions:
An ASMConfig handler is running close to the memory limit before a resource intensive event, like a full sync load.
Impact:
A process may be killed in the middle of a data-integrity sensitive action, like a device-group sync, which can leave the system in a corrupt state.
Workaround:
Modify the memory limits in nwd.cfg to raise it by 100 MB.
To load the configuration change, restart the asm_config_server process.
Impact of workaround: Performing the following procedure should not have a negative impact on your system:
1. Log in to the BIG-IP system command line.
2. To restart the asm_config_server process, type the following command:
"pkill -f asm_config_server"
Note : Restarting the asm_config_server process does not disrupt traffic processing.
The BIG-IP ASM watchdog process automatically restarts the asm_config_server process within 10 to 15 seconds.
1069001 : TMM crash in TLS/SSL processing
Links to More Info: BT1069001
Component: Local Traffic Manager
Symptoms:
TMM crashes with a SIGSEGV.
Conditions:
Unknown.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
1067917-1 : Attaching iRule DOSL7::enable when mitigation is not enabled at dosl7 profile, it is not showing warning in GUI.
Links to More Info: BT1067917
Component: Application Security Manager
Symptoms:
Attaching iRule DOSL7::enable to virtual server when same virtual server attached to dosl7 profile without mitigation enables. It is able to attach iRule the successful but same steps is giving error in 13.1.3.6
"1070151:3: Rule [/Common/<iRulename>] error: Unable to find profile_dos (<dos profile name>) referenced at line 3: [DOSL7::enable <dosl7 profile name>]"
Conditions:
Create dosl7 profile without any mitigation enabled and have iRule
when HTTP_REQUEST {
DOSL7::enable test
}
Attach iRule to virtual server.
Impact:
No warning is shown, but the rule causes an error in the logs and does not apply.
Workaround:
Enable the mitigation in order to attach this DOSL7::enable method.
1067857-7 : HSB completion time out causes unexpected reboot
Links to More Info: BT1067857
Component: TMOS
Symptoms:
A bad_tlp_status message closely follows a completion_time_out_status message in the /var/log/sel file, Following is an example:
CPU 0 PCI/DMI Error B:D.F 0:3.2: corerrsts: bad_tlp_status
CPU 0 PCI/DMI Error B:D.F 0:3.2: rperrsts: error_fatal_nonfatal_received
CPU 0 PCI/DMI Error B:D.F 0:3.2: rperrsts: non_fatal_error_messages_received
CPU 0 PCI/DMI Error B:D.F 0:3.2: uncerrsts: completion_time_out_status
Conditions:
This issue is known to occur on the following platforms:
- i2600
- i2800
- i4600
- i4800
Impact:
The device unexpectedly reboots.
Workaround:
None
1067821-1 : Stats allocated_used for region inside zxfrd is overflowed
Links to More Info: BT1067821
Component: Global Traffic Manager (DNS)
Symptoms:
No visible symptoms.
Conditions:
Large resource record addition and deletion for dns express zones.
Impact:
Internal zxfrd stats are incorrect.
1067653-2 : Ndisc6 is not working with non-default route domain.
Links to More Info: BT1067653
Component: TMOS
Symptoms:
Ndisc6 within a Route-Domain (rdexec <rd-id> ndisc6
<ipv6-address> <interface-name>) does not work if the route domain ID passed is not the default route domain.
Conditions:
A non-default route domain is used and a VLAN is assigned to it.
Impact:
Neighbor discovery for the non-default route domain will not work.
Workaround:
N/A
1067469-4 : Discrepancy in virtual server stats with LRO enabled.
Component: Local Traffic Manager
Symptoms:
The virtual_server_stat table has a discrepancy in clientside.bytes_out and serverside.bytes_in with LRO enabled.
Conditions:
LRO is enabled (sys db tm.tcplargereceiveoffload value "enable").
Impact:
The virtual_server_stat table shows a difference in clientside.bytes_out and serverside_bytes_in when LRO is enabled.
Workaround:
Disable LRO using the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
After modifying that variable, the virtual server stats need to be reset in order to clear historical stats using the following command: tmsh reset-stats ltm virtual
Otherwise TMM can be restarted to clear the stats.
1067449-2 : PEM Bandwidth Controller policies applied to a user session get stuck with the lowest precedence rule
Links to More Info: BT1067449
Component: Policy Enforcement Manager
Symptoms:
The issue is present with a PEM policy consisting of different Bandwidth Controllers applied to different services, like this one :
pem policy services_BWC {
rules {
rule1 {
classification-filters {
filter0 {
application Application1
}
}
precedence 1
qos-rate-pir-downlink BWC-Application1
qos-rate-pir-uplink BWC-Application1
}
rule2 {
classification-filters {
filter0 {
application Application2
}
}
precedence 2
qos-rate-pir-downlink BWC-Application2
qos-rate-pir-uplink BWC-Application2
}
rule3 {
classification-filters {
filter0 {
application Application3
}
}
precedence 3
qos-rate-pir-downlink BWC-Application3
qos-rate-pir-uplink BWC-Application3
}
}
}
With this policy, the BWC controller applied to a user session would get stuck on the lowest precedence rule, and the application of the correct BWC would depend on the order with which the user visited the Application1, Application2 and Application3 services.
For example, the user visits Application1 first and the BWC-Application1 is correctly applied.
Then the user visits Application2 (on a different transaction/flow): the corresponding rule has a higher precedence, and no BWC at all will be applied because the session is stuck with BWC-Application1.
Likewise, when then the user visits Application3 no BWC at all will be applied because the corresponding rule has an even higher precedence than the Application1 rule.
When the precedence of the rules is the same, the policy gets stuck with the first BWC applied to the user session.
This behaviour makes it impossible to create any meaningful policy with different BWC handlers applied to different classification-filters.
Conditions:
- PEM policy consisting of different Bandwidth Controllers, each one applied to a different service.
Impact:
- Impossible to create a working policy with different BWC handlers applied to different classification-filters.
Workaround:
None.
1067405-3 : TMM crash while offloading / programming bad actor connections to hardware.
Links to More Info: BT1067405
Component: Advanced Firewall Manager
Symptoms:
TMM crashes while passing traffic. From the core analysis, this issue looks specific to some platforms that enabled bad actor detection.
Conditions:
This might occur when bad actor detection is enabled in BIG-IP platforms.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue is platform specific and seen only when BA actor detection is enabled.
1067309-1 : GTMD cored followed by TMM core SIGSEGV due to illegal GTM server reference.
Links to More Info: BT1067309
Component: Global Traffic Manager (DNS)
Symptoms:
TMM, gtmd cores while passing traffic.
Conditions:
A rare race condition between TMM and GTMD occurs while passing traffic.
Impact:
Traffic disrupted while tmm and gtmd restarts.
Workaround:
N/A
1067025-4 : Rate-shaping + immediate timeout causing connection to stall.
Links to More Info: BT1067025
Component: Local Traffic Manager
Symptoms:
Server-side connection stalls if rate-limit is reached for a connection that has a timeout value set to immediate.
Conditions:
-- Rate-limit configured and reached.
-- Profile has immediate timeout configured.
Impact:
No packets are sent to the server.
Workaround:
Configure a timeout value on a protocol profile.
1066397-1 : GTM persists to last resort pool members even when primary pool members become available.
Links to More Info: BT1066397
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Queries are persisted to the last resort pool members after the primary pool comes back.
Conditions:
-- WideIP with persistence enabled
-- Disable primary pool members with the queries answered from the last resort pool
-- Now re-enable the primary pool members
Impact:
DNS Queries are persisted to the last resort pool members after the primary pool comes back.
Workaround:
N/A
1065821-4 : Cannot create an iRule with a newline between event and opening brace.
Links to More Info: BT1065821
Component: TMOS
Symptoms:
POST-ing to the BIG-IP REST API fails when creating an iRule.
Conditions:
iRule body has a newline after the event name.
For example:
"apiAnonymous": "when HTTP_REQUEST\n {...}"
Working:
"apiAnonymous": "when HTTP_REQUEST {...}"
Impact:
The iRule fails to create and you receive a warning about an unknown property.
{
"code": 400,
"message": "\"{\" unknown property",
"errorStack": [],
"apiError": 26214401
}
Workaround:
Format the iRule to not use newlines between the event name and opening brace.
Change from:
"apiAnonymous": "when HTTP_REQUEST\n {...}"
To:
"apiAnonymous": "when HTTP_REQUEST {...}"
1065681-1 : Sensitive data is not masked under certain conditions.
Links to More Info: BT1065681
Component: Application Security Manager
Symptoms:
Sensitive data (or part of it) is visible in the request logs or the remote log.
Conditions:
A parameter that is defined as a JSON profile. That profile has the parse parameters flag set.
Impact:
Sensitive data is visible in the log.
Workaround:
There are 2 possible workarounds:
1. Make the parameter that contains the json a sensitive parameter.
2. In the json profile attached to the parameter, uncheck the parse parameters flag. You will see a tab of sensitive data added in the UI. In that tab, explicitly add the JSON element as a sensitive element.
1065353-1 : Disabling ciphers does not work due to the order of cipher suite.
Links to More Info: BT1065353
Component: Local Traffic Manager
Symptoms:
You are not able to disable a list of ciphers.
Conditions:
The cipher list is given in an order in the tmsh command 'tmm --clientciphers'
Impact:
Inconsistent behavior of the command "tmm --clientciphers".
Workaround:
Reorder the ciphers in the list and pass the reordered list to "tmm --clientciphers".
1065013-4 : Tmm crash with iRuleLX plugin in use
Links to More Info: BT1065013
Component: Local Traffic Manager
Symptoms:
Tmm runs out of memory and crashes.
Conditions:
Exact conditions that trigger this are unknown:
-- iRuleLX provisioned and configured in one or more virtual servers
-- Network traffic is passing
Impact:
Traffic disrupted while tmm restarts.
1064725-4 : CHMAN request for tag:19 as failed.
Links to More Info: BT1064725
Component: Local Traffic Manager
Symptoms:
The following log is seen in /var/log/ltm when a qkview is generated:
warning chmand[6307]: 012a0004:4: CHMAN request (from qkview) for tag:19 failed.
or when a tcpdump capture is started:
warning chmand[792]: 012a0004:4: CHMAN request (from bigpcapq33E5-24) for tag:19 failed
or when get a dossier from GUI/CLI:
warning chmand[4319]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed
or when reboot:
warning chmand[8263]: 012a0004:4: CHMAN request (from mcpd) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from DossierValidator) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from LACPD_USER) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed
Conditions:
Any one of the following:
-- Generate a qkview file from the GUI/CLI
-- Start a tcpdump command from the CLI
-- Get a dossier from GUI/CLI
-- Reboot
Impact:
No functional impact.
Workaround:
None
1064649-2 : Tmm crash after upgrade.★
Links to More Info: BT1064649
Component: Local Traffic Manager
Symptoms:
After upgrading and provisioning the ASM module, TMM starts to crash and core.
Conditions:
-- BIG-IP system is upgraded to version 15.1.4.1.
-- The ARL table is empty (transparent VLAN group) and traffic is passed.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
1064257-2 : Bundled SSL certificates may not get revalidated successfully over OCSP after stapling parameters have been modified.
Links to More Info: BT1064257
Component: TMOS
Symptoms:
Bundled SSL certifcates fail to validate with an OCSP responder, and they are marked invalid in the GUI and tmsh.
Conditions:
1. One or more bundled certificates (containing intermediate certificates in addition to the subject one) are stored on the BIG-IP.
2. The certificates are configured for monitoring over OCSP.
2. The OCSP stapling parameter "Trusted Responders" is set to 'none'.
Impact:
Client SSL traffic may become disrupted if the affected certificates are used to process it.
Workaround:
1. Do not use OCSP status monitoring on subject certificates.
OR
2. Do not use bundled certificates.
OR
3. Set the Trusted Responders OCSP stapling parameter to the certificate of the OCSP responder used by the certificates.
1064205-1 : GSLB virtual server's status can't be changed from the drop-down selection box on its properties page.
Links to More Info: BT1064205
Component: Global Traffic Manager (DNS)
Symptoms:
The status of the GSLB virtual server associated with the GSLB server does not get changed through selection in the drop-down box in front of "Status".
Conditions:
1. Open the properties page of one GSLB virtual server after reaching from DNS ›› GSLB : Servers : Server List ›› Virtual Servers.
2. Change the value in the drop-down box in front of the "Status" field and click the "Update" button.
Impact:
The status of the GSLB virtual server can't be changed from its own properties page.
Workaround:
The status of one or multiple virtual servers can be changed on page DNS ›› GSLB : Servers : Server List ›› Virtual Servers by selecting the desired ones and selecting "Enable" or "Disable" buttons.
1063865-7 : Blade remains in an INOPERATIVE state after being moved to new chassis.
Links to More Info: BT1063865
Component: Local Traffic Manager
Symptoms:
When moving a blade to a new chassis, it can remain in an INOPERATIVE state upon startup. The following errors can be found in /var/log/ltm:
slot2 notice mcpd[7042]: 01071029:5: Master Key not present.
slot2 err csyncd[8163]: 013b0004:3: Unable to subscribe to mcpd, disconnecting...
Conditions:
- Multi-bladed BIG-IP systems
- Move a blade from one chassis to an open slot in the other chassis
Impact:
The moved blade will not properly sync up with the rest of the system, and remain INOPERATIVE.
Workaround:
This occurs due to the master key not being propagated to the moved blade. You can manually circumvent this by doing the following (this assumes slot 1 is primary and slot 2 has the moved blade):
Back up the master keys first (optional):
1. On the primary slot:
cp /config/bigip/kstore/master /var/tmp/master_slot1
2. On the moved slot:
cp /config/bigip/kstore/master /var/tmp/master_slot2
Copy the master key to the moved slot:
1. On the primary slot:
scp /config/bigip/kstore/master root@slot2:/config/bigip/kstore/master
2. On the moved slot:
bigstart restart mcpd
1063829-1 : Zxfrd could run out of memory because zone db files are not efficiently recycled.
Links to More Info: BT1063829
Component: Global Traffic Manager (DNS)
Symptoms:
Zxfrd is killed because of "Out of memory".
Conditions:
Dns express zones are updated continuously.
Impact:
Zxfrd keeps restarting.
Workaround:
Delete zxfrd files and restart zxfrd.
If sys db dnsexpress.hugepages is 0, run:
# rm -rf /shared/zxfrd/*
# bigstart restart zxfrd
If sys db dnsexpress.hugepages is 1, run:
# rm -rf /dev/mprov/zxfrd/*
# bigstart restart zxfrd
1063681-2 : PCCD cored, SIGSEGV in pc::cfg::CMessageProcessor::modify_fqdn.
Links to More Info: BT1063681
Component: Advanced Firewall Manager
Symptoms:
Pccd (Packet Correlation Classification Daemon) generates a core while adding a fqdn during testing.
Conditions:
Conditions to trigger the core are unknown.
Impact:
Pccd crashes and creates a core file.
Workaround:
Restart PCCD
1063609 : "Failed to start Jitterentropy Gatherer Daemon" encountered during boot
Links to More Info: BT1063609
Component: TMOS
Symptoms:
During PXE installation or software upgrade, the following is logged at first-time boot:
[[1;31mFAILED[0m] Failed to start Jitterentropy Gatherer Daemon.
[ 11.071830] See 'systemctl status jitterentropy-rngd.service' for details.systemd-fsck
Conditions:
-- First boot after PXE install.
-- First boot after software upgrade.
Impact:
The device will reboot itself after the first boot after PXE installation or software upgrade.
Workaround:
None
1063597-1 : Memory leak in rewrite in some cases when no pool is selected on virtual server
Links to More Info: BT1063597
Component: TMOS
Symptoms:
In some cases a memory leak may occur in rewrite when none of the pools are selected on a virtual server
Conditions:
-- Rewrite profile added to a virtual server
-- LTM pool not selected
Impact:
Memory allocated to rewrite will not be released resulting in exhaustion of all the available memory and system becoming us-stable
Workaround:
Ensure that a pool is always selected, this can be done by adding a default pool to the virtual server.
1063173-2 : Blob size consistency after changes to pktclass.
Links to More Info: BT1063173
Component: Performance
Symptoms:
Blob size grows after making changes to pktclass that should reduce the size.
Conditions:
Making changes to pktclass.
Impact:
The BIG-IP system premature hits blob size limits while making changes which can result in validation issues preventing the pktclass from loading.
Workaround:
Change sys db key "pccd.alwaysfromscratch" to true.
1062901-1 : The 'trap-source' and 'network' SNMP properties are ineffective, and SNMP traps may be sent from an unintended interface.
Links to More Info: BT1062901
Component: TMOS
Symptoms:
The BIG-IP system sends SNMP traps from an unintended interface (likely a TMM VLAN instead of the management port).
Conditions:
This issue occurs when the configuration:
- Includes a 'trap-source' property which matches the BIG-IP system's management IP address.
- Includes a SNMP trap destination which specifies 'mgmt' as the 'network' property.
- Includes routes to the aforementioned SNMP trap destination via both tmm and the management port (and the routes are such that the tmm one wins).
Impact:
Outgoing snmp traps fail to bind to the management IP address and to leave from the management port. Instead, they will bind to a self-ip matching TMM's route to the destination and leave from a TMM VLAN.
This can cause issues (or not work at all) depending on the configuration of the host system meant to receive the traps and/or of the surrounding network devices.
Workaround:
N/A
1062857-3 : Non-tmm source logs stop populating after a system time change.
Links to More Info: BT1062857
Component: TMOS
Symptoms:
Syslog-ng service functionality leads to failures like no daemon logs being captured in files like
- /var/log/ltm and
- /var/log/messages.
Conditions:
Change the system date and time to future or past, and then reboot the system.
Impact:
Expected TMM logs rest all daemons logs are not captured at /var/log/ltm, due to syslog-ng failure.
Workaround:
None
1062105-3 : For specific configurations (Auto-Added Signature Accuracy and Case Sensitive parent policy), child security policy fails to create.
Links to More Info: BT1062105
Component: Application Security Manager
Symptoms:
1. Creation of child security policy fails when it should not.
2. GUI shows wrong value for Auto-Added Signature Accuracy in creation page of the child policy.
Conditions:
1. Create a parent policy with the following settings:
- Policy is Case Sensitive set to disable.
- Auto-Added Signature Accuracy set to low.
Note: these values are not the default values related to the template used in the policy. For example: Fundamental, Comprehensive, and RDP templates.
2. Try to create a policy using the above parent policy.
Impact:
Creation of child policy
Workaround:
Send REST command with minimumAccuracyForAutoAddedSignatures field under 'signature-settings' and not from the outer level.
1061929-2 : Unable to perform IPI update (through proxy) after upgrade to 15.1.4.★
Links to More Info: BT1061929
Component: Advanced Firewall Manager
Symptoms:
After upgrading, the IPI database fails to update. During system start, iprepd logs an error:
"Cannot connect to host api.bcti.brightcloud.com: No route to host".
Conditions:
IPI update occurs through a proxy server.
Impact:
IPI update fails.
Workaround:
N/A
1061905-3 : Adding peer unit into device trust changes the failover address family.
Links to More Info: BT1061905
Component: TMOS
Symptoms:
In Device Management >> Devices >> [self device] > Failover Network.
Address Family Mode resets back to "IPv4 & IPv6" instead of already set configuration i.e. IPv4 when a new peer unit is added.
Conditions:
-- Add a new device into the device trust.
-- Set both devices to "IPv4".
-- Join the devices in device trust.
Impact:
Inconsistent configuration
Workaround:
Modify the address family to IPv4 manually after adding the peer.
1060833-2 : After handling a large number of connections with firewall rules that log or report translation fields or server side statistics, TMM may crash.
Links to More Info: BT1060833
Component: Advanced Firewall Manager
Symptoms:
TMM crashes.
The 'virt_cnt' column in the tmctl 'string_cache_stat' table continues to grow over time, and diverges significantly from the 'phys_cnt' column.
Conditions:
-- Enforced AFM firewall policies configured in multiple contexts (global, route domain, virtual server)
-- Large number of connections that matches rules in multiple contexts
-- AFM configured in at least one of the following ways:
--+ Stats collection enabled and collecting server-side stats enabled. Stats collection is enabled by default. Collecting server-side statistics ("security analytics settings acl-rules { collect-server-side-stats }") is not enabled by default.
--+ ACL logging enabled, and the logging of translation fields enabled.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
Disable logging and reporting of server-side information in AFM firewall ACLs.
After making these changes, it may be necessary to restart TMM once.
1060769-1 : The /mgmt/tm/sys/performance/all-stats and /mgmt/tm/sys/performance/throughput iControl REST endpoints cannot be successfully parsed by common JSON libraries.
Links to More Info: BT1060769
Component: TMOS
Symptoms:
Because of identically-named key/value pairs in the "entries" object returned by the /mgmt/tm/sys/performance/all-stats and /mgmt/tm/sys/performance/throughput iControl REST endpoints, the output of these endpoints cannot be successfully parsed by common JSON-parsing libraries.
Only the key/value pair appearing last for a given name is returned by common JSON-parsing libraries.
As a result, the In/Out/Service sections of the output, which should show both Throughput(bit) and Throughput(packets) only shows Throughput(packets).
Conditions:
Querying the /mgmt/tm/sys/performance/all-stats or /mgmt/tm/sys/performance/throughput iControl REST endpoints.
Impact:
Common JSON-parsing libraries are unable to extract all of the information contained in the JSON blob (only a subset of the information is returned).
Workaround:
If possible, use the TMSH utility from the CLI of the BIG-IP system to display the complete information.
1060721-2 : Unable to disable auto renew in Certificate order manager via GUI.
Links to More Info: BT1060721
Component: TMOS
Symptoms:
From the GUI, you are unable to disable auto-renew on the certificate order manager.
Conditions:
In the GUI navigate to System > Certificate Management > Traffic Certificate Management > Certificate Order Manager List > Create.
Then select the any certificate Authority items, then disable Auto-renew.
Impact:
In Certificate order manager, auto-renew can not be disabled from the GUI.
Workaround:
Issue the following command from tmsh to disable auto-renew in cert-order manager.
tmsh modify sys crypto cert-order-manager <cert_order_manager_name> auto-renew no
1060541-1 : Increase in bigd CPU utilization from 13.x when SSL/TLS session resumption is not utilized by HTTPS pool members due to Open SSL upgrade
Links to More Info: BT1060541
Component: Local Traffic Manager
Symptoms:
The bigd process uses more CPU than it did in previous versions when HTTPS monitors are used for pool members and the pool members do not resume the SSL/TLS session. This is due to upstream changes in the OpenSSL library.
Conditions:
-- HTTPS monitors.
-- Pool members that do not allow or are not using TLS/SSL session resumption.
Impact:
High CPU utilization.
Workaround:
Ensure the pool members have SSL/TLS session resumption enabled.
1060369-1 : HTTP MRF Router will not change serverside load balancing method
Links to More Info: BT1060369
Component: Local Traffic Manager
Symptoms:
Selecting a different load balancing mechanism (i.e. an iRule or Local Traffic Policy selecting a different pool/node, the "virtual" command, etc) does not work for subsequent HTTP/1.x requests on a keep-alive connection.
Conditions:
-- "HTTP MRF Router" virtual server (virtual server has an "httprouter" profile attached)
-- Virtual server is handling HTTP/1.x traffic
Impact:
Traffic is load-balanced to incorrect destination.
Workaround:
None.
1060181-3 : SSL handshakes fail when using CRL certificate validator.
Links to More Info: BT1060181
Component: TMOS
Symptoms:
Some SSL handshakes are reset with "SSL Handshake timeout exceeded" reset.
Conditions:
Client SSL profile with CRL certificate validator.
Client SSL certificate authentication enabled.
Impact:
SSL handshakes fail.
Workaround:
None
1059849-3 : ASM hostname headers have the route domain incorrectly appended
Links to More Info: BT1059849
Component: Application Security Manager
Symptoms:
When creating an ASM hostname header policy entry in a non-default route domain, ASM incorrectly adds the route domain to the end of the header entry.
Conditions:
ASM policy in a non-default route domain (not rd 0) with a hostname entered as an IP address.
For instance 10.10.10.10 in route domain 5 would be entered internally as:
10.10.10.10%5
BIG-IP version 17 is affected but issue is not reproducible with releases that are affected by ID 1474749. When ID 1474749 is fixed, ID 1059849 will re-surface
Impact:
This causes the host header to fail to match, as the client provides a host header without the route domain.
Workaround:
None
1059421-4 : Bot Signature is not updated when the signature rule is updated.
Component: Application Security Manager
Symptoms:
In some cases, when you update a user-defined Bot Signature rule, the new rule is not applied.
Conditions:
-- Bot Defense profile is attached to virtual server
-- A user-define bot signature is updated
Impact:
Updated signature is not enforced.
Workaround:
-Delete the Bot Signature rule
-Add another Bot Signature rule
-Check to see that all changes are applied
1059293-1 : During DPD config changes, the IKEv2 tunnel may not start.
Links to More Info: BT1059293
Component: TMOS
Symptoms:
One peer does not come up.
Conditions:
Continuously changing the timer values, i.e. phase1, phase2 and DPD values.
Impact:
The BIG-IP system may be unable to establish a tunnel for one peer.
Workaround:
N/A
1058873-2 : Configuring source address as "address list" in a virtual server causes APMD to restart
Links to More Info: BT1058873
Component: Access Policy Manager
Symptoms:
APMD continue to restart with a denied message.
The following errors are logged in /var/log/apm:
01490000:5: ha_util.cpp func: "getTgInfoByVAddrName()" line: 292 Msg: MCP query failed (error 0x1020036)
01490000:3: DeviceHA.cpp func: "checkApmTrafficGroup()" line: 35 Msg: high availability (HA) util returns err 3
01490000:3: ApmD.cpp func: "main_loop()" line: 851 Msg: Check APM traffic group failed
Conditions:
The source or destination address is configured as "address list" in at least one virtual server configured to use APM.
Impact:
Apmd goes into a restart loop. Access traffic disrupted while apmd restarts.
Workaround:
Create a dummy Access Profile and attach it to a dummy virtual server using an unused IP address.
1058789-2 : Virtual addresses are not created from an address list that includes an IP address range.
Links to More Info: BT1058789
Component: TMOS
Symptoms:
The virtual address is listed as offline regardless of the status of the virtual server. This makes understanding virtual-address status very difficult.
Conditions:
Create virtual server using a traffic-matching-criteria (TMC) address list.
Impact:
The virtual addresses are created but the BIG-IP system shows all of them as offline enabled regardless of the status of the virtual server.
Workaround:
None
1058765-2 : Virtual Addresses created from an address list with prefix all say Offline (enabled)
Links to More Info: BT1058765
Component: TMOS
Symptoms:
Virtual Addresses created from an address list with prefix all say Offline (enabled)
Conditions:
Using the prefix in the address-list which is used for virtual server configuration.
Impact:
Improper status of the virtual address.
1058665-1 : Bot signature with a semicolon followed by a space is not detected.
Component: Application Security Manager
Symptoms:
When creating a user-defined Bot Signature, semicolon followed by space cannot be used.
Conditions:
-- Using a user-defined Bot Signature in Simple mode.
-- There is a semicolon followed by a space in the User-Agent or URL sections.
Impact:
The signature is not detected.
Workaround:
Escaping the semicolon in the signature created as "|3B|".
1058645-2 : ipsecalg blocks Sophos ISAKMP negotiation during tunnel setup.
Links to More Info: BT1058645
Component: Advanced Firewall Manager
Symptoms:
Sophos IPsec clients cannot connect to a Sophos firewall when ipsecalg is configured on the forwarding virtual server.
The Sophos client initially attempts to start the tunnel using aggressive mode. The Sophos firewall does not support remote users attempting aggressive mode and responds with Notify Message Type INVALID-PAYLOAD-TYPE. The tunnel setup cannot proceed correctly after that point.
Conditions:
-- Sophos client is installed on remote user devices.
-- Sophos firewall is the remote endpoint in the IPsec tunnel.
Note: The Sophos client and firewall combination is the only known failing use-case.
Impact:
Sophos clients cannot start an IPsec tunnel.
Workaround:
The Sophos client cannot be configured to use main mode instead of starting with aggressive mode. The Sophos firewall does not support aggressive mode for remote user IPsec tunnels.
Therefore, create an iRule and add the iRule to the ipsecalg virtual server. The iRule simply contains this:
when SERVER_DATA {
# Only execute on first server side packet of conflow.
event disable
if { [UDP::payload length] < 40 } { return; }
binary scan [UDP::payload] x8x8cH2cx9x10S payload_type ver exch_type noti_type
# Depending on throughput, the amount of logging here may be problematic
#log local0. "payload_type : $payload_type"
#log local0. "ver : $ver"
#log local0. "exch_type : $exch_type"
#log local0. "noti_type : $noti_type"
if { $payload_type == 11 && $ver == 10 && $exch_type == 5 && $noti_type == 1 } {
log local0. "Closing ipsecalg connection"
after 1 { reject }
}
}
1058349-3 : Requirement of new signatures to detect IMO and Google Duo service.
Component: Traffic Classification Engine
Symptoms:
Google Duo voice call and IMO applications are not blocking.
Conditions:
On Latest IM with PEM policy and TC policy.
Impact:
Traffic throttling will not work on IMO and DUO app.
Workaround:
N/A
1057925-4 : GTP iRule generates a warning.
Links to More Info: BT1057925
Component: TMOS
Symptoms:
Merging GTP config generates a warning.
cat ltm rule GTP_Rate_Limmit {
when CLIENT_DATA {
set gtp_message [GTP::parse [UDP::payload]]
set ie_list [GTP::ie get list -message $gtp_message -type 87]
#set ie_list [GTP::ie get list -type 97 -message $gtp_message]
foreach ie $ie_list {
set fteid_value [lindex $ie 5]
set interface_type [lindex $fteid_value 2]
set ipv4_addr [lindex $fteid_value 4]
log local0. "$fteid_value,$interface_type,$ipv4_addr"
}
}
}
ltm rule GTP_Rate_Limmit {
when CLIENT_DATA {
set gtp_message [GTP::parse [UDP::payload]]
set ie_list [GTP::ie get list -type 87 -message $gtp_message]
foreach ie $ie_list {
set fteid_value [lindex $ie 5]
set interface_type [lindex $fteid_value 2]
set ipv4_addr [lindex $fteid_value 4]
log local0. "$fteid_value,$interface_type,$ipv4_addr"
}
}
}
root@(sr)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys config merge file gtprule.conf
Merging GTP rule config generates warning.
/var/local/scf/gtprule.conf
There were warnings:
/Common/GTP_Rate_Limmit:4: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid '-type'; expected:-message"93 47][GTP::ie get list -type 87 -message $gtp_message]
Conditions:
This error occurs every the time the GTP config is merged.
Impact:
Config merge shows a warning.
Workaround:
Change
set ie_list [GTP::ie get list -type 87 -message $gtp_message]
to
set ie_list [GTP::ie get list -message $gtp_message -type 87]
1057713-2 : "South Sudan" is missing from the ASM Geolocation Enforcement list.
Component: Application Security Manager
Symptoms:
South Sudan is not available as a selection in ASM's Geolocation Enforcement configuration.
Conditions:
South Sudan was not added into ASM database.
Impact:
There is no way to set the country code for "South Sudan" under 'Allowed Geolocations.'
Workaround:
N/A
1057709-4 : Invalid Certificate for all BIG-IP VE OVA images on vCenter 7.0U2.
Links to More Info: BT1057709
Component: TMOS
Symptoms:
When deploying all BIG-IP VE OVA/OVF images, vCenter 7.0U2 will display an invalid certificate (not trusted) warning message. This is due to enhanced signing certificate verifications for expiry, and other validity checks for the entire chain of the signing certificate against the VECS store (known vCenter issue https://kb.vmware.com/s/article/84240).
Conditions:
Login to vCenter 7.0U2, deploy a BIG-IP VE using an OVF template, select the Local File option, upload the OVA template from your local directory, and then follow the prompts to complete the deployment. In the review details section, "The certificate is not trusted" warning message appears.
Impact:
You can ignore the message and continue with the deployment, or add the missing signing certificate(s) to the VECS store.
Workaround:
To avoid this warning, do the following to add the signing certificate to the VECS store:
1. Get the OVF/OVA signing certificate's chain (root CA and intermediate certificates, if any). You can use any certificate chain resolver to find the missing certificates from the chain.
2. To add the intermediate and root certificates to VECS store:
a. login to vCenter as administrator.
b. From drop-down menu select administration -> Certificates -> Certificate Management.
c. Click ADD next to Trusted Roots Certificates.
d. Browse and select the certificate(s) found in step 1.
1057561 : Occasional Nitrox5 zip engine hang.
Links to More Info: BT1057561
Component: Local Traffic Manager
Symptoms:
Occasionally the Nitrox5 zip engine hangs.
In /var/log/ltm:
crit tmm12[24794]: 01010025:2: Device error: n5-compress1 Nitrox 3, Hang Detected: compression device was reset (pci 09:01.5, discarded 1).
Conditions:
BIG-IP appliance that uses the Nitrox 5 hardware compression chip: i11800.
You can check if your platform has the nitrox5 by running the following command:
tmctl -w 200 compress -s provider
provider
--------
bzip2
lzo
nitrox5 <----
qat-com
zlib
Impact:
The Nitrox5 hardware compression system becomes unavailable and the compression mode switches to software compression. This can lead to high CPU usage.
Workaround:
Disable http compression
1057557-5 : Exported policy has greater-than sign '>' not escaped to '>' with response_html_code tag.
Links to More Info: BT1057557
Component: Application Security Manager
Symptoms:
The greater-than sign '>' is not escaped/converted to '>' with response_html_code tag.
Having an un-escaped greater-than sign can cause issues when re-importing the policy, if the greater-than sign appears in a specific sequence, ']]>'. In other words, if the greater-than sign does not appear in the specific sequence, you can successfully re-import the policy without problem.
The specific sequence can be possible with a custom response page configuration. If you modify the custom response page in the way it has a sequence of characters ']]>', as the greater-than sign is not converted due this issue, the exported policy has the sequence of characters ']]>'. The expected characters are ']]>'
The characters ']]>' in XML is CDATA End delimiter and not allowed. The exported policy causes parser error and can not be re-imported.
Conditions:
This issue occurs if you modify the default custom response page where this specific character sequence is observed ']]>'.
Impact:
The exported policy cannot be re-imported.
Workaround:
This workaround forces the greater-than sign to be escaped to '>' so that that policy can be re-imported without problem.
- make /usr writable
# mount -o remount,rw /usr
- backup
# cp /usr/local/share/perl5/F5/ExportPolicy/XML.pm /usr/local/share/perl5/F5/ExportPolicy/XML.pm.orig
- see this line exists
# grep "gt;" /usr/local/share/perl5/F5/ExportPolicy/XML.pm
$xml =~ s/>/>/g;
- delete the line and verify
# sed -i '/$xml =~ s\/>.*/d' /usr/local/share/perl5/F5/ExportPolicy/XML.pm
- should not see the line
# grep "gt;" /usr/local/share/perl5/F5/ExportPolicy/XML.pm
- move /usr read-only
mount -o remount,ro /usr
- make the change in effect
# pkill -f asm_config_server
1057501-4 : Expired DST Root CA X3 resulting in http agent request failing.
Links to More Info: BT1057501
Component: TMOS
Symptoms:
When the DST Root CA X3 is expired, any HTTP agent request fails with the error:
err tmm2[19302]: Rule /Common/my_rule <HTTP_REQUEST>: Client - <address>, failure :proxyInterstitialPage: FetchError: request to <url> failed, reason: certificate has expired.
Conditions:
The DST Root CA X3 certificate is expired, see
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/.
Impact:
ILX plugins that reply on outbound HTTP client/agent requests to remote servers fail.
Workaround:
Create a /var/tmp/isrgrootx1.pem with contents of https://letsencrypt.org/certs/isrgrootx1.pem.txt.
The Node.js script:
# cat /var/tmp/CustomCA-2.js
var fs = require('fs');
var https = require('https');
var options = {
hostname: 'letsencrypt.org',
port: 443,
path: '/',
method: 'GET',
ca: fs.readFileSync('/var/tmp/isrgrootx1.pem') <<<<<<<<<<<<<<< incorporated CA thus bypassing the CA embedded in the EOL version of Node.js
};
var req = https.request(options, function(res) {
res.on('data', function(data) {
console.log("PASS");
});
});
req.end();
1057305-1 : On deployments that use DPDK, "-c" may be logged as the TMM process/thread name.
Links to More Info: BT1057305
Component: TMOS
Symptoms:
"-c" may be logged as the process/thread name on deployments that use DPDK:
notice -c[17847]: 01010044:5: Gx feature is not licensed
notice -c[17847]: 01010044:5: LTM Transparent feature is licensed
notice -c[17847]: 01010044:5: NAT feature is licensed
Conditions:
- BIG-IP Virtual Edition using XNET with DPDK. This can be AWS, Mellanox, or Cisco eNIC.
Impact:
Confusing logging.
Workaround:
N/A
1057121-3 : MQTT Over Websockets in Websocket Termination mode is not working
Links to More Info: BT1057121
Component: Local Traffic Manager
Symptoms:
Request is not forwarded to server-side, the server-side connection will not be established.
Conditions:
MQTT Over Websockets virtual server configuration in Websockets Termination mode.
Impact:
MQTT Over Websockets in Websocket Termination mode does not work.
Workaround:
None
1057061-2 : BIG-IP Virtual Edition + security-log-profile (HSL) performance issue with Log Translation Fields.
Links to More Info: BT1057061
Component: Advanced Firewall Manager
Symptoms:
When using a security log profile that has Log Translation Fields enabled, CPU usage is unusually high.
Conditions:
-- AFM provisioned
-- One or more security log profiles has “Log Translation Fields” enabled
Impact:
Excessive CPU utilization when compared to the same configuration with Log Translation Fields disabled.
Workaround:
N/A
1056941-2 : HTTPS monitor continues using cached TLS version after receiving fatal alert.
Links to More Info: BT1056941
Component: Local Traffic Manager
Symptoms:
After an HTTPS monitor completes successfully, the TLS version is cached and used for subsequent monitor probes.
If the back end server TLS version changes between monitor polls and no longer allows the cached TLS version, the back end server correctly sends a fatal alert to the BIG-IP in response to the no longer allowed TLS version.
The BIG-IP will continue to use the cached, now prohibited, version in all subsequent probes resulting in a false down resource until the cached information is cleared on the BIG-IP.
Conditions:
ClientSSL profile is changed on backend BIG-IP device's virtual server,
Impact:
BIG-IP continues to send prohibited TLS version and reports the member as down.
Workaround:
-- Delete and re-add pool member.
-- Change HTTPS monitor to any other monitor (including another HTTPS monitor) and then back.
-- Restart bigd with "bigstart restart bigd" - Note that this impacts all monitoring on the BIG-IP.
-- Restart BIG-IP - Note that this impacts all traffic on the BIG-IP.
1055077-1 : Modifying the datacenter does not check GTM server configuration for prober-pool.
Links to More Info: BT1055077
Component: Global Traffic Manager (DNS)
Symptoms:
If GTM is in a bad configuration state, the reload can fail with an error similar to this:
01071b63:3: The prober fallback value for server /Common/server1 cannot be the same as the inherited prober preference value.
Unexpected Error: Validating configuration process failed.
or
01071b62:3: The prober preference value for server /Common/server2 cannot be the same as the inherited prober fallback value.
Unexpected Error: Validating configuration process failed.
Conditions:
1. GSLB server has a prober-pool and inherits the datacenter selected for prober preference or prober fallback (it does not matter which prober configuration has which value).
2. GSLB datacenter is modified such that the prober configuration inherited by the constituent GSLB server is changed from a non-pool method to prober-pool.
This results in the GSLB server having a prober-pool probe configuration manually configured and another prober-pool probe configuration inherited from the GSLB datacenter.
Impact:
Two prober-pool configurations for a GSLB server is a prohibited state. Once this state is reached, any action that tries to validate the configuration (like a configuration load) will fail. This can cause the BIG-IP to fail to load configuration or cause a UCS restore to fail.
Workaround:
Review the configured and inherited prober configuration state of all GSLB servers whose parent GSLB datacenter has a prober-pool configured for it's prober preference or prober fallback. If any GSLB servers are affected, change their prober configuration so that only a single prober-pool configuration exists; or, you can change the parent GSLB server to no longer use the prober-pool method.
1055053-4 : "tmsh load sys config default" does not clear Zebos config files.
Links to More Info: BT1055053
Component: TMOS
Symptoms:
Typing the command: "tmsh load sys config default" does not clear Zebos config files.
Conditions:
- Dynamic routing in use.
- Loading default configuration with "tmsh load sys config default"
Impact:
Zebos configuration files still contain configuration after restoring default config.
Workaround:
Manually delete the Zebos configuration before running "tmsh load sys config default".
1054677-1 : Ng_export fails for users with the 'pager' option enabled in their 'cli preference' configuration.
Links to More Info: BT1054677
Component: Access Policy Manager
Symptoms:
For users with pager enabled, some lines are missing in the ng-export.conf file.
Conditions:
For your CLI preference, the 'pager' option is set to enabled.
Impact:
When 'pager' is set to enabled, you will be unable to export Access policies.
Workaround:
Disable the 'pager' option in 'cli preference' config for the affected user.
1054497-1 : Tmsh command "show sys fpga" does not report firmware for all blades.
Links to More Info: BT1054497
Component: TMOS
Symptoms:
After upgrading or forcing a reload of the configuration, the tmsh command "show sys fpga" does not report the firmware for all blades.
Conditions:
- Mutli-blade VIPRION or vCMP guest.
- Upgrade or forced reload of the configuration
Impact:
The tmsh command "show sys fpga" does not report firmware information for all blades.
Workaround:
Use the following command to restart chmand on the blade that is not reporting the firmware information:
bigstart restart chmand
1053949-3 : AFM SSH proxy offering weak ciphers, the ciphers must be removed
Links to More Info: BT1053949
Component: Advanced Firewall Manager
Symptoms:
AFM SSH Proxy is offering following weak ciphers:
- hmac-sha1
- diffie-hellman-group14-sha1
- 3des-cbc
Conditions:
- Configure virtual server with AFM SSH profile attached.
Impact:
Selection of weak ciphers can break the the encryption scheme.
Workaround:
None
1053605-2 : When you use NAT, the iQuery status displays 'BIGIP' instead of 'BIGIP-DNS'.
Links to More Info: BT1053605
Component: Global Traffic Manager (DNS)
Symptoms:
Use the 'show gtm iquery' command. The 'Server Type' for the connection to its own box may show as "BIGIP" rather than "BIGIP-DNS", even though DNS is provisioned on that device.
# tmsh show gtm iquery
----------------------------------------
Gtm::IQuery: 10.0.0.1
----------------------------------------
Server GTM1
Server Type BIG-IP <--
...
...
...
Note: Other BIG-IP DNS devices in the same sync group will correctly show the status as 'BIGIP-DNS'.
Conditions:
This occurs in the following conditions:
- The gtm server has both an address and a translation defined.
- The BIG-IP running the command is the same device being viewed (that is, it is showing its own status).
For example:
gtm server GTM1 {
devices {
GTM1 {
address { 10.0.0.1 { translation 192.168.1.1 } }
}
}
...
}
Impact:
This is purely cosmetic, and does not affect the operation of the iQuery protocol.
Workaround:
N/A
1053037-7 : MCP error on loading a UCS archive with a global flow eviction policy
Links to More Info: BT1053037
Component: TMOS
Symptoms:
Attempting to load a UCS archive with a global flow eviction policy results in an error like the following.
loaddb[3609]: 01080023:3: Error return while getting reply from mcpd: 0x1070911, 01070911:3: The requested flow_eviction_policy object (/Common/otters) does not exist for global_flow_eviction_policy in ltm (/Common/ltm)
Error 0x1070911 occurred: 01070911:3: The requested flow_eviction_policy object (/Common/otters) does not exist for global_flow_eviction_policy in ltm (/Common/ltm)
Despite this error, restoring the UCS archive continues on, and may succeed.
Conditions:
-- Loading a UCS archive with a non-default global-flow-eviction-policy configured.
-- The existing configuration on the BIG-IP system does not define the same eviction policy.
Impact:
The above mentioned error message is printed to the logs.
It should be safe to ignore the error if the UCS otherwise loads successfully.
Workaround:
Ignore the error message.
1052317-3 : The BIG-IP system does not output the show security nat source-translation command.
Links to More Info: BT1052317
Component: Advanced Firewall Manager
Symptoms:
The tmsh show security nat source-translation command contains no output.
Conditions:
-- Static NAT is enabled
Impact:
An error occurs:
01020002:3: A null pointer was passed into a function.
Workaround:
None
1051589-1 : Missing configuration after upgrade★
Component: Application Security Manager
Symptoms:
After a successful UCS load, some parts of the security configuration are missing.
Conditions:
-- ASM provisioned
-- Limited disk space in /shared
-- Upgrade or create and then install a UCS
Impact:
A device after upgrade or UCS install is missing some of the security configuration.
Workaround:
Clear out disk space in /shared before attempting an upgrade or creating a UCS
1051153-4 : DHCP fails intermittently when the connection is through BIG-IP.
Links to More Info: BT1051153
Component: Local Traffic Manager
Symptoms:
DHCP DISCOVER packets are received, load balanced to the back end DHCP server, a DHCP OFFER reply is received from the server to BIG-IP, but this packet is dropped.
Conditions:
A BIG-IP system is between the DHCP client and DHCP server.
Impact:
DHCP OFFER is never passed on to the client, and as such, the client keeps sending DHCP DISCOVER packets, which are all dropped the same way.
1051125-1 : GTM marks virtual servers offline even when LTM virtual servers are available.
Links to More Info: BT1051125
Component: Global Traffic Manager (DNS)
Symptoms:
GTM virtual servers have a status of offline when they should be marked as available.
Conditions:
-- Sync group of two GTM devices with a large number of virtual servers (2k).
-- All the LTM virtual servers corresponding to GTM Virtual servers are available.
-- Add a third GTM into the sync group.
Impact:
LTM virtual servers are marked offline.
1050661-1 : Warning message with UDP on DOH server side.
Links to More Info: BT1050661
Component: Global Traffic Manager (DNS)
Symptoms:
DOH with server side flow using UDP results in a DoH server that is unable to deliver DNS replies larger than 4096 bytes to the DoH client (a truncated (TC) response will be sent instead).
Conditions:
1. A DNS profile that has all the internal DNS resolution features turned off (gslb, cache, dns-express, local-bind), so that DNS requests are load balanced to the pool
tmsh create ltm profile dns dns-pool-only enable-dns-express no enable-dnssec no enable-gtm no process-rd no use-local-bind no
2. A pool pointing to a DNS server
tmsh create ltm pool dns-pool-only members add {x.x.x.x:53}
3. An LTM virtual server that has TCP on the clientside (DoH server) and UDP on the server-side flow.
tmsh create ltm virtual vs-doh-server destination x.x.x.x:443 ip-protocol tcp profiles add {doh-server tcp { context clientside } udp_gtm_dns { context serverside } http2 http clientssl-secure dns-pool-only }
Trigger by sending a DoH request to the virtual-server for a DNS resource record that is larger than 4096 bytes. A truncated response will be returned to the DoH client. Since the client is already using TCP (and HTTPS) to send the query, it can not retry the query using TCP like a traditional client could do.
Impact:
DNS responses with the TC (truncated) bit are received via the BIG-IP DoH virtual server.
Note that this is correct behavior, per RFC8484, for this configuration.
Workaround:
1. Use TCP on the server-side flow (this is the default if you don't specifically set the serverside to use UDP). The use of TCP will mean that each DNS request requires a TCP 3WHS and 4-way close.
(or)
2. Instead of configuring DNS servers as pool members, configure them as forward-zone nameservers for dns-cache, and enable dns cache in the DNS profile.
(or)
3. Ensure that the configuration is only used when you can be certain that no replies larger than 4096 bytes will ever be provided by the DNS server (pool member)
1050457-1 : The "Permitted Versions" field of "tmsh show sys license" only shows on first boot
Links to More Info: BT1050457
Component: TMOS
Symptoms:
As of BIG-IP Virtual Edition version 15.0.0, running "tmsh show sys license" should show the Permitted Versions. After the system is rebooted, this information is no longer displayed by TMSH.
Conditions:
-- Running the 'tmsh show sys license' command after a reboot
Impact:
Unable to see the permitted versions for the license.
Workaround:
The list of permitted versions can be seen in the /config/bigip.license file, by looking for Exclusive_version:
config # grep Exclusive_version /config/bigip.license
Exclusive_version : 11.6.*
Exclusive_version : 12.*.*
Exclusive_version : 13.*.*
Exclusive_version : 14.*.*
Exclusive_version : 15.*.*
Exclusive_version : 16.*.*
Exclusive_version : 5.*.*
Exclusive_version : 6.*.*
Exclusive_version : 7.*.*
1050413-4 : Drive model HGST HUS722T1TALA604 must be added to pendsect drives.xml
Links to More Info: BT1050413
Component: TMOS
Symptoms:
When using the hard drive model HGST HUS722T1TALA604, the pendsect does not recognize the hard drive and skips during sector checks.
Conditions:
The issue occurs under the following conditions:
-- Using a HGST HUS722T1TALA604 hard drive on a BIG-IP system.
-- Pendsect runs a sector check.
Impact:
Warning messages like the following will be logged to /var/log/messages:
-- warning pendsect[31898]: skipping drive -- Model: HDC WD1005FBYZ-01YCBB2
-- warning pendsect[31898]: No known drives detected for pending sector check. Exiting
Pendsect can't properly check the hard drive.
Workaround:
Give write permissions to modify files:
chmod u+w /etc/pendsect/drives.xml
Open the file and add the following at the end of the file, before default:
<snip>
<HUS722T1TA>
<offset firmware="RAGNWA09">0</offset>
<offset firmware="default">0</offset>
<family> "HA210"</family>
<wd_name>"Ultrastar"</wd_name>
</HUS722T1TA>
<DEFAULT>
<firmware version="default">
<offset>0</offset>
</firmware>
<name> "UNKNOWN"</name>
<family> "UNKNOWN"</family>
<wd_name>"UNKNOWN"</wd_name>
</DEFAULT>
</model>
</drives>
Save and close the file.
Remove write permissions so that no one accidentally modifies this file:
chmod u-w /etc/pendsect/drives.xml
Run the following command and check /var/log/messages to verify no errors are seen:
/etc/cron.daily/pendsect
1050153 : Unknown browscap value sent by the client.
Links to More Info: BT1050153
Component: Access Policy Manager
Symptoms:
APM logs 'Unknown browscap' messages:
Unknown browscap value 'x86_64' sent by the client.
Unknown browscap value 'MacOS' sent by the client.
Conditions:
-- An access policy implements different actions for different platforms
-- Certain APM clients connect
Impact:
'Unknown browscap' messages are logged and certain clients are not classified as expected.
1050089-5 : TMM crash in certain cases
Component: Application Security Manager
Symptoms:
TMM crash in certain cases
Conditions:
Bot defense profile is used in TMM
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1049085-3 : Booting into a newly installed hotfix volume may stall on RAID-capable platforms★
Links to More Info: BT1049085
Component: TMOS
Symptoms:
Upon booting into a RAID volume containing a newly installed instance of BIG-IP system software which is an Engineering Hotfix, the following messages may appear, after which the boot process stalls:
[...]
[ 11.705219] dracut-initqueue[324]: mdadm: Duplicate MD device names in conf file were found.
[ 133.844644] dracut-initqueue[324]: Warning: dracut-initqueue timeout - starting timeout scripts
[ 133.932885] dracut-initqueue[324]: mdadm: Devices UUID-012345678:9abcdef0:12345678:9abcdef0 and UUID-abcdef01:23456789:abcdef01:23456789 have the same name: /dev/md4
[...]
[ *** ] A start job is running for dev-disk...
Conditions:
1) a hardware platform is configured to use RAID for redundancy
2) duplicate RAID array declarations are introduced into /etc/mdadm.conf
3) a hotfix installation is performed to one of the RAID volumes
Impact:
Impossible to boot into the volume of the new installation, it is necessary to physically reboot the device and revert to a previously working volume to rectify the problem.
Workaround:
Instead of installing the hotfix directly, first install the plain base version on which the hotfix is based and boot into it - this will resolve the problem with the duplicate entries in /etc/mdadm.conf.
Then install the hotfix as normal.
1048989-2 : Slight correction of button titles in the Data Guard Protection Enforcement
Links to More Info: BT1048989
Component: Application Security Manager
Symptoms:
A button title read as "Ignored URLs / Enforced URLs" instead of "Ignore URLs / Enforce URLs".
Conditions:
1. On the Security > Application Security > Security Policies > Policies List > <selected_policy> screen, click the Data Guard tab.
2. Look on the Data Guard Protection Enforcement (Wildcards Supported) button fields. The button title should appear as Ignore/Enforce URLs.
Impact:
The title of the button is misleading.
Workaround:
None
1048617-3 : Nice level BigDB paramter is not applied for BD
Component: Application Security Manager
Symptoms:
Nice level BigDB parameter is not applied for BD when BIG-IP is using split-planes
Conditions:
BIG-IP supports split-planes and nice level DB variable is set to non-zero.
Impact:
BD niceness level does not change.
Workaround:
None
1046261-1 : Asynchronous REST task IDs do not persist across process restarts
Links to More Info: BT1046261
Component: TMOS
Symptoms:
If an asynchronous task is started via REST and the iControl REST process(es) restart, the task ID is lost and queries regarding its state will result in "Task not found" responses.
Conditions:
-- Starting an asynchronous process via REST.
-- The iControl REST process(es) restart.
Impact:
Unable to get the status of an asynchronous task. If you are using iControl REST to load a UCS, you will be unable to determine the status of the UCS load.
1045277-4 : The /var partition may become 100% full requiring manual intervention to clear space
Links to More Info: BT1045277
Component: TMOS
Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.
Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.
Conditions:
Process traffic while DoS Dashboard is open
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.
Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.
Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.
Run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.
1045065-3 : Enable traffic group modification in source-translation object
Links to More Info: BT1045065
Component: Advanced Firewall Manager
Symptoms:
You are unable to modify the traffic group in an address translation policy using tmsh.
Conditions:
This is encountered if you wish to use tmsh to change the traffic group.
Impact:
Traffic group can be modified in NAT source translation object using tmsh.
Workaround:
None
1044873-1 : Deleted GTM link is not removed from virtual server object and causes load failure.
Links to More Info: BT1044873
Component: Global Traffic Manager (DNS)
Symptoms:
The configuration fails to load with an error:
01070712:3: Values (/Common/Link_to_delete) specified for Virtual Server (/Common/vs1 /Common/HTTPP): foreign key index (explicit_link_FK) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.
Conditions:
-- Create GTM link
-- Assign specific link to any virtual server object
-- Delete link object
-- Run tmsh load sys config gtm-only (or create a sync group and the sync will fail)
Impact:
GTM config fails to load or config sync.
Workaround:
Remove any assigned virtual servers from the link prior to deleting it.
1044281-1 : In some cases, cpcfg does not trigger selinux relabel, leaving files unlabeled
Links to More Info: BT1044281
Component: TMOS
Symptoms:
Under certain circumstances, if a configuration is copied to a boot location that has has already been booted into, files restored by the UCS archive remain unlabeled. After booting to the target volume, the BIG-IP will not function and will have the status "INOPERATIVE".
Conditions:
-- APM is provisioned.
-- Performing a cpcfg copy to another volume.
Impact:
-- APM localdbmgr restarts, and fails to restore configuration from UCS archive
-- Spurious system permissions failures as a result of SELinux
Workaround:
After booting into the affected boot location, force an SELinux relabeling:
# touch /.autorelabel && reboot
1044021-2 : Searching for IPv4 strings in statistics module does not work.
Links to More Info: BT1044021
Component: TMOS
Symptoms:
In Statistics :: Module statistics : Local Traffic : Pools, in "Display Options", if you choose "Statistics Type" as "Pools" and search for some IPv4 ip with partial words, the search will not return expected results.
Conditions:
Searching for an IPv4 address in the "Statistics" module.
Impact:
It is not possible to filter for IPv4 addresses.
Workaround:
None
1043985-1 : After editing an iRule, the execution order might change.
Links to More Info: BT1043985
Component: Local Traffic Manager
Symptoms:
After modification, the iRule execution order may change for events with the same priority.
Conditions:
Virtual server has an iRule that contains multiple events with the same priority.
Impact:
Unexpected behavior can cause virtual server malfunction.
Workaround:
Add desired priorities for iRules that contain the same event.
For example: when <event_name> priority nnn
1043141-1 : Misleading error 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP
Links to More Info: BT1043141
Component: TMOS
Symptoms:
Loading a UCS file from another BIG-IP results in an error message similar to:
"/usr/bin/tmsh -n -g -a load sys config partitions all platform-migrate" - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
The error message is misleading as the issue is unrelated to master key decryption.
Conditions:
-- Loading a UCS archive from a different BIG-IP.
-- The UCS archive does not contain a ".unitkey" file.
-- The target system does have the correct master key value configured.
-- There is some other MCPD validation issue in the configuration.
Impact:
Platform migration fails with a misleading error message.
Workaround:
Once the issue has happened, you can either:
- Examine the LTM log file for other error messages from MCPD and then correct the configuration issue(s).
OR:
- Re-start MCPD.
For more information, refer K36822000.
1041989-4 : APM Portal Access does not add automatically the / after the URL encoded (after the '$$'), Redirect breaks
Links to More Info: BT1041989
Component: Access Policy Manager
Symptoms:
If the Location header does not end with '/' in direct case, the rewritten URL misses the forward slash character '/'.
APM does not add automatically the / after the URL encoded(after $$)?
e.g https://website Is rewritten as https://apm/f5-w-<hex encoded scheme,host,port>$$ instead of https://apm/f5-w-<hex encoded scheme,host,port>$$/.
If the caption URI is https://website without / at the end, APM will rewrite it as https://apm/f5-w-<hex encoded scheme,host,port>$$/
Conditions:
-- APM Portal Access
-- Redirect response Location header does not end with '/' - after the {scheme://host:port}
Impact:
Missing / after redirection - Page does not load
Workaround:
Add '/' through iRule in redirect response header.
1041889-2 : RRSIG missing for CNAME with RDATA in different zone
Links to More Info: BT1041889
Component: Global Traffic Manager (DNS)
Symptoms:
RRSIG missing for CNAME.
Conditions:
-- CNAME record with RDATA in different zone.
-- One zone dynamically signed.
-- The other zone in local BIND (ZoneRunner) with static DNSSEC records.
Impact:
DNSSEC validation failure.
1041657-1 : PEM and Analytics tabs are displayed when accessing DoH Proxy/Server profiles.
Links to More Info: BT1041657
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP GUI displays the PEM and Analytics tabs for DNS over HTTPS (DoH) Proxy/Server profiles. These tabs should not be present.
Conditions:
This occurs when viewing the DoH proxy or server profile. A PEM and analytics tab is visible when it should not be.
Impact:
Wrong display of PEM and Analytics profile tabs in the GUI.
Workaround:
None.
1041625-5 : Virtual server flapping when the active and standby devices have different configuration.
Links to More Info: BT1041625
Component: Global Traffic Manager (DNS)
Symptoms:
The virtual server status flaps.
Conditions:
1. Virtual server auto discovery enabled.
2. Configured GTM server is configured for high availability (HA).
3. The active and standby devices have different IP addresses for the same virtual server.
Impact:
The virtual server status flaps and traffic might be interrupted.
Workaround:
Make the active and standby devices have the same configuration.
1041317-1 : MCPD delay in processing a query_all message if the update_status bit is set
Links to More Info: BT1041317
Component: TMOS
Symptoms:
When there are a significant number of virtual servers or pools, mcpd can take a several seconds to respond to query_all messages, if the update_status is set to 1 in the message.
Conditions:
Update_status is set to 1 in the message. This could occur, for example, with the following snmp command
snmpget -v2c -c public localhost ltmVsStatusNumber.0
Impact:
While mcpd is busy updating the status for each virtual server or pool, mcpd will not able to to respond to any messages. Control plane operations might timeout.
1041113 : BIG-IP Admin role credentials are not usable for getting device discovered by BIG-IQ
Links to More Info: BT1041113
Component: Device Management
Symptoms:
BIG-IQ is unable to discover BIG-IP with admin role user (not default admin user).
Conditions:
The admin of BIG-IQ is attempting to add a BIG-IP using its an account with admin role (that is not the default admin account).
Impact:
BIG-IQ fails to discover BIG-IP.
Workaround:
Restart the restjavad process on BIG-IP and reattempt device discovery from BIG-IQ.
1040957-1 : The ipother profile can be used with incompatible profiles in a virtual server
Links to More Info: BT1040957
Component: Local Traffic Manager
Symptoms:
The BIG-IP system does not prevent the ipother profile from being used with incompatible profiles in a virtual server.
-- Log messages such as the following in the LTM log file:
err tmm[28670]: 01010008:3: Proxy initialization failed for /Common/example_vs. Defaulting to DENY.
err tmm[28670]: 01010008:3: Listener config update failed for /Common/example_vs: ERR:ERR_ARG
-- Log messages such as the following in TMM's log file:
notice hudchain contains precluded clientside filter: IPOTHER
Conditions:
Creating or modifying a virtual server to use the ipother profile with an incompatible profile.
Impact:
Invalid configuration. TMM traffic passing does not behave the way virtual server configuration dictates it should.
Workaround:
Remove the incompatible profile(s) from the virtual server.
1040477-1 : Drop-Down menu shows white blank items in Reporting : DoS : URL Latencies
Links to More Info: BT1040477
Component: Application Visibility and Reporting
Symptoms:
Drop-Down menu shows white blank items in Reporting : DoS : URL Latencies
Conditions:
- 15.1.2.1 or subsequent v15 releases
- Using Chrome on Windows
Impact:
The drop-down menu is not usable.
Workaround:
None.
1040465-3 : Incorrect SNAT pool is selected
Links to More Info: BT1040465
Component: Local Traffic Manager
Symptoms:
An incorrect SNAT pool is selected when an SSL Forward Proxy is configured and BYPASS is enabled along with an iRule to choose the SNAT pool.
Conditions:
-- Virtual Server has SSL Forward Proxy Deployment with BYPASS enabled
-- iRule configured to decide the SNAT pool members
-- Virtual Server passes the traffic
Impact:
Traffic diverted to incorrect SNAT pool when BYPASS happens.
1040277-4 : Syslog-ng issue may cause logging to stop and possible reboot of a system
Links to More Info: BT1040277
Component: TMOS
Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to logging, even locally, via syslog-ng to stop. CPU use of syslog-ng may increase.
For software version 13.1 only it may lead to BIG-IP unexpectedly rebooting due to host watchdog timeout, typically within hours to day or two after syslog-ng gets hung up.
The cessation of logging happens at the time of the last 'Syslog connection broken' in /var/log/messages before reboot.
That message will appear without a preceding 'Syslog connection established' just before it with same timestamp.
At this time syslog-ng typically spins, using near 100% CPU.
Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.
A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to stream of log messages by breaking connection eg by sending ICMP port unreachable to BIG-IP.
Syslog-ng will note the connection attempt and that it has broken usually in the same second, and do so every 60s when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
The final log will of a broken connection only, usually one minute after the last established/broken pair in the very rare event that syslog-ng hangs.
Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.
Even if it doesn't reboot the loss of logging functionality can cause some daemons to block while logging and thus interrupt service.
Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable. If a remote server is not reachable remove it from the BIG-IP syslog configuration.
If the system has encountered this issue it's important that syslog-ng is restarted if that (or equivalent such as reboot) hasn't already occurred, to resume its normal service and reduce risk of further issues.
bigstart restart syslog-ng
1040153-1 : Topology region returns narrowest scope netmask without matching
Links to More Info: BT1040153
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP returns malformed packets or the narrowest scope not matching the request.
Conditions:
Mixed sub networks with different mask length.
Impact:
Malformed packets.
Workaround:
Do not put mixed subnets in one region.
1040045-3 : Unable to delete trunk member on a VCMP guest
Links to More Info: BT1040045
Component: Local Traffic Manager
Symptoms:
After deleting a trunk member on a VCMP hypervisor, the change may not propagate to the guest.
Conditions:
-- VCMP guest
-- A trunk member that is UP
-- The trunk member is deleted on the hypervisor
Impact:
The guest does not have the current trunk information
Workaround:
Down the interface on the VCMP hypervisor before removing it (tmos)# modify net interface 2/3.1 disabled
(tmos)# modify net trunk trunk_1 interfaces del { 2/3.1 }
1039609-1 : Unable to poll Dynamic routing protocols SNMP OID's on non-default route domain
Links to More Info: BT1039609
Component: TMOS
Symptoms:
You are either:
- unable to extract the dynamic routing protocols configuration information via an SNMP walk or
- dynamic routing protocols configuration information retrieved by SNMP walk belongs instead to the default route-domain
Conditions:
Example taken below is for BGP:
-- Create BGP config in non-default route-domain, establish peer with some router.
-- Create snmp community in non-default route domain
-- Run snmp walk for BGP4 mib (1.3.6.1.2.1.15).
Certain key MIB OIDs from the BGP configuration like bgpPeerRemoteAddr,bgp4PathAttrIpAddrPrefixLen are missing.
Impact:
Dynamic routing protocols SNMP OID polling not working when they are in a non-default route-domain.
1039361-1 : [GraphQL] In case of more than one malformed violation, the first is reported multiple times
Links to More Info: BT1039361
Component: Application Security Manager
Symptoms:
In a scenario where the incoming GraphQL request has more than one malformed violation, the details of the reported malformed violations will include the first reported string only.
Conditions:
GraphQL request has more than one malformed violation.
Impact:
Missing information from Request Log.
1039349-1 : HTTP statistics not updated
Links to More Info: BT1039349
Component: Local Traffic Manager
Symptoms:
HTTP redirect stats are not incremented when a redirect occurs.
Conditions:
The virtual server to which the client will be connecting is configured with "fallback" setting on http profile and pool member is intentionally disabled to get the traffic redirect to another virtual.
Impact:
HTTP statistics are not updated
1039145-1 : Tenant mirroring channel disconnects with peer and never reconnects after failover.
Links to More Info: BT1039145
Component: Local Traffic Manager
Symptoms:
`tmctl -d blade ha_stat` shows missing mirroring connections.
Conditions:
This occurs with high availability (HA) pair. This is a VELOS hardware-specific issue.
Impact:
High availability (HA) mirroring does not function correctly.
Workaround:
N/A
1038117-2 : TMM SIGSEGV with BDoS attack signature
Links to More Info: BT1038117
Component: Advanced Firewall Manager
Symptoms:
TMM core dumped with segmentation fault showing the below stack. Sometimes the crash stack might be different possibly due to memory corruption caused by the stale BDoS entries in sPVA temp table.
#0 0x00007fbb0f05fa01 in __pthread_kill (threadid=?, signo=signo@entry=11) at ../nptl/sysdeps/unix/sysv/linux/pthread_kill.c:61
#1 0x0000000001587e86 in signal_handler (signum=11, info=0x400a254018f0, ctx=0x400a254017c0) at ../kern/sys.c:3837
#2 <signal handler called>
#3 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:164
#4 0x000000000156319b in spva_search_temp_table (p_arg=<synthetic pointer>, spva=0x400a25401e70) at ../base/tmm_spva.c:1827
#5 spva_dyentries_ack_nack_response (status=SPVA_STATUS_SUCCESS, spva=0x400a25401e70) at ../base/tmm_spva.c:1872
#6 spva_read (status=SPVA_STATUS_SUCCESS, spva=...) at ../base/tmm_spva.c:1560
Conditions:
BDoS enabled. The Dynamic BDoS signature created, attack detected, and signature is offloaded to hardware.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable BDoS.
1037645-4 : TMM may crash under memory pressure when using iRule 'AES::key' command
Links to More Info: BT1037645
Component: Local Traffic Manager
Symptoms:
TMM crashes and generates core file.
Conditions:
-- TMM is under memory pressure
-- iRule using 'AES::key' command
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1037617-1 : Switching between bare-metal and vCMP modes can leave HSM with poorly deployed accelerator engine counts
Links to More Info: BT1037617
Component: Performance
Symptoms:
FIPS performance does not reach 10k TPS.
Conditions:
-- i15820 platform with FIPS configured
Impact:
Lower than expected performance, but the system otherwise functions normally.
Workaround:
While vCMP is provisioned, resize the PARTITION_1 partition using:
# fipsutil ptnresize
And when prompted as in the following:
"Enter max accel devs (1-63)"
Enter 63.
1037257-2 : SSL::verify_result showing wrong output for revoked cert during Dynamic CRL check
Links to More Info: BT1037257
Component: Local Traffic Manager
Symptoms:
In logs the result of Dynamic CRL validation using SSL::verify_result is appearing as 0, which is not correct.
Conditions:
1. Use Dynamic CRL
2. Use a REVOKED certificate
Impact:
Incorrect information that certification validation is successful for a revoked certificate is logged.
Workaround:
Static CRL method of certificate validation can be used.
1037153-1 : iRule "log" command to remote destinations may cause TMM to leak memory
Links to More Info: BT1037153
Component: Local Traffic Manager
Symptoms:
TMM leaks memory in the errdefs component.
TMM may leak memory in the xdata and xhead components if the system does not have routes to the specified syslog servers.
Conditions:
-- iRule that uses "log" to target a remote destination, e.g.: "log 192.0.2.1 'log message'"
Impact:
TMM leaks memory.
Eventually, TMM may disrupt legitimate connections as a result of memory pressure, or even crash and restart.
Workaround:
One of the following:
1. Log to local syslog, and configure syslog-ng to log to remote servers.
2. Use High-Speed Logging (https://clouddocs.f5.com/api/irules/HSL.html), instead of the "log" command.
1036969-1 : Chrome sometimes ignores cross-site bot-defense cookies
Links to More Info: BT1036969
Component: Application Security Manager
Symptoms:
Chrome ignores cross-site bot-defense cookies when bot-defense is sending 307 redirect.
Conditions:
A site is using another site/domain resources that are also protected by bot-defense
Impact:
The other site/domain resource will not display correctly on Chrome
Workaround:
iRule work-around based on:https://devcentral.f5.com/s/articles/iRule-to-set-SameSite-for-compatible-clients-and-remove-it-for-incompatible-clients-LTM-ASM-APM.
Or, disabling simple redicret via TMSH:
tmsh modify sys db dosl7.proactive_defense_simple_redirect { value "disable" }
tmsh modify sys db dosl7.proactive_defense_simple_redirect_on_grace { value "disable" }
1036613-3 : Client flow might not get offloaded to PVA in embryonic state
Links to More Info: BT1036613
Component: TMOS
Symptoms:
The client flow is not offloaded in embryonic state, but only is only offloaded once the flow transitions to an established state.
Conditions:
-- FastL4 profile configured to offload TCP connections in embryonic state (this is the default)
-- Clientside and serverside ingress traffic is handled by different TMMs
-- Running on a platform with multiple HSB modules per TMM, i.e.:
--+ BIG-IP i11600 Series
--+ BIG-IP i15600 Series
Impact:
- minor performance degradation;
- PVA traffic counters show unexpectedly high values;
1036557-1 : Monitor information not seen in GUI
Links to More Info: BT1036557
Component: TMOS
Symptoms:
GUI displays "An error has occurred while trying to process your request" when deleting/creating a monitor with the same name under the same transaction.
Conditions:
(a) Create a TCP monitor, then in a single transaction delete the TCP monitor + create an HTTP monitor with same name as the TCP monitor. Example below:
# tmsh create ltm monitor tcp <Name of the monitor>
# echo 'create cli transaction; delete ltm monitor tcp <Name of the monitor> ; create ltm monitor http <Name of the monitor>; submit cli transaction' | tmsh
# tmsh save sys config
This could also occur when reconfiguring an iApp, or changing a configuration via AS3.
(b) Login to the GUI and click on the monitor (GUI > Local Traffic > Monitors > (Monitor created)) you'll see "An error has occurred while trying to process your request"
Impact:
Unable to view monitor parameters in GUI.
Workaround:
Any one of the following workarounds help:
- do not use the same monitor name
- do not perform the delete+create actions on a single transaction
- save and load the configuration:
tmsh save sys config && tmsh load sys config
1036541-4 : Inherited-traffic-group setting of floating IP does not sync on incremental sync
Links to More Info: BT1036541
Component: TMOS
Symptoms:
When a floating IP object is created, and its inherited-traffic-group property is set, this property does not sync to other devices.
Conditions:
This is relevant for any setup with multiple devices in a sync/failover device group.
Impact:
This will impact incremental syncing to other peers in the device group.
Workaround:
Do a full config sync if possible.
1036461-4 : icrd_child may core with high numbers of open file descriptors.
Links to More Info: K81113851, BT1036461
Component: TMOS
Symptoms:
During the config save operation of an iControl REST command or from an AS3 declaration, icrd_child dumps a core.
You may see a 500 error when sending the AS3 declaration:
"Failed to send declaration: /declare failed with status of 500, failed to save BIG-IP config"
Log message similar to the following precedes the core dump message in /var/log/user.log or /var/log/messages:
err icrd_child[24697]: *** buffer overflow detected ***: icrd_child terminated
Conditions:
Device configuration with large number of tenants/partitions is saved through any of the following:
- iControl REST API /mgmt/tm/sys/config
- AS3 declaration with persist property set to true (default)
Impact:
- REST API usage for BIG-IP configuration will be impacted.
- Files in /var/tmp/.config.tmp/ accumulate.
Workaround:
If saving a config through iControl REST API, use the
/mgmt/tm/util/bash endpoint to post the command:
{
"command": "run",
"utilCmdArgs": "-c 'tmsh save sys config'"
}
If posting an AS3 declaration, set persist=false in the AS3 declaration. Once the AS3 has completed the changes, use the bash endpoint described above to ensure the config will persist.
1036265-4 : Overlapping summary routes might not be advertised after ospf process restart.
Links to More Info: BT1036265
Component: TMOS
Symptoms:
Overlapping summary routes might not be advertised after ospf process restarts.
Conditions:
Add an overlapping /32 entry for a summary route and restart ospf process.
Impact:
Summary routes are not advertised.
1036097-4 : VLAN failsafe does not trigger on guest
Links to More Info: BT1036097
Component: TMOS
Symptoms:
VCMP guest VLAN failsafe does not trigger as expected.
Conditions:
-- VCMP host configured
-- VLAN failsafe enabled on a VLAN
-- One or more VCMP guests enabled that use that VLAN.
-- A trunk member of a trunk connected to the vCMP guest is flapping.
Impact:
Since the neighbor messages for the IPv6 link-local addresses continue to be successfully passed from host to guest upon a trunk member change, VLAN failsafe does not trigger even if the upstream switch goes down that's connected to the VLAN.
Workaround:
None
1036093-4 : Tmm sends out neighbor advertisements for the link local addresses even if IPv6 is disabled
Links to More Info: BT1036093
Component: Local Traffic Manager
Symptoms:
When a trunk member state changes and IPv6 is disabled, BIG-IP still sends neighbor advertisements for the link-local addresses on each VLAN
Conditions:
- IPv6 is disabled (ipv6.enabled=false)
- change in a trunk member state occurs
Impact:
Link-local addresses are still in the vaddr hash even after ipv6 is disabled.
1036013-3 : BIG-IP systems may terminate connections prematurely when a TLS close-notify alert is received
Links to More Info: BT1036013
Component: Local Traffic Manager
Symptoms:
When a backend server sends a TLS close-notify alert, BIG-IP may terminate the connection prematurely without forwarding the HTTP response.
Conditions:
ServerSSL receives a TLS Close-notify alert after a TLSv1.3 session is established.
Impact:
Server responses may be dropped.
Workaround:
Use TLSv1.2.
1035757-4 : iRulesLX restart leaves stale files in /var/tmstat/blade/tmplugin_ilx_*
Links to More Info: BT1035757
Component: Local Traffic Manager
Symptoms:
After restarting the ilx plugin, new tmplugin_ilx_rpc_* stat files are being created, but old files are not being deleted.
Over time this may result in the /var/tmstat filesystem being filled and F5 daemons not being able to run correctly and this will affect service.
Conditions:
- ilx configured
- ilx plugin restarted
Impact:
The presence of too many of these leftover files might prevent merged from rolling up stats and providing graphs and cause such errors:
err merged[8523]: 011b0900:3: TMSTAT error tmstat_remerge: Cannot allocate memory.
Over time (several days at least) this may result in the /var/tmstat filesystem being filled and F5 daemons not being able to run correctly and this will affect service.
When the filesystem is full there will be errors similar to this in ltm log:
err diskmonitor[12970]: 011d0004:3: Disk partition /var/tmstat has only 0% free
Workaround:
Delete stale tmplugin_ilx_* files manually
1035741-1 : Wrong default value for lacp-port-priority.
Links to More Info: BT1035741
Component: Local Traffic Manager
Symptoms:
Wrong default value set for lacp-port-priority and also in description of tmsh help interface
Conditions:
Run the following commands to see wrong default value for lacp-port-priority:
--tmsh help interface
-- tmsh list net interface <interface number> lacp-port-priority
Impact:
Confusion with wrong default value seen.
Workaround:
N/A
1035017-6 : Remove unused CA-bundles
Component: TMOS
Symptoms:
Some of the certificate bundles shipped on BIG-IP devices are not used and aren't updated. In particular, there are legacy bundles which aren't needed.
Conditions:
This affects certain internal certificate bundles on the BIG-IP file system:
Impact:
There is a chance that there might be failures when "internal certificates" expires.
Workaround:
None
1034953-3 : In explicit proxy, HTTP_STATCODE missing from syslog
Links to More Info: BT1034953
Component: Local Traffic Manager
Symptoms:
HTTP_STATCODE missing from logs captured using request logging profile when HTTP request is made to explicit proxy virtual server.
Conditions:
- Configure explicit proxy virtual server
- Apply request logging on the same virtual server
- Send HTTP request to connect to a Host via the explicit virtual server
Impact:
HTTP_STATCODE not found in the logs captured from request logging
1034865-1 : CACHE::enable failed on private/no-store content
Links to More Info: BT1034865
Component: Local Traffic Manager
Symptoms:
BIG-IP provides a possibility to cache HTTP responses with RAMCACHE feature. When a response has either "Cache-Control: private" or "Cache-Control: no-store", the CACHE::enable setting allows the content to be cached. This option was removed when a fix to ID 360047 was introduced.
Conditions:
-- A virtual server has a web-acceleration profile without a policy.
-- An iRule has CACHE::enable command, overwriting Cache-Control header's values "no-store" and/or "private".
Impact:
BIG-IP always requests for a response from the origin web server even when a response is cacheable, putting extra load on the origin web server.
1034509-6 : Sensor read errors on VIPRION C2200 chassis
Links to More Info: BT1034509
Component: TMOS
Symptoms:
Due to LOP sensor read errors, the command 'tmsh show sys hardware' can list an RPM of 0 for some chassis fans.
Conditions:
- Running a C2200 VIPRION chassis
- Other conditions unknown
Impact:
Messages such as the following appear in /var/log/ltm:
warning chmand[7629]: 012a0004:4: hal_if_media_poll: media SVC exception: media: getLopReg error
err chmand[7629]: 012a0003:3: getSensorData: sensor read fault for Chassis fan 1, LOP return code -1 : File sensor/LopSensSvc.cpp Line 2315
err chmand[7629]: 012a0003:3: getSensorData: sensor read fault for Chassis fan 2, LOP return code -1 : File sensor/LopSensSvc.cpp Line 2315
err chmand[7629]: 012a0003:3: getSensorData: sensor read fault for Chassis fan 3, LOP return code -1 : File sensor/LopSensSvc.cpp Line 2315
err chmand[7629]: 012a0003:3: getSensorData: sensor read fault for Chassis fan 4, LOP return code -1 : File sensor/LopSensSvc.cpp Line 2315
warning chmand[7629]: 012a0004:4: getLopReg Sock error: send to lopd failed [lopd addr:/var/run/lopdsvr] [client addr:/var/run/hwctl.hal.sock] (errno:2) No such file or directory
warning chmand[7629]: 012a0004:4: GET_STAT failure (status=0xc) page=0x21 reg=0x50
err chmand[7629]: 012a0003:3: getSensorData: sensor read fault for Chassis 3.3V main voltage, LOP return code -1 : File sensor/LopSensSvc.cpp Line 2315
notice chmand[7629]: 012a0005:5: Tmstat::updateSensorTbls: HAL SenSvc error: send to lopd failed [lopd addr:/var/run/lopdsvr] [client addr:/var/run/hwctl.hal.sock] (errno:2) No such file or directory
warning chmand[7629]: 012a0004:4: getChassisPwrSup err: send to lopd failed [lopd addr:/var/run/lopdsvr] [client addr:/var/run/hwctl.hal.sock] (errno:2) No such file or directory
warning chmand[7629]: 012a0004:4: getChassisPwrSup err: send to lopd failed [lopd addr:/var/run/lopdsvr] [client addr:/var/run/hwctl.hal.sock] (errno:2) No such file or directory
Tmsh show sys hardware will list an RPM of 0 for chassis fans affected by the sensor read errors
Workaround:
No workaround currently known.
1034009-4 : CGNAT+Subscriber Discovery - NAT IP with wrong route domain on the CGNAT Log
Links to More Info: BT1034009
Component: Carrier-Grade NAT
Symptoms:
The route domain ID for the translated IP is incorrect in the log message.
Conditions:
This issue will be seen when the different route domain are configured for incoming and outgoing traffic.
Impact:
Log messages will have an incorrect domain-id.
Workaround:
None
1033969-4 : MPLS label stripping needs next protocol indicator
Links to More Info: BT1033969
Component: TMOS
Symptoms:
MPLS label stripping does not participate in the MPLS control-plane, and MPLS does not have a next protocol indicator.
Conditions:
This is encountered when attempting to pass IPv6 packets to GRE-encapsulated MPLS on BIG-IP systems.
Impact:
GRE/MPLS packets with IPv6 traffic encapsulated are not forwarded to the egress VLAN.
Workaround:
None
1033937-1 : HTTP message router stats do not increment for virtual servers and pools
Links to More Info: BT1033937
Component: Local Traffic Manager
Symptoms:
The HTTP MR stats for virtual servers and pools do not increment
Conditions:
- BIG-IP system with HTTP using httprouter and passing traffic.
- View the MRF stats
Impact:
Virtual server and pool stats do not increment.
1033689-1 : BGP route map community value cannot be set to the required range when using AA::NN notation
Links to More Info: BT1033689
Component: TMOS
Symptoms:
The community value for BGP route map entries should allow values of 1-65535 for both components, but it is not allowing 65535 for either component when using AA::NN notation.
Conditions:
-- Using BGP route map community values.
-- Attempting to set one or both components to 65535 with
using AA::NN notation
Impact:
Unable to use the full range of BGP route map community values.
Workaround:
None
1033333-4 : FIPS: importing a stub SSL key file results in 2 keys that share the same FIPS device
Component: TMOS
Symptoms:
The 'tmsh list sys crypto key' command lists multiple keys with the same FIPS ID.
Conditions:
-- BIG-IP using a FIPS HSM
-- Import the stub FIPS key file contents (the filestore certificate_key file object) into the system as a new file object.
Impact:
Two object points to same key stored in the FIPS HSM. If one of the two objects are deleted, the key stored in the HSM will be deleted. This will result in traffic failures, i.e. TLS handshake failures.
Workaround:
Do not create a second MCP SSL key object by importing the stub key file content from the filestore.
1033025-4 : TMM might crash when unsupported bot iRule is used
Links to More Info: BT1033025
Component: Application Security Manager
Symptoms:
TMM crashes.
Conditions:
Bot defense iRule with async commands is attached to virtual server, for example:
when BOTDEFENSE_ACTION
{
after 7000 {
if { ([BOTDEFENSE::device_id] eq "0") }
{
log local0. "Violations Names: [BOTDEFENSE::device_id];"
BOTDEFENSE::action browser_challenge
}
}
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1033021-2 : UI: Partition does not work when clicking through security zones
Links to More Info: BT1033021
Component: Advanced Firewall Manager
Symptoms:
1. Zones UI is not refreshed when the partition changes
2. You are unable to administer zones while using partitions
Conditions:
Change the partition in GUI, then view the corresponding mapped zones.
Impact:
All zones are displayed for every partition instead of just the mapped zones
Workaround:
None
1032921-4 : VCMP Guest CPU usage shows abnormal values at the Host
Links to More Info: BT1032921
Component: TMOS
Symptoms:
CPU usage is represented as 100% for each CPU core, so for instance top may report CPU usage above 100%
for a two CPU system, given that in that case 200% would actually represent the full CPU capacity.
Here for vCMP with 'n' CPUs reporting more than n*100% for CPU utilization.
Conditions:
VCMP provisioned on BIG-IP
Impact:
CPU utilization is incorrectly shown.
Workaround:
NA
1032257-1 : Forwarded PVA offload requests fail on platforms with multiple PDE/TMM
Links to More Info: BT1032257
Component: TMOS
Symptoms:
Forwarded PVA requests use a static bigip_connection that does not have its pva_pde_info initialized, which results in offload failure on platforms that have multiple PDEs per TMM.
Conditions:
Pva_pde_info is not initialized and Forwarded PVA requests occur.
Impact:
Hardware offload does not occur.
1032001-2 : Statemirror address can be configured on management network or clusterd restarting
Links to More Info: BT1032001
Component: TMOS
Symptoms:
- Able to create statemirror address on the same network as management or cluster network.
- Validation issues when attempting to remove a management address.
- Clusterd process restarts constantly.
Conditions:
- Management/cluster address set up with IPv6 and statemirror address is configured with IPv4.
Impact:
- Unable to make configuration changes to the management or cluster address until the statemirror address is removed.
- Clusterd process restarts constantly causing the blade or cluster to report as offline.
1031945-4 : DNS cache configured and TMM is unresponsive in 'not ready' state indefinitely after TMM restart or reboot★
Links to More Info: BT1031945
Component: Global Traffic Manager (DNS)
Symptoms:
Clusterd reports "TMM not ready" right after "Active"
Following is an example:
Jun 23 18:21:14 slot2 notice sod[12345]: Active
Jun 23 18:21:14 slot2 notice clusterd[12345]:
Blade 2 turned Yellow: TMM not ready
All blades are showing 'unavailable'.
Conditions:
- Multiple DNS cache-resolver and/or net DNS resolver objects configured with names that are similar with only difference in letter case, for example, /Common/example-dns-cache and /Common/Example-DNS-cache
- Issue observed after rebooting or upgrading.
Impact:
The system remains inoperative.
Workaround:
- Remove one of the conflicting DNS cache-resolver and/or net DNS resolver objects.
or
- Rename one of the DNS cache-resolver and/or net DNS resolver objects to a name that does not result in a case-insensitive match to another DNS cache-resolver and/or net DNS resolver object name.
1031909-2 : NAT policies page unusable due to the page load time
Links to More Info: BT1031909
Component: Advanced Firewall Manager
Symptoms:
You cannot work with the NAT polices page because the page takes too long to load.
Conditions:
-- The device has a large number of VLANs and virtual servers
-- The device has a large number of NAT policies and partitions
-- From GUI navigate to the NAT policies page
Impact:
NAT policies page takes a long time to load.
1031461-2 : Session awareness entries aren't mirrored to both sides of an active-active deployment.
Component: Application Security Manager
Symptoms:
Session awareness entries aren't mirrored to both sides of an active-active deployment.
session db entries remain in bd (ASM) daemon until manually removed
Conditions:
- ASM provisioned
- Security policy attached to a virtual server
- Session tracking and Login Page enabled in the policy
Impact:
ASM session tracking feature isn't properly functioning on active-active deployment.
1031117-1 : The mcpd error for virtual server profiles incompatible needs to have more details
Links to More Info: BT1031117
Component: TMOS
Symptoms:
The mcpd error message MCPDERR_VIRTUAL_SERVER_INCOMPAT_PROFILE_PROTO currently has text which does not provide detail information.
-The error text should also list which profile is problematic, and the protocol that the virtual server is using. This will help Support pinpoint the issue much faster.
Conditions:
- Configure a virtual server with a profile that is invalid for its protocol.
Impact:
The error text not listing which profile is problematic, and the protocol that the virtual server is using.
Workaround:
None.
1031025-3 : Nitrox 3 FIPS: Upgrade from v12.1.x to v14.1.x results in new .key.exp files for the FIPS keys created before upgrade.★
Links to More Info: BT1031025
Component: TMOS
Symptoms:
During upgrade from v12.1.x to v14.1.x, New ".key.exp" export file is created for the FIPS keys present in the card.
Conditions:
This happens during the upgrade from v12.1.x to v14.1.x for the existing keys with ".key" extension to it in the label.
It occurs only if the key is deleted/not present in the FIPS card (e.g. a faulty card), and BIG-IP has the configuration / metadata for the missing keys.
Impact:
The upgrade fails while loading the configuration.
Workaround:
Delete the missing key's configuration from config file, then perform the upgrade.
1030237-1 : Zxfrd core and continual restart when out of configured space
Links to More Info: BT1030237
Component: Global Traffic Manager (DNS)
Symptoms:
Zxfrd is in restart loop and occasionally cores.
Conditions:
Zxfrd is out of the configured space.
Impact:
Dns express and rpz does not work properly.
Workaround:
1. locate any zone that is suspiciously large and delete that zone from dns zones if unexpected;
2. Allocate more space for zxfrd using dnsexpress huge pages.
tmsh modify sys db dnsexpress.hugepages { value "8000" }
8000 should be adjusted accordingly.
1030093-1 : An http2 to http2 virtual connection with translate-address disabled might only use one stream on the server side.
Links to More Info: BT1030093
Component: Local Traffic Manager
Symptoms:
When there is no pool object available, this issue results in only stream ID 1 succeeding to the server-side. All subsequent streams fail.
Conditions:
With the following configuration:
-- client side HTTP2
-- server side HTTP2
-- HTTP2 MRF enabled
-- translate-address disabled
Impact:
Connection only works for stream 1. All other streams fail.
Workaround:
If you set "translate-address enabled" on the virtual server, then all streams work fine.
1029373-4 : Firefox 88+ raising Suspicious browser violations with bot defense
Links to More Info: BT1029373
Component: Application Security Manager
Symptoms:
Bot-defense might block legal traffic arriving from Firefox version 88
Conditions:
- ASM provisioned
- bot-defense profile assigned on a virtual server
Impact:
Legal traffic is blocked
Workaround:
Tmsh modify sys db botdefense.suspicious_js_score value 60
1029173-4 : MCPD fails to reply and does not log a valid message if there are problems replicating a transaction to PostgreSQL
Links to More Info: BT1029173
Component: TMOS
Symptoms:
In rare circumstances MCPD fails to reply to a request from TMSH, GUI, or any daemon, for example, SNMPD.
Following is an example error message:
Mar 29 00:03:12 bigip1 err mcpd[15865]: 01070734:3: Configuration error: MCPProcessor::processRequestNow: std::exception
If snmpd is the daemon that is impacted you might see this warning message:
warning snmpd[15561]: 010e0004:4: MCPD query response exceeding 270 seconds
Conditions:
- AFM is provisioned.
- MCPD fails to connect PostgreSQL.
Impact:
TMSH command save sys config might be hung.
SNMPD stops replying to SNMP GET requests.
Workaround:
If there are any hung TMSH commands, then quit.
If SNMPD stops responding to SNMP requests, then use the command bigstart restart snmpd to restart SNMPD.
1029069-2 : Non-ASCII characters are not displayed correctly.
Links to More Info: BT1029069
Component: Local Traffic Manager
Symptoms:
1. Add a new address IP with a value that includes non-ASCII characters in the data group list.
2. Go back to GUI->Local Traffic ›› iRules : Data Group List and click it.
The value field does not display entered values.
After clicking update several times you may encounter an error such as:
01070712:3: MCP call 'mcpmsg_set_string_item(m_msg, CID2TAG(cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message.
Conditions:
Adding non-ASCII characters to the value field in data group lists.
Impact:
Impacts the functioning of the address record. For example, when the datagroup is called by an iRule.
Workaround:
Do not add non-ASCII characters to the value field.
1028493-1 : Live Update genesis file for Server Technologies installation fails
Links to More Info: BT1028493
Component: Application Security Manager
Symptoms:
Installation of the Live Update genesis file (file included in BIG-IP) fails.
Conditions:
Live Update genesis file version is different than the BIG-IP version.
Impact:
"Server Technologies" will not be properly updated
Workaround:
Install latest "Server Technologies" update manually or upload the latest "Server Technologies" file.
1027961-2 : Changes to an admin user's account properties may result in MCPD crash and failover
Links to More Info: BT1027961
Component: TMOS
Symptoms:
-- The mcpd process fails with a segmentation fault and restarts, leaving a core-dump file.
-- Active sessions in the Configuration Utility report "unable to contact BIG-IP device".
-- Various processes may record entries into the "ltm" log saying "Lost connection to mcpd."
Conditions:
-- Changes to properties of administrative user-login accounts are occurring.
-- A user account being changed has a current, active session in the Configuration Utility GUI.
Impact:
The failure and restart of mcpd will trigger a restart of many other processes, including the TMM daemons, thus interrupting network traffic handling. In high availability (HA) configurations, a failover will occur.
Workaround:
Before making changes to the account properties of an administrative user, where the changes affect the role, make certain that all GUI Configuration Utility sessions opened by that user are logged out.
1027481-3 : The log messages 'error: /bin/haloptns unexpected error -- 768' generated on A110 and D112 platforms
Links to More Info: BT1027481
Component: TMOS
Symptoms:
The message 'error: /bin/haloptns unexpected error -- 768' is logged by system commands, including some startup scripts and the software installation process.
Running /bin/haloptns manually displays the following output:
'Expected 32 bit OPTN field, found field "" instead.'
Conditions:
-- One of the following platforms:
- D112 (10350v-F (FIPS) or 10150s-N (NEBS))
- A110 (VIPRION B4340N (NEBS) blades)
-- The system does not use RAID.
Impact:
Excessive "error: /bin/haloptns unexpected error -- 768" error messages in log files, and command output (for example, "cpcfg").
There is no other impact, and the messages can be ignored.
Workaround:
Ignore the error messages.
1027477-3 : Virtual server created with address-list in custom partition non-RD0 does not create listener
Links to More Info: BT1027477
Component: TMOS
Symptoms:
After creating a virtual-server in a partition with a non RD0 route-domain attached, the virtual address listener does not get associated with the virtual server and the virtual address stays offline.
Conditions:
-- An address list (traffic matching criteria) is used when creating the virtual server in the GUI.
-- The virtual server is created with a route domain other than the default route domain.
Impact:
The virtual address remains in an offline state.
Workaround:
None.
1027237-1 : Cannot edit virtual server in GUI after loading config with traffic-matching-criteria
Links to More Info: BT1027237
Component: TMOS
Symptoms:
After creating a virtual server with a traffic-matching-criteria and then loading the configuration, you are unable to make changes to it in the GUI. Attempting to do so results in an error similar to:
0107028f:3: The destination (0.0.0.0) address and mask (::) for virtual server (/Common/test-vs) must be be the same type (IPv4 or IPv6).
Conditions:
-- A virtual server that has traffic-matching-criteria (i.e., address and/or port lists).
-- The configuration has been saved at least once.
-- Attempting to edit the virtual server in the GUI.
Impact:
Unable to use the GUI to edit the virtual server.
Workaround:
Use TMSH to modify the virtual server.
1026989-1 : More specific dynamic or static routes created for application traffic processing can erroneously replace the route to the management subnet.
Links to More Info: BT1026989
Component: TMOS
Symptoms:
When a dynamic or static route is instantiated for application traffic processing, protection exists at configuration-validation time to ensure that the new route does not overwrite how the management port's subnet is accessed.
To do so, the destination of the new route is compared to the management port's subnet. If the two match, the new route is only instantiated in TMM, but not in the Linux host's routing table.
The issue is this logic fails when the new route is a subset of the management port's subnet. For example, if the new route is to destination 10.215.50.0/25, and the management port's subnet is 10.215.50.0/24, the new route will be added to both TMM and the Linux host, bypassing the aforementioned protection.
Instead, the logic should check for overlapping subnets, not just strict equality.
Conditions:
- A dynamic or static route whose destination partially overlaps with the management port's subnet is added to or learnt by the system.
Impact:
A new and more specific route for part of the management port's subnet is added to the Linux host's routing table.
Part of the management port traffic can fail or be misrouted via a TMM interface.
If multiple routes of this kind are instantiated (e.g. 10.215.50.0/25 + 10.215.50.128/25), the whole management port's subnet can be overtaken.
Workaround:
Redesign your network and then reconfigure the BIG-IP system so that TMM does not need access to the management port's subnet or part of it (thus negating the need to create a route to that destination in the first place).
If this is not possible, you can temporarily resolve the issue by using the `route` or `ip` utility on the Linux host subsystem to manually fix the routing table. However, the issue will occur again the next time the problematic route is loaded or learnt by the system.
1026973-1 : Static routes created for application traffic processing can erroneously replace the route to the management subnet.
Links to More Info: BT1026973
Component: TMOS
Symptoms:
If a static route is added via "tmsh create net route" (or equivalent configuration ingestion system), and this route's destination matches the management port's subnet, the protection that prevents the new route from being propagated to the Linux kernel will initially work, but will fail after mcpd is restarted or the system is rebooted.
Conditions:
- A static route whose destination matches the management port's subnet is added to the system.
- The system is rebooted or mcpd is restarted.
Impact:
The directly-connected route for the management port's subnet appearing in the Linux host's routing table is replaced, or complemented, by a new and unnecessary route.
In either case, management port traffic can fail or be misrouted via a TMM interface.
Workaround:
Align your network and the BIG-IP system so that TMM does not need access to the management port's subnet (thus negating the need to create a route to that destination in the first place).
If this is not possible, you can temporarily resolve the issue by using the `route` or `ip` utility on the Linux host subsystem to manually fix the routing table. However, the issue will occur again the next time mcpd or the system restarts.
1026861-3 : Live Update of Browser Challenges and Anti-Fraud are not cleaned up
Links to More Info: BT1026861
Component: TMOS
Symptoms:
When installing live updates of either Browser Challenges (ASM) or Anti-Fraud (FPS), the update file remains in the system, taking up disk space and increasing config sync size.
Conditions:
Installing Live Update files of either Browser Challenges (part of ASM) or Anti-Fraud (part of FPS).
Impact:
Increased disk size, config size, and config-sync size.
Workaround:
It is possible to manually clean up old, unused Live Update files using TMSH or REST:
tmsh delete security datasync update-file datasync-global/<file>
Important: Use caution, as deleting update-files that are in use could cause the system to go offline or get out of sync. The in-use update files can be observed under the GENERATION PROFILES section of the /var/log/datasyncd.log file.
Note: There is no auto-completion on the 'update-file' keyword.
1026813-7 : LCD IP address is missing from /etc/hosts on iSeries
Links to More Info: BT1026813
Component: Global Traffic Manager (DNS)
Symptoms:
On iSeries platforms, /etc/hosts is missing an entry for the LCD IP address, 127.4.2.2.
Conditions:
Run any iSeries appliance.
Impact:
- BIG-IP generates reverse DNS requests for the LCD.
- /var/log/touchscreen_lcd lists the IP address "127.4.2.2" as the hostname
Workaround:
Add an entry for the LCD to /etc/hosts by modifying the 'remote-host' global settings, by running the following tmsh command:
tmsh modify sys global-settings remote-host add { lcd { addr 127.4.2.2 hostname lcd } }
tmsh save sys config
Or, in the BIG-IP GUI, System >> Configuration : Device : Hosts
1026781-3 : Standard HTTP monitor send strings have double CRLF appended
Links to More Info: BT1026781
Component: Local Traffic Manager
Symptoms:
Standard (bigd-based, not In-TMM) HTTP monitors have a double CRLF appended (\r\n\r\n) to the send string. This does not comply with RFC1945 section 5.1 which states requests must terminate with a single CRLF (\r\n). This non-compliant behavior can lead to unexpected results when probing servers.
Conditions:
Standard bigd (not In-TMM) HTTP monitors
Impact:
Servers probed by these non-RFC-compliant HTTP monitors may respond in an unexpected manner, resulting in false negative or false positive monitor results.
Workaround:
There are several workarounds:
1. If running 13.1.0 or later, switch monitoring from bigd-based to In-TMM. In-TMM monitors properly follow RFC1945 and will send only a single CRLF (\r\n)
2. Remain with bigd-based monitoring and configure probed servers to respond to double CRLF (\r\n\r\n) in a desired fashion
Depending on server configuration, a customized send string, even with the double CRLF, may still yield expected responses.
1026621-1 : DNS cache resolver could not connect to remote DNS server with snatpool if multiple routes exist
Links to More Info: BT1026621
Component: Global Traffic Manager (DNS)
Symptoms:
DNS query could not be resolved properly.
Conditions:
1. dnscache.matchwildcardvip is enabled
2. Multiple possible routes to destination DNS server exist. This can be triggered by either using a gateway pool, or using dynamic routing with multiple equal paths available.
Impact:
Unable to use snatpool for cache resolver.
Workaround:
Ensure only a single route to destination exists, or disable dnscache.matchwildcardvip
NOTE: With dnscache.matchwildcardvip disabled, snatpool will not be used.
1026581-4 : NETFLOW/IPFIX observationTimeMilliseconds Information Element value is not populated correctly.
Links to More Info: BT1026581
Component: TMOS
Symptoms:
When logging Carrier Grade NAT Port Port Block Allocation (CGNAT PBA) events using NetFlow/IPFIX log destinations,
if the AFM module is not enabled, the observationTimeMilliseconds Information Element value is incorrectly reported as zero in reported events.
Conditions:
Using CGNAT PBA, logging to a NetFlow/IPFIX log destination, and AFM is not enabled.
Impact:
CGNAT PBA events containing the observationTimeMilliseconds Information Element will report incorrect values for this field.
Workaround:
1) Enable AFM module, or
2) Enable lsn-legacy-mode in the log profile
1026273-4 : HA failover connectivity using the cluster management address does not work on VIPRION platforms★
Links to More Info: BT1026273
Component: TMOS
Symptoms:
Upon upgrade to an affected version, failover communication via the management port does not work. You may still see packets passing back and forth, but the listener on the receiving end is not configured, and therefore the channel is not up.
Here are a few symptoms you may see:
-- Running 'tmsh show cm failover-status' shows a status of 'Error' on the management network.
-- Running 'tmctl' commands reports the disconnected state:
Example:
$ tmctl -l sod_tg_conn_stat -s entry_key,last_msg,status
entry_key last_msg status
----------------------------- ---------- ------
10.76.7.8->10.76.7.9:1026 0 0 <--- Notice there is no 'last message' and 'status' is 0, which means disconnected.
10.76.7.8->17.1.90.2:1026 1623681404 1
-- Looking at 'netstat -pan | grep 1026 command output, you do not see the management port listening on port 1026:
Example (notice that the management IP from the above example of 10.76.7.9 is not listed):
# netstat -pan | grep 1026
udp 0 0 10.10.10.10:1026 0.0.0.0:* 6035/sod
-- Listing /var/run/ contents shows that the chmand.pid file is missing:
# ls /var/run/chmand.pid
ls: cannot access /var/run/chmand.pid: No such file or directory
Conditions:
-- Running on VIPRION platforms
-- Only cluster management IP address is configured: No cluster member IP addresses are configured
-- Install a software version where ID810821 is fixed (see https://cdn.f5.com/product/bugtracker/ID810821.html)
-- Management IP is configured in the failover configuration
Impact:
If only the management is configured for failover or there are communication issues over the self IP (such as misconfigured port lockdown settings), then the devices may appear to have unusual behavior such as both going active.
Workaround:
-- Configure a cluster member IP address on each individual blade in addition to the Cluster management IP address.
1025965-1 : Audit role users cannot see folder properties under sys-folder
Links to More Info: BT1025965
Component: TMOS
Symptoms:
Users with auditor role cannot create, modify, or delete any data, nor can they view SSL keys or user passwords. Users with the Auditor role have access to all partitions on the system, and this partition access cannot be changed.
Conditions:
Run tmsh command to check the access under sys folder
Impact:
Tmsh does not allow sys folder component for auditor.
no-ref-check, traffic-group, device-group
1025513-1 : PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog
Links to More Info: BT1025513
Component: TMOS
Symptoms:
The following JSON content can be seen in the HTTP 401 response. (By looking at the capture or RESTful client)
{"code":401,"message":"Authorization failed: no user authentication header or token detected. Uri:http://localhost:8100/mgmt/tm/ltm/pool/?expandSubcollections=true Referrer:<ip_address> Sender:<ip_address>,"referer":<ip_address>,"restOperationId":12338804,"kind":":resterrorresponse"}
Contention for /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:
PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.
Conditions:
High concurrent authentication attempts may trigger this issue. For example, opening a connection, using basic authentication, performing a query (for example, get node list, get virtual address list, and set pool min active members), and then closing the connection. If done frequently enough, there is an occasional authentication failure.
Impact:
This intermittent auth issue results in the failure of some auth requests.
Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then attempt to rerun auth request.
For automation tools, please use token-based authentication.
1024905-1 : GTM monitor times out if monitoring a virtual server with translation address
Links to More Info: BT1024905
Component: Global Traffic Manager (DNS)
Symptoms:
GTM monitor flaps between UP and DOWN.
Conditions:
1. GTM configured with two type of IP addresses, one IPv4 with translated address and IPv6 without translated address, or the other way around.
2. The monitored resource is with the translated address of the other type. If step 1, IPV4 translated, then step with IPV4 translated address.
Impact:
Monitor flaps.
Workaround:
Configure both with translated address.
1024553-1 : GTM Pool member set to monitor type "none" results in big3d: timed out
Links to More Info: BT1024553
Component: Global Traffic Manager (DNS)
Symptoms:
A pool member is marked down with a 'none' type monitor attached.
Conditions:
-- GTM pool member with a 'none' monitor configured
Impact:
Setting a pool member to have "none" monitor should result in a blue "checking" status but it may mark the pool member as down/unavailable.
Workaround:
NA.
1024421-2 : At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log
Links to More Info: BT1024421
Component: TMOS
Symptoms:
TMM log shows clock advancing and MPI timeout messages:
notice slot1 MPI stream: connection to node aborted for reason: TCP RST from remote system (tcp.c:5201)
notice slot1 tmm[42900]: 01010029:5: Clock advanced by 6320 ticks
Conditions:
-- pva.standby.flush DB key set to 1 (enabled). The default is 0.
-- Processing high traffic volume for some time
Impact:
Upstream switch could receive flow response from both active and standby units and cause a traffic disturbance.
1024301-1 : Missing required logs for "tmsh modify disk directory" command
Links to More Info: BT1024301
Component: TMOS
Symptoms:
In case of failure of "tmsh modify disk directory" command, log which help to find reason for failure are getting missed.
Conditions:
Attempt to resize some volumes via the "tmsh modify disk directory" command
Impact:
Not able to find failure reason for resize of volumes.
Workaround:
Manually running the resize2fs command, can give the reason for failure.
1024269-1 : Forcing a file system check on the next system reboot does not check all filesystems.
Links to More Info: BT1024269
Component: TMOS
Symptoms:
Forcing a file system check on the next system reboot, as described in K73827442, does not check all filesystems. This should not be the case and is a regression compared to previous BIG-IP versions.
After the reboot, you can inspect which filesystems were checked by running the following command:
journalctl --all --no-pager | grep -i fsck
Conditions:
A BIG-IP Administrator follows the procedure to force a file system check on the next system reboot.
Impact:
Some filesystems will not be fixed, and will continue to be corrupted. This can have a number of negative consequences. For instance, enlarging a filesystem (via the 'tmsh modify sys disk directory' command) can fail when a filesystem is dirty.
Workaround:
You can boot the system from the Maintenance Operating System (MOS), and perform all needed file system check operations from there. To boot the system into MOS, simply type 'mosreboot'. Note that once the system reboots into MOS, you will need video console access (for VE systems) or serial console access (for hardware systems) to be able to run fsck and the reboot the system into a regular BIG-IP boot location.
For more information on MOS, please refer to K14245.
1023817-2 : Misleading "Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required." warning
Links to More Info: BT1023817
Component: TMOS
Symptoms:
While loading the configuration or specifying that NAT64 should be disabled on a virtual server, a warning is displayed or logged:
"Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required."
This warning should only be displayed when a virtual server has both NAT64 enabled and a security NAT policy present, but may occur incorrectly even when NAT64 is disabled.
Conditions:
This warning may be incorrectly generated when all of these conditions are met:
-- a multi-bladed VIPRION
-- virtual servers in the configuration security NAT policies
-- receiving a ConfigSync from a peer, or running "tmsh load sys config" on the primary blade
Impact:
An erroneous warning is logged. It can be safely ignored.
1023529-2 : FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory.
Links to More Info: BT1023529
Component: Local Traffic Manager
Symptoms:
Command "tmsh show sys tmm-traffic" reports non-zero number of current connections but "tmsh show sys connection" shows nothing.
Conditions:
-- A virtual sever with fastL4 profile with infinite timeout enabled and an iRule containing "after" command. Having "-periodic" argument makes the problem more prominent.
-- Aggressive sweeper activated due to low memory conditions.
Impact:
Connections that were supposed to be removed by aggressive sweeper but were waiting for completion of an iRule may end up in a state where they are not reported by "tmsh show sys connection." Because of this issue, these connections cannot be deleted manually using 'tmsh del sys connection", but remain in memory. Their presence can be confirmed by non-zero number of current connections shown by "tmsh show sys tmm-traffic". Because of the infinite timeout setting, they will not timeout by themselves either.
Workaround:
N/A
1023461-2 : Multiple entries for CGNAT when PBA pools allocation is defined: for each request, a new entry is created
Links to More Info: BT1023461
Component: Carrier-Grade NAT
Symptoms:
Two pools are configured, for example:
A: any destination
B: destination 8.8.8.8
1. Making connections and utilizing port block allocation (PBA) pool A works as expected; pools are correctly allocated and released as needed.
2. When a client has active PBA pool A allocated and requests pool B (because of connectivity to specific destination IP), then each subsequent connection request from that client results in new PBA pool B allocation.
Conditions:
Multiple rules are defined to configure PBA.
Impact:
If a request does not belong to the first pool then it will not belong any other, so the system creates a new pool.
Workaround:
None
1023229-1 : False negative on specific authentication header issue
Links to More Info: BT1023229
Component: Application Security Manager
Symptoms:
Blocking does not occur on a specific authentication header issue when a non-default internal parameter is set.
Conditions:
ignore_authorization_header_decode_failure is not set to 0
Impact:
A request with an authentication header issue can pass.
Workaround:
None
1022997-1 : TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC)
Links to More Info: BT1022997
Component: TMOS
Symptoms:
Deployments on AWS that use the sock driver (1NIC, for example) transmit packets with bad checksums when TSO/GSO is required. This causes significant delays as TMM re-segments the packets with correct checksums for retransmission, and may cause some operations to time out (such as configsyncs of large configurations).
Conditions:
-- BIG-IP Virtual Edition (VE) using the sock driver on AWS (all 1NIC deployments use this)
-- TSO/GSO required due to MTU limitations on one or more VLANs
Impact:
-- Delayed packets.
-- Possible timeouts for some operations (configsyncs, for example).
Workaround:
Modify (or create, if not present) the file /config/tmm_init.tcl on the affected BIG-IP systems, and add the following line to it:
ndal force_sw_tcs off 1d0f:ec20
Then restart TMM:
bigstart restart tmm
Note: Restarting TMM will cause a failover (or an outage if there is no high availability (HA) peer available).
1022973-2 : Sessiondb entries related to Oauth module not cleaned up in certain conditions
Links to More Info: BT1022973
Component: Access Policy Manager
Symptoms:
When an OAuth AS is configured with a refresh lifetime of '0', this implies that the refresh token lifetime is infinite. This leads to all sessiondb entries related to this refresh token (including associated access token entries in sessiondb) to have infinite lifetime.
Conditions:
Refresh token lifetime is set to '0'.
Impact:
User will see consistent and persistent increase in memory consumption by TMM, potentially leading to out-of-memory situation.
Workaround:
Do not set refresh token lifetime to '0'.
1022877-3 : Ping missing from list of Types for OAuth Client
Links to More Info: BT1022877
Component: Access Policy Manager
Symptoms:
Ping is missing from the 'Type' dropdown menu in Access ›› Federation : OAuth Client / Resource Server : OAuth Server ›› New OAuth Server Configuration...
Conditions:
-- Affected BIG-IP version
-- Add new Oauth server configuration from Access :: Federation : OAuth Client / Resource Server : OAuth Server :: New OAuth Server Configuration...
Impact:
Oauth client configuration for the server of type 'Ping' cannot be created via GUI
Workaround:
Use tmsh to create the configuration, e.g.:
tmsh create apm aaa oauth-server <server name> provider-name Ping dns-resolver-name <dns-resolver-name>
1022613-1 : Cannot modify Security "global-network" Logging Profile
Links to More Info: BT1022613
Component: Advanced Firewall Manager
Symptoms:
When attempting to update the settings of the Security Logging profile, the window displays a modal dialog box titled "Saving Logging Profile" and never completes the update Action
Conditions:
"global-network" logging profile is selected for update
Impact:
You are unable to update the log settings for the "global-network" profile via UI
Workaround:
Use tmsh
1022421-4 : Pendsec utility incorrectly starts on i2x00/i4x00 platform with NON WD disk
Links to More Info: BT1022421
Component: TMOS
Symptoms:
The pendsec utility recognizes that the disk is a HDD and attempts to run a smart check against it but it does not recognize or support the disk type that is in the system and therefore you will see log messages like this in /var/log/messages when the cron job attempts to run:
May 14 15:34:04 fqdn.device.com notice pendsect[11461]: skipping drive --
May 14 15:34:04 fqdn.device.com notice pendsect[11461]: No known drives detected for pending sector check. Exiting
Conditions:
- i2x00 or i4x00 platform with the Seagate brand HDD
Impact:
Cosmetic
Workaround:
You can mitigate the cosmetic log issue by suppressing the pendsec utility.
Login to BIG-IP using SSH
Navigate to /etc/cron.daily
# cd /etc/cron.daily
Create new directory called suppress
# mkdir suppress
Move the pendsect cron job to suppres
# mv pendsect suppress
1022297-4 : In BIG-IP GUI using "Select All" with filters is not working appropriately for policies
Links to More Info: BT1022297
Component: TMOS
Symptoms:
In BIG-IP GUI using "Select All" with filters is not working appropriately for policies. When you attempt to delete policies after using filtering, all policies are deleted.
Conditions:
In BIG-IP GUI policies page, apply filter and using select all, for an action is selecting all objects and filter not applied.
Impact:
All policies objects are affected for an action, and filter is not applied
1022213-4 : DDOS: BDOS: Warning messages related to high availability (HA) watchdog seen on system bring up
Component: Advanced Firewall Manager
Symptoms:
When the BDoS log message level is set to "Warning", some high availability (HA) watchdog messages are logged:
info bdosd[14184]: BDoS: May 27 03:51:40|loadState|460|HA Watchdog was not found <DNS_CLASS_L>
Conditions:
-- DDoS is used.
-- Dynamic signature is enabled on vectors
-- Default BDoS log level is changed to Warning.
Impact:
Unwanted log messages displayed. They can be safely ignored.
1021925-4 : During bootup AWS BIG-IP endpoint was not licensed when custom gateway configured over management interface
Links to More Info: BT1021925
Component: TMOS
Symptoms:
AWS-based BIG-IP instance with a static IP assigned to the mgmt interface and a custom gateway configured, the box fails to load its license during startup.
Conditions:
BIG-IP configured with static IP address and customize gateway for default route.
Impact:
BIG-IP fails to load license.
Workaround:
Once BIG-IP boots up, execute reloadlic command which installs the license.
1021873-1 : TMM crash in IPIP tunnel creation with a pool route
Links to More Info: BT1021873
Component: TMOS
Symptoms:
In rare circumstances, the Traffic Management Microkernel (TMM) process may produce a core file in the /shared/core directory while processing traffic.
Conditions:
1)Virtual server attached with an ipip encapsulation enabled pool
2)Multiple paths to pool members
(pool route to pool member)
Impact:
Traffic disrupted while tmm restarts.
1021837-3 : When a virtual server has an inline service profile configured, connections will be reset with cause "No server selected"
Links to More Info: BT1021837
Component: Local Traffic Manager
Symptoms:
Connections are reset with "No server selected" cause.
Conditions:
-- An inline service profile ("ltm profile service") attached to a normal virtual server
Impact:
TCP connections are reset
Workaround:
Delete and recreate the virtual server without the inline service profile associated with it.
Simply removing the service profile from the virtual server is not sufficient.
1021609-1 : Improve matching of URLs with specific characters to a policy.
Links to More Info: BT1021609
Component: Application Security Manager
Symptoms:
Request with a URL containing specific characters is not matched to the correct policy.
Conditions:
URL of request contains specific percent-encoded characters.
Impact:
The request will not be matched by an expected policy rule.
Workaround:
Add an additional rule with explicit decoded characters.
1021109-4 : The cmp-hash VLAN setting does not apply to trunked interfaces.
Links to More Info: BT1021109
Component: TMOS
Symptoms:
-- CPU usage is increased.
-- Throughput is reduced.
-- Packet redirections occur (visible when using 'tmctl -d blade tmm/flow_redir_stats')
Conditions:
-- Traffic is received on trunked interfaces.
-- The cmp-hash setting has a non-default value.
-- The platform is BIG-IP Virtual Edition (VE).
Impact:
Performance is reduced. Output from 'tmctl -d blade tmm/flow_redir_stats' shows redirections.
Workaround:
-- Use the default cmp-hash setting.
-- Do not trunk interfaces.
1020277-1 : Mcpd may run out of memory when build image is missing★
Links to More Info: BT1020277
Component: TMOS
Symptoms:
After installing a new blade, if the BIG-IP does not have the appropriate images to install all volumes onto the new blade, it can get stuck waiting to install. This may cause mcpd to eventually run out of memory.
Running "tmsh show sys software" shows a message similar to this for a prolonged period of time:
HD1.2 3 BIG-IP 12.1.3.5 0.0.10 no waiting for product image (BIG-IP 12.1.3)
Conditions:
-- Installing a new blade into a chassis-based system.
-- Missing BIG-IP image(s) necessary to update all volumes on the new blade.
Impact:
Mcpd eventually runs out of memory and cores.
Workaround:
Either delete the affected volume if it is no longer necessary, or copy the appropriate BIG-IP image to /shared/images.
1020149-4 : Bot Defense does not support iOS's WKWebView framework
Links to More Info: BT1020149
Component: Application Security Manager
Symptoms:
When using the Bot Defense Profile, mobile apps which use iOS's WKWebView framework may get blocked from accessing the website.
Conditions:
-- Using the Bot Defense Profile
-- Mobile apps which use iOS's WKWebView framework try to access the website
Impact:
Mobile apps which use iOS's WKWebView framework may get blocked from accessing the website.
Workaround:
None
1020109-1 : Subnet mask property of virtual addresses not displayed in management GUI
Links to More Info: BT1020109
Component: TMOS
Symptoms:
You cannot determine the subnet mask for a displayed virtual address using only the BIG-IP management GUI.
Conditions:
-- A virtual address (automatically created by any virtual server) exists in the configuration.
-- Using the management GUI.
Impact:
Potential difficulty in troubleshooting and verifying config due to having to use other methods (accessing the CLI) to check a virtual address's netmask.
Workaround:
Use tmsh to determine the subnet mask.
1020089-1 : MCP validation should prevent defining multiple virtual servers with the same virtual address but with different subnet masks
Links to More Info: BT1020089
Component: TMOS
Symptoms:
Multiple virtual servers with the same virtual address but with different subnet masks are allowed.
Conditions:
Creation of multiple virtual servers with the same virtual address but with different subnet masks.
Impact:
Latest virtual server instantiation implicitly and silently modifies the subnet mask of the virtual address, making the system not behave as the user thinks or intended.
Workaround:
None.
1020069-1 : Equinix SmartKey HSM is not working with nethsm-partition 'fortanix'
Links to More Info: BT1020069
Component: Local Traffic Manager
Symptoms:
Setting up the Equinix SmartKey HSM with nethsm-partition 'fortanix' (or anything other than 'auto') pkcs11d logs an error:
err pkcs11d[21535]: 01680040:3: netHSM: Failed to find partition with label 'fortanix' on the netHSM.
Conditions:
Configuring a nethsm-partition other than 'auto'.
Impact:
BIG-IP does not connect to the HSM and SSL traffic is disrupted.
Workaround:
Use the nethsm-partition 'auto'
tmsh create sys crypto fips nethsm-partition 'auto'
1020005-1 : OOM errors after upgrade and VE instance unresponsive★
Links to More Info: BT1020005
Component: TMOS
Symptoms:
VE is unstable or unresponsive and Out of Memory (OOM) errors after the upgrade.
Conditions:
- Configuration failures during upgrades.
Impact:
VE instance may go unstable or unresponsive.
Workaround:
Resolve configuration error and load the configuration where provisioning will setup enough memory to host.
1019793-2 : Image2disk does not work on F5OS BIG-IP tenant.★
Links to More Info: BT1019793
Component: TMOS
Symptoms:
Image2disk fails to recognize the correct disk to install and installation fails.
Conditions:
This occurs with BIG-IP tenants that are running in F5OS partitions.
Impact:
Installation fails.
Workaround:
None
1019749-2 : Enabling DHCP for management should not be allowed on vCMP guest
Links to More Info: BT1019749
Component: TMOS
Symptoms:
Options to enable DHCP for the management interface are available on vCMP guests.
Conditions:
-- BIG-IP vCMP guest running on an appliance
Impact:
VCMP guest can be configured with options that are incompatible with VCMP operation.
This might result in a loss of management IP in the guest after a reboot
Workaround:
Do not attempt to DHCP on the management interface of a vCMP guest.
1019709-1 : Modifying mgmt-dhcp options should not be allowed on VCMP guest
Links to More Info: BT1019709
Component: TMOS
Symptoms:
Option to modify mgmt-dhcp to dhcpv4 or dhcpv6 is available on VCMP guest.
Conditions:
This is encountered with the following tmsh command
modify sys global-settings mgmt-dhcp
Values:
dhcpv4 dhcpv6 disabled enabled
Impact:
VCMP guest can be configured with options that are incompatible with VCMP operation.
This might result in a loss of management IP in the guest after a reboot
Workaround:
N/A
1019641-3 : SCTP INIT_ACK not forwarded
Component: Local Traffic Manager
Symptoms:
After SCTP link down/up (not physical IF link down up), SCTP session can't be established.
Conditions:
-- CMP forwarding enabled (source-port preserve-strict)
-- The BIG-IP system is encountering heavy traffic load
-- A connection is deleted from the connection table
Impact:
Flow state can become out of sync between TMMs
Workaround:
Once the problem occurs, execute "tmsh delete sys connection", and the SCTP session will be re-established.
1019481-1 : Unable to provision PEM on VELOS platform
Links to More Info: BT1019481
Component: Policy Enforcement Manager
Symptoms:
Unable to provision PEM on VELOS platform
Conditions:
When trying to provision PEM
Impact:
PEM functionality cannot be achieved
Workaround:
Change sys db provision.enforce value to false and load sys config
1019453-1 : Core generated for autodosd daemon when synchronization process is terminated
Links to More Info: BT1019453
Component: Advanced Firewall Manager
Symptoms:
Autodosd cores on SIGSEGV.
Conditions:
-- AFM DoS vectors configured
-- This can occur during normal operation but the specific conditions that trigger it are unknown
Impact:
Autodosd is restarted, but up to 15 seconds of history may be lost.
Workaround:
None
1019285-1 : Systemd hangs and is unresponsive
Links to More Info: BT1019285
Component: TMOS
Symptoms:
When memory is exhausted on the system and systemd tries to fork to start or stop a service, systemd fails and enters "freeze" mode.
Conditions:
Following log messages can be seen in the daemon.log log file:
err systemd[1]: Failed to fork: Cannot allocate memory
crit systemd[1]: Assertion 'pid >= 1' failed at src/core/unit.c:1997, function unit_watch_pid(). Aborting.
emerg systemd[1]: Caught <ABRT>, cannot fork for core dump: Cannot allocate memory
emerg systemd[1]: Freezing execution.
Impact:
Systemd does not provide service anymore.
Workaround:
Reboot the system to restore the systemd services.
1019261-1 : In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile.
Links to More Info: BT1019261
Component: In-tmm monitors
Symptoms:
HTTPS monitors with SSL profile set to None (default) will not use the default ServerSSL profile of "serverssl" when In-TMM monitoring is enabled. Instead, another internal ServerSSL profile is used which has different values from "serverssl".
Conditions:
-- In-TMM monitoring is enabled
-- HTTPS monitor(s) with SSL profile field is set to the default of "None"
Impact:
The TLS settings for the HTTPS monitor monitor probes will not match those of the ServerSSL "serverssl" profile and may cause unexpected behavior such as utilizing TLS 1.3 (disabled by default in the "serverssl" profile) or random session IDs.
Workaround:
Specify a ServerSSL profile in every HTTPS monitor when using In-TMM monitoring.
Attaching the profile "serverssl" will result in the same behavior that SSL Profile "none" should provide, given that the "serverssl" profile should be the default.
1019129-4 : Changing syslog remote port requires syslog-ng restart to take effect
Links to More Info: BT1019129
Component: TMOS
Symptoms:
Modified remote port in syslog configuration takes effect only after restart of the syslog-ng.
Conditions:
-- Configure the remote syslogs and allow some time to pass.
-- Change the local IP or remote port in syslog config.
Impact:
Change does not occur until you reboot or restart syslog-ng.
Workaround:
To cause the change to occur, restart syslog-ng:
bigstart restart syslog-ng
1018765-1 : Changing the sshd port breaks some BIG-IP utilities on a multi-bladed system
Links to More Info: BT1018765
Component: Local Traffic Manager
Symptoms:
After using "sys sshd port" to change the default port for sshd, some utilities may no longer work properly on the BIG-IP, such as:
"tmsh reboot slot ..."
or
qkview
or
any command using clsh
or
ssh slot<slot number>
Conditions:
-- Chassis system with multiple blades.
-- Default sshd port was modified.
Impact:
Unable to run commands on secondary blades.
Workaround:
-- Reconfigure SSHD to run on the default port, 22.
or
-- Specify an explicit port when using ssh and log in to each blade to run the desired commands, e.g. "ssh -p 40222 slot2"
1018673-1 : Virtual Edition systems replicate host traffic to all TMMs when a multicast MAC address is the traffic's nexthop
Links to More Info: BT1018673
Component: TMOS
Symptoms:
When BIG-IP Virtual Edition receives a host packet that has a multicast MAC address as its nexthop, it will disaggregate this by forwarding it to all TMMs. This results in all TMMs egressing the packet.
Conditions:
-- BIG-IP Virtual Edition
-- A route is configured to a multicast MAC address
-- Host traffic (e.g. non-TMM monitors, ping, etc.) is routed to the multicast MAC address
Impact:
Extraneous packets are egressed from the BIG-IP.
Workaround:
Partial workaround for the case of monitors: use in-TMM monitors where possible. Otherwise, there is no workaround for this.
1018165-1 : GUI display of DHCPv6 profile not correct for virtual server in non-default route-domain
Links to More Info: BT1018165
Component: TMOS
Symptoms:
A virtual server created in a non-default route-domain with a DHCPv6 profile shows as using a DHCPv4 profile 'None' in the GUI.
Conditions:
-- Virtual server using a DHCPv6 profile.
-- Virtual server must be in a non-default route-domain.
-- Using the GUI to view the virtual server.
Impact:
Incorrect view of the configuration.
Workaround:
None
1017897-1 : Self IP address creation fails with 'ioctl failed: No such device'
Links to More Info: BT1017897
Component: TMOS
Symptoms:
Creating a self IP address after a route-domain using TMSH reports an error:
01070712:3: Cannot get device index for Backend in rd2 - ioctl failed: No such device.
Conditions:
Using tmsh, create a Trunk, create a VLAN on the trunk, create a route-domain, then create a self IP address.
Impact:
Self IP address creation fails after route-domain creation.
Unable to run declarative-onboarding declaration.
Workaround:
Add a short delay after modifying/creating the route domain before creating the self IP address.
Note: Self IP address should be created after route-domain creation.
1017885-5 : Wildcard server-name does not match multiple labels in FQDN
Links to More Info: BT1017885
Component: Local Traffic Manager
Symptoms:
Wildcard server-name does not match multiple labels in FQDN
for example: *.domain.com matches a.domain.com or a.bc.domain.com, but it does not match domain.com but here multiple labels(a.bc.domain.com) are not matched to the wildcard (*.domain.com).
Conditions:
Client-ssl is configured with a wildcard server-name with the virtual server configured with multiple client-ssl profiles. The correct ssl profile (and therefore certificate) is chosen based on SNI from the client Hello.
Impact:
Generates default profile/certificate when trying to match with multiple labels using wildcard, when it should generate correct certificate matched to the wildcard in server name.
Workaround:
Add additional SAN values to the certificate with the relevant second-level domain elements, for example:
When serving "site.test.example.com" using a certificate that matches just *.example.com, add a second SAN element to the certificate of *.test.example.com
1017857-1 : Restore of UCS leads to incorrect UID on authorized_keys★
Links to More Info: BT1017857
Component: TMOS
Symptoms:
After restoring a UCS from a different BIG-IP device, the admin user is unable to log in via SSH using SSH public key authentication.
Conditions:
-- Create a UCS on one BIG-IP system where a UCS archive has been restored in the past (including by an upgrade)
-- Import the UCS to a different BIG-IP system and load it
Impact:
You are unable to log in as the admin user via SSH using key-based authentication.
NOTE: Password authentication works without any issues.
Workaround:
Change the owner of /home/admin/.ssh/authorized_keys to 'root', by running the following command:
chown root /home/admin/.ssh/authorized_keys
This command can also be run via iControl REST using the /mgmt/tm/util/bash endpoint.
1017801-1 : Internal listeners (cgc, ftp data, etc) all share the same listener_key stats
Links to More Info: BT1017801
Component: Local Traffic Manager
Symptoms:
Internal stats are not accurate because they are shared across multiple listener types
Conditions:
This can occur when multiple virtual server types are in use and passing traffic.
Impact:
Internal listener stats are not accurate.
1017261-7 : Configuraton update triggers from MCP to ASM are ignored
Links to More Info: BT1017261
Component: Application Security Manager
Symptoms:
If a stale/incorrect but running PID is present in /var/ts/var/install/ucs_install.pid, then ASMConfig will think it is in the middle of a UCS or Sync load event and ignore updates from MCP.
Conditions:
A UCS load event such as an upgrade or a config sync is interrupted and ASM is not restarted until another process reuses the process id from the upgrade.
Impact:
Updates from MCP are ignored which can cause:
* Missed sync events
* Missed updates for logging or pool configuration
* Missing security policies
Workaround:
Delete /var/ts/var/install/ucs_install.pid
1017149-1 : User-defined bot sigs that are created in tmsh don't overlap staged factory bot sigs
Component: Application Security Manager
Symptoms:
User-defined bot signatures that are created in tmsh are not enforced if there are similar factory bot signatures even when they are staged.
Conditions:
User-defined bot signature is created in tmsh and is matched also by staged factory bot signature.
Impact:
User-defined signature is not enforced correctly
Workaround:
Define user-defined bot signature using the GUI and if signature domain are needed but can't be configured by the GUI, define the domain in tmsh after the signature is created with:
tmsh mod security bot-defense signature <sig_name> domains replace-all-with { domains }
1017029-5 : SASP monitor does not identify specific cause of failed SASP Registration attempt
Links to More Info: BT1017029
Component: Local Traffic Manager
Symptoms:
On affected BIG-IP versions, upon startup, the SASP monitor sends a single Registration Request to the SASP GWM (Group Workload Manager) to initiate monitoring of configured LTM pool members. This Registration Request contains all configured LTM pools (SASP Groups) and members (SASP Group Members).
If an error is encountered by the SASP GWM with one of the SASP Groups in the request, the registration of all groups fails.
However, the GWM does not provide any indication of *which* Group or member does not match the GWM configuration, hindering troubleshooting efforts.
The current BIG-IP behavior does not allow identification of the specific pool/member or monitor that is misconfigured and thus responsible for the failed SASP Registration attempt.
Conditions:
This behavior occurs on affected BIG-IP versions when the LTM SASP monitor is configured to monitor members of multiple LTM pools, and when BIG-IP start/restarts/reboots or the configuration is loaded.
Impact:
If a single Registration Request fails, the GWM terminates the connection with the Load Balancer (BIG-IP SASP monitor). This behavior is defined by the SASP protocol and SASP GWM implementation.
As a result, the SASP monitor will mark all pool members DOWN that are monitored by the SASP monitor, halting traffic from flowing to all pools monitored by the SASP monitor.
When an error occurs during registration of the LTM pools (SASP Groups), the GWM does not provide any indication of *which* Group or member does not match the GWM configuration.
Since a single error message is returned by the SASP GWM for the entire Registration Request (for all SASP Groups), the SASP monitor cannot indicate which Group (pool/member) or monitor caused the error.
This hinders efforts to troubleshoot the cause of the failure, while all traffic has stopped flowing to the SASP-monitored pools.
Workaround:
To diagnose this issue, first enable saspd debug logging:
tmsh mod sys db saspd.loglevel value debug_msg
(Optional alternative values include deep_debug and debug, but provide less detail.)
With saspd debug logging enabled, a message like the following in /var/log/monitors/saspd.log confirms that an error occurred during the Registration step:
SASPProcessor::processRegistrationReply: received error registering workloads with GWM ##.##.##.###:3860: 69 'InvalidGroup'
If the above message is found to confirm this issue, the primary path to resolution should be for the BIG-IP administrator to very carefully compare the BIG-IP pool/member and sasp monitor configuration with the SASP GWM configuration, to identify any mismatches or inconsistencies between the configurations.
On the BIG-IP system, to help isolate the misconfigured LTM pool(s)/member(s) causing the SASP Registration failure:
1. Remove the sasp monitor from configured LTM pools/members one at a time, and observe whether any pool members still monitored by the sasp monitor are marked UP.
2. Add the sasp monitor back to configured LTM pools/members one at a time, in the same order as removed, except for the last LTM pool/member from which it was removed.
3. Save and reload the configuration, and check whether the LTM pools/members monitored by the sasp monitor are still marked UP.
4. Repeat as necessary if there appear to be multiple LTM pools/members causing a SASP Registration failure.
Alternately, it may be possible to choose a different monitor (using a more fault-tolerant protocol) to monitor the status of affected pool members.
1016921-3 : SSL Connection mirroring - session resumption does not occur on standby when the session ticket is enabled
Links to More Info: BT1016921
Component: Local Traffic Manager
Symptoms:
Eight-second delays occur on traffic through an SSL connection mirroring virtual server, and errors occur on the standby device:
crit tmm7[11598]: 01010025:2: Device error: crypto codec Couldn't create an OpenSSL EC group object OpenSSL error:0906D06C:PEM
err tmm7[11598]: 01010282:3: Crypto codec error: sw_crypto-7 Couldn't initialize the elliptic curve parameters.
crit tmm7[11598]: 01010025:2: Device error: crypto codec No codec available to initialize request context.
Conditions:
All of these conditions:
-- SSL connection mirroring enabled
-- Session tickets are enabled
-- High availability (HA) environment
and one of the following:
-- Running BIG-IP v14.1.4.1 or above (in the v14.1.x branch)
or
-- Engineering hotfix applied to v14.x/v15.x that has the ID760406 fix (see https://cdn.f5.com/product/bugtracker/ID760406.html)
Impact:
SSL traffic is significantly delayed and errors are thrown on the standby device.
Workaround:
Any one of the following could prevent the problem.
-- client-ssl profile cache-size 0.
-- client-ssl profile session-ticket disabled (default).
-- disable SSL connection mirror on virtual server.
1016909-1 : BIG-IP iRule commands FLOW::this or FLOW::peer can create zombie flows.
Links to More Info: BT1016909
Component: Local Traffic Manager
Symptoms:
Keeping a variable reference to FLOW::this or FLOW::peer in iRules can result in zombie connection flows that are never removed.
TMM memory use for 'connflow' and 'tclrule_pcb' are high, and do not match the number of current connections reported by the system.
Conditions:
-- iRule that uses FLOW::this or FLOW::peer, and stores the result of one of those commands into a variable.
Impact:
Increased memory use in TMM, which can eventually result in a TMM crash or traffic disruption while connections are removed using the connection sweeper.
Workaround:
Do not retain the result of 'FLOW::this' or 'FLOW::peer' in a variable in an iRule. Instead, either:
1. Use the variable directly, i.e.:
log local0.warning: "The flow is [FLOW::this]"
2. Unset the variable when done, i.e.:
set flow [FLOW::this]
log local0.warning: "The flow is $flow"
unset flow
If a system is already affected by this issue, the only way to free that memory is to restart TMM.
1016589-1 : Incorrect expression in STREAM::expression might cause a tmm crash
Links to More Info: BT1016589
Component: Local Traffic Manager
Symptoms:
Tmm restarts and generates a core file
Conditions:
An iRule uses STREAM::expression that contains certain strings or is malformed.
Stream expressions use a string representing a series of search/replace or search components. If there is more than one search-only component, this might cause tmm to crash.
The delimiter character used is the first character of each component search/replace pair. This example uses the '@' character as the delimiter, but it is malformed.
Given
STREAM::expression "@dog@dot@cat@car@uvw@xyz@"
This would be interpreted as three items:
search for "dog" replace with "dot"
search for "at@"
search for "r@uvw@xyz@"
This string should likely be:
STREAM::expression "@dog@dot@@cat@car@@uvw@xyz@"
Which would be interpreted as
search for "dog" replace with "dot"
search for "cat" replace with "car"
search for "uvw" replace with "xyz"
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure that strings in STREAM::expression iRule statements do not have more than one search-only component and are well formed.
1016481-1 : Special JSON characters in Dom Signatures breaks configuration
Links to More Info: BT1016481
Component: Fraud Protection Services
Symptoms:
FPS modules malfunction.
Conditions:
Unescaped special JSON characters used in Dom Signatures.
Impact:
FPS client-side JS unable to load configuration JSON.
Workaround:
Manually escape all special JSON characters in Dom Signatures.
1016433-2 : URI rewriting is incorrect for "data:" and "javascript:"
Links to More Info: BT1016433
Component: Local Traffic Manager
Symptoms:
In case of LTM rewrite, HTML content having attribute values like "javascript:", "mailto:", "data:" etc are incorrectly rewritten as URI. This can cause web applications to fail.
Conditions:
-- LTM rewrite profile in URI translation mode.
-- HTML contents of web application contains attribute values like "javascript:abc", "data:" etc.
Impact:
Incorrect URI rewriting may cause web application to fail.
1015817-1 : Flows rejected due to no return route do not increment rejection stats
Links to More Info: BT1015817
Component: Local Traffic Manager
Symptoms:
When flows are rejected due to no return route being present, the BIG-IP does not increment the appropriate statistics to indicated this.
Conditions:
Flows are rejected due to no return route.
Impact:
There is no indication of the real problem when viewing the statistics.
1015793-1 : Length value returned by TCP::payload is signed and can appear negative
Links to More Info: BT1015793
Component: Local Traffic Manager
Symptoms:
When an iRule uses TCP::collect, if the amount of received data being buffered exceeds 2147483647 octets, the value returned from [TCP::payload length] will appear as a negative integer.
Conditions:
An iRule has been written to use TCP::collect with a very high-volume input stream.
Impact:
The unanticipated negative value may confuse the iRule's logic, with unpredictable effects. In extreme cases, a disruption of the TMM could occur.
Workaround:
Convert the result of "TCL::payload length" to an unsigned integer before using it, e.g.:
set curlen [expr { 0xffffffff & [TCP::payload length] }]
Note: the amount of accumulated payload still must not exceed 4,294,967,295 bytes (2^32-1).
1015501-3 : Changes to DHCP Profile are not used by tmm
Links to More Info: BT1015501
Component: Policy Enforcement Manager
Symptoms:
After changing the authentication settings of a DHCP profile, the old authentication settings are still used.
Conditions:
Modify ltm profile dhcpv4 Discovery_DHCPv4_profile authentication { enabled true virtual RadiusAAA }
Impact:
New connections use existing listeners.
Workaround:
Restart tmm.
Impact of workaround: traffic disrupted while tmm restarts.
1015453-1 : In few circumstances, the Local Traffic menu in System > Configuration is inaccessible in the GUI
Links to More Info: BT1015453
Component: TMOS
Symptoms:
The Local Traffic menu in System > Configuration is inaccessible in the GUI.
Conditions:
-- LTM is licensed or provisioned.
-- GTM is licensed or provisioned.
-- AFM, DNS, and DoS are not provisioned.
-- Other modules (such as APM) are provisioned
Impact:
Unable to configure SYN cookies.
Workaround:
Use TMSH to configure SYN cookies.
1015117-5 : Headers are corrupted during modification/insertion if a mix of end-of-line markers <CRLF> and <LF> are used
Links to More Info: BT1015117
Component: Local Traffic Manager
Symptoms:
HTTP header corruption occurs after insertion/modification using an iRule in HTTP Headers which contain mixed end-of-line markers <CRLF> and <LF>.
Conditions:
- HTTP virtual server
- An iRule, policy or profile inserts an HTTP Request header - Such as x-forwarded-for
- An HTTP request contains some lines that end with <CRLF> and some that end with <LF>
Impact:
Inserted headers get concatenated in such a way that the HTTP request header gets corrupted.
Workaround:
Use HTTP headers with proper end-of-line markers in compliance with HTTP RFC
1015093-1 : The "iq" column is missing from the ndal_tx_stats table
Links to More Info: BT1015093
Component: TMOS
Symptoms:
When viewing the ndal_tx_stats statistics table, the "iq" column is not present.
Conditions:
-- BIG-IP Virtual Edition.
-- Viewing statistics tables.
Impact:
Missing statistic; less information available.
1014761-2 : [DNS][GUI] Not able to enable/disable pool member from pool member property page
Links to More Info: BT1014761
Component: Global Traffic Manager (DNS)
Symptoms:
You are unable to enable/disable DNS pool members from the pool member property page.
Conditions:
Making changes via the DNS pool member property page.
Impact:
You can submit the changes but the changes do not persist.
Workaround:
1. tmsh
or
2. enable/disable pool member from list of pool members instead of 'general properties' page
1014633-4 : Transparent / gateway monitors may fail if there is no route to a node
Links to More Info: BT1014633
Component: Local Traffic Manager
Symptoms:
Transparent or gateway monitors may fail.
Conditions:
-- Transparent or gateway monitor configured.
-- Route does not exist to destination.
Impact:
The monitor fails and the node / pool member is marked unavailable.
Workaround:
Add a route to the destination.
1014609-1 : Tunnel_src_ip support for dslite event log for type field list
Links to More Info: BT1014609
Component: Advanced Firewall Manager
Symptoms:
When storage-format is set to None the dslite_dst_ip and dslite_src_ip fields are displayed; however, the field list only displays dslite_dst_ip and you are unable to configure dslite_src_ip.
Conditions:
-- AFM configured
-- You are configuring a logging profile and are choosing fields from the field list
Impact:
The dslite_src_ip field cannot be selected in the logging profile when choosing fields from the field list.
Workaround:
Do not choose fields from the field list and dslite_src_ip will be logged.
1014361-2 : Config sync fails after provisioning APM or changing BIG-IP license
Links to More Info: BT1014361
Component: TMOS
Symptoms:
Clustered high availability (HA) devices cannot establish ConfigSync connection, and the prompt status reports disconnected.
MCPD is logging a message similar to this repeatedly, even though all TMMs are up and running:
err mcpd[4247]: 0107142f:3: Can't connect to CMI peer 192.0.2.1, TMM outbound listener not yet created
Conditions:
This can occur under either of the following conditions:
-- Some provisioning operations (i.e. provisioning APM), when TMM restarts during the provisioning. This has primarily been seen with BIG-IP instances running in Google Cloud.
-- Changing the license of a BIG-IP VE when the new license changes the number of TMM instances that will run on the BIG-IP (i.e. upgrading from a 1Gbps to 3Gbps VE license)
Impact:
BIG-IP devices are not able to perform ConfigSync operations.
Workaround:
Restart MCPD on the affected system.
Note: This will disrupt traffic while system services restart.
1014285-5 : Set auto-failback-enabled moved to false after upgrade★
Links to More Info: BT1014285
Component: TMOS
Symptoms:
In a traffic group, auto-failback-enabled is changed from true to false after config save and upgrade.
During the upgrade, the following log can be observed:
info: Warning: Invalid configuration - Traffic Group has high availability (HA) Group "test_HA_Group" assigned and auto-failback-enabled set to true. Resetting auto-failback-enabled to false.
Conditions:
-- auto-failback-enabled is set to true and high availability (HA) groups are configured and assigned to traffic-group
-- The device is upgraded.
Impact:
Auto-failback-enabled is set from true to false and auto failback is disabled.
Workaround:
After upgrade, set the auto-failback-enabled to true.
1013937-1 : In-TMM HTTP and HTTPS monitors require RFC-compliant send strings to work.
Links to More Info: BT1013937
Component: Local Traffic Manager
Symptoms:
Pool members that should be marked UP are incorrectly marked DOWN. No monitor traffic is seen on the wire.
If pool member monitor logging is enabled, an entry similar to the following example can be seen in the logs:
[0][1399] 2021-02-11 11:11:34.709360: ID 44 :TMM::handle_message(TMA_Message<tma_msg_args_notify>*): tmm monitor failed to connect [ tmm?=true td=true tr=false tmm_mid=0:1 addr=::ffff:192.168.10.100:80 srcaddr=none ]
If tma debug logging is enabled, an entry similar to the following example can be seen in the logs:
Feb 11 11:12:14 bigip1.local debug tmm[2259]: 01ad0019:7: Monitor Agent TMM 0: received probe response: MID 1, reason TMA_RESULT_FAIL(Probe response lost due to transient failure), info 0
Conditions:
- In-tmm monitoring is enabled (the bigd.tmm db key is set to enable).
- A HTTP or HTTPS monitor has been configured with a send string which is not RFC-compliant. For instance, the following string incorrectly includes a space before the Host header:
"GET / HTTP/1.1\r\n Host: example.com\r\nConnection: Close\r\n\r\n"
Impact:
Pool member monitoring is impacted and unreliable.
Workaround:
Ensure that you specify a send string which is fully RFC-compliant (for instance, in the example above, remove the space before the Host header).
1013777-4 : An error is encountered when enabling reset-learning to all the signatures of a protocol inspection profile in the GUI.
Links to More Info: BT1013777
Component: Protocol Inspection
Symptoms:
An error is displayed in the GUI when reset-learning is applied to all the signatures of a protocol inspection profile in the GUI.
The actual error is “414 Request-URI Too Long” because the HTTP request URI length generated in this case exceeds the system limit.
Conditions:
-- "Reset-learning" action is applied to all signatures and compliances of a protocol inspection profile.
-- Once a certain number of signatures are selected, The GUI throws a “414 Request-URI Too Long” error.
Impact:
- Bulk "reset-learning" action can't be applied from the GUI when the "414 Request-URI Too Long" is returned.
Workaround:
- The TMSH command "delete security protocol-inspection learning-stats <profile-name>" can be used to apply reset-learning to all the signatures of a protocol inspection profile.
1013597-2 : `HTTP2::disable serverside` can reset flows
Links to More Info: BT1013597
Component: Local Traffic Manager
Symptoms:
If `HTTP2::disable serverside` is called on a flow that has no HTTP2 configured on the server-side then it can incorrectly report an error and RST the flow.
Conditions:
1) iRule calls `HTTP2::disable serverside` on HTTP_REQUEST.
2) No HTTP2 configured on server-side.
3) server-side has already handled a flow.
Impact:
Traffic interruption, potential for a core (see ID1012533). Traffic disrupted while tmm restarts.
Workaround:
Don't call `HTTP2::disable serverside` if there is no HTTP2 on server-side.
1013209-5 : BIG-IP components relying on ca-bundle.crt may stop working after upgrade★
Links to More Info: BT1013209
Component: Local Traffic Manager
Symptoms:
After upgrading, the BIG-IP system components may stop working due to missing CA certificates in ca-bundle.crt.
Conditions:
CA cert which is expired/will expire in 6 months (or 182 days) after upgrade is removed from ca-bundle.crt.
Impact:
The BIG-IP components such as TMM, APM etc. may stop working due to missing CA certificates in ca-bundle.crt.
Workaround:
Download the blended-bundle.crt from the F5 download site. It is located at
https://downloads.f5.com/esd/product.jsp?sw=Certificate-Authority-Bundle&pro=Certificate-Authority-Bundle
1012601-4 : Alarm LED and LCD alert cleared prematurely on startup for missing PSU input
Links to More Info: BT1012601
Component: TMOS
Symptoms:
Occasionally when starting up a BIG-IP system, if one PSU is connected but not supplying power, the corresponding amber alarm LED and "PSU status input lost" alert in the LCD menu can be incorrectly cleared after selecting System -> Power On from the LCD menu.
Conditions:
-- iSeries platforms
-- The BIG-IP device is powered on with one PSU connected and not supplying power
Impact:
The alarm LED is incorrectly turned off, and navigating to alerts on the LCD menu no longer shows a "PSU status input lost" alert after powering on.
Workaround:
Before powering on the BIG-IP device, check the alarm LED and navigate to alerts on the LCD screen. If there is a "PSU status input lost" alert, the corresponding power LED should be amber.
If the power LED is still amber after powering the system on but the alarm LED and LCD alert are cleared, please disregard the alarm LED and LCD in this case. The amber power LED is correct, and the PSU is still not supplying power.
Additionally, if you are logged into the console, running "bigstart restart chmand" will force a new "PSU status input lost" alert to be generated on the LCD and should also correct the alarm LED color to amber.
1012493-5 : Systemauth.primaryadminuser set to anything but 'admin' causes internal error for mcp-state check
Links to More Info: BT1012493
Component: TMOS
Symptoms:
When polling the endpoint /mgmt/tm/sys/mcp-state you get an error:
{
"code": 500,
"message": "MCP Session terminated",
"errorStack": [],
"apiError": 32768003
}
Conditions:
-- A user other than 'admin' polls /mgmt/tm/sys/mcp-state
Impact:
An error is returned for users that are not the admin user. Systems which are subject to special security rules that require disabling the admin user may lose functionality in iControl/REST.
Workaround:
You can use either of these workarounds:
-- Make the API call as user "admin"
-- Use tmsh
tmsh show sys mcp-state
1012449-1 : Unable to edit custom inband monitor in the GUI
Links to More Info: BT1012449
Component: TMOS
Symptoms:
Attempting to edit a custom inband monitor in the GUI results in an error:
An error has occurred while trying to process your request.
Conditions:
Editing a custom inband monitor in the GUI.
Impact:
Unable to make changes to inband monitors in the GUI.
Workaround:
Use TMSH to modify the monitor, for example:
tmsh modify ltm monitor inband <monitor name> ...
1012413-1 : Tmm performance impact for DDoS vector on virtual server when hardware mitigation is enabled
Links to More Info: BT1012413
Component: Advanced Firewall Manager
Symptoms:
When a DoS profile is attached to a virtual server, the mitigation limit is set to the system limit and not the HSB limit. This causes more packets to be handled by software. Depending on attack size, it could pass up to 200% of the set mitigation limit. This can impact tmm performance.
Conditions:
-- Dos profile is configured on virtual server.
-- Hardware platform that has HSB
-- Hardware mitigation is enabled
Impact:
Tmm performance may be degraded.
Workaround:
None
1012061-1 : Link Controller auto-discovery does not remove deleted virtual servers
Links to More Info: BT1012061
Component: Global Traffic Manager (DNS)
Symptoms:
Removed virtual servers are still displayed as available in link controller configuration.
Conditions:
1. GTM server representing Link Controller is configured for high availability (HA)
2. There is no working iQuery session with one of the units
Impact:
Virtual servers linger in bigip_gtm.conf configuration after they are deleted.
Workaround:
Make sure that there is at least one working iQuery channel with all devices configured under GTM server object.
1012049-1 : Incorrect virtual server list returned in response to status request
Links to More Info: BT1012049
Component: TMOS
Symptoms:
Returned list of virtual servers shows all virtual servers rather than no servers, or a specific list of servers.
Conditions:
-- Navigate through the GUI to Local Traffic :: Virtual Servers : Virtual Server List page.
-- Click the 'Status' drop down and select a status that returns no virtual servers or a specific subset of the virtual servers.
-- Modify the resulting request to insert ' --' url-encoded.
Impact:
The returned list shows all virtual servers instead of the ones specifically queried.
Workaround:
None
1012009-3 : MQTT Message Routing virtual may result in TMM crash
Links to More Info: BT1012009
Component: Local Traffic Manager
Symptoms:
The BIG-IP system provides an option to use Message Routing virtual servers for MQTT traffic. It uses a different approach to associate a client side and a server side than a standard virtual server. In some instances, a server side is incorrectly handled.
Conditions:
-- A Message Routing virtual with MQTT protocol.
-- A client attempts to reconnect.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1011889-6 : The BIG-IP system does not handle DHCPv6 fragmented traffic properly
Links to More Info: BT1011889
Component: Local Traffic Manager
Symptoms:
In the following two scenarios, packets may get dropped by the BIG-IP device.
- [client MTU 1500]<--->(vlan1)<--->[MTU 1500BIG-IP MTU 9000]<--->(vlan2)<--->[MTU 1500server]
If the response from the server is large enough to be fragmented, the BIG-IP system is not able to process the packets.
- [client MTU 1500]<--->(vlan1)<--->[MTU 1500BIG-IP MTU 9000]<--->(vlan2)<--->[MTU 9000server]
Large response coming in a single packet is not fragmented properly on the client-side, then packets may be dropped.
Conditions:
DHCPv6 MTU size is greater than or equal to 1500.
Impact:
Packets are dropped, traffic is disrupted.
1011265-3 : Failover script cannot read /config/partitions/ after upgrade★
Links to More Info: BT1011265
Component: TMOS
Symptoms:
After upgrading, failover does not work correctly. An error is encountered in /var/log/audit/log:
type=AVC msg=audit(1617263442.711:206): avc: denied { read } for pid=17187 comm="active" name="partitions" dev="dm-11" ino=259 scontext=system_u:system_r:f5config_failover_t:s0 tcontext=system_u:object_r:f5config_t:s0 tclass=dir
Conditions:
-- High availability (HA) environment configured
-- Devices are upgraded to version 14.1.4
-- A failover occurs
Impact:
Failover does not complete. Floating IP addresses do not move to the active device.
Workaround:
Tmsh modify sys db failover.selinuxallowscripts enable
1011133 : Protocol Inspection compliance check 10208 gtp_disallowed_message_types does not take GTP version into account
Links to More Info: BT1011133
Component: Protocol Inspection
Symptoms:
GTP version 1 and GTP version 2 disagree on message type designations, so blocking a given message type has a different meaning depending on the GTP version.
Conditions:
Compliance check 10208 is configured in an environment where different versions of GTP traffic might be encountered.
Impact:
The device might drop GTP message types that are not intended to be dropped.
Workaround:
If the environment supports/expects only GTP version 1 or version 2 traffic, use compliance check 10223 gtp_disallowed_version to exclude all traffic from the unexpected GTP type to eliminate the message type ambiguity.
1011081-3 : Connection lost to the Postgres client during the BIG-IP bootup process
Links to More Info: BT1011081
Component: TMOS
Symptoms:
During the boot process of BIG-IP, mcpd loses the connection to the Postgres with FATAL error with a "Broken Pipe" error.
Conditions:
-- BIG-IP devices are configured in high availability (HA).
-- BIG-IP configuration has the keys configured in Postgres Database.
Impact:
Mcpd loses the connection to the Postgres with FATAL error with a "Broken Pipe" error
1010785-3 : Online help is missing for CRL in client SSL profile and server SSL profile
Links to More Info: BT1010785
Component: TMOS
Symptoms:
Help tab does not show any documentation for CRL in client SSL profile and server SSL profile.
Conditions:
This can be seen in the online help for the client SSL and server SSL profiles.
Impact:
There are no online help instructions to configure CRLs.
Workaround:
None
1010761-3 : Missing TMSH help description for client-ssl profile 'CRL'
Links to More Info: BT1010761
Component: TMOS
Symptoms:
Running the command "tmsh help ltm profile client-ssl" shows that certificate revocation list (CRL) is not present/described.
Conditions:
Run tmsh help ltm profile client-ssl
Impact:
The CRL is not present/described.
Workaround:
None
1010717-1 : Default DoS profile creation from tmsh is incorrectly interpreted by DoS profile GUI
Links to More Info: BT1010717
Component: Anomaly Detection Services
Symptoms:
Creating a DoS profile from tmsh makes the Bados feature appear to be enabled in the GUI, which is incorrect.
Conditions:
Create DoS profile from tmsh, and not from GUI.
Impact:
Inconsistency between the DoS profile and what you see in the GUI.
Workaround:
Disable BADOS in the GUI after creating a DoS profile from tmsh.
1010341-4 : Slower REST calls after update for CVE-2021-22986
Links to More Info: BT1010341
Component: TMOS
Symptoms:
As a result of changes were introduced to increase security around the REST API, REST calls that use HTTP basic authentication may take longer to execute that they did previously.
Conditions:
- REST API calls
- HTTP basic authentication used for the REST calls
Impact:
- Degraded performance of the REST API
Workaround:
Update automation scripting to use token based authentication, which is both faster and more secure than HTTP basic authentication
1010209-1 : BIG-IP configuration allows literal CR and LF characters in LTM monitor send and recv strings
Links to More Info: BT1010209
Component: Local Traffic Manager
Symptoms:
It is possible, using REST or tmsh (vi the 'tmsh edit' command) to embed literal carriage return (CR) or line feed (LF) characters in an mcpd object's parameters, rather than the two-byte sequence \r or \n. This can be done with a monitor send or receive string. When the configuration is loaded, the CR characters are stripped off of the strings, resulting in invalid HTTP in the monitor strings.
Conditions:
-- Using HTTP monitors.
-- Embedding literal CR/LF characters in the monitor's send or receive string.
Impact:
Monitors stop working; pool members being monitored are considered inaccessible.
Workaround:
Do not use embedded unprintable characters in monitor send or receive strings.
1009921-3 : 'SSL::verify_result' iRule command may return incorrect value when combined with dynamic CRL check
Links to More Info: BT1009921
Component: Local Traffic Manager
Symptoms:
'SSL::verify_result' iRule command may return '0' (validation check success) even if the client certificate has already been revoked. The expected return value on a revoked certificate is '23' (certificate revoked).
Conditions:
-- Dynamic CRL check is configured on the client SSL profile.
-- An iRule checks client certificate validity by 'SSL::verify_result' command. Here is example.
when HTTP_REQUEST {
set cert [SSL::cert 0]
set cert_string [X509::verify_cert_error_string [SSL::verify_result]]
set code [SSL::verify_result]
if { [SSL::verify_result] == 0 }{
log local0. "success $cert_string $code" return
}
else {
log local0. "failed $cert_string $code" HTTP::respond 403 content "<html>Invalid client certificate:</html>\n" }
}
Note: SSL::cert command is in fact the trigger for the behavior as it causes a rebuild of the certificate chain and fetches the status from the cache, which is 0. The reason it is 0 in the cache is that, when dynamic CRLs are used, the system verifies the cert, receives a code 23 (revoked), but the system does not update the SSL session cache with the result.
Impact:
The iRule 'SSL::verify_result' command may return unexpected values. Traffic can be unexpectedly load-balanced to the backend pool member when the end user client requests the virtual server with the revoked certificate.
Workaround:
You can use any of the following workarounds:
-- Remove the SSL::cert command from the iRule (it is not needed in HTTP_REQUEST since the system still has the verify result in runtime code).
-- Set cache-size 0 (zero) on client SSL profiles:
# tmsh modify ltm profile client-ssl [client-ssl profile name] cache-size 0
-- Use authentication frequency 'always' on client SSL profiles:
# tmsh modify ltm profile client-ssl [client-ssl profile name] authenticate always
1009337-2 : LACP trunk down due to bcm56xxd send failure
Links to More Info: BT1009337
Component: TMOS
Symptoms:
Lacp reports trunk(s) down. lacpd reports having trouble writing to bcm56xxd over the unix domain socket /var/run/uds_bcm56xxd.
Conditions:
Not known at this time.
Impact:
An outage was observed.
Workaround:
Restart bcm56xxd, lacpd, and lldpd daemons.
1008233-1 : The gtm_add command fails but reports no error
Links to More Info: BT1008233
Component: Global Traffic Manager (DNS)
Symptoms:
Running the command 'gtm_add' does not add the local GTM to the remote GTM sync group, and it does not display an error message.
Conditions:
The remote GTM has a GTM iRule that references an LTM datagroup that does not exist on the local GTM.
Impact:
The gtm_add command fails silently.
Workaround:
Add the remote LTM datagroup to the local LTM.
1008169-1 : BIG-IP systems disconnect the DIAMETER transport connection if it receives an answer message without a Result-Code AVP
Links to More Info: BT1008169
Component: Service Provider
Symptoms:
If the BIG-IP system receives a DIAMETER answer message without a Result-Code AVP (and/or Experimental-Result-Code AVP), it terminates the connection at the transport (L4) level.
Conditions:
-- Using DIAMETER.
-- Processing an answer message that is missing both Result-Code and Experimental-Result-Code AVPs.
Impact:
The connection is terminated without properly notifying the DIAMETER peer.
Workaround:
None
1007909-1 : Tcpdump with :p (peer flow) flag does not capture forwarded between TMMs
Links to More Info: BT1007909
Component: TMOS
Symptoms:
When using tcpdump with the :p flag, it does not capture all packets that are processed by multiple TMMs.
Conditions:
Traffic flows are handled by multiple TMMs, e.g., one of the following:
-- 'preserve strict' set on virtual servers
-- a CMP-demoted virtual server
-- Service Provider (SP) DAG configured, but using custom mappings for some client IP addresses, or some traffic flows using VLANs without SPDAG configured.
Impact:
Causes confusion since there will be packets missing from tcpdump captures.
Workaround:
Use a packet capture filter to capture clientside and serverside flows directly, without relying on the peer flow flag (":p").
1007869-1 : Upgrade from v14.1.x to v15.1.2.1 or later fails for app-tunnel, RDP and config migration★
Links to More Info: BT1007869
Component: Access Policy Manager
Symptoms:
Config load fails with the following error.
01070712:3: Failed: name (/Common/<customization resource name>) Cache path (/config/filestore/files_d/Common_d/customization_group_d/:Common:<customization resource name with revision>) does not exist and there is no copy in trash-bin to restore from.
Unexpected Error: Loading configuration process failed.
An upgraded config may show RDP resources missing from the Advanced resource assign agent:
# tmsh list apm policy agent resource-assign
apm policy agent resource-assign test-simple-ap-01_act_full_resource_assign_ag {
rules {
{
portal-access-resources { /Common/test-pa-01 }
remote-desktop-resources { /Common/test-rdp-01 } !!! this line may go missing in v15.1.2.1 !!!
webtop /Common/test-full-wt-01
}
}
}
Conditions:
Upgrade to v15.1.2.1 or later with AppTunnel and RDP resources.
Impact:
The configuration fails to load following the upgrade.
Workaround:
Modify the revision numbers resources, customization path for missing webtop links.
Example:
=======
(1) The following AppTunnel config causes config loading failure:
01070712:3: Failed: name (/Common/Example_resource_app_tunnel_customization) Cache path (/config/filestore/files_d/Common_d/customization_group_d/:Common:Example_resource_app_tunnel_customization_1) does not exist and there is no copy in trash-bin to restore from.
(2) Modify as follows:
In TMSH:
#cp /config/filestore/files_d/Common_d/customization_group_d/\:Common\:Example_resource_app_tunnel_customization_1 /config/filestore/files_d/Common_d/customization_group_d/\:Common\:Example_resource_app_tunnel_customization_2
In bigip.conf under customization configuration:
Rename Example_resource_app_tunnel_customization_1 to Example_resource_app_tunnel_customization_2 (modifying revision numbers from _1 to _2)
#tmsh load sys config
(3) For a missing RDP resource: use VPE to edit access profiles and find the appropriate 'Advanced Resource Assign' agents. Add the appropriate RDP resources in the 'Advanced Resource Assign' agent.
==============
1006857-1 : Adding a source address list to a virtual server in a partition with a non-default route domain fails.
Links to More Info: BT1006857
Component: Local Traffic Manager
Symptoms:
Adding a source address list to a virtual server in a partition with a non-default route domain fails with an error similar to:
0107176c:3: Invalid Virtual Address, the IP address 10.10.10.20%2 already exists.
Conditions:
-- A partition with a non-default route domain.
-- A virtual server and address list in said partition.
-- Modifying the virtual server to use the address list as its source address.
Impact:
Unable to use a source address list in a partition with a non-default route domain.
Workaround:
Manually create a traffic-matching-criteria object in TMSH with the desired configuration, and then create the virtual server using that traffic-matching-criteria.
Steps to help with this process can be found in F5 solution article K41752699.
1006449-1 : The default size of the subagent object cache may lead to slow SNMP response time and high mcpd CPU use★
Links to More Info: BT1006449
Component: TMOS
Symptoms:
After upgrading from a 13.1.x release to a later release (such as 15.1.x), BIG-IP CPU utilization increases and SNMP is slow to respond.
Conditions:
SNMP client repeatedly polls BIG-IP for OIDs in multiple tables over a short period of time.
Impact:
SNMP queries take an unusually long time to return data, and BIG-IP CPU utilization is higher.
Workaround:
To the file /config/snmp/bigipTrafficMgmt.conf, add one line with the following content:
cacheObj 16
This could be accomplished by executing the following command line from bash:
# echo "cacheObj 16" >> /config/snmp/bigipTrafficMgmt.conf
After the above config file has been modified and saved, the "snmpd" daemon must be restarted, using one of two command variants:
(on a BIG-IP appliance or VE system)
# bigstart restart snmpd
(on a a multi-slot VIPRION or vCMP guest)
# clsh bigstart restart snmpd
(However, this adjustment will be lost when the BIG-IP software is next upgraded.)
1006345-4 : Static mac entry on trunk is not programmed on CPU-only blades
Links to More Info: BT1006345
Component: TMOS
Symptoms:
More traffic egressing out from primary link of lacp when there is DLFs (destination lookup failures) since static mac is not present on CPU-only blades
Conditions:
Static mac configured on trunk on all platforms except i4000, i850/i2000, 2000/2200, 4000/4200,4100
Impact:
DLFs (destination lookup failures) will cause the first interface in the trunk to egress all DLF'd traffic
1005309-4 : Additional Tcl variables showing information from the AntiBot Mobile SDK
Links to More Info: BT1005309
Component: Application Security Manager
Symptoms:
When using the Bot Defense iRules together with the AntiBot Mobile SDK, there are several variables missing. These missing variables would be useful for correct troubleshooting and pattern matching.
Conditions:
Using the AntiBot Mobile SDK together with Bot Defense iRules
Impact:
Some variables that are required for troubleshooting and pattern matching of the AntiBot Mobile SDK are missing.
Workaround:
None
1005181-4 : Bot Defense Logs indicate the mobile debugger is used even when it is not
Links to More Info: BT1005181
Component: Application Security Manager
Symptoms:
When using the AntiBot Mobile SDK, the Bot Defense Request Log may indicate that the mobile debugger is enabled, even when it is not.
Conditions:
Using the AntiBot Mobile SDK with the Bot Defense Profile
Impact:
Request log is showing an incorrect value.
Workaround:
None
1004953-5 : HTTP does not fall back to HTTP/1.1★
Links to More Info: BT1004953
Component: Local Traffic Manager
Symptoms:
After upgrading, the BIG-IP system's HTTP profile no longer falls back to HTTP/1.1 if a client sends a corrupted URI.
Conditions:
-- Client sends a corrupted URI (for example a URI containing a space).
Impact:
The BIG-IP system treats the URI as an HTTP/0.9 request (as per RFC) and forwards only the first request line. In previous releases, the BIG-IP system treated the URI as a HTTP/1.1 request.
Workaround:
None.
1004845-1 : Accessing attribute using attributeNode value does not work with Portal Access
Links to More Info: BT1004845
Component: Access Policy Manager
Symptoms:
URI normalization issue when using attributeNode to access attribute values.
Conditions:
Using attributeNode to access attribute value in web applications
Impact:
Web application does not work as expected.
Workaround:
Use custom iRule to fix this issue. There is no generic iRule for this issue, but here is a sample iRule:
XXXX is the file which usage attributeNode.
when REWRITE_REQUEST_DONE {
if {
[HTTP::path] ends_with "XXXX"
} {
# log "URI=([HTTP::path])"
# Found the file to modify
REWRITE::post_process 1
}
}
when REWRITE_RESPONSE_DONE {
set strt [string first {<script>try} [REWRITE::payload]]
if {$strt > 0} {
REWRITE::payload replace $strt 0 {
<script>
(function (){
var old_F5_Inflate_value = F5_Inflate_value;
F5_Inflate_value = function (o,sw,incr,v) {
if (o && o.ownerDocument) {
if (o.name == 'action') {
if (o.ownerElement) {
F5_Inflate_action(o.ownerElement,incr,v);
}
}
}
return old_F5_Inflate_value.apply(this,arguments)
}
})();
</script>
}
}
}
1004801-2 : In the violation details for Max Parameter Protocol Compliance, the incorrect number of parameters is shown.
Links to More Info: BT1004801
Component: Application Security Manager
Symptoms:
Incorrect number of parameter is shown in the violation details for Max Parameter Protocol Compliance.
Conditions:
Alarm or block flag is enabled on Max Parameter Protocol Compliance violation, and the request contains more than the maximum specified.
Impact:
Request event displays inaccurate number of parameters: the maximum number, plus 1 (e.g., if you specify 7, the maximum shown will be 8).
This occurs because the system stops parsing parameters when the violation is triggered, which occurs when receiving a request with more than the value specified in Max Parameter Protocol. So if you enable the alarm or block flag on requests with 5 parameters, a request with more than 5 parameters will be alarmed/blocked, and the number reported will be 6. If the system receives requests with more than 6 parameters, the number of parameters is still reported as 6.
Workaround:
None
1004609-6 : SSL forward proxy virtual server may set empty SSL session_id in server hello.
Links to More Info: BT1004609
Component: Local Traffic Manager
Symptoms:
End user clients are unable to establish a TLS connection. Further investigation indicates that the Session ID length field is set to 0, but there is no session ID.
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 59
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 55
Version: Version: TLS 1.2 (0x0303)
Random: aa957f92a5de4cedcf9750b60b3efab6b345da6c32189e93…
Session ID Length: 0 <=== !!!
.....
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
.....
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
.....
Conditions:
-- SSL forward proxy virtual server.
-- This can occur intermittently with normal HTTPS traffic. It occurs more frequently if the session cache's cache-timeout value is set to a low value.
Impact:
After receiving the invalid server hello message from the BIG-IP system, the client may generate unexpected_message (10) TLS alerts and the client may terminate SSL connection.
Workaround:
None
1004517-1 : BIG-IP tenants on VELOS cannot install EHFs
Links to More Info: BT1004517
Component: TMOS
Symptoms:
BIG-IP tenants created on VELOS using v14.1.4 software earlier than v14.1.4.3 cannot accept engineering hotfixes (EHF).
Conditions:
Installing EHF updates to BIG-IP tenants on VELOS running BIG-IP v14.1.4 software earlier than v14.1.4.3.
Impact:
EHF installation fails.
Workaround:
None
1004469-1 : SNMP OID ltmSipsessionProfileStatVsName and ltmSiprouterProfileStatVsName returns empty string
Links to More Info: BT1004469
Component: TMOS
Symptoms:
SNMP polling fails for ltmSipsessionProfileStatVsName and ltmSiprouterProfileStatVsName.
Conditions:
Run the snmpwalk for ltmSipsessionProfileStatVsName :
[root@d1:Active:Standalone] tmp # snmpwalk -c public localhost ltmSipsessionProfileStatVsName
F5-BIGIP-LOCAL-MIB::ltmSipsessionProfileStatVsName."/Common/test-sip"."" = STRING:
F5-BIGIP-LOCAL-MIB::ltmSipsessionProfileStatVsName."/Common/sipsession"."" = STRING:
F5-BIGIP-LOCAL-MIB::ltmSipsessionProfileStatVsName."/Common/sipsession-alg"."" = STRING:
----------
Run the snmpwalk for ltmSiprouterProfileStatTable
[root@ltm1:Active:Standalone] config # snmpwalk -c public localhost ltmSiprouterProfileStatTable
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatName."/Common/siprouter"."" = STRING: /Common/siprouter
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatName."/Common/siprouter-alg"."" = STRING: /Common/siprouter-alg
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatVsName."/Common/siprouter"."" = STRING:
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatVsName."/Common/siprouter-alg"."" = STRING:
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatTotMessgesIn."/Common/siprouter"."" = Counter64: 0
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatTotMessgesIn."/Common/siprouter-alg"."" = Counter64: 0
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatTotMessagesInRetry."/Common/siprouter"."" = Counter64: 0
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatTotMessagesInRetry."/Common/siprouter-alg"."" = Counter64: 0
Impact:
Returns empty. Cannot extract the virtual server name of a SIP session and SIP router profile through SNMP.
Workaround:
None
1004445-5 : Warning not generated when maximum prefix limit is exceeded.
Links to More Info: BT1004445
Component: Local Traffic Manager
Symptoms:
No warnings are given when the maximum prefix limit is exceeded.
Conditions:
BGP neighbor has a maximum-prefix warning configured
Impact:
If the limit is exceeded, no warnings are given. This can cause unexpected behavior.
Workaround:
None
1003629 : PAYG license becomes invalid when swapping associated NICs for instances in both Azure and AWS.
Links to More Info: BT1003629
Component: TMOS
Symptoms:
If swapping management and data plane NICs using the onboarding Terraform template, you will receive a, “License is not operational (expired or digital signature does not match contents)” message.
Conditions:
- A multi-NIC instance deployed in Azure or AWS using a PAYG license.
- Use the onboarding Terraform template to swap the management (1st NIC) and the data plane NICs.
Impact:
After swapping NICs and rebooting the instance, BIG-IP cannot successfully validate the PAYG license.
Workaround:
Due to Azure and AWS metadata service calls restricted to using the primary IP address, avoid swapping NICs, as it is currently NOT supported in those Clouds.
1003469-1 : The BIG-IP GUI fails to reset the statistics for an IPv6 pool member and returns an error.
Links to More Info: BT1003469
Component: TMOS
Symptoms:
When trying to reset the statistics for an IPv6 pool member using the GUI, the operation fails and the system returns one of the following errors (depending on the software version in use):
01030010:3: eXtremeDB - search operation failed
Unable to complete request
Conditions:
This issue occurs when you attempt to use the BIG-IP GUI to:
-- Reset the statistics of one or more IPv6 pool members you have selected individually.
-- Reset the statistics of all pools by using the 'Select All' checkbox (provided the system contains IPv6 pool members).
Impact:
Inability to reset the statistics using the GUI.
Workaround:
You can use the tmsh utility to reset the pool member's statistics from the CLI. Example command:
tmsh reset-stats ltm pool my-pool members { 2001:DB8::1.80 }
1003233-2 : SNMP Polling can cause inconsistencies in gtm link stats.
Links to More Info: BT1003233
Component: Global Traffic Manager (DNS)
Symptoms:
If the uplink router does not allow SNMP polling, and snmp_link monitor is applied, then GTM stats becomes inconsistent.
Conditions:
The router is not being probed using SNMP.
Impact:
Status values will be inconsistent.
Workaround:
N/A
1003225-2 : 'snmpget F5-BIGIP-LOCAL-MIB::ltmWebAccelerationProfileStat* returns zeroes
Links to More Info: BT1003225
Component: TMOS
Symptoms:
The values returned during an SNMP get are incorrect for the ltmWebAccelerationProfileStat.
The values should match what is displayed by running the tmsh command.
Conditions:
Performing an SNMP get:
snmpget -v 2c -c public localhost F5-BIGIP-LOCAL-MIB::ltmWebAccelerationProfileStatCacheSize.\"/Common/test\"
Impact:
The system reports inaccurate information for ltmWebAccelerationProfileStat stats.
Workaround:
None
1002969-4 : Csyncd can consume excessive CPU time★
Links to More Info: BT1002969
Component: Local Traffic Manager
Symptoms:
Following a configuration change or software upgrade, the "csyncd" process becomes always busy, consuming excessive CPU.
Conditions:
-- occurs on a multi-blade VIPRION chassis or VELOS tenant
-- may occur with or without vCMP
-- may occur after configuring F5 Telemetry Streaming, but may also occur in other circumstances
-- large numbers of files are contained in one or more of the directories being sync'ed between blades
Impact:
The overuse of CPU resources by "csyncd" may starve other control-plane processes. Handling of payload network traffic by the data plane is not directly affected.
Workaround:
To mitigate the processing load, identify which directory or directories contain excessive numbers of files being replicated between blades by "csyncd". If this replication is not absolutely needed (see below), such a directory can be removed from the set of directories being sync'ed.
For example: if there are too many files being generated in the "/run/pamcache" directory (same as "/var/run/pamcache"), remove this directory from the set being acted upon by "csyncd" by running the following commands to comment-out the associated lines in the configuration file.
[Note it is better to follow the more complete workaround from ID 1103369, https://cdn.f5.com/product/bugtracker/ID1103369.html ]
# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
# clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"
# clsh "bigstart restart csyncd"
If the problem was observed soon after the installation of F5 Telemetry Streaming, the configuration can be adjusted to make csyncd ignore the related files in a subdirectory of "/var/config/rest/iapps". Run the following commands:
# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
# clsh "sed -i '/\/var\/config\/rest\/iapps/a \ \ \ \ \ \ \ \ ignore f5-telemetry' /etc/csyncd.conf"
# clsh "bigstart restart csyncd"
----
The impact of disabling replication for the pamcache folder is that in the event of a primary blade failover, the new primary blade would not be aware of the existing valid auth tokens, so the user (eg, a GUI user, or a REST script already in progress at the time of the failover) would need to authenticate again.
The impact of disabling replication for a folder under the /var/config/rest/iapps is that in the event of a primary blade failover, the new primary blade would not be aware of the iApps LX package, so the user would need to install the iApps LX package on the new primary blade.
1002417-2 : Switch L2 forwarding entries learnt on multi-blade trunk in one blade needs to be synchronized to other blades of that trunk
Links to More Info: BT1002417
Component: TMOS
Symptoms:
In a chassis, when the switch needs to forward a packet where the destination MAC address does not exist in the L2 forwarding table (DLF, destination lookup failure), the packet is forwarded to blade one and flooded there. This can lead to interfaces on blade one being more heavily used.
Conditions:
Altering of trunk vlan memberships after failovers will lead to traffic imbalance on egress ports.
Impact:
It may lead to an out of bandwidth condition on interfaces.
1002345-4 : Transparent monitor does not work after upgrade★
Links to More Info: BT1002345
Component: In-tmm monitors
Symptoms:
Pool state changes from up to down following an upgrade.
Conditions:
A transparent monitor is configured to use the loopback address.
You are using BIG-IP Virtual Edition with a TAP interface handling linux host traffic.
Impact:
The pool is marked down.
Workaround:
None
1001129-1 : Maximum Login Failures lockout for root and admin
Component: TMOS
Symptoms:
The root/admin account does not lock out when multiple login failures occur.
Conditions:
Local accounts such as root and admin occur multiple login failures.
Impact:
The root or admin account is not locked out. Other accounts are locked out after multiple login failures.
Workaround:
None
1001101-1 : Cannot update/display GTM/DNS listener route advertisement correctly
Links to More Info: BT1001101
Component: Global Traffic Manager (DNS)
Symptoms:
Not able to update/display GTM/DNS listener route advertisement correctly.
Conditions:
Operating from the GUI GTM/DNS listener page.
Impact:
Not able to manage route advertisement from GUI GTM listener page.
Workaround:
Instead of GTM/DNS GUI, use LTM virtual address operations to manage GTM/DNS listener route advertisement.
1000325-1 : UCS load with 'reset-trust' may not work properly if base configuration fails to load★
Links to More Info: BT1000325
Component: TMOS
Symptoms:
When loading a UCS archive using the 'reset-trust' option, if the system fails to load the base configuration from the UCS archive, the system may fail to regenerate new device trust certificates and keys.
This can result in subsequent issues, including configuration load failures after an upgrade, such as:
01070712:3: Values (/Common/dtca.key) specified for trust domain (/Common/Root): foreign key index (key_fk) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.
Conditions:
-- Loading a UCS file using the 'reset-trust' option.
-- The system fails to load the base configuration (bigip_base.conf) in the UCS archive for any reason.
-- The base configuration is corrected, and subsequently loaded (e.g., with 'tmsh load sys config').
Impact:
-- The system does not regenerate critical device trust keys and certificates.
-- After a subsequent upgrade, the BIG-IP system goes to INOPERATIVE state, and reports this error:
01070712:3: Values (/Common/dtca.key) specified for trust domain (/Common/Root): foreign key index (key_fk) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.
Workaround:
Remove trust-domain from the bigip_base.conf file and reload the configuration.
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Technical Support website: http://www.f5.com/support/
- The MyF5 website: https://my.f5.com/manage/s/
- The F5 DevCentral website: http://devcentral.f5.com/