Applies To:
Show VersionsBIG-IP APM
- 17.0.0
BIG-IP Link Controller
- 17.0.0
BIG-IP Analytics
- 17.0.0
BIG-IP LTM
- 17.0.0
BIG-IP PEM
- 17.0.0
BIG-IP AFM
- 17.0.0
BIG-IP DNS
- 17.0.0
BIG-IP FPS
- 17.0.0
BIG-IP ASM
- 17.0.0
BIG-IP Release Information
Version: 17.0.0.1
Build: 4.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
The blue background highlights fixes |
Known Issues in BIG-IP v17.0.x
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1036057-5 | 3-Major | BT1036057 | Add support for line folding in multipart parser. | 17.0.0.1 |
1025261-4 | 3-Major | BT1025261 | restjavad uses more resident memory in control plane after software upgrade | 17.0.0.1 |
1006921-8 | 3-Major | iRules Hardening | 17.0.0.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1101705-1 | 1-Blocking | BT1101705 | RSA-KEX ciphers list are removed from httpd configuration in FIPS mode since these are non-approved ciphers for FIPS 140-3 certification | 16.1.3, 17.0.0.1 |
989517-4 | 2-Critical | BT989517 | Acceleration section of virtual server page not available in DHD | 17.0.0.1 |
957637-4 | 2-Critical | BT957637 | The pfmand daemon can crash when it starts. | 17.0.0.1 |
940225-5 | 2-Critical | BT940225 | Not able to add more than 6 NICs on VE running in Azure | 16.1.3, 17.0.0.1 |
1108181-5 | 2-Critical | BT1108181 | iControl REST call with token fails with 401 Unauthorized | 16.1.3, 17.0.0.1 |
919357-9 | 3-Major | iControl REST hardening | 17.0.0.1 | |
886649-6 | 3-Major | BT886649 | Connections stall when dynamic BWC policy is changed via GUI and TMSH | 16.1.3, 17.0.0.1 |
1091345-1 | 3-Major | BT1091345 | The /root/.bash_history file is not carried forward by default during installations. | 17.0.0.1 |
1089849-1 | 3-Major | BT1089849 | NIST SP800-90B compliance | 16.1.3, 17.0.0.1 |
1087621-3 | 3-Major | BT1087621 | IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload | 17.0.0.1 |
1083537-1 | 3-Major | BT1083537 | FIPS 140-3 Certification | 16.1.2.2, 17.0.0.1 |
1066673-7 | 3-Major | BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions | 17.0.0.1 | |
1061481-4 | 3-Major | BT1061481 | Denied strings were found in the /var/log/ folder after an update or reboot | 16.1.3, 17.0.0.1 |
1042737-5 | 3-Major | BT1042737 | BGP sending malformed update missing Tot-attr-len of '0. | 17.0.0.1 |
1024661-4 | 3-Major | SCTP forwarding flows based on VTAG for bigproto | 17.0.0.1 | |
740321-5 | 4-Minor | iControl SOAP API does not follow current best practices | 17.0.0.1 | |
1090569-2 | 4-Minor | BT1090569 | After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV | 17.0.0.1 |
1080317-4 | 4-Minor | BT1080317 | Logged hostname not consistent when hostname contains "." | 17.0.0.1 |
1071621-2 | 4-Minor | BT1071621 | Increase the number of supported traffic selectors | 17.0.0.1 |
1067105-5 | 4-Minor | BT1067105 | Racoon logging shows incorrect SA length. | 17.0.0.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1104493-2 | 2-Critical | Client-side abort during server-side establishment may cause tmm to behave abnormally in HTTP MRF proxy | 17.0.0.1 | |
1074517-4 | 2-Critical | BT1074517 | Tmm may core while adding/modifying traffic-class attached to a virtual server | 17.0.0.1 |
922413 | 3-Major | BT922413 | Excessive memory consumption with ntlmconnpool configured | 17.0.0.1 |
748886-5 | 3-Major | BT748886 | Virtual server stops passing traffic after modification | 17.0.0.1 |
1106289-1 | 3-Major | TMM may leak memory when processing sideband connections. | 17.0.0.1 | |
1091761-5 | 3-Major | Mqtt_message memory leaks when iRules are used | 17.0.0.1 | |
1084013-5 | 3-Major | TMM does not follow TCP best practices | 17.0.0.1 | |
1082505-1 | 3-Major | BT1082505 | TLS ciphersuites including RSA-KEX are non-approved ciphers for FIPS 140-3 certification | 16.1.3, 17.0.0.1 |
1082225-6 | 3-Major | BT1082225 | Tmm may core while Adding/modifying traffic-class attached to a virtual server. | 17.0.0.1 |
1022453-5 | 3-Major | BT1022453 | IPv6 fragments are dropped when packet filtering is enabled. | 17.0.0.1 |
1006157-7 | 3-Major | BT1006157 | FQDN nodes not repopulated immediately after 'load sys config' | 17.0.0.1 |
1104073-1 | 4-Minor | BT1104073 | Use of iRules command whereis with "isp" or "org" options may cause TCL object leak. | 17.0.0.1 |
1063637-5 | 4-Minor | NTLM library hardening | 17.0.0.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1091249-1 | 3-Major | BT1091249 | BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address. | 17.0.0.1 |
1084673-1 | 4-Minor | BT1084673 | GTM Monitor "require M from N" status change log message does not print pool name | 17.0.0.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
886533-4 | 3-Major | BT886533 | Icap server connection adjustments | 17.0.0.1 |
1085729-1 | 3-Major | bd may crash while processing specific request | 17.0.0.1 | |
1084257-1 | 3-Major | New HTTP RFC Compliance check for incorrect newline separators in headers | 17.0.0.1 | |
1082461-1 | 3-Major | BT1082461 | The enforcer cores during a call to 'ASM::raise' from an active iRule | 17.0.0.1 |
1078765-5 | 3-Major | BT1078765 | Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer. | 17.0.0.1 |
1062493-5 | 3-Major | BT1062493 | BD crash close to it's startup | 17.0.0.1 |
1056957-2 | 3-Major | BT1056957 | An attack signature can be bypassed under some scenarios. | 17.0.0.1 |
1030133-1 | 3-Major | BD core on XML out of memory | 17.0.0.1 | |
1014973-6 | 3-Major | BT1014973 | ASM changed cookie value. | 17.0.0.1 |
948241-5 | 4-Minor | Count Stateful anomalies based only on Device ID | 17.0.0.1 | |
947333-1 | 4-Minor | BT947333 | Irrelevant content profile diffs in Policy Diff | 17.0.0.1 |
1073625-1 | 4-Minor | BT1073625 | Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled. | 17.0.0.1 |
1058297-1 | 4-Minor | Policy history values for 'max Size Of Saved Versions' and for 'min Retained Files In Dir' is reset during upgrade&start; | 17.0.0.1 | |
1040513-4 | 4-Minor | BT1040513 | The counter for "FTP commands" is always 0. | 17.0.0.1 |
1014573-5 | 4-Minor | Several large arrays/objects in JSON payload may core the enforcer | 17.0.0.1 | |
1029689-1 | 5-Cosmetic | BT1029689 | Incosnsitent username "SYSTEM" in Audit Log | 17.0.0.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1097821-1 | 3-Major | BT1097821 | Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified | 14.1.5, 16.1.3, 17.0.0.1 |
1063641-5 | 4-Minor | NTLM library hardening | 17.0.0.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1093621-5 | 2-Critical | Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP | 17.0.0.1 | |
1103233-1 | 4-Minor | Diameter in-tmm monitor is logging disconnect events unnecessarily | 17.0.0.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
977153-6 | 3-Major | BT977153 | Packet with routing header IPv6 as next header in IP layer fails to be forwarded | 17.0.0.1 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1090649-4 | 3-Major | BT1090649 | PEM errors when configuring IPv6 flow filter via GUI | 17.0.0.1 |
1084993-5 | 3-Major | BT1084993 | [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching | 17.0.0.1 |
911585-6 | 4-Minor | BT911585 | PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval | 17.0.0.1 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
832133-6 | 3-Major | BT832133 | In-TMM monitors fail to match certain binary data in the response from the server. | 17.0.0.1 |
Cumulative fix details for BIG-IP v17.0.0.1 that are included in this release
989517-4 : Acceleration section of virtual server page not available in DHD
Links to More Info: BT989517
Component: TMOS
Symptoms:
Cannot use Advanced Menu to create a virtual server for HTTP/2 on systems with DHD licenses. This occurs because the Acceleration section is not available.
You can via TMSH then it works, but at as soon as you use the GUI to modify the virtual server, it loses the HTTP/2 configuration.
Conditions:
The Acceleration section is not visible in case 'DoS' is provisioned (available with the DHD license).
Impact:
1) You are unable to use the GUI to modify any parameters of the Acceleration table in the virtual server page.
2) Loss of configuration items if making changes via the GUI.
Workaround:
A virtual server with parameters present in the Acceleration table can still be created using TMSH. However, do not edit that virtual server in the GUI, or the Acceleration parameters will be lost.
Fix:
The Acceleration table is now visible, and there is no loss of configuration items if making changes via the GUI.
Fixed Versions:
17.0.0.1
977153-6 : Packet with routing header IPv6 as next header in IP layer fails to be forwarded
Links to More Info: BT977153
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems fail to follow RFC 5095, which specifies the traffic should be forwarded.
Conditions:
This symptom is found when the following conditions are met:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.
Impact:
This failure in forwarding ICMP error message prevents the BIG-IP AFM product from completing certification.
Workaround:
None.
Fixed Versions:
17.0.0.1
957637-4 : The pfmand daemon can crash when it starts.
Links to More Info: BT957637
Component: TMOS
Symptoms:
The pfmand process crashes and writes out a core file during bootup (or if the process is manually restarted by an Administrator for any reason) on certain platforms.
The crash may happen more than once, until the process finally settles and is able to start correctly.
Conditions:
-- Platforms i4000/i2000/i4800/i2800/i4600/i2600/i850.
Impact:
Network connection lost while pfmand restarts.
Workaround:
None
Fix:
The issue causing the pfmand daemon to occasionally crash has been resolved.
Fixed Versions:
17.0.0.1
948241-5 : Count Stateful anomalies based only on Device ID
Component: Application Security Manager
Symptoms:
Currently when Device ID is enabled, the BIG-IP system counts stateful anomalies on both IP and Device ID. When a client has a proxy (without XFF), and many requests arrive with the same IP, this can cause false positives
Conditions:
- Bot Defense profile is attached to a virtual server.
- Bot Defense profile has "Browser Verification" set to "Verify After Access" or "Device ID Mode" set to "Generate After Access".
Impact:
False positives may occur in case of a proxy without XFF
Workaround:
None
Fix:
Stateful anomalies are no longer counted on IP when Device ID is enabled
Fixed Versions:
17.0.0.1
947333-1 : Irrelevant content profile diffs in Policy Diff
Links to More Info: BT947333
Component: Application Security Manager
Symptoms:
Defense attributes' grayed out values are shown in the policy diff even if "any" is selected
Conditions:
-- Import a policy
-- Perform a policy diff
Impact:
Policy diff showing irrelevant diffs
Workaround:
None
Fix:
Removed grayed out diffs from policy diff content profile section
Fixed Versions:
17.0.0.1
940225-5 : Not able to add more than 6 NICs on VE running in Azure
Links to More Info: BT940225
Component: TMOS
Symptoms:
Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot.
Conditions:
-- Standard_DS4_v2 Azure instance type.
-- Mellanox ConnectX-3 ethernet controller.
-- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set.
-- Accelerated networking is enabled on two or more NICs.
Impact:
Not able to boot BIG-IP VM with 8 NICs, which should be supported for Standard_DS4_v2 instance type:
8 vCPU
28 GiB
8 Max NICs
Adding more NICs to the instance makes the device fail to boot.
Workaround:
None
Fixed Versions:
16.1.3, 17.0.0.1
922413 : Excessive memory consumption with ntlmconnpool configured
Links to More Info: BT922413
Component: Local Traffic Manager
Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client side connections. It holds HTTP authentication headers which is no longer necessary once a client is authenticated.
Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.
Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.
Workaround:
None.
Fix:
When an NTLM Conn Pool profile is attached to a virtual server, it no longer causes memory pressure on a large number connections with NTLM authentication.
Fixed Versions:
17.0.0.1
919357-9 : iControl REST hardening
Component: TMOS
Symptoms:
Under certain conditions iControl REST does not follow current best practices.
Conditions:
- Authenticated administrative user
- iControl REST requests
Impact:
iControl REST does not follow current best practices.
Workaround:
None
Fix:
iControl REST now follows current best practices.
Fixed Versions:
17.0.0.1
911585-6 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval
Links to More Info: BT911585
Component: Policy Enforcement Manager
Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.
Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)
Impact:
Session is not established.
Workaround:
None.
Fix:
Enhanced application to accept new sessions under problem conditions.
Fixed Versions:
17.0.0.1
886649-6 : Connections stall when dynamic BWC policy is changed via GUI and TMSH
Links to More Info: BT886649
Component: TMOS
Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.
Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.
Impact:
Connection does not transfer data.
Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.
Fixed Versions:
16.1.3, 17.0.0.1
886533-4 : Icap server connection adjustments
Links to More Info: BT886533
Component: Application Security Manager
Symptoms:
Request getting to the ICAP server takes a long time to process (several seconds), which makes the whole transaction slower than expected. When testing the connection to the ICAP server itself, you determine that it is fast.
Conditions:
This happens especially with large file uploads that are mixed with smaller file uploads. The smaller uploads are waiting for the bigger upload.
Impact:
Slow responses to specific requests.
Workaround:
None.
Fix:
This release provides greater responsiveness of the internal queue to the ICAP thread.
Fixed Versions:
17.0.0.1
832133-6 : In-TMM monitors fail to match certain binary data in the response from the server.
Links to More Info: BT832133
Component: In-tmm monitors
Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system still marks them DOWN.
Conditions:
This issue occurs when all of the following conditions are met:
-- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).
-- One (or more) of your TCP or HTTP monitors specifies a receive string using HEX encoding, in order to match binary data in the server's response.
-- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.
Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.
Workaround:
You can use either of the following workarounds:
-- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.
-- Do not monitor the application through a binary response (if the application allows it).
Fixed Versions:
17.0.0.1
748886-5 : Virtual server stops passing traffic after modification
Links to More Info: BT748886
Component: Local Traffic Manager
Symptoms:
A virtual server stops passing traffic after changes are made to it.
Conditions:
-- Virtual server is using a port-list or address-list
-- High availability (HA) environment with multiple traffic groups
-- A change is made to the virtual server
Impact:
Every time you make changes to the virtual server, the traffic-group for the virtual address is changed, and traffic goes down.
Fixed Versions:
17.0.0.1
740321-5 : iControl SOAP API does not follow current best practices
Component: TMOS
Symptoms:
Under certain conditions, the iControl SOAP API fails to follow current best practices.
Conditions:
- Authenticated user
- iControl SOAP request
Impact:
iControl SOAP does not follow current best practices
Workaround:
None
Fix:
iControl SOAP (iControlPortal.cgi) now follows current best practices.
Fixed Versions:
17.0.0.1
1108181-5 : iControl REST call with token fails with 401 Unauthorized
Links to More Info: BT1108181
Component: TMOS
Symptoms:
For a short period after creating or refreshing a token, iControl REST calls may fail with a 401 Unauthorized error and an HTML body content, or a 401 F5 Authorization Required error and a JSON body content.
When using F5 Ansible modules for BIG-IP, the modules may fail with an error "Expecting value: line 1 column 1 (char 0)".
AS3 may return an error, "AS3 API code: 401".
Conditions:
-- REST call using valid token.
-- Can commonly occur on the call after a token has been refreshed or a Token list has been requested.
Impact:
iControl REST calls may temporarily fail (typically less than 1 second) after the creation or refresh of an iControl REST token.
Workaround:
After being issued a token or refreshing a token, wait a second before attempting to use it.
If this does not work, request a new token.
No workaround exists for AS3 or F5 Ansible BIG-IP modules.
Fix:
A race condition on a PAM file update has been resolved. Tokens should remain valid.
Fixed Versions:
16.1.3, 17.0.0.1
1106289-1 : TMM may leak memory when processing sideband connections.
Component: Local Traffic Manager
Symptoms:
The xdata memory subsystem in TMM is affected by a memory leak. If left unchecked, TMM may eventually crash being unable to allocate any more memory.
Conditions:
The system is configured with iRules employing sideband connections. Special undisclosed network traffic from the target servers is required to trigger this issue.
Impact:
If TMM crashes, redundant units will fail-over. Standalone units will suffer a momentary outage while TMM restarts.
Workaround:
None.
Fix:
TMM now follows best practices for sideband connection handling.
Fixed Versions:
17.0.0.1
1104493-2 : Client-side abort during server-side establishment may cause tmm to behave abnormally in HTTP MRF proxy
Component: Local Traffic Manager
Symptoms:
This is due to early abort on client-side during serverside connection establishment.
Conditions:
- http vs with an httprouter profile
- irule to reject the connection
Impact:
- abnormal tmm behavior
Fixed Versions:
17.0.0.1
1104073-1 : Use of iRules command whereis with "isp" or "org" options may cause TCL object leak.
Links to More Info: BT1104073
Component: Local Traffic Manager
Symptoms:
When iRules command whereis is being used with "isp" or "org" options and underlying GEOIP database(s) have not been loaded,
cur_allocs for tcl memory increases over time and does not return to the prior level.
Conditions:
- iRules command whereis is used with "isp" or "org" options
- The underlying GEOIP database(s) have not been loaded
Impact:
Cur_allocs for tcl memory increases over time and does not return to the prior level.
Workaround:
Load the underlying GEOIP database(s) before using "isp" or "org" options of the iRules command whereis.
Fixed Versions:
17.0.0.1
1103233-1 : Diameter in-tmm monitor is logging disconnect events unnecessarily
Component: Service Provider
Symptoms:
Errors are logged to /var/log/ltm:
err tmm[20104]: 01cc0006:3: Peer (<peer>) connection state has changed: disconnected
Conditions:
A diameter in-tmm monitor is configured
Impact:
Debug logs are logged at the error level.
Workaround:
None
Fix:
Log level has been changed to the debug level for the peer disconnected log.
Fixed Versions:
17.0.0.1
1101705-1 : RSA-KEX ciphers list are removed from httpd configuration in FIPS mode since these are non-approved ciphers for FIPS 140-3 certification
Links to More Info: BT1101705
Component: TMOS
Symptoms:
- RSA-KEX ciphers list are removed from httpd configuration when FIPS mode is enabled since these are non-approved ciphers for FIPS 140-3 certification.
- Mandatory fix for FIPS 140-3 Certification.
Conditions:
- BIG-IP versions 16.1.3 and above.
- Applies to systems requiring FIPS 140-3 Certification.
- FIPS 140-3 license is installed on BIG-IP or its a FullBoxFIPS device.
- https connections are established using the RSA-KEX based ciphers
Impact:
- BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be running a FIPS 140-3 certified configuration.
- https connection using RSA KEX ciphers will not be successful when FIPS 140-3 license is installed in the device.
Workaround:
None
Fix:
Apply this fix to ensure that the system is compliant with FIPS 140-3 Certification.
Fixed Versions:
16.1.3, 17.0.0.1
1097821-1 : Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified
Links to More Info: BT1097821
Component: Access Policy Manager
Symptoms:
Creating an APM policy image file with source_path attribute fails.
Conditions:
APM provisioned
Impact:
You are unable to use the source_path attribute for creating APM customization image files.
Workaround:
Copy the image file to one of the directories of /var/config/rest/, /var/tmp/, /shared/tmp/ and use local_path instead of source_path.
E.g. create apm policy image-file test.jpg local-path /var/tmp/<file name>
Fixed Versions:
14.1.5, 16.1.3, 17.0.0.1
1093621-5 : Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP
Component: Service Provider
Symptoms:
Certain SIP messages can cause excessive memory use under when SIP is used over TCP.
Conditions:
Using a SIP Profile with a TCP connection
Impact:
Tmm memory grows considerably and it may not be freed.
Workaround:
No workaround.
Fix:
The traffic pattern no longer causes excessive memory usage.
Fixed Versions:
17.0.0.1
1091761-5 : Mqtt_message memory leaks when iRules are used
Component: Local Traffic Manager
Symptoms:
Mqtt_message memory leaks when iRules like insert_after, insert_before, and respond are used.
Conditions:
Basic mqtt virtual server with any of the below rules ->insert_after
>insert_before
>respond
Impact:
Memory leak occurs and TMM may crash
Workaround:
NA
Fix:
There is no longer a memory leak with iRules usage
Fixed Versions:
17.0.0.1
1091345-1 : The /root/.bash_history file is not carried forward by default during installations.
Links to More Info: BT1091345
Component: TMOS
Symptoms:
By default, the /root/.bash_history file is not included in the UCS archives. As such, this file is not rolled forward during a software installation.
Conditions:
Performing a BIG-IP software installation.
Impact:
This issue may hinder the efforts of F5 Support should the need to determine what was done prior to a software installation arise.
Workaround:
None
Fixed Versions:
17.0.0.1
1091249-1 : BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address.
Links to More Info: BT1091249
Component: Global Traffic Manager (DNS)
Symptoms:
As BIG-IP DNS and Link Controller systems connect with one another (or with monitored BIG-IP systems) over iQuery, you may notice:
-- Log messages that specify IPv6 translation addresses non-existent in your configuration and often meaningless (as in not pertaining to some of the more common IPv6 address spaces). For example:
debug gtmd[24229]: 011ae01e:7: Creating new socket to connect to 2001::1 (a06d:3d70:fd7f:0:109c:7000::)
-- If you restart the gtmd daemon, the IPv6 translation address mentioned above between parenthesis changes to a new, random meaningless value.
-- The GTM portion of the configuration fails to synchronize.
Conditions:
IPv6 translation addresses are in use in relevant objects.
Impact:
The logs are misleading and the GTM portion of the configuration may fail to synchronize.
Workaround:
If possible, do not use IPv6 translation addresses.
Fix:
IPv6 translation addresses now function as designed.
Fixed Versions:
17.0.0.1
1090649-4 : PEM errors when configuring IPv6 flow filter via GUI
Links to More Info: BT1090649
Component: Policy Enforcement Manager
Symptoms:
An error occurs while configuring an IPv6 flow filter using the GUI:
0107174e:3: The source address (::) and source netmask (0.0.0.0) addresses for pem flow info filter (filter0) must be be the same type (IPv4 or IPv6).
Conditions:
Configuring an IPv6 flow filter using the GUI
Impact:
You are unable to configure the IPv6 flow filter via the GUI
Workaround:
The error does not occur when using tmsh.
Fix:
Modified the IPv6 Validation. Able to create IPV6 flow filter after the fix
Fixed Versions:
17.0.0.1
1090569-2 : After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV
Links to More Info: BT1090569
Component: TMOS
Symptoms:
Some SSL handshakes are fail when using the CRL certificate validator and tmm crashes.
Conditions:
-- TLS virtual server
-- The virtual server passes network traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm crash related to the CRL certificate validator.
Fixed Versions:
17.0.0.1
1089849-1 : NIST SP800-90B compliance
Links to More Info: BT1089849
Component: TMOS
Symptoms:
Common Criteria and FIPS 140-3 certifications require compliance with NIST SP800-90B; this completes that compliance.
Conditions:
This applies to systems requiring Common Criteria and/or FIPS 140-3 compliance.
Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be using a Common Criteria and/or FIPS 140-3 certified configuration.
Workaround:
None
Fix:
Apply this fix to ensure that the system is compliant with NIST SP800-90B.
Fixed Versions:
16.1.3, 17.0.0.1
1087621-3 : IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload
Links to More Info: BT1087621
Component: TMOS
Symptoms:
The tunnel stops working after initially starting with no problem.
The BIG-IP will send a bad KE (Key Exchange) Payload when rekeying the IKE SA with ECP.
Conditions:
-- IKEv2
-- ECP PFS
-- Peer attempts to re-key IKE SA (CREATE_CHILD SA) over existing IKE SA.
Impact:
IPsec tunnels stop working for periods of time.
Workaround:
Do not use ECP for PFS.
Fix:
ECP will work correctly when rekeying.
Fixed Versions:
17.0.0.1
1085729-1 : bd may crash while processing specific request
Component: Application Security Manager
Symptoms:
bd crashes while processing specific request.
Conditions:
- "Attack Signature False Positive Mode" is not "Disabled"
- bd receives an undisclosed request during handling of other traffic.
Impact:
bd crashes
Workaround:
Set "Attack Signature False Positive Mode" to "Disabled".
Fix:
bd handles the request correctly.
Fixed Versions:
17.0.0.1
1084993-5 : [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching
Links to More Info: BT1084993
Component: Policy Enforcement Manager
Symptoms:
E2e id and h2h id in Re-Authorisation Answer from PEM to OCS is not matching with Re-Authorisation Request from OCS to PEM.
Conditions:
Diameter-endpoint configuration. PCEF(PEM) communicating over gy interface with OCS for quota information.
Impact:
OCS will not be able to determine for which RAR it got RAA. This is catastrophic for billing.
Workaround:
None
Fix:
There was conversion issue in PEM, fixed it.
Fixed Versions:
17.0.0.1
1084673-1 : GTM Monitor "require M from N" status change log message does not print pool name
Links to More Info: BT1084673
Component: Global Traffic Manager (DNS)
Symptoms:
The number of probes that are succeeding is changing in between different windows in which the "N" number of probes were sent.
Conditions:
- GTM/DNS is provisioned
- A "require M from N" monitor rule is assigned to a gtm pool or an individual gtm pool member.
Impact:
The log written to provide information on the changing number of successful probes does not contain information about the pool member.
Workaround:
None
Fixed Versions:
17.0.0.1
1084257-1 : New HTTP RFC Compliance check for incorrect newline separators in headers
Component: Application Security Manager
Symptoms:
ASM is not enforcing incoming HTTP requests headers ending with LF('\n')
Conditions:
Any HTTP request with LF('\n') as the only header separator will pass ASM without enforcement
Impact:
Invalid requests according to RFC might pass through ASM enforcement
Fix:
HTTP requests with LF('\n') as the only header separator are enforced, and "Unparsable request content" is reported
Fixed Versions:
17.0.0.1
1084013-5 : TMM does not follow TCP best practices
Component: Local Traffic Manager
Symptoms:
Under certain conditions, with specific configurations in place, TMM does not follow best practices for TCP connections.
Conditions:
- HTTP virtual server with f5-tcp-progressive configured as the client-side TCP profile.
- Software SYN cookies.
Impact:
TMM does not follow best practices for TCP connections.
Workaround:
None
Fix:
TMM now follows best practices for TCP connections when f5-tcp-progressive is in use.
Fixed Versions:
17.0.0.1
1083537-1 : FIPS 140-3 Certification
Links to More Info: BT1083537
Component: TMOS
Symptoms:
For FIPS 140-3 Certification
Conditions:
This applies to systems requiring FIPS 140-3 Certification.
Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be running a FIPS 140-3 certified configuration.
Workaround:
None
Fix:
Apply this fix to ensure that the system is compliant with FIPS 140-3 Certification.
Fixed Versions:
16.1.2.2, 17.0.0.1
1082505-1 : TLS ciphersuites including RSA-KEX are non-approved ciphers for FIPS 140-3 certification
Links to More Info: BT1082505
Component: Local Traffic Manager
Symptoms:
TLS ciphersuites including RSA KEX are non-approved ciphers as per FIPS 140-3 certification standard
Conditions:
- BIG-IP versions 16.1.3 and above
- FIPS 140-3 license is installed on BIG-IP or its a FullBoxFIPS device.
- f5-fips cipher-group is associated with SSL profiles
- Connections are established using the RSA-KEX based ciphers
Impact:
SSL handshake will not be successful.
Workaround:
Create a custom cipher-group including all the required cipher strings and associate with the SSL profiles.
Fix:
For FIPS 140-3 certification, TLS ciphersuites including RSA-KEX are reported as non-approved ciphers in fips mode, also these cipher strings have been removed from the f5-fips cipher group.
Fixed Versions:
16.1.3, 17.0.0.1
1082461-1 : The enforcer cores during a call to 'ASM::raise' from an active iRule
Links to More Info: BT1082461
Component: Application Security Manager
Symptoms:
In the case of 'ASM::raise' call execution from an iRule that contains a list length greater than 100, the enforcer (bd) will core.
Conditions:
A call to 'ASM::raise' with a list length greater than 100 from an iRule.
Impact:
Traffic disrupted while bd restarts.
Workaround:
While constructing the iRule, make sure that the list passed into 'ASM::raise' contains fewer than 100 elements.
Fix:
Fixed an enforcer core.
Fixed Versions:
17.0.0.1
1082225-6 : Tmm may core while Adding/modifying traffic-class attached to a virtual server.
Links to More Info: BT1082225
Component: Local Traffic Manager
Symptoms:
Tmm may core with 'tmm SIGSEGV' while performing addition/updating of traffic class attached to a virtual server.
Conditions:
-- Some Traffic classes have been removed from the virtual server.
-- A new traffic class is attached to the virtual server, or modification of the existing traffic class is triggered.
Impact:
Traffic disrupted while tmm restarts.
The traffic class might not be applied as expected.
Workaround:
None
Fixed Versions:
17.0.0.1
1080317-4 : Logged hostname not consistent when hostname contains "."
Links to More Info: BT1080317
Component: TMOS
Symptoms:
Messages which are logged to journald use the configured hostname while sylog-ng uses the hostname (machine name) and truncates it starting at the first '.'. As we're using a mix of logging directly to syslog-ng (e.g., /var/run/tmm.pipe) and from journald, this results in hostnames being inconsistent when it contains '.'; i.e., "my.hostname" is logged as "my" by syslog-ng and "my.hostname" by journald. This can make it difficult for log analysis tools to work with the log files.
Conditions:
When hostname contains '.'
Impact:
Not in readable state as some logs contains truncated hostname and some contain full hostname
Fixed Versions:
17.0.0.1
1078765-5 : Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer.
Links to More Info: BT1078765
Component: Application Security Manager
Symptoms:
A BD core may occur due to enforcement of 200004390 200004389 signatures with the combination of Arcsight remote logger enabled.
Conditions:
The request must contain 200004390 200004389 signatures with the combination of Arcsight remote logger attached to the virtual server.
Impact:
The enforcer may crash.
Workaround:
Disable 200004390 200004389 signatures.
Fix:
200004390 200004389 are now signatures enforced successfully.
Fixed Versions:
17.0.0.1
1074517-4 : Tmm may core while adding/modifying traffic-class attached to a virtual server
Links to More Info: BT1074517
Component: Local Traffic Manager
Symptoms:
Tmm may core while adding/modifying traffic-class attached to a virtual server
Conditions:
-- Traffic class is attached to a virtual server.
-- Add an existing traffic class to a virtual server.
-- Afterwards, a new traffic class is attached to the virtual server, or modification of the existing traffic class is triggered.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.0.0.1
1073625-1 : Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled.
Links to More Info: BT1073625
Component: Application Security Manager
Symptoms:
ASM policy import is successful on Active unit and it syncs to standby device, but "Apply changes" is displayed on the standby device policies page.
Conditions:
1. XML policy with learning enabled imported via TMSH.
2. Autosync with incremental sync enabled on device-group with ASM sync enabled.
Impact:
The peer (standby) unit needs to have the policies applied manually even though everything is set to auto-sync
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0.1
1071621-2 : Increase the number of supported traffic selectors
Links to More Info: BT1071621
Component: TMOS
Symptoms:
There is an imposed limit of 30 traffic selectors that can be attached to an IPsec policy / IKEv2 ike-peer.
Conditions:
-- IKEv2
-- More than 30 traffic selectors required on one IPsec policy / ike-peer.
Impact:
No more than 30 traffic selectors can be added to a single IPsec policy / ike-peer.
Workaround:
None
Fix:
The behavior of sys db ipsec.maxtrafficselectors has changed.
Max traffic selectors associated to an ike-peer is increased from 30 to 100.
ipsec.maxtrafficselectors can not be set to "0" to indicate there is no limit.
When the sys-db variable is non-zero, the limit is enforced.
Fixed Versions:
17.0.0.1
1067105-5 : Racoon logging shows incorrect SA length.
Links to More Info: BT1067105
Component: TMOS
Symptoms:
Debug2 logs incorrect "total SA" length in racoon.log.
Conditions:
-- IKEv1 tunnels in use
-- ikedaemon in debug2 mode
Impact:
Troubleshooting is confused by misleading information about the SA payload length.
Workaround:
None. This is a cosmetic / logging issue.
Fix:
Clarified the log message to indicate what the logged length actually covers.
Fixed Versions:
17.0.0.1
1066673-7 : BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions
Component: TMOS
Symptoms:
In specific situations the BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions
Conditions:
BIG-IP Configuration Utility and iControl REST are in use
Impact:
The BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions
Fix:
The BIG-IP Configuration Utility now follows best practices for managing active sessions.
Fixed Versions:
17.0.0.1
1063641-5 : NTLM library hardening
Component: Access Policy Manager
Symptoms:
Under certain conditions the NTLM library does not follow current best practices
Conditions:
Websso NTLM use cases.
Impact:
The NTLM library does not follow best practices.
Fix:
The NTLM library now follows best practices.
Fixed Versions:
17.0.0.1
1063637-5 : NTLM library hardening
Component: Local Traffic Manager
Symptoms:
Under certain conditions the NTLM library does not follow current best practices
Conditions:
NTLM http/https monitors use cases.
Impact:
The NTLM library does not follow best practices.
Fix:
The NTLM library now follows best practices.
Fixed Versions:
17.0.0.1
1062493-5 : BD crash close to it's startup
Links to More Info: BT1062493
Component: Application Security Manager
Symptoms:
BD crashes shortly after startup.
Conditions:
FTP or SMTP are in use. Other causes are unknown.
Impact:
Traffic disrupted while bd restarts.
Workaround:
No workaround except removal of the FTP/SMTP protection.
Fix:
Crashes close to startup coming from SMTP or FTP were fixed.
Fixed Versions:
17.0.0.1
1061481-4 : Denied strings were found in the /var/log/ folder after an update or reboot
Links to More Info: BT1061481
Component: TMOS
Symptoms:
Denied strings error message were found in /var/log/dmesg and /var/log/messages files after update or reboot.
For example, the string "denied" was found:[ 5.704716] type=1401 audit(1636790175.688:4): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:f5_jitter_entropy_t:s0
Conditions:
After update or reboot, check the following log files:
/var/log/dmesg and /var/log/messages.
Impact:
Error strings are observed in /var/log/dmesg and /var/log/messages.
Workaround:
None.
Fix:
No error strings are observed.
Fixed Versions:
16.1.3, 17.0.0.1
1058297-1 : Policy history values for 'max Size Of Saved Versions' and for 'min Retained Files In Dir' is reset during upgrade&start;
Component: Application Security Manager
Symptoms:
The values for "minRetainedFilesInDir" and "maxSizeOfSavedVersions" in /etc/ts/tools/policy_history.cfg
are set back to default after an upgrade.
Conditions:
-- Non-default values for "minRetainedFilesInDir" and for "maxSizeOfSavedVersions"
-- An upgrade occurs
Impact:
After upgrade, the values in the configuration file are set back to default.
Workaround:
Update the values after the upgrade is complete.
Fix:
The usage of the configuration file /etc/ts/tools/policy_history.cfg is deprecated.
New internal config items have been added:
"policy_history_min_retained_versions" and "policy_history_max_total_size"
The internal variables are preserved during the upgrade.
Fixed Versions:
17.0.0.1
1056957-2 : An attack signature can be bypassed under some scenarios.
Links to More Info: BT1056957
Component: Application Security Manager
Symptoms:
An attack signature is not detected.
Conditions:
A specific condition.
Impact:
False negative - attack is not detected.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0.1
1042737-5 : BGP sending malformed update missing Tot-attr-len of '0.
Links to More Info: BT1042737
Component: TMOS
Symptoms:
BIG-IP might send a malformed BGP update missing Tot-attr-len of '0 when performing a soft reset out.
Conditions:
-- Multiple traffic groups configured.
-- A BGP soft reset occurs.
Impact:
BGP peering resets.
Fixed Versions:
17.0.0.1
1040513-4 : The counter for "FTP commands" is always 0.
Links to More Info: BT1040513
Component: Application Security Manager
Symptoms:
On the FTP Statistics page, the "FTP Commands" value is always zero.
Conditions:
FTP security is applied and "FTP commands violations" is enforced.
Impact:
The FTP security does not show violations statistics regarding the FTP commands.
Workaround:
None
Fix:
"FTP commands statistics" now shows an accurate value in the UI.
Fixed Versions:
17.0.0.1
1036057-5 : Add support for line folding in multipart parser.
Links to More Info: BT1036057
Component: Application Security Manager
Symptoms:
RFC 2616 allowed HTTP header field values to be extended over multiple lines by preceding each extra line with at least one space or horizontal tab. This was then deprecated by RFC 7230.
The multipart parser of ASM does not support the multiple line header, so these requests cause false positives.
Conditions:
Multiline header in multipart request
Impact:
False positives.
Workaround:
None
Fix:
Introduced a new ASM internal parameter: multipart_allow_multiline_header
Note: default value is 0 (disabled)
Note: enabling/disabling the feature requires asm restart that triggers the unit going offline for a short time period. If the unit is a part of a high availability (HA) cluster, failover to the other unit will occur. If it is a standalone unit, traffic disruption until the unit comes back to online.
- Enable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 1
# bigstart restart asm
- Disable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 0
# bigstart restart asm
Behavior Change:
Introduced a new ASM internal parameter: multipart_allow_multiline_header
Note: default value is 0 (disabled)
Note: enabling/disabling the feature requires asm restart that triggers the unit going offline for a short time period. If the unit is a part of a high availability (HA) cluster, failover to the other unit will occur. If it is a standalone unit, traffic disruption until the unit comes back to online.
- Enable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 1
# bigstart restart asm
- Disable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 0
# bigstart restart asm
Fixed Versions:
17.0.0.1
1030133-1 : BD core on XML out of memory
Component: Application Security Manager
Symptoms:
Missing error handling in lib xml parser.
Conditions:
XML parser going out of memory.
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.0.0.1
1029689-1 : Incosnsitent username "SYSTEM" in Audit Log
Links to More Info: BT1029689
Component: Application Security Manager
Symptoms:
The Security Policy Auto Log in ASM displays the system component that triggered the event. The component name is sometimes shown as 'SYSTEM', other times shown as 'System'
Conditions:
The value is "SYSTEM" when Apply Policy was initiated locally.
The value is "System" when Apply Policy was initiated by the peer unit
Impact:
Component name inconsistency causing confusion
Workaround:
None
Fixed Versions:
17.0.0.1
1025261-4 : restjavad uses more resident memory in control plane after software upgrade
Links to More Info: BT1025261
Component: TMOS
Symptoms:
restjavad immediately reserves more memory and the process size (as shown by RSS) increases.
(Note the process name displays as 'java', but there are multiple independent Java process on the system. The parent process of restjavad is 'runsv restjavad', and the command line arguments may have 'logging' in them.)
For restjavad with default size, the increase is usually 200-300MB.
The increase will be particularly apparent where restjavad.useextramb is set to the value true and provision.extramb is set to a high value but restjavad hadn't required much extra memory previously.
Conditions:
After upgrading to a BIG-IP version with the fix for ID776393, where more memory has been allocated for restjavad.
Impact:
The memory Resident Set Size (RSS) of the restjavad process will be larger than needed, possibly constricting other processes in the control plane.
Workaround:
If restjavad.useextramb is set to value true you may find that if only a small amount of restjavad memory was required (~192MB or less) that it can be set to false.
This is because the default size of restjavad has increased by 192MB.
Restart restjavad after the change.
Fix:
A new sys DB variable, provision.restjavad.extramb has been introduced to allow finer grained control of restjavad memory.
It only takes effect if sys db restjavad.useextramb is true.
It can be used to set restjavad heap size both above and below default heap size of 384MB
Behavior Change:
A new sys DB variable, provision.restjavad.extramb has been introduced to allow finer grained control of restjavad memory.
It is particularly useful if you need restjavad to be slightly bigger and also need a much larger provision.extramb without most of that being taken by restjavad.
It only has effect if sys db restjavad.useextramb is set to value true, otherwise default memory amounts are used.
It sets the heap size, defaults to, and has minimum value of 192MB.
If the value of provision.restjavad.extramb is set above a cap value then the heap size will be set to the cap value. Currently that is 384 MB + 80% of provision.extramb.
So with restjavad.useextramb set to true you can set restjavad heap size from 192MB to 384 MB + 80% of provision.extramb by use of provision.restjavad.extramb
After changing value of provision.restjavad.extramb restart restjavad to enable the change in memory size:
bigstart restart restjavad
or
clsh bigstart restart restjavad on multi-blade systems.
Fixed Versions:
17.0.0.1
1024661-4 : SCTP forwarding flows based on VTAG for bigproto
Component: TMOS
Symptoms:
Sometimes SCTP traffic is unidirectionally dropped on one link after an SCTP link down occurs.
Conditions:
-- SCTP configured and BIG-IP is passing traffic
-- A link goes down
Impact:
Flow creation on the wrong TMM and some traffic is dropped.
Workaround:
Disable SCTP flow redirection.
tmm.sctp.redirect_packets == disable
Fixed Versions:
17.0.0.1
1022453-5 : IPv6 fragments are dropped when packet filtering is enabled.
Links to More Info: BT1022453
Component: Local Traffic Manager
Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.
Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.
Impact:
Some or all of the fragments of an IPv6 packet are lost.
Workaround:
Disable packet filtering
Fixed Versions:
17.0.0.1
1014973-6 : ASM changed cookie value.
Links to More Info: BT1014973
Component: Application Security Manager
Symptoms:
ASM changes the value of a cookie going to the server.
Conditions:
Specific conditions.
Impact:
Domain cookie will reach the server with a wrong value. Can cause different malfunctions depending on the application.
Workaround:
Change the following db variable:
tmsh modify sys db asm.strip_asm_cookies (https://support.f5.com/csp/article/K30023210) value false.
There is no need to restart asm.
Add an iRule without the use of strip_asm_cookies:
https://support.f5.com/csp/article/K13693.
Fix:
Original cookies not being deleted/modified after the removing of TS cookies in ASM.
Fixed Versions:
17.0.0.1
1014573-5 : Several large arrays/objects in JSON payload may core the enforcer
Component: Application Security Manager
Symptoms:
Requests with JSON payload that consists of more than one object with elements, such as a couple of large arrays, may cause the enforcer to crash.
Conditions:
Each of the objects/arrays in JSON payload has to consist lesser amount of elements than defined in the "Maximum Array Length" JSON profile attribute.
Impact:
Large enough arrays may cause performance decrease, in addition, the enforcer may crash.
Workaround:
Set "Maximum Array Length" to a lower value than the requests array length.
Fix:
Added internal param "count_overall_child_elements_in_json" to control "Maximum Array/Object Elements" behaviour:
0 (default) - retain current behaviour (check max elements in each array/object separately);
1 - count overall elements in all arrays/objects.
Fixed Versions:
17.0.0.1
1006921-8 : iRules Hardening
Component: Local Traffic Manager
Symptoms:
Under certain conditions iRules do not follow current best practices.
Conditions:
Use of iRules with the pool or node commands.
Impact:
iRules do not follow current best practices.
Workaround:
N/A.
Fix:
iRules now follows current best practices.
Behavior Change:
Database variable 'tmm.tcl.rule.node.allow_loopback_addresses' was created to toggle whether or not to allow loopback addresses for iRule node command; "true" will restore previous behavior and enable loopback connections.
The default value is "false".
Fixed Versions:
17.0.0.1
1006157-7 : FQDN nodes not repopulated immediately after 'load sys config'
Links to More Info: BT1006157
Component: Local Traffic Manager
Symptoms:
A DNS query is not sent for configured FQDN nodes until the TTL value expires.
Conditions:
This occurs when 'load sys config' is executed.
Impact:
Name addresses do not resolve to IP addresses until the TTL expires.
Workaround:
You can use either of the following workarounds:
-- Change the default TTL value to be fewer than 300 seconds (the default value is 3600 seconds).
-- Restart dynconfd daemon:
tmsh restart sys service dynconfd
Fixed Versions:
17.0.0.1
Known Issues in BIG-IP v17.0.x
TMOS Issues
ID Number | Severity | Links to More Info | Description |
1120433-1 | 1-Blocking | BT1120433 | Removed gtmd and big3d daemon from the FIPS-compliant list |
979045-5 | 2-Critical | BT979045 | The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms |
950201-5 | 2-Critical | BT950201 | Tmm core on GCP |
842669-7 | 2-Critical | BT842669 | Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log |
737692-7 | 2-Critical | BT737692 | Handle x520 PF DOWN/UP sequence automatically by VE |
1110893-5 | 2-Critical | BT1110893 | Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy |
1105901-1 | 2-Critical | BT1105901 | Tmm crash while doing high-speed logging |
1097193-4 | 2-Critical | BT1097193 | Unable to SCP files using WinSCP or relative path name |
1095217-2 | 2-Critical | BT1095217 | Peer unit incorrectly shows the pool status as unknown after upgrade to version 16.1.2.1 |
1093717-5 | 2-Critical | BT1093717 | BGP4 SNMP traps are not working. |
1085597-2 | 2-Critical | BT1085597 | IKEv1 IPsec peer cannot be created in config utility (web UI) |
1077789-5 | 2-Critical | BT1077789 | System might become unresponsive after upgrading.&start; |
1075905-4 | 2-Critical | BT1075905 | TCP connections may fail when hardware SYN Cookie is active |
992865-4 | 3-Major | BT992865 | Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances |
992053-7 | 3-Major | BT992053 | Pva_stats for server side connections do not update for redirected flows |
988745-5 | 3-Major | BT988745 | On reboot, 'could not find platform object' errors may be seen in /var/log/ltm |
966949-7 | 3-Major | BT966949 | Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node |
950153-4 | 3-Major | BT950153 | LDAP remote authentication fails when empty attribute is returned |
945413-5 | 3-Major | BT945413 | Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync |
930393-1 | 3-Major | BT930393 | IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration |
925469-4 | 3-Major | BT925469 | SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo |
921149-7 | 3-Major | BT921149 | After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy |
908453-6 | 3-Major | BT908453 | Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly |
879969-9 | 3-Major | BT879969 | FQDN node resolution fails if DNS response latency >5 seconds |
775845-7 | 3-Major | BT775845 | Httpd fails to start after restarting the service using the iControl REST API |
769741-5 | 3-Major | BT769741 | TCP connection between mcp and tmm may get stalled |
760982-4 | 3-Major | BT760982 | An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios |
760354-16 | 3-Major | BT760354 | Continual mcpd process restarts after removing big logs when /var/log is full |
755207-4 | 3-Major | BT755207 | Large packets silently dropped on VE mlxvf5 devices |
566995-5 | 3-Major | BT566995 | bgpd might crash in rare circumstances. |
1128169-2 | 3-Major | BT1128169 | TMM core when IPsec tunnel object is reconfigured |
1127881-1 | 3-Major | BT1127881 | Deprecate sysClientsslStatFullyHwAcceleratedConns, sysClientsslStatPartiallyHwAcceleratedConns and sysClientsslStatNonHwAcceleratedConns |
1125733-5 | 3-Major | BT1125733 | Wrong server-side window scale used in hardware SYN cookie mode |
1123885-1 | 3-Major | BT1123885 | A specific type of software installation may fail to carry forward the management port's default gateway. |
1123149-1 | 3-Major | BT1123149 | Sys-icheck fail for /etc/security/opasswd |
1122441-6 | 3-Major | BT1122441 | Upgrade expat library to the latest version(2.4.8) to fix CVE's. |
1122021-4 | 3-Major | BT1122021 | Killall command might create corrupted core files |
1121517-1 | 3-Major | BT1121517 | Interrupts on Hyper-V are pinned on CPU 0 |
1120685-1 | 3-Major | BT1120685 | Unable to update the password in the CLI when password-memory is set to > 0 |
1120345-7 | 3-Major | BT1120345 | Running tmsh load sys config verify can trigger high availability (HA) failover |
1113961-2 | 3-Major | K43391532, BT1113961 | BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China |
1113385-5 | 3-Major | BT1113385 | Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP |
1112537-1 | 3-Major | BT1112537 | LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete. |
1111629-5 | 3-Major | BT1111629 | Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors |
1111421-4 | 3-Major | BT1111421 | TMSH/GUI fails to display IPsec SAs info |
1106489-1 | 3-Major | BT1106489 | GRO/LRO is disabled in environments using the TMM raw socket "sock" driver. |
1103953-2 | 3-Major | BT1103953 | SSMTP errors in logs every 20 minutes |
1102849-4 | 3-Major | BT1102849 | Less-privileged users (guest, operator, etc) are unable to run top level commands |
1100409-5 | 3-Major | Valid connections may fail while a virtual server is in SYN cookie mode. | |
1100321-4 | 3-Major | BT1100321 | MCPD memory leak |
1093973-8 | 3-Major | BT1093973 | Tmm may core when BFD peers select a new active device. |
1093553-5 | 3-Major | BT1093553 | OSPF "default-information originate" injects a new link-state advertisement |
1093313-1 | 3-Major | BT1093313 | CLIENTSSL_CLIENTCERT iRule event is not triggered for TLS1.3 when the client sends an empty certificate response |
1091725-5 | 3-Major | BT1091725 | Memory leak in IPsec |
1090313-4 | 3-Major | BT1090313 | Virtual server may remain in hardware SYN cookie mode longer than expected |
1086517-3 | 3-Major | BT1086517 | TMM may not properly exit hardware SYN cookie mode |
1085837-3 | 3-Major | BT1085837 | Virtual server may not exit from hardware SYN cookie mode |
1081649-3 | 3-Major | BT1081649 | Remove the "F5 iApps and Resources" link from the iApps->Package Management |
1081641-5 | 3-Major | BT1081641 | Remove Hyperlink to Legal Statement from Login Page |
1080925-4 | 3-Major | BT1080925 | Changed 'ssh-session-limit' value is not reflected after restarting mcpd |
1080297-5 | 3-Major | BT1080297 | ZebOS does not show "log syslog" in the running configuration, or store it in the startup configuration |
1077533-4 | 3-Major | BT1077533 | BIG-IP fails to restart services after mprov runs during boot. |
1077405-1 | 3-Major | BT1077405 | Ephemeral pool members may not be created with autopopulate enabled. |
1076801-5 | 3-Major | BT1076801 | Loaded system increases CPU usage when using CS features |
1076785-3 | 3-Major | BT1076785 | Virtual server may not properly exit from hardware SYN Cookie mode |
1063237-6 | 3-Major | BT1063237 | Stats are incorrect when the management interface is not eth0 |
1040277-6 | 3-Major | BT1040277 | Syslog-ng issue may cause logging to stop and possible reboot of a system |
1036613-6 | 3-Major | BT1036613 | Client flow might not get offloaded to PVA in embryonic state |
1032257-5 | 3-Major | BT1032257 | Forwarded PVA offload requests fail on platforms with multiple PDE/TMM |
1029105-2 | 3-Major | BT1029105 | Hardware SYN cookie mode state change logs bogus virtual server address |
1024421-4 | 3-Major | BT1024421 | At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log |
1019829-4 | 3-Major | BT1019829 | Configsync.copyonswitch variable is not functioning on reboot |
1009337-3 | 3-Major | BT1009337 | LACP trunk down due to bcm56xxd send failure |
964533-6 | 4-Minor | BT964533 | Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs. |
936501-7 | 4-Minor | BT936501 | Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled |
929173-5 | 4-Minor | BT929173 | Watchdog reset due to CPU stall detected by rcu_sched |
915141-6 | 4-Minor | BT915141 | Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown' |
658943-6 | 4-Minor | BT658943 | Errors when platform-migrate loading UCS using trunks on vCMP guest |
1121169-4 | 4-Minor | BT1121169 | Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use |
1114253-5 | 4-Minor | BT1114253 | Weighted static routes do not recover from BFD link failures |
1101741-1 | 4-Minor | BT1101741 | Virtual server with default pool down and iRule pool up will flap for a second during a full config-sync. |
1100609-1 | 4-Minor | BT1100609 | Length Mismatch in DNS/DHCP IPv6 address in logs and pcap |
1096461-1 | 4-Minor | BT1096461 | TACACS system-auth Accounting setting has no effect when set to send-to-all-servers/send-to-first-server |
1095973-4 | 4-Minor | BT1095973 | Config load failure when Trusted CA Bundle is missing and URL is present in the Bundle Manager |
1095205-5 | 4-Minor | BT1095205 | Config.auditing.forward.multiple db Variable with value "none" is not working as expected with multiple destination addresses in audit_forwarder. |
1089005-5 | 4-Minor | BT1089005 | Dynamic routes might be missing in the kernel on secondary blades. |
1082193-4 | 4-Minor | BT1082193 | TMSH: Need to update the version info for SERVER_INIT in help page |
1077293-3 | 4-Minor | BT1077293 | APPIQ option still showing in BIG-IP GUI even though its functionality migrated to BIG-IQ. |
1076897-5 | 4-Minor | BT1076897 | OSPF default-information originate command options not working properly |
Local Traffic Manager Issues
ID Number | Severity | Links to More Info | Description |
1112349-5 | 1-Blocking | BT1112349 | FIPS Card Cannot Initialize |
999669-4 | 2-Critical | BT999669 | Some HTTPS monitors are failing after upgrade when config has different SSL option&start; |
949137-8 | 2-Critical | BT949137 | Clusterd crash and vCMP guest failover |
922737-3 | 2-Critical | BT922737 | TMM crash |
632553-7 | 2-Critical | K14947100, BT632553 | DHCP: OFFER packets from server are intermittently dropped |
1113549-2 | 2-Critical | BT1113549 | System boots into an inoperative state after installing engineering hotfix with FIPS140-2/140-3 License&start; |
1110813-4 | 2-Critical | Improve MPTCP retransmission handling while aborting | |
1110205-3 | 2-Critical | BT1110205 | SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown |
1100249-1 | 2-Critical | BT1100249 | SNAT with FLOW_INIT firewall rule may core TMM due to wrong type of underlying flow structure |
1099545-1 | 2-Critical | BT1099545 | Tmm may core when PEM virtual with a simple policy and iRule is being used |
1091021-1 | 2-Critical | BT1091021 | The BIG-IP system may take no fail-safe action when the bigd daemon becomes unresponsive. |
1087469-3 | 2-Critical | BT1087469 | iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate. |
1087217-3 | 2-Critical | BT1087217 | TMM crash as part of the fix made for ID912209 |
1078741-3 | 2-Critical | BT1078741 | Tmm crash |
1073897-1 | 2-Critical | BT1073897 | TMM core due to memory corruption |
1063653-3 | 2-Critical | BT1063653 | TMM Crash while processing traffic on virtual server. |
1060369-2 | 2-Critical | BT1060369 | HTTP MRF Router will not change serverside load balancing method |
966785-4 | 3-Major | BT966785 | Rate Shaping stops TCP retransmission |
947125-8 | 3-Major | BT947125 | Unable to delete monitors after certain operations |
945189-6 | 3-Major | BT945189 | HTTPS monitor fails due to missing ECDHE-RSA-AES256-CBC-SHA&start; |
932461-6 | 3-Major | BT932461 | Cert update on server SSL profile on HTTPS monitor: BIG-IP not using the updated certificate. |
928445-7 | 3-Major | BT928445 | HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2 |
912293-6 | 3-Major | BT912293 | Persistence might not work properly on virtual servers that utilize address lists |
901569-5 | 3-Major | BT901569 | Loopback traffic might get dropped when VLAN filter is enabled for a virtual server. |
887265-5 | 3-Major | BT887265 | BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration&start; |
878641-4 | 3-Major | BT878641 | TLS1.3 certificate request message does not contain CAs |
739475-7 | 3-Major | BT739475 | Site-Local IPv6 Unicast Addresses support. |
1126329-1 | 3-Major | BT1126329 | SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT&start; |
1115041-2 | 3-Major | BT1115041 | BIG-IP does not forward the response received after GOAWAY, to the client. |
1113181-1 | 3-Major | BT1113181 | Self-IP allows no traffic following a modification from "Allow Custom (Include Default)" to "Allow Custom". |
1112385-4 | 3-Major | BT1112385 | Traffic classes match when they shouldn't |
1112205-1 | 3-Major | BT1112205 | HTTP/2 may garble responses if the client-side stream aborts while response headers are on the wire |
1111473-5 | 3-Major | BT1111473 | "Invalid monitor rule instance identifier" error after sync with FQDN nodes |
1110949-3 | 3-Major | BT1110949 | Updating certKeyChain of parent SSL profile using iControl does not change the cert and key outside certKeyChain of the child profile |
1109953-5 | 3-Major | BT1109953 | TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry |
1109833-2 | 3-Major | BT1109833 | HTTP2 monitors not sending request |
1107605-2 | 3-Major | BT1107605 | TMM crash reported with specific policy settings |
1106673-4 | 3-Major | BT1106673 | Tmm crash with FastL4 virtual servers and CMP disabled |
1105969-4 | 3-Major | BT1105969 | Gratuitous ARP not issued for non-floating self-IP on clicking "Update" via the GUI |
1104553-3 | 3-Major | BT1104553 | HTTP_REJECT processing can lead to zombie SPAWN flows piling up |
1102429-1 | 3-Major | BT1102429 | iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases. |
1101181-4 | 3-Major | BT1101181 | HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server |
1099373-3 | 3-Major | BT1099373 | Virtual Servers may reply with a three-way handshake when disabled or when processing iRules |
1099229-5 | 3-Major | BT1099229 | SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present |
1097473-5 | 3-Major | BT1097473 | BIG-IP transmits packets with incorrect content |
1096893-3 | 3-Major | BT1096893 | TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection |
1093061-1 | 3-Major | BT1093061 | MCPD restart on secondary blade during hot-swap of another blade |
1091969-4 | 3-Major | BT1091969 | iRule 'virtual' command does not work for connections over virtual-wire. |
1091785-1 | 3-Major | BT1091785 | DBDaemon restarts unexpectedly and/or fails to restart under heavy load |
1088597-1 | 3-Major | BT1088597 | TCP keepalive timer can be immediately re-scheduled in rare circumstances |
1088173-3 | 3-Major | BT1088173 | With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile |
1087569-5 | 3-Major | BT1087569 | Changing max header table size according HTTP2 profile value may cause stream/connection to terminate |
1086473-4 | 3-Major | BT1086473 | BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake |
1084965-4 | 3-Major | BT1084965 | Low visibility of attack vector |
1083621-5 | 3-Major | BT1083621 | The virtio driver uses an incorrect packet length |
1083589-4 | 3-Major | BT1083589 | Some connections are dropped on chained IPv6 to IPv4 virtual servers. |
1081813-3 | 3-Major | BT1081813 | A rst_stream can erronously tear down the overall http2 connection. |
1077553-4 | 3-Major | BT1077553 | Traffic matches the wrong virtual server after modifying the port matching configuration |
1076577-4 | 3-Major | BT1076577 | iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg' |
1070957-4 | 3-Major | BT1070957 | Database monitor log file backups cannot be rotated normally. |
1070789-1 | 3-Major | BT1070789 | SSL fwd proxy invalidating certificate even through bundle has valid CA |
1068673-4 | 3-Major | BT1068673 | SSL forward Proxy triggers CLIENTSSL_DATA event on bypass. |
1065353-2 | 3-Major | BT1065353 | Disabling ciphers does not work due to the order of cipher suite. |
1063977-4 | 3-Major | BT1063977 | Tmsh load sys config merge fails with "basic_string::substr" for non-existing key. |
1060989-1 | 3-Major | Improper handling of HTTP::collect | |
1060021-3 | 3-Major | BT1060021 | Using OneConnect profile with RESOLVER::name_lookup iRule might result in core. |
1056941-3 | 3-Major | BT1056941 | HTTPS monitor continues using cached TLS version after receiving fatal alert. |
1040465-2 | 3-Major | BT1040465 | Incorrect SNAT pool is selected |
1026781-4 | 3-Major | BT1026781 | Standard HTTP monitor send strings have double CRLF appended |
1025089-6 | 3-Major | BT1025089 | Pool members marked down by database monitor due to stale cached connection |
1023529-4 | 3-Major | BT1023529 | FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory. |
1002969-5 | 3-Major | BT1002969 | csyncd can consume excessive CPU time&start; |
1000561-6 | 3-Major | BT1000561 | HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side |
1000069-5 | 3-Major | BT1000069 | Virtual server does not create the listener |
990173-7 | 4-Minor | BT990173 | Dynconfd repeatedly sends the same mcp message to mcpd |
929429-9 | 4-Minor | BT929429 | Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed |
1124085-5 | 4-Minor | BT1124085 | iRules command [info hostname] does not reflect modified hostname |
1122377-1 | 4-Minor | BT1122377 | If-Modified-Since always returns 304 response if there is no last-modified header in the server response |
1121349-1 | 4-Minor | BT1121349 | CPM NFA may stall due to lack of other state transition |
1107453-1 | 4-Minor | BT1107453 | Performance drop observed in some Ramcache::HTTP tests on BIG-IP i10800 platform |
1103617-5 | 4-Minor | BT1103617 | 'Reset on Timeout' setting might be ignored when fastl4 is used with another profile. |
1103117-1 | 4-Minor | BT1103117 | iAppLX extension using express with httpserver script leaves lingering client-side flow on HTTP requests. |
1101369-5 | 4-Minor | MQTT connection stats are not updated properly | |
1093545-5 | 4-Minor | BT1093545 | Attempts to create illegal virtual-server may lead to mcpd crash. |
1035757-5 | 4-Minor | BT1035757 | iRulesLX restart leaves stale files in /var/tmstat/blade/tmplugin_ilx_* |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Links to More Info | Description |
940733-6 | 2-Critical | BT940733 | Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt&start; |
931149-4 | 2-Critical | BT931149 | Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings |
1103833-1 | 2-Critical | BT1103833 | Tmm core with SIGSEGV in gtmpoolmbr_UpdateStringProc |
966461-8 | 3-Major | BT966461 | Tmm memory leak |
1127805-1 | 3-Major | BT1127805 | Server.crt containing "<" will cause frequent reconnects between local gtmd and big3d |
1124217-5 | 3-Major | BT1124217 | Big3d cores on CTCPSocket::TCPReceive and connector |
1116513-4 | 3-Major | BT1116513 | Route-domains should not be allowed on name server addresses via the GUI. |
1111361-4 | 3-Major | BT1111361 | Refreshing DNS wide IP pool statistics returns an error |
1108557-5 | 3-Major | BT1108557 | DNS NOTIFY with TSIG is failing due to un-matched TSIG name |
1108237-1 | 3-Major | BT1108237 | Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM. |
1100197-1 | 3-Major | BT1100197 | GTM sends wrong commit_id originator for iqsyncer to do gtm group sync |
1096165-5 | 3-Major | BT1096165 | Tmm cored for accessing the pool after the gtm_add command is run |
1078669-1 | 3-Major | iRule command “RESOLVER::name_lookup” returns null for TCP resolver with TC (truncated) flag set. | |
1073677-2 | 3-Major | BT1073677 | Add a db variable to enable answering DNS requests before reqInitState Ready |
1070953-5 | 3-Major | BT1070953 | Dnssec zone transfer could cause numerous gtm sync events. |
1060145-4 | 3-Major | BT1060145 | Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2. |
1040153-4 | 3-Major | BT1040153 | Topology region returns narrowest scope netmask without matching |
1125161-3 | 4-Minor | BT1125161 | Wideip fails to display or delete in the Link Controller GUI. |
1121937-5 | 4-Minor | BT1121937 | ZoneRunner GUI is unable to display CAA records with "Property Value" set to ";" |
1067821-5 | 4-Minor | BT1067821 | Stats allocated_used for region inside zxfrd is overflowed |
1054717-4 | 4-Minor | BT1054717 | Incorrect Client Summary stats for transparent cache. |
1122153-5 | 5-Cosmetic | BT1122153 | Zonerunner GUI displaying incorrect error string "RRSig Covers Unsupported Record Type" |
Application Security Manager Issues
ID Number | Severity | Links to More Info | Description |
1105341-1 | 0-Unspecified | BT1105341 | Decode_application_payload can break exponent notation in JSON |
1113161-1 | 2-Critical | After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets&start; | |
1098609-2 | 2-Critical | BT1098609 | BD crash on specific scenario |
1095185-1 | 2-Critical | BT1095185 | Failed Configuration Load on Secondary Slot After Device Group Sync |
1117245-1 | 3-Major | BT1117245 | Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file |
1113881-1 | 3-Major | Headers without a space after the colon trigger an HTTP RFC violation | |
1112805-5 | 3-Major | BT1112805 | ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4 |
1110281-1 | 3-Major | BT1110281 | Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable |
1105485 | 3-Major | BT1105485 | Emulated Interaction Events occurs when using Bot Defense Profile and Datasafe keylogger protection feature |
1100669-2 | 3-Major | BT1100669 | Brute force captcha loop |
1099193-1 | 3-Major | Incorrect configuration for "Auto detect" parameter is shown after switching from other data types | |
1095041-1 | 3-Major | BT1095041 | ASM truncates cookies that contain a space in the name and TS cookie as part of cookie list. |
1089853-1 | 3-Major | "Virtual Server" or "Bot Defense Profile" links in Request Details are not working | |
1088849-1 | 3-Major | BT1088849 | Inconsistent behavior while sending malformed request to /TSbd URLs |
1085661-2 | 3-Major | BT1085661 | Standby system saves config and changes status after sync from peer |
1080613-4 | 3-Major | BT1080613 | "Installation of Automatically Downloaded Updates" configuration in LiveUpdate is lost during the first tomcat restart, after upgrading to versions having the fix of ID907025.&start; |
1077281-1 | 3-Major | Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages | |
1072165-5 | 3-Major | BT1072165 | Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format |
1070833-3 | 3-Major | BT1070833 | False positives on FileUpload parameters due to default signature scanning |
1069137-1 | 3-Major | BT1069137 | Missing AWAF sync diagnostics |
1067589-4 | 3-Major | BT1067589 | Nsyncd memory leak. |
1065681-2 | 3-Major | BT1065681 | Sensitive data is not masked under certain conditions. |
1029373-3 | 3-Major | BT1029373 | Firefox 88+ raising Suspicious browser violations with bot defense |
1023229-5 | 3-Major | BT1023229 | False negative on specific authentication header issue |
1021609-5 | 3-Major | BT1021609 | Improve matching of URLs with specific characters to a policy. |
1017557-5 | 3-Major | BT1017557 | ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN |
1120529-2 | 4-Minor | BT1120529 | Illegal internal request in multipart batch request |
1113753-1 | 4-Minor | Signatures might not be detected when using truncated multipart requests | |
1111793-1 | 4-Minor | New HTTP RFC Compliance check for incorrect newline separators between request line and first header | |
1108657-2 | 4-Minor | No notification about disabled "Virus detected" violation in case of enabling "Anti-Virus Protection" | |
1087005-1 | 4-Minor | BT1087005 | Application charset may be ignored when using Bot Defense Browser Verification |
1084857-1 | 4-Minor | BT1084857 | ASM::support_id iRule command does not display the 20th digit |
1083513-3 | 4-Minor | BT1083513 | BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd |
1076825-2 | 4-Minor | BT1076825 | "Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases. |
1048445-4 | 4-Minor | BT1048445 | Accept Request button is clickable for unlearnable violation illegal host name |
1035361-7 | 4-Minor | BT1035361 | Illegal cross-origin after successful CAPTCHA |
1021637-5 | 4-Minor | BT1021637 | In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs |
1020717-5 | 4-Minor | BT1020717 | Policy versions cleanup process sometimes removes newer versions |
1003765-3 | 4-Minor | BT1003765 | Authorization header signature triggered even when explicitly disabled |
1048989-1 | 5-Cosmetic | Slight correction of button titles in the Data Guard Protection Enforcement | |
1041469-1 | 5-Cosmetic | Request Log Page: Line break in the middle of the word in the note next to Block this IP Address |
Application Visibility and Reporting Issues
ID Number | Severity | Links to More Info | Description |
1111189-1 | 3-Major | BT1111189 | Listing errors in tmsh and installation failures when the configuration includes an AVR scheduled-report. |
Access Policy Manager Issues
ID Number | Severity | Links to More Info | Description |
831737-4 | 2-Critical | BT831737 | Memory Leak when using Ping Access profile |
1122473-5 | 2-Critical | BT1122473 | TMM core |
1082581-3 | 2-Critical | Apmd sees large memory growth due to CRLDP Cache handling | |
796065-3 | 3-Major | BT796065 | PingAccess filter can accumulate connections increasing memory use. |
1108109-5 | 3-Major | BT1108109 | APM policy sync fails when access policy contains customization images&start; |
1050165-2 | 3-Major | BT1050165 | APM - users end up with SSO disabled for their session, admin intervention required to clear session |
1037877-5 | 3-Major | BT1037877 | OAuth Claim display order incorrect in VPE |
1079441-4 | 4-Minor | BT1079441 | APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries |
1028081-2 | 4-Minor | BT1028081 | [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page |
Service Provider Issues
ID Number | Severity | Links to More Info | Description |
1116941-2 | 4-Minor | Need larger Content-Length value supported for SIP |
Advanced Firewall Manager Issues
ID Number | Severity | Links to More Info | Description |
1106273-4 | 2-Critical | BT1106273 | "duplicate priming" assert in IPSECALG |
1080957-5 | 2-Critical | BT1080957 | TMM Seg fault while Offloading virtual server DOS attack to HW |
990461-6 | 3-Major | BT990461 | Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade&start; |
1079985-2 | 3-Major | BT1079985 | int_drops_rate shows an incorrect value |
926425-6 | 4-Minor | BT926425 | Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts |
1084901-2 | 4-Minor | BT1084901 | Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh |
1003377-4 | 4-Minor | BT1003377 | Disabling DoS TCP SYN-ACK does not clear suspicious event count option |
Policy Enforcement Manager Issues
ID Number | Severity | Links to More Info | Description |
1091565-2 | 2-Critical | Gy CCR AVP:Requested-Service-Unit is misformatted/NULL | |
924589-6 | 3-Major | BT924589 | PEM ephemeral listeners with source-address-translation may not count subscriber data |
1108681-5 | 3-Major | BT1108681 | PEM queries with filters return error message when a blade is offline |
1093357-5 | 3-Major | BT1093357 | PEM intra-session mirroring can lead to a crash |
1089829-4 | 3-Major | BT1089829 | PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers |
Carrier-Grade NAT Issues
ID Number | Severity | Links to More Info | Description |
1096317-5 | 3-Major | BT1096317 | SIP msg alg zombie flows |
Anomaly Detection Services Issues
ID Number | Severity | Links to More Info | Description |
1060409-5 | 4-Minor | BT1060409 | Behavioral DoS enable checkbox is wrong. |
Traffic Classification Engine Issues
ID Number | Severity | Links to More Info | Description |
1117297-2 | 4-Minor | BT1117297 | Wr_urldbd continuously crashes and restarts&start; |
iApp Technology Issues
ID Number | Severity | Links to More Info | Description |
889605-1 | 3-Major | BT889605 | iApp with Bot profile is unavailable if application folder includes a subpath |
1004697-4 | 3-Major | BT1004697 | Saving UCS files can fail if /var runs out of space |
In-tmm monitors Issues
ID Number | Severity | Links to More Info | Description |
1107549-1 | 2-Critical | BT1107549 | In-TMM TCP monitor memory leak |
1104037-1 | 2-Critical | BT1104037 | Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire |
1110241-1 | 3-Major | BT1110241 | in-tmm http(s) monitor accumulates unchecked memory |
1046917-5 | 3-Major | BT1046917 | In-TMM monitors do not work after TMM crashes |
SSL Orchestrator Issues
ID Number | Severity | Links to More Info | Description |
969297-2 | 3-Major | BT969297 | Virtual IP configured on a system with SelfIP on vwire becomes unresponsive |
1095145-4 | 4-Minor | BT1095145 | Virtual server responding with ICMP unreachable after using /Common/service |
Known Issue details for BIG-IP v17.0.x
999669-4 : Some HTTPS monitors are failing after upgrade when config has different SSL option&start;
Links to More Info: BT999669
Component: Local Traffic Manager
Symptoms:
Some HTTPS monitors are failing after upgrade when the config has different SSL option properties for different monitors.
Conditions:
-- Individual SSL profiles exist for different HTTPS monitors with SSL parameters.
-- A unique server SSL profile is configured for each HTTP monitor (one with cert/key, one without).
Impact:
Some HTTPS monitors fail. Pool is down. Virtual server is down.
Workaround:
None
992865-4 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances
Links to More Info: BT992865
Component: TMOS
Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.
Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms
+ BIG-IP i11000 series (C123)
+ BIG-IP i15000 series (D116)
Impact:
Software SYN cookies are enabled, this has a performance impact compared to the hardware mode.
Workaround:
None
992053-7 : Pva_stats for server side connections do not update for redirected flows
Links to More Info: BT992053
Component: TMOS
Symptoms:
Pva_stats for server side connections do not update for the re-directed flows
Conditions:
-- Flows that are redirected to TMM.
-- Server flows are offloaded to PVA.
Impact:
PVA stats do not reflect the offloaded flow.
Workaround:
None
990461-6 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade&start;
Links to More Info: BT990461
Component: Advanced Firewall Manager
Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.
Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.
Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.
Workaround:
Manually update the SYN cookie threshold values after an upgrade.
990173-7 : Dynconfd repeatedly sends the same mcp message to mcpd
Links to More Info: BT990173
Component: Local Traffic Manager
Symptoms:
If dynconfd sends a single message to mcpd containing two or more operations, and one of the operations fails mcpd validation, dynconfd repeatedly sends same message to mcpd.
An example of two operations in one mcp message would be an ephemeral node creation and an ephemeral pool member creation in a single mcp message.
Conditions:
This can occur when:
-- Using FQDN nodes and FQDN pool members.
-- There is an additional issue where the message from dynconfd fails validation within mcpd (e.g., a misconfiguration in which the monitor assigned to the pool is configured with a wildcard destination and the pool member is added to the pool with a port of '0' or 'any'.
Impact:
By repeatedly resending the same messages, which fail repeatedly, dynconfd causes increased mcpd CPU utilization.
This might cause the population of ephemeral nodes and pool members to fail and become out of sync with what the DNS server is resolving.
Workaround:
Examine the LTM logs for mcpd error messages indicating failed attempts to create ephemeral nodes or ephemeral pool members, and resolve the cause of the failed node or pool-member creation.
988745-5 : On reboot, 'could not find platform object' errors may be seen in /var/log/ltm
Links to More Info: BT988745
Component: TMOS
Symptoms:
During a reboot, several error messages are logged in /var/log/ltm:
-- err mcpd[9401]: 01070710:3: Database error (0), get_platform_obj: could not find platform object - sys/validation/Platform.cpp, line 188.
-- err chmand[6578]: 012a0003:3: hal_mcp_process_error: result_code=0x1070710 for result_operation=eom result_type=eom
Conditions:
This occurs when either of the following conditions is met:
-- A fresh installation of a BIG-IP system.
-- A reboot after forcing the mcpd process to reload the BIG-IP configuration,
Impact:
There is no functional impact to these error messages.
Workaround:
None.
979045-5 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms
Links to More Info: BT979045
Component: TMOS
Symptoms:
After installing an Engineering Hotfix version of BIG-IP v14.1.0 or later, certain BIG-IP hardware systems. The Trusted Platform Module (TPM), status is showing as INVALID.
Conditions:
This may occur:
-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
- ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
- ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
- ID963017 (https://cdn.f5.com/product/bugtracker/ID963017.html)
-- The issue is observed only on the following platforms:
- i11600 / i11800
- i11400-DS / i11600-DS / i11800-DS
Impact:
The TPM status INVALID indicates that the system integrity is compromised when it is actually valid.
Workaround:
None.
969297-2 : Virtual IP configured on a system with SelfIP on vwire becomes unresponsive
Links to More Info: BT969297
Component: SSL Orchestrator
Symptoms:
Virtual IP ARP does not get resolved when a SelfIP is configured on a virtual-wire.
Conditions:
Issue happens when a SelfIP address is configured and a Virtual IP address is configured for a Virtual Server.
Impact:
The virtual server is unreachable.
Workaround:
None
966949-7 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node
Links to More Info: BT966949
Component: TMOS
Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.
Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230
This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.
Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since is it not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, it is not possible for any FQDN ephemeral pool members to remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.
Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")
966785-4 : Rate Shaping stops TCP retransmission
Links to More Info: BT966785
Component: Local Traffic Manager
Symptoms:
When rate shaping is applied to a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.
Conditions:
This issue occurs when both of the following conditions are met:
-- Virtual server configured with a rate shaping.
-- Standard type of virtual server.
Impact:
The BIG-IP system does not retransmit unacknowledged data segments.
Workaround:
None
966461-8 : Tmm memory leak
Links to More Info: BT966461
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm leaks memory for DNSSEC requests.
Conditions:
NetHSM is configured but disconnected.
or
Internal FIPS card is configured and tmm receives more DNSSEC requests than the FIPS card is capable of handling.
Impact:
Tmm memory utilization increases over time.
Workaround:
None
964533-6 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.
Links to More Info: BT964533
Component: TMOS
Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.
Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.
Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.
There is no impact other than additional log entries.
Workaround:
None.
950201-5 : Tmm core on GCP
Links to More Info: BT950201
Component: TMOS
Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.
TMM panic with this message in a tmm log file:
panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.
Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141
-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.
Note: Using either workaround has a performance impact.
950153-4 : LDAP remote authentication fails when empty attribute is returned
Links to More Info: BT950153
Component: TMOS
Symptoms:
LDAP/AD Remote authentication fails and the authenticating service may crash.
The failure might be intermittent.
Conditions:
LDAP/AD server SearchResEntry includes attribute with empty or NULL value.
This can be seen in tcpdump of the LDAP communication in following ways
1. No Value for attribute . Example in tcpdump taken on affected user :
vals: 1 item
AttributeValue:
2. 1. NULL Value for attribute . Example in tcpdump taken on affected user :
vals: 1 item
AttributeValue: 00
Impact:
Logging in via the GUI will fail silently
Logging in via ssh will cause the sshd service on LTM to crash and logs will be seen under /var/log/kern.log
The logs will be similar to :
info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000]
info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0
Workaround:
There is no Workaround on the LTM side.
For LDAP, you change/add the value from none/NULL on the affected attribute to ANY dummy value which will prevent the issue
949137-8 : Clusterd crash and vCMP guest failover
Links to More Info: BT949137
Component: Local Traffic Manager
Symptoms:
Clusterd crashes and a vCMP guest fails over.
Conditions:
The exact conditions under which this occurs are unknown. It can occur during normal operation.
Impact:
Memory corruption and clusterd can crash, causing failover.
Workaround:
None.
947125-8 : Unable to delete monitors after certain operations
Links to More Info: BT947125
Component: Local Traffic Manager
Symptoms:
Unable to delete monitor with an error similar to:
01070083:3: Monitor /Common/my-mon is in use.
Conditions:
-- Monitors are attached directly to pool members, or node-level monitors exist.
-- Performing an operation that causes the configuration to get rebuilt implicitly, such as "reloadlic".
Impact:
Unable to delete object(s) no longer in use.
Workaround:
When the system gets into this state, save and reload the configuration:
tmsh save sys config && tmsh load sys config
945413-5 : Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync
Links to More Info: BT945413
Component: TMOS
Symptoms:
The BIG-IP system constantly downloads the certificate bundle if the CA-bundle manager config includes a URL.
Symptoms are different depending on if BIG-IP systems is in a manual or automatic sync device group.
Manual sync device groups will not stay in sync.
Automatic sync device groups will constantly sync.
Conditions:
The CA-bundle manager is configured.
Impact:
The keymgmtd and mcpd process gets into a loop that causes constant config changes and if the ca-bundle-manager includes a URL, the BIG-IP system constantly downloads the bundle.
945189-6 : HTTPS monitor fails due to missing ECDHE-RSA-AES256-CBC-SHA&start;
Links to More Info: BT945189
Component: Local Traffic Manager
Symptoms:
After upgrade, the 'DEFAULT' cipher in the server SSL profile attached to the HTTPS monitor does not include the ECDHE-RSA-AES256-CBC-SHA cipher suite in the Client Hello.
Conditions:
After upgrade, HTTPS monitor cipherlist is read from server SSL profile ciphers and set to DEFAULT after upgrade.
Impact:
1. Upgrade breaks the SSL pool monitoring.
2. It is also possible that the pools monitoring succeeds but with unexpected ciphers from the 'DEFAULT' list which may cause increased resource usage or unexpectedly weaker encryption.
Note: The ciphers negotiated between the HTTPS backend being monitored and the server SSL profile will still belong to the 'DEFAULT' list.
Workaround:
BIG-IP provides ways to customize the cipher string used by the server SSL profile.
Via the configuration utility:
https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-ltm-configuring-custom-cipher-string-for-ssl-negotiation/configuring-a-custom-cipher-string-for-ssl-negotiation.html
Via tmsh commands:
https://support.f5.com/csp/article/K65292843
940733-6 : Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt&start;
Links to More Info: BT940733
Component: Global Traffic Manager (DNS)
Symptoms:
The system fails during the boot-up process, reports a libcrypto validation error, and the system halts. The console will show this error:
Power-up self-test failures:
OpenSSL: Integrity test failed for libcrypto.so
This occurs after one of the following:
-- Upgrading a FIPS-enabled BIG-IP system, booting to a volume running an earlier software version
-- Running big3d_install from a BIG-IP GTM configuration to a BIG-IP LTM
On a FIPS-licensed BIG-IP LTM configuration, when checking the big3d version you may see something similar to this:
/shared/bin/big3d -V
fips.c:204:f5_get_library_path: failed to dlopen libcrypto.so.1.0.2za
./big3d version big3d Version 17.0.0.0.0.22 for linux
Conditions:
-- FIPS-licensed BIG-IP system.
-- Upgrade.
-- Boot into a volume running an earlier version of the software.
Another way to encounter the issue is:
-- FIPS-licensed BIG-IP LTM.
-- BIG-IP DNS (GTM) device running a higher software version than the LTM.
-- Run big3d_install from a BIG-IP GTM-configuration pointing to FIPS-licensed BIG-IP LTM configuration.
Impact:
System boots to a halted state or big3d may continuously restart.
Workaround:
Before booting to the volume with the earlier version, delete /shared/bin/big3d.
Note: This issue might have ramifications for DNS/GTM support. DNS/GTM is not FIPS-certified.
If the target software volume has already experienced this issue (the system boots to a halted state), addition to deleting /shared/bin/big3d, follow the instructions in K25205233: BIG-IP System halted while booting. Halt at boot after FIPS Integrity Check Result FAIL :: https://support.f5.com/csp/article/K25205233 .
For additional information, see K29290121: Rollback after upgrade or big3d_install may cause FIPS to halt system on boot :: https://support.f5.com/csp/article/K29290121.
936501-7 : Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled
Links to More Info: BT936501
Component: TMOS
Symptoms:
When attempting to Export/Import a file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf via SCP, you receive an error dialog:
"file not allowed"
Conditions:
-- fips140 or common criteria mode enabled
-- Export/Import file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf
Impact:
Import/Export file using scp tool from/to the BIG-IP file path(s) /var/local/ucs or /var/local/scf not allowed when fips140 or cc mode enabled even if the file is encrypted.
Workaround:
None
932461-6 : Cert update on server SSL profile on HTTPS monitor: BIG-IP not using the updated certificate.
Links to More Info: BT932461
Component: Local Traffic Manager
Symptoms:
If you overwrite the certificate that is configured on the server SSL profile and used with the HTTPS monitor, the BIG-IP system still uses an old certificate.
After you update the certificate, the stored certificate is incremented, but monitor logging indicates it is still using the old certificate.
Conditions:
--Create a pool with an HTTPS pool member.
--Create an HTTPS monitor with cert and key.
--Assign the HTTPS monitor to the HTTPS pool.
--Update the certificate via GUI or tmsh.
Impact:
The monitor still tries to use the old certificate, even after the update.
Workaround:
Use either of the following workarounds:
-- Restart bigd:
bigstart restart bigd
-- Modify the server SSL profile cert key, set it to 'none', and switch back to the original cert key name.
The bigd utility successfully loads the new certificate file.
931149-4 : Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings
Links to More Info: BT931149
Component: Global Traffic Manager (DNS)
Symptoms:
RESOLV::lookup returns an empty string.
Conditions:
The name being looked up falls into one of these categories:
-- Forward DNS lookups in these zones:
- localhost
- onion
- test
- invalid
-- Reverse DNS lookups for:
- 127.0.0.0/8
- ::1
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 0.0.0.0/8
- 169.254.0.0/16
- 192.0.2.0/24
- 198.51.100.0/24
- 203.0.113.0/24
- 255.255.255.255/32
- 100.64.0.0/10
- fd00::/8
- fe80::/10
- 2001:db8::/32
- ::/64
Impact:
RESOLV::lookup fails.
Workaround:
Use a DNS Resolver ('net dns') and RESOLVER::name_lookup / DNSMSG:: instead of RESOLV::lookup:
1. Configure a local 'net dns' resolver, replacing '192.88.99.1' with the IP address of your DNS resolver:
tmsh create net dns-resolver resolver-for-irules answer-default-zones no forward-zones add { . { nameservers add { 192.88.99.1:53 } } }
2. Use an iRule procedure similar to this to perform PTR lookups for IPv4 addresses:
proc resolv_ptr_v4 { addr_v4 } {
# Convert $addr_v4 into its constituent bytes
set ret [scan $addr_v4 {%d.%d.%d.%d} a b c d]
if { $ret != 4 } {
return
}
# Perform a PTR lookup on the IP address $addr_v4, and return the first answer
set ret [RESOLVER::name_lookup "/Common/resolver-for-irules" "$d.$c.$b.$a.in-addr.arpa" PTR]
set ret [lindex [DNSMSG::section $ret answer] 0]
if { $ret eq "" } {
# log local0.warn "DNS PTR lookup for $addr_v4 failed."
return
}
# Last element in '1.1.1.10.in-addr.arpa. 600 IN PTR otters.example.com'
return [lindex $ret end]
}
-- In an iRule, instead of:
RESOLV::lookup @192.88.9.1 $ipv4_addr
Use:
call resolv_ptr_v4 $ipv4_addr
930393-1 : IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration
Links to More Info: BT930393
Component: TMOS
Symptoms:
-- IPsec tunnel does not start.
-- Remote IPsec networks unavailable.
Conditions:
-- Using IKEv1 and one of the following:
+ Performing an upgrade.
+ IPsec tunnel reconfiguration generally involving a change to, or addition of, a traffic-selector.
Impact:
IPsec tunnel is down permanently.
Workaround:
-- Reconfigure or delete and re-create the traffic selectors associated with the IPsec tunnel that does not start.
Special Notes:
-- This occurs rarely and does not happen spontaneously, without intentional changes (reconfiguration or upgrade).
-- A BIG-IP reboot or a restart of tmipsecd does not resolve this condition.
-- This symptom might also occur due to a genuine misconfiguration.
-- After major version upgrades, default ciphers can change, double-check the encryption and authentication ciphers for the tunnel.
929429-9 : Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed
Links to More Info: BT929429
Component: Local Traffic Manager
Symptoms:
Whenever you create Oracle or SQL (mssql, mysql or postgresql) database monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs.
Conditions:
-- Create an Oracle or SQL database LTM monitor.
-- Add a pool member to the Oracle or SQL database monitor created.
-- Platform FIPS is licensed.
Impact:
High CPU Usage due to the loading of libraries whenever new connection is created.
Workaround:
None.
929173-5 : Watchdog reset due to CPU stall detected by rcu_sched
Links to More Info: BT929173
Component: TMOS
Symptoms:
Rcu_sched detected CPU stall, which can cause vCMP host reboot. The device reboots without core and records "Host Watchdog timeout."
Typically there will logs in kern.log similar to:
err kernel: : [526684.876928] INFO: rcu_sched detected stalls on CPUs/tasks: ...
Conditions:
Host undergoing a watchdog reset in a vCMP environment.
Impact:
CPU RCU stalls and host watchdog reboots
928445-7 : HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2
Links to More Info: BT928445
Component: Local Traffic Manager
Symptoms:
HTTPS monitor state is down when server_ssl profile cipher string has the value 'TLSv1_2'.
-- configured cipherstring TLSv1_2/TLSv1_1 is rejected by OpenSSL.
Conditions:
-- Pool member is attached with HTTPS monitor.
-- Monitor is configured with an SSL profile.
-- The configured server_ssl profile has cipher string as DEFAULT:!TLSv1_2.
Impact:
Pool status is down.
Workaround:
-- Enable 'in-tmm' monitoring.
-- Use SSL options available in the server SSL profile to disable TLSv1_2 or TLSv1_1 instead of cipher string.
-- Use the same cipher string with cipher group / cipher rule that is attached to the SSL profile.
926425-6 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
Links to More Info: BT926425
Component: Advanced Firewall Manager
Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection continue to be unsupported until hardware SYN cookies are disabled.
Conditions:
SYN Cookie activated on Neuron-capable platforms:
+ VIPRION B4450N blade
+ BIG-IP iSeries devices (ix800) except the i850, ix2800, and ix4800:
-- BIG-IP i5800 Series
-- BIG-IP i7800 Series
-- BIG-IP i11800 Series
-- BIG-IP i15800 Series
Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.
Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options are not taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.
Workaround:
You can use any of the following to clear the HSB issue:
-- Restart neurond.
-- Restart TMM,
-- Reboot the device.
925469-4 : SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo
Links to More Info: BT925469
Component: TMOS
Symptoms:
When using the Certificate Order Manager to request new Multi-Domain certificate from the Sectigo Certificate Authority (CA), the request the BIG-IP sends is missing the field 'subjectAltName'.
Conditions:
-- Certificate Order Manager is configured to send requests to the Comodo/Sectigo CA.
-- Configure a new key with Subject Alternative Name (SAN).
Impact:
The BIG-IP system sends a request to the Sectigo CA that is missing the 'subjectAltName' field. That makes Certificate Order Manager not suitable for requesting Multi-Domain certificates.
Workaround:
There is no workaround other than not using Certificate Order Manager for Multi-Domain certificates.
924589-6 : PEM ephemeral listeners with source-address-translation may not count subscriber data
Links to More Info: BT924589
Component: Policy Enforcement Manager
Symptoms:
When a PEM profile is associated with a protocol that can create dynamic server-side listeners (such as FTP), and source-address-translation is also enabled on the virtual server, traffic on that flow (for example ftp-data) is not associated with the subscriber, and is therefore not counted or categorized.
Conditions:
-- Listener configured with PEM and FTP profiles
-- Some form of source address translation is enabled on the listener (for example, SNAT, Automap, SNAT Pool)
Impact:
Inaccurate subscriber traffic reporting and classification.
Workaround:
None.
922737-3 : TMM crash
Links to More Info: BT922737
Component: Local Traffic Manager
Symptoms:
TMM crashes with a sigsegv while passing traffic
Conditions:
Virtual server with a Connector profile that redirects to an internal virtual server on the same BIG-IP system
Impact:
Traffic disrupted while tmm restarts.
921149-7 : After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy
Links to More Info: BT921149
Component: TMOS
Symptoms:
All Bandwidth Controller (BWC) stats are 0 (zero) even though traffic is passing.
Conditions:
-- A BWC policy is attached to a virtual server.
-- The virtual server with the attached BWC policy is modified.
Impact:
The system disassociates the BWC policy from the virtual server. Traffic is no longer throttled according to the policy rules.
Workaround:
To reattach the policy, detach the Bandwidth Controller policy from the virtual server, and then reapply it.
915141-6 : Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'
Links to More Info: BT915141
Component: TMOS
Symptoms:
Availability status of virtual server can be left 'available' even if the corresponding pool's availability becomes 'unknown'.
Conditions:
- Pool member is configured as an FQDN node.
- You set monitor to 'none' with the pool.
Impact:
Inconsistent availability status of pool and virtual server.
Workaround:
Set the FQDN node to 'force offline', and then 'enable'. This triggers virtual server's status updates and syncs to pool.
912293-6 : Persistence might not work properly on virtual servers that utilize address lists
Links to More Info: BT912293
Component: Local Traffic Manager
Symptoms:
-- Connections to the virtual server might hang.
-- Increased tmm CPU utilization.
Conditions:
-- A virtual server is configured with a traffic-matching-criteria that utilizes a source-address-list and/or destination-address-list.
-- The virtual server utilizes certain persistence one of the following persistence types:
+ Source Address (but not hash-algorithm carp)
+ Destination Address (but not hash-algorithm carp)
+ Universal
+ Cookie (only cookie hash)
+ Host
+ SSL session
+ SIP
+ Hash (but not hash-algorithm carp)
Impact:
-- High tmm CPU utilization.
-- Stalled connections.
Workaround:
Enable match-across-virtuals in the persistence profile.
Note: Enabling match-across-virtuals might might affect the behavior of other virtual servers in the configuration that utilize persistence.
908453-6 : Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly
Links to More Info: BT908453
Component: TMOS
Symptoms:
When a trunk is configured with a name longer than 32 characters on a vCMP host, guests update the working-mbr-count for the trunk incorrectly when another trunk on the host changes. This might result in vCMP guests failing over unexpectedly.
Conditions:
-- Trunk configured with a name longer than 32 characters on vCMP host.
-- Trunk made available to guests for high availability (HA) Group scoring.
-- At least one other trunk configured on vCMP host.
-- Interface state changes in any other trunk.
Impact:
The vCMP guests may fail over unexpectedly.
Workaround:
Do not use trunk names longer than 32 characters.
901569-5 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.
Links to More Info: BT901569
Component: Local Traffic Manager
Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.
Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).
Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server.
Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.
889605-1 : iApp with Bot profile is unavailable if application folder includes a subpath
Links to More Info: BT889605
Component: iApp Technology
Symptoms:
iApp with Bot profile is unavailable if the application folder includes a subpath. If the subpath is not present then iApp with bot profile is available.
Conditions:
1) Create default "Bot Protection" or "Web Application Comprehensive Protection" with an enabled "Bot Defense" use case in WGC without a virtual server.
2) Go to "iApps >> Application Services: Applications" and refer to the created iApp.
Impact:
iApp cannot be loaded when tried to open through iApps >> Applications view in TMUI.
Workaround:
View the configuration created from Guided configuration as mentioned: iApps >> Application Services >> Applications LX menu
887265-5 : BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration&start;
Links to More Info: BT887265
Component: Local Traffic Manager
Symptoms:
When booting to a boot location for the first time, the system does not come on-line.
Conditions:
-- There is a large configuration.
-- VLAN failsafe is configured, and the failsafe-action is something other than failover.
-- The BIG-IP system is an appliance.
Impact:
BIG-IP processes continually restart (VLAN failsafe-action failover-restart-tm), or the BIG-IP system continually reboots (VLAN failsafe-action reboot)
Workaround:
Either disable VLAN failsafe or set the failsafe-action to failover during an upgrade.
879969-9 : FQDN node resolution fails if DNS response latency >5 seconds
Links to More Info: BT879969
Component: TMOS
Symptoms:
When resolving FQDN names for FQDN nodes/pool members, pending DNS requests are timed out after 5 seconds with no response from the DNS server.
If there is a persistent latency of 5 seconds or greater in the DNS server responses, FQDN name resolution will fail and ephemeral nodes/pool members will not be created.
Conditions:
- BIG-IP using FQDN nodes/pool members
- Persistent latency of 5 seconds or greater in the DNS server responses
Impact:
Ephemeral pool members may not be created, thus no traffic will be sent to the intended pool members.
Workaround:
Resolve any persistent latency issues that might cause delays of 5 seconds or more in DNS server responses.
878641-4 : TLS1.3 certificate request message does not contain CAs
Links to More Info: BT878641
Component: Local Traffic Manager
Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4
Conditions:
TLS1.3 and client authentication
Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected
842669-7 : Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log
Links to More Info: BT842669
Component: TMOS
Symptoms:
Systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log. Bare ')' being logged to /var/log/user.log., for example:
cat /var/log/user.log
[...]: Deleting file /shared/core/*.core.*
[...]: Deleting file /shared/core/*.core.*
[...] )
[...] )
Conditions:
This occurs when the system logs syslog messages containing embedded newlines, such as
- The cron process tries and fails to send an email because of output from a cron script.
- Modifying the syslog 'include' configuration
- Applying ASM policy configuration change
- GTM.debugprobelogging output from big3d
- iqsyncer mcpd message debug output (log.gtm.level=debug)
Impact:
The logging subsystem accepts syslog messages with embedded newlines, and writes first line to the appropriate file, and remaining lines to /var/log/user.log.
Workaround:
View the logs using journalctl
831737-4 : Memory Leak when using Ping Access profile
Links to More Info: BT831737
Component: Access Policy Manager
Symptoms:
The memory usage by pingaccess keeps going up when sending request with expired session cookie to a virtual server with PingAccess Profile.
Conditions:
1. BIG-IP virtual server that contains PingAccess Profile.
2. Request sent with expired session cookie.
Impact:
Memory leak occurs in which ping access memory usage increases.
796065-3 : PingAccess filter can accumulate connections increasing memory use.
Links to More Info: BT796065
Component: Access Policy Manager
Symptoms:
Currently the maximum http header count value for ping access is 64. The connection to the backend is aborted if there are more than 64 headers.
Conditions:
1. Ping access is configured.
2. The HTTP header count is more than 64.
Impact:
Connection is aborted by the BIG-IP system users are unable to access the backend.
Workaround:
None
775845-7 : Httpd fails to start after restarting the service using the iControl REST API
Links to More Info: BT775845
Component: TMOS
Symptoms:
After restarting httpd using the iControl REST API, httpd fails to start, even with a subsequent restart of httpd at the command line.
Similar to the following example:
config # restcurl -u admin:admin /tm/sys/service -X POST -d '{"name":"httpd", "command":"restart"}'
{
"kind": "tm:sys:service:restartstate",
"name": "httpd",
"command": "restart",
"commandResult": "Stopping httpd: [ OK ]\r\nStarting httpd: [FAILED]\r\n(98)Address already in use: AH00072: make_sock: could not bind to address n.n.n.n:n\nno listening sockets available, shutting down\nAH00015: Unable to open logs\n"
}
config # tmsh restart sys service httpd
Stopping httpd: [ OK ]
Starting httpd: [FAILED]
Conditions:
Restarting httpd service using iControl REST API.
Impact:
Httpd fails to start.
Workaround:
To recover from the failed httpd state, you can kill all instances of the httpd daemon and start httpd:
killall -9 httpd
tmsh start sys service httpd
769741-5 : TCP connection between mcp and tmm may get stalled
Links to More Info: BT769741
Component: TMOS
Symptoms:
TMM may get stuck at start-up and does not transition to ready state.
Conditions:
The exact conditions remain unknown, however, the likelihood of this occurring increases with the number of TMMs.
Impact:
TMM does not complete startup, getting stuck on cmp_mpi. Traffic disrupted while tmm is offline.
Workaround:
1. Make the following modifications to profile tcp _mcptcp in /usr/lib/tmm/tmm_base.tcl:
Change this:
rcvwnd 4194304
To this:
rcvwnd 131072
2. To apply the changes, run the following command:
bigstart restart tmm
760982-4 : An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios
Links to More Info: BT760982
Component: TMOS
Symptoms:
Soft out reset does not work for the default route.
Conditions:
-- BGP enabled
-- A route configuration change is made and 'clear ip bgp <IP-addr> soft in/out' is executed
Impact:
A default-route is not propagated in Network Layer Reachability Information (NLRI) by 'soft out' request.
Workaround:
None
760354-16 : Continual mcpd process restarts after removing big logs when /var/log is full
Links to More Info: BT760354
Component: TMOS
Symptoms:
The BIG-IP device suddenly stops passing traffic. You might see errors similar to the following:
err mcpd[15230]: 01070596:3: An unexpected failure has occurred, TAP creation failed (tmm): Permission denied - net/validation/routing.cpp, line 168, exiting...
Conditions:
This might occur when when /var/log is full and then you remove big logs.
Impact:
The mcpd process restarts continuously. This occurs because tmm blocks mcpd from restarting after /var/log fills up.
Workaround:
Empty the contents of big size log files under /var/log and reboot the BIG-IP system.
If that does not resolve the problem, restart all processes (bigstart restart) or reboot the box.
755207-4 : Large packets silently dropped on VE mlxvf5 devices
Links to More Info: BT755207
Component: TMOS
Symptoms:
Jumbo frames are disabled by default for Mellanox ConnectX-4 and ConnectX-5 devices using the mlxvf5 driver (i.e., many BIG-IP Virtual Edition (VE) configurations). Packets larger than 1500 bytes are silently dropped. Only packets up to 1500 bytes are supported when jumbo framers are disabled.
Conditions:
BIG-IP VE with SR-IOV using Mellanox ConnectX-4 or ConnectX-5 NICs.
Typically this represents VE configurations running on private Cloud environments such as VMware, KVM, OpenStack, and others.
Note: You can determine your environment by running the following commands:
# tmctl -d blade tmm/device_probed
# tmctl -d blade xnet/device_probed
Configurations exhibiting this issue either:
1. reports a value of 'mlxvf5' in the driver_in_use column in tmm/device_probed, and possibly reports 'tmctl: xnet/device_probed: No such table.'
2. reports a value of 'xnet' in the driver_in_use column in tmm/device_probed, and a value of 'mlxvf5' in the driver_in_use column in xnet/device_probed.
Impact:
Packets larger than 1500 bytes are dropped without a warning.
Workaround:
Enable jumbo frames and then restart tmm.
1. Add the following line to /config/xnet_init.tcl:
drvcfg mlxvf5 jumbo_support 1
2. Restart tmm:
bigstart restart tmm
Important: There are two possible mlxvf5 drivers. It is possible to enable jumbo frames only for the xnet-based driver.
Important: Enabling jumbo frames causes a performance loss for 1500-byte-size packet, but offers higher throughput at lower CPU usage for larger packets. Note that 1500 bytes is the most common size for internet packets.
739475-7 : Site-Local IPv6 Unicast Addresses support.
Links to More Info: BT739475
Component: Local Traffic Manager
Symptoms:
No reply to Neighbor Advertisement packets.
Conditions:
Using FE80::/10 addresses in network.
Impact:
Cannot use FE80::/10 addressees in network.
Workaround:
N/A
737692-7 : Handle x520 PF DOWN/UP sequence automatically by VE
Links to More Info: BT737692
Component: TMOS
Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that is passed to the BIG-IP-VE). If an x520 device's PF is set down and then up, tmm does not recover traffic on that interface.
Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.
Impact:
VE does not process any traffic on that VF.
Workaround:
Reboot VE.
658943-6 : Errors when platform-migrate loading UCS using trunks on vCMP guest
Links to More Info: BT658943
Component: TMOS
Symptoms:
During platform migration from a physical BIG-IP system to a BIG-IP vCMP guest, the load fails with one of these messages:
01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.
01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.
Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest.
Impact:
The platform migration fails and the configuration does not load.
Workaround:
You can use one of the following workarounds:
-- Remove all trunks from the source configuration prior to generation of the UCS.
-- Before loading the UCS archive onto the target BIG-IP, edit the archive and remove the trunk configuration from ./config/bigip_base.conf, and then repack the UCS.
-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.
632553-7 : DHCP: OFFER packets from server are intermittently dropped
Links to More Info: K14947100, BT632553
Component: Local Traffic Manager
Symptoms:
With a DHCP relay virtual server, OFFER packets from DHCP server are intermittently not forwarded to the client and dropped on BIG-IP system.
Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.
Impact:
Client machines joining the network do not receive DHCP OFFER messages.
Workaround:
Manually delete the serverside to force it to be recreated by the next DHCP request.
For example, if the flow to the DHCP server 10.0.66.222 is broken, issue the following tmsh command:
tmsh delete sys connection ss-server-addr 10.0.66.222 cs-server-port 67
566995-5 : bgpd might crash in rare circumstances.
Links to More Info: BT566995
Component: TMOS
Symptoms:
Under unspecified conditions and in rare cases, bgpd might crash. Although bgpd restarts right away, routing table might be impacted.
Conditions:
The conditions under which this occurs are not known.
Impact:
This might impact routing table and reachability.
Workaround:
None known.
1128169-2 : TMM core when IPsec tunnel object is reconfigured
Links to More Info: BT1128169
Component: TMOS
Symptoms:
TMM may core when a "tunnel tunnels" object related to an IPsec interface is reconfigured.
For example, a command that changes the IP address of the object may lead to a core:
# tmsh modify net tunnels tunnel my-ipsec-tunnel remote-address 1.2.3.4
Conditions:
-- IPsec IKEv1 or IKEv2.
-- Tunnel is in "interface" mode.
-- Tunnel object is reconfigured while the tunnel is up.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure the tunnel is down before reconfiguring it.
-- Set the IKE-Peer config state to disabled.
-- Delete an established IKE SA and IPsec SA related to that peer.
For example:
# tmsh modify net ipsec ike-peer <Name> state disabled
# tmsh delete net ipsec ike-sa peer-ip <IP>
# tmsh delete net ipsec ipsec-sa dst-addr <IP>
"Name" is the specific name given to the ike-peer config object.
"IP" is the address configured to use for the remote peer.
Then make the desired changes and enable the IKE-Peer.
# tmsh modify net ipsec ike-peer <name> state enabled
1127881-1 : Deprecate sysClientsslStatFullyHwAcceleratedConns, sysClientsslStatPartiallyHwAcceleratedConns and sysClientsslStatNonHwAcceleratedConns
Links to More Info: BT1127881
Component: TMOS
Symptoms:
SSL Hardware Acceleration MIBs are still in use which are meant to be deprecated.
Conditions:
Run snmpwalk for these MIBS and it's active.
#snmpwalk -c public localhost -v2c F5-BIGIP-SYSTEM-MIB::sysClientsslStatFullyHwAcceleratedConns
F5-BIGIP-SYSTEM-MIB::sysClientsslStatFullyHwAcceleratedConns.0 = Counter64: 0
# snmpwalk -c public localhost -v2c F5-BIGIP-SYSTEM-MIB::sysClientsslStatPartiallyHwAcceleratedConns
F5-BIGIP-SYSTEM-MIB::sysClientsslStatPartiallyHwAcceleratedConns.0 = Counter64: 0
# snmpwalk -c public localhost -v2c F5-BIGIP-SYSTEM-MIB::sysClientsslStatNonHwAcceleratedConns
F5-BIGIP-SYSTEM-MIB::sysClientsslStatNonHwAcceleratedConns.0 = Counter64: 0
Impact:
SSL MIB not up-to-date
Workaround:
None
1127805-1 : Server.crt containing "<" will cause frequent reconnects between local gtmd and big3d
Links to More Info: BT1127805
Component: Global Traffic Manager (DNS)
Symptoms:
Resources flap, frequent reconnects occur between the local gtmd and big3d.
Logs similar to this:
Jul 15 22:56:32 GSLB2 warning gtmd[11773]: 011ae023:4: XML parsing error not well-formed (invalid token) at line 483
Jul 15 05:36:54 GSLB2 notice gtmd[6917]: 011ae01a:5: SSL handshake complete to 10.10.10.10
Jul 15 05:37LB2 notice gtmd[6917]: 011ae01a:5: SSL handshake complete to 10.10.10.10
Jul 15 05:37:24 GSLB2 notice gtmd[6917]: 011ae01a:5: SSL handshake complete to 10.10.10.10
Jul 15 05:37:34 GSLB2 notice gtmd[6917]: 011ae01a:5: SSL handshake complete to 10.10.10.10
Conditions:
Server.crt containing "<"
Impact:
-- GTMs frequently leave/join the GTM sync group
-- Resources are marked up and down.
Workaround:
1. On each GTM, run bigip_add for all defined BIG-IP servers.
Or
2. Remove "<" from the server.crt file.
1126329-1 : SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT&start;
Links to More Info: BT1126329
Component: Local Traffic Manager
Symptoms:
SSL Orchestrator sends a TLS client hello instead of the expected HTTP CONNECT, leading to a failure in the client environment after an upgrade.
Conditions:
SSL Orchestrator in explicit proxy mode with proxy chaining enabled
Impact:
The exit proxy gives an HTTP 5xx error in response to the unexpected TLS Client Hello.
Workaround:
None
1125733-5 : Wrong server-side window scale used in hardware SYN cookie mode
Links to More Info: BT1125733
Component: TMOS
Symptoms:
Client enables Window Scale in the first SYN packet with a specific factor value, however the BIG-IP system disables Window Scale in its SYN/ACK response.
Instead, disabling the Window Scale TCP option in both peer BIG-IPs, TMM honors the Window Scale presented by the client in the first SYN, whereas client assumes Window Scale is disabled. This will cause BIG-IP to send data payload bytes exceeding the client's Windows Size.
Conditions:
Below conditions must be met in order to match this issue:
- Client and server enables timestamp TCP option.
- Client enables Window Scale TCP option.
- SYN Cookie HW is activated in BIG-IP.
Impact:
This can cause performance issues because some packets could need to be retransmitted.
In rare cases where client TCP stack is configured to abort connection when it receives window overflow the connection will be RST by client.
Workaround:
The preferred workaround is changing to Software SYN Cookie mode.
1125161-3 : Wideip fails to display or delete in the Link Controller GUI.
Links to More Info: BT1125161
Component: Global Traffic Manager (DNS)
Symptoms:
Attempting to display (i.e. click on) a WideIP in the Link Controller GUI returns an error similar to the following example:
General error: Error parsing value of "null" of type "gtm_qtype_t" in statement [SELECT SINGLE *, gtm_pool.name as pool_name FROM gtm_wideip, gtm_pool WHERE (name = '/Common/example.com' AND type = '1' AND pool_name = 'null' AND pool_type = 'null')]
Attempting to delete a Wideip in the Link Controller GUI returns an error similar to the following example (and the delete operation fails):
01020036:3: The requested Pool (A /Common/example.com) was not found.
Conditions:
-- Link Controller system.
-- The Wideip in question has no associated Pool. This is likely the result of improperly creating the Wideip via the tmsh utility, or upgrading the system from an earlier version which caused your configuration to be automatically fixed up (such as creating distinct A and AAAA Wideips from an earlier unique Wideip entry).
Impact:
The GUI cannot be used to display or delete the Wideip.
Workaround:
Link Controller, unlike GTM, does not expose the concept of Pools. Link Controller only exposes WideIPs and Virtual Servers. Pools exist, but are managed automatically by the system on your behalf.
If a WideIPs created using the GUI, the WideIP will be assigned a Pool of the same type and name automatically. This also happens if you initially decide to assign no Virtual Servers to the WideIP (and things work as intended in the BIG-IP GUI).
However, the tmsh utility is not aligned with this Link Controller requirement, and allows you to create WideIPs with no associated Pool.
If you have experienced this issue:
1) Deleted the affected WideIP using the tmsh utility.
2a) Going forward, use the GUI to define more Link Controller WideIPs.
2b) Alternatively, if you must use the tmsh utility to do so, ensure each WideIP you create is assigned an identically named Pool of the same type, even if initially you decide to place no Virtual Servers in the Pool. For example, define something like the following:
gtm pool a /Common/example.com { }
gtm wideip a /Common/example.com {
pools {
/Common/example.com {
order 0
}
}
}
1124217-5 : Big3d cores on CTCPSocket::TCPReceive and connector
Links to More Info: BT1124217
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d crashes.
Conditions:
Big3d keeps restarting and coring on gtm with a large quantity of monitors configured.
Impact:
Segmentation fault and big3d restarts.
Workaround:
None
1124085-5 : iRules command [info hostname] does not reflect modified hostname
Links to More Info: BT1124085
Component: Local Traffic Manager
Symptoms:
Result from [info hostname] iRules command does not change after modifying system hostname.
Conditions:
- iRules [info hostname] command is being used.
- System hostname is modified.
Impact:
iRules command [info hostname] might reflect incorrect/old hostname
Workaround:
Use $static::tcl_platform(machine) insted of [info hostname]
1123885-1 : A specific type of software installation may fail to carry forward the management port's default gateway.
Links to More Info: BT1123885
Component: TMOS
Symptoms:
After performing a specific type of software installation, the unit returns on-line without the management port's default gateway.
Conditions:
-- A software installation that does not carry forward the entirety of the BIG-IP system's configuration is performed. For example, this is achieved by running "image2disk --format=volumes <...>", or by using the live-install subsystem after disabling the liveinstall.saveconfig and liveinstall.moveconfig db keys. This type of installation, however, does carry forward the management port's configuration (IP address, subnet mask, and default gateway).
-- In addition to the default gateway, the management port is configured with additional static routes (for example, to a log server, dns server, etc.).
-- When mcpd is queried for the management routes, the default gateway is not the first entry in mcpd's reply (this is something outside of your control that entirely depends on the name of the objects and how the config was loaded).
Impact:
On Virtual Edition systems, this issue coupled with the removal of autolasthop from the management port means you will not be able to connect to the BIG-IP system's management port from non-directly connected clients after the installation.
On all systems, this issue means the BIG-IP system will not be able to initiate connections to non-directly connected systems over the management port after the installation.
Note: If the system is configured for dual-stack (IPv4 and IPv6) this issue can affect either (or both) stack.
Workaround:
After the issue has occurred, you can connect to the affected BIG-IP system by means of serial console or video console and apply the default gateway again.
If you are trying to prevent this issue, you can remove all management routes except the default one before performing this type of installation.
1123149-1 : Sys-icheck fail for /etc/security/opasswd
Links to More Info: BT1123149
Component: TMOS
Symptoms:
In common criteria mode, when password-memory is set to > 0 and create the user and login from CLI causes the system integrity check to failed
An error message may be logged "ERROR: S.5...... c /etc/security/opasswd (no backup)"
Conditions:
--- common criteria mode enabled
--- password-memory set to > 0 in password-policy configuration
--- create a new user and login first time using CLI
--- run sys-icheck
Impact:
System integrity check failure when common criteria mode is enabled
Workaround:
None
1122473-5 : TMM core
Links to More Info: BT1122473
Component: Access Policy Manager
Symptoms:
Multiple TMM panics because of a race condition between urldb and TMM.
Conditions:
There seems to be some scenario probably related to boot time timings which allows urldb to create a file, thus preventing TMM from using it, causing the TMM to crash
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1122441-6 : Upgrade expat library to the latest version(2.4.8) to fix CVE's.
Links to More Info: BT1122441
Component: TMOS
Symptoms:
For more information see:
https://support.f5.com/csp/article/K19473898
https://support.f5.com/csp/article/K91589041
https://support.f5.com/csp/article/K23421535
https://support.f5.com/csp/article/K23231802
Conditions:
For more information see:
https://support.f5.com/csp/article/K19473898
https://support.f5.com/csp/article/K91589041
https://support.f5.com/csp/article/K23421535
https://support.f5.com/csp/article/K23231802
Impact:
The following CVEs impact BIG-IP modules.
CVE-2021-45960, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-23515, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2021-46143.
For more information see:
https://support.f5.com/csp/article/K19473898
https://support.f5.com/csp/article/K91589041
https://support.f5.com/csp/article/K23421535
https://support.f5.com/csp/article/K23231802
Workaround:
N/A
1122377-1 : If-Modified-Since always returns 304 response if there is no last-modified header in the server response
Links to More Info: BT1122377
Component: Local Traffic Manager
Symptoms:
Requests sent with an If-Modified-Since header always return a 304 Not Modified response
Conditions:
The Last Modified header is not included in the origin server response headers.
Impact:
When the Last Modified header is not present in the response, its default value i.e., Thu, 01 Jan 1970 00:00:00 GMT, is used and 304 Not Modified is sent to the client.
Workaround:
Add the Last-Modified header to the response headers using iRule
when HTTP_RESPONSE priority 1 {
set time [clock format [clock seconds] -gmt 1 -format "%a, %d %b %Y %H:%M:%S %Z"]
HTTP::header insert Last-Modified $time
log local0.debug "Inserting Last-Modified header as $time"
}
1122153-5 : Zonerunner GUI displaying incorrect error string "RRSig Covers Unsupported Record Type"
Links to More Info: BT1122153
Component: Global Traffic Manager (DNS)
Symptoms:
Zonerunner is displaying incorrect error information when it is unable to parse the value.
Conditions:
Zonerunner displays such errors when it is unable to parse the value when displaying records.
Impact:
The error message suggests it is a DNSSEC issue (RRSig) and is misleading.
Workaround:
None
1122021-4 : Killall command might create corrupted core files
Links to More Info: BT1122021
Component: TMOS
Symptoms:
When killing multiple processes via the 'killall' command, a single corrupted core file is created.
Conditions:
- using killall command
- killing multiple processes
Impact:
Corrupted core file is created.
Workaround:
Kill single specific processes instead
1121937-5 : ZoneRunner GUI is unable to display CAA records with "Property Value" set to ";"
Links to More Info: BT1121937
Component: Global Traffic Manager (DNS)
Symptoms:
If you try to view CAA record in ZoneRunner with "Property Value" set to ";", then "RRSig Covers Unsupported Record Type<none>:1: <none>:1: expected a string" message is displayed in GUI.
Conditions:
- Navigate to DNS :: Zones :: ZoneRunner :: Resource Record List :: Search All Records.
- Click on record of type CAA where the "Property Value" is set to ";".
Impact:
Unable to view or update CAA records through GUI where the "Property Value" is set to ";".
Workaround:
Manually edit or view the BIND configuration from the command line.
1121517-1 : Interrupts on Hyper-V are pinned on CPU 0
Links to More Info: BT1121517
Component: TMOS
Symptoms:
CPU 0 utilization is higher relative to other CPUs.
Conditions:
BIG-IP is deployed on a Hyper-V platform.
Impact:
Performance is degraded.
1121349-1 : CPM NFA may stall due to lack of other state transition
Links to More Info: BT1121349
Component: Local Traffic Manager
Symptoms:
The CPM NFA string state machines may stall due to missing data.
Conditions:
-- HTTP virtual server with LTM policy and iRule
Impact:
LTM policy rule does not trigger on HTTP URI path condition
Workaround:
Change rule from "HTTP URI path contains" to "HTTP URI full string contains"
1121169-4 : Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use
Links to More Info: BT1121169
Component: TMOS
Symptoms:
On systems where ID1004833 has been fixed, the resizing instructions for /appdata from K74200262 no longer work.
Conditions:
When the jitterentropy-rngd is started by systemd which is the default state of the BIG-IP.
Impact:
A filesystem resize operation may fail with the following error:
# lvreduce --resizefs --size -40G /dev/mapper/vg--db--sda-dat.appdata
Do you want to unmount "/appdata"? [Y|n] y
fsck from util-linux 2.23.2
/dev/mapper/vg--db--sda-dat.appdata is in use.
e2fsck: Cannot continue, aborting.
resize2fs 1.42.9 (28-Dec-2013)
resize2fs: Device or resource busy while trying to open /dev/mapper/vg--db--sda-dat.appdata
Couldn't find valid filesystem superblock.
fsadm: Resize ext3 failed
fsadm failed: 1
Filesystem resize failed.
Workaround:
Unmount /appdata and restart the jitterentropy-rngd, and then retry the resize operation.
1120685-1 : Unable to update the password in the CLI when password-memory is set to > 0
Links to More Info: BT1120685
Component: TMOS
Symptoms:
A BIG-IP system with password-memory enabled will fail to update the user password in the first login using the CLI
Conditions:
Password-memory set to > 0 in password-policy configuration
Impact:
Not able to update the user password in the first login using the CLI.
Workaround:
Create the user using the GUI and log in from the GUI.
1120529-2 : Illegal internal request in multipart batch request
Links to More Info: BT1120529
Component: Application Security Manager
Symptoms:
Request parser for inner request is intolerant for a linefeed that results in a HTTP Protocol Compliance violation with the following details.
HTTP Validation Bad multipart parameters parsing
Details Illegal internal request in multipart batch request
Conditions:
- multipart/batch(ing) request
- inner requests use LF for end-of-line marker, instead of canonical marker CRLF
Impact:
Request gets blocked
Workaround:
None
1120433-1 : Removed gtmd and big3d daemon from the FIPS-compliant list
Links to More Info: BT1120433
Component: TMOS
Symptoms:
The gtmd is not able to establish a secure connection to big3d due to failure in handshake because no common ciphers were found between big3d and gtmd in FIPS mode.
Conditions:
-- BIG-IP versions 16.1.3 and above
-- FIPS 140-3 license is installed on BIG-IP or its a FullBoxFIPS device.
-- Connections are established between big3d and gtmd in FIPS mode.
Impact:
SSL handshakes fail between big3d and gtmd because no common ciphers are present.
Workaround:
None
1120345-7 : Running tmsh load sys config verify can trigger high availability (HA) failover
Links to More Info: BT1120345
Component: TMOS
Symptoms:
When running tmsh 'load sys config verify' on a config that contains both an high availability (HA) group and a traffic group referencing that high availability (HA) group, this will trigger an high availability (HA) fault and failover.
Conditions:
- Running 2 BIG-IP systems in an high availability (HA) pair
- Run tmsh 'load sys config verify' on a config with the following conditions:
- Config to be verified contains an high availability (HA) group
- Config to be verified also contains a traffic group referencing the high availability (HA) group
Impact:
HA fault and failover. high availability (HA) pair will enter a degraded state.
Workaround:
No workaround currently known, but the failover fault can be cleared by running tmsh 'load sys config' on the system that had 'load sys config verify' run on it.
1117297-2 : Wr_urldbd continuously crashes and restarts&start;
Links to More Info: BT1117297
Component: Traffic Classification Engine
Symptoms:
Malloc failed while wr_urldb is started
Conditions:
Intermittently reproduced when rebooting to a new version or after restarting wr_urldbd
Impact:
Wr_urldbd crashes.
Workaround:
- Stop the wr_urldbd to stabilize(#bigstart stop wr_urldbd)
-- Update the customdb(i.e. delete or add custom urls) on the backend server
-- Start wr_urldbd to download and load the new DB(#bigstart start wr_urldbd)
1117245-1 : Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file
Links to More Info: BT1117245
Component: Application Security Manager
Symptoms:
You only see this message in /var/log/tomcat/liveupdate.log file. No other log messages are written, causing troubleshooting capability with LiveUpdate.
liveupdate.script file is corrupted, live update repository initialized with default schema
This error is emitted during tomcat startup.
/var/log/tomcat/catalina.out
java.io.FileNotFoundException: /usr/share/tomcat/logs/liveupdate.log (Permission denied)
Conditions:
You are running on a version which has a bug fix for ID907025. For more information see https://cdn.f5.com/product/bugtracker/ID907025.html
Impact:
Losing troubleshooting capability with LiveUpdate
Workaround:
chown tomcat:tomcat /var/log/tomcat/liveupdate.log
bigstart restart tomcat
1116941-2 : Need larger Content-Length value supported for SIP
Component: Service Provider
Symptoms:
SIP MRF sends error 413 when the content_length value in the SIP message is greater than 65535 (0xff).
Conditions:
The SIP content_length has to be greater than 65535 (0xff) on SIP MRF configuration
Impact:
The SIP messages with content_length greater than 65535 can't be processed by the BIG-IP successfully because of the hard coded constraint on the SIP content_length
Workaround:
None
1116513-4 : Route-domains should not be allowed on name server addresses via the GUI.
Links to More Info: BT1116513
Component: Global Traffic Manager (DNS)
Symptoms:
Route domains are allowed on nameserver address when configuring them via the GUI.
Conditions:
Create a DNS resolver via the GUI and include route domain for nameserver IP address.
Eg : Navigate to Network > DNS Resolvers > DNS Resolver List and can create a DNS resolver name server address with Route domain.
Impact:
Inconsistency between the GUI and TMSH for dns resolver namserver address.
Workaround:
None
1115041-2 : BIG-IP does not forward the response received after GOAWAY, to the client.
Links to More Info: BT1115041
Component: Local Traffic Manager
Symptoms:
After receiving a GOAWAY from the server followed by data on the same stream, the BIG-IP system does not forward that data to the client but rather sends RESET_STREAM.
Conditions:
1. Configure an NGINX server to handle two streams per connection
2. Virtual server with http2 profile
3. Send more than two requests on the same connection
Impact:
The client does not get a proper response
Workaround:
None
1114253-5 : Weighted static routes do not recover from BFD link failures
Links to More Info: BT1114253
Component: TMOS
Symptoms:
If a BFD link fails and recovers, the weighted static route that should be preferred does not populate back into the routing table.
Conditions:
Weighted static routes with BFD configured, this is an example of the affected configuration:
ip route 0.0.0.0/0 10.8.8.4 100
ip route 0.0.0.0/0 10.8.8.34 200
ip static 0.0.0.0/0 10.8.8.4 fall-over bfd
ip static 0.0.0.0/0 10.8.8.34 fall-over bfd
After BFD session to 10.8.8.4 fails and recovers the default route will still be pointing to 10.8.8.34.
Impact:
Incorrect route nexthop.
Workaround:
Re-add route config statements.
1113961-2 : BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China
Links to More Info: K43391532, BT1113961
Component: TMOS
Symptoms:
BIG-IP 16.1.3 VE with FIPS 140-3 may fail to start in AWS-China
Conditions:
Running BIG-IP 16.1.3 VE with FIPS 140-3 with 16.1.3 in AWS China region
Impact:
BIG-IP 16.1.3 VE with FIPS 140-3 may fail to start in AWS-China
Workaround:
Upgrade to 16.1.3.1 when it is available.
1113881-1 : Headers without a space after the colon trigger an HTTP RFC violation
Component: Application Security Manager
Symptoms:
An "Unparsable request content" violation is detected for valid headers without a space after the headers name ':'
Conditions:
Any header without a space between the ':' and the header value will trigger "Unparsable request content"
Impact:
Requests that suppose to pass are blocked by ASM enforcer
Workaround:
The client has to send headers with space after ':'
1113753-1 : Signatures might not be detected when using truncated multipart requests
Component: Application Security Manager
Symptoms:
On special cases when sending long requests that include a multipart section, signatures that should be detected in the multipart body might not be detected.
Conditions:
1. WAF-policy is attached to virtual server.
2. Signatures are enabled in the WAF policy.
3. Signatures contain special characters, i.e. ;"=\n
4. Request is longer than the value in max_raw_request_len.
5. Sending a multipart request.
Impact:
Signature is not detected.
Workaround:
None
1113549-2 : System boots into an inoperative state after installing engineering hotfix with FIPS140-2/140-3 License&start;
Links to More Info: BT1113549
Component: Local Traffic Manager
Symptoms:
BIG-IP persistently starts up in an inoperative state after installing an engineering hotfix with a console error similar to:
*** FIPS or Common Criteria power-up self-test failure.
*** This system has been placed in an error state.
*** To recover return to the grub menu and select another volume
*** or reinstall the system.
***
*** On many devices pressing the escape key followed by the (
*** key will bring up a menu which allows the system to be restarted.
Power-up self-test failures: <number>
Unmounting file systems
System halting.
Conditions:
- First boot after installing an engineering hotfix.
- FIPS 140-2 or FIPS140-3 license.
Impact:
You are unable to boot the BIG-IP system into an operational state after applying an engineering hotfix, and you are required to boot to a known good volume. For more information about FIPS mode previnting system boot, see https://support.f5.com/csp/article/K52534643
Workaround:
None
1113385-5 : Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP
Links to More Info: BT1113385
Component: TMOS
Symptoms:
REST tokens which are present in /var/run/pamcache on BIG-IP are not deleted after token expiration when there are a large number of tokens.
Conditions:
When a large number of tokens are generated.
Impact:
Disk space exhausted on the BIG-IP system.
Workaround:
Try to remove token files from /var/run/pamcache manually.
# rm -f /var/run/pamcache/*
1113181-1 : Self-IP allows no traffic following a modification from "Allow Custom (Include Default)" to "Allow Custom".
Links to More Info: BT1113181
Component: Local Traffic Manager
Symptoms:
Although a Self-IP address appears configured correctly (for example, when this is inspected using the WebUI or the tmsh utility), the Self-IP address does not allow through any traffic. Effectively, the Self-IP address behaves as if it was set to "Allow None".
Conditions:
The port-lockdown setting of the Self-IP address was recently modified from "Allow Custom (Include Default)" to "Allow Custom".
Impact:
The Self-IP does not allow through any traffic, whereas it should allow through the traffic in your custom list of ports and protocols.
Workaround:
You can work around this issue by temporarily setting the affected Self-IP to "Allow None" and then again to "Allow Custom", specifying your desired custom list of ports and protocols.
1113161-1 : After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets&start;
Component: Application Security Manager
Symptoms:
Learning and Blocking Settings page is not loading
Conditions:
Some policies are using factory sets which were deleted in later versions, and an upgrade was performed.
Impact:
When trying to open "Security ›› Application Security : Policy Building : Learning and Blocking Settings" page, GUI is stuck on 'loading' status
Workaround:
Run this mysql in the BIG-IP in order to fix the database, it will remove all unreferenced policy sets from the system:
mysql -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password(user => q{root})'` -e "delete from PLC. PL_POLICY_NEGSIG_SETS where set_id not in (SELECT set_id from PLC.NEGSIG_SETS);"
1112805-5 : ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4
Links to More Info: BT1112805
Component: Application Security Manager
Symptoms:
The key used for the ip_address_intelligence field is mapped to an IPv6 Address in the latest CEF standard.
Conditions:
-- IP Intelligence is enabled.
-- An ArcSight remote logger is configured.
-- A HTTP transaction is carried out with a malicious Source IP Address
Impact:
The ip_address_intelligence field value is not populated in the ArcSight remote log
Workaround:
None
1112537-1 : LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete.
Links to More Info: BT1112537
Component: TMOS
Symptoms:
Upon attempting to delete a LTM or GTM monitor, the system returns an error similar to the following example, even though the monitor being deleted is no longer in use anywhere:
01070083:3: Monitor /Common/my-tcp is in use.
Conditions:
-- The configuration was loaded from file (for example, as restoring a UCS archive would do).
-- A BIG-IP Administrator deletes all objects using the monitor, and then attempts to delete the monitor itself.
Impact:
LTM or GTM monitor no longer in use anywhere cannot be deleted from the configuration.
Workaround:
Run one of the following sets of commands (depending on the affected module) and then try to delete the monitor again:
tmsh save sys config
tmsh load sys config
tmsh save sys config gtm-only
tmsh load sys config gtm-only
1112385-4 : Traffic classes match when they shouldn't
Links to More Info: BT1112385
Component: Local Traffic Manager
Symptoms:
Traffic classes may match when they should not.
Conditions:
* Fix for ID1074505 is present (without that fix this bug is hidden).
* Traffic class uses none (or equivalently all 0s) for source-address.
Impact:
Traffic is not categorized properly.
Workaround:
Specify a source address, e.g.
ltm traffic-class /Common/blah {
source-address 1.1.1.1
source-mask none
...
}
Note that because the mask is none this won't have any effect (other than working around this bug).
1112349-5 : FIPS Card Cannot Initialize
Links to More Info: BT1112349
Component: Local Traffic Manager
Symptoms:
Initializing the FIPS card for the first time which contains the FIPS firmware CNN35XX-NFBE-FW-1.1-02 may cause the below error and will not be able to initialize the card:
Enter new Security Officer password (min. 0, max. 0 characters):
ERROR: Too long input (max.: 0 characters)
ERROR: Failed to read password
ERROR: INITIALIZATION FAILED!
Conditions:
First time initialization of new device with "tmsh run util fips-util -f init" command which contains the FIPS firmware CNN35XX-NFBE-FW-1.1-02
Impact:
FIPS card cannot be used for the FIPS key traffic and will not be able to re-initialize.
Workaround:
None
1112205-1 : HTTP/2 may garble responses if the client-side stream aborts while response headers are on the wire
Links to More Info: BT1112205
Component: Local Traffic Manager
Symptoms:
If the client-side stream aborts while response headers are on the wire, the subsequent requests may receive a garbled response.
Conditions:
- HTTP2 profile is used on both client and server side.
- The client terminates the stream while the response has not yet reached the BIG-IP system.
Impact:
The client will receive an obscure response
Workaround:
None
1111793-1 : New HTTP RFC Compliance check for incorrect newline separators between request line and first header
Component: Application Security Manager
Symptoms:
ASM does not enforce incoming HTTP requests where the request line and the first header are separated with a line feed ('\n').
Conditions:
Any HTTP request with a line feed only at the end of the request line will not be enforced.
Impact:
Invalid requests might pass through ASM enforcement.
Workaround:
None
1111629-5 : Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors
Links to More Info: BT1111629
Component: TMOS
Symptoms:
After logging in to the GUI you may observe these logs under /var/log/httpd/httpd_errors
warning httpd[7698]: [auth_pam:warn] [pid 7698] [client 10.6.4.2:61221] AUTHCACHE Error processing cookie AFQ6MCL2VWASB6NZTAWGQLFFWY - Failed Read: User, referer:
Conditions:
- Using token authentication for rest calls
- Login to the GUI
Impact:
- Increase log space usage
Workaround:
None
1111473-5 : "Invalid monitor rule instance identifier" error after sync with FQDN nodes
Links to More Info: BT1111473
Component: Local Traffic Manager
Symptoms:
The following log messages may be observed in /var/log/ltm:
bigip1 err mcpd[4783]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 29.
This may also result in some monitors stuck in "checking" state.
Conditions:
-- FQDN nodes.
-- A full config sync occurs
Impact:
Some monitor statuses may not be correctly reported. Some monitors may be stuck in "checking" state.
Workaround:
Force the mcpd process to reload the BIG-IP configuration: K13030.
1111421-4 : TMSH/GUI fails to display IPsec SAs info
Links to More Info: BT1111421
Component: TMOS
Symptoms:
Ipsec SAs are not visible in GUI/TMSH in tunnel/interface mode
GUI network -> ipsec -> diagnostic -> traffic-selectors -> security association details shows no SAs
The 'tmsh show net ipsec ipsec-sa traffic-selector ts' command shows no SA
Conditions:
-- Configure the ipsec with tunnel/Interface mode.
-- Create the tunnel.
-- Check the ipsec-sa
Impact:
You are unable to see ipsec-sa in GUI/TMSH
Workaround:
None
1111361-4 : Refreshing DNS wide IP pool statistics returns an error
Links to More Info: BT1111361
Component: Global Traffic Manager (DNS)
Symptoms:
Refreshing the wide IP pool statistics results in the error message 'An error has occurred while trying to process your request'.
Conditions:
Go to "Statistics > Module Statistics > DNS > GSLB > Wide IPs > Statistic Pools", and click "Refresh".
Impact:
No results are returned, and the error message 'An error has occurred while trying to process your request' is displayed.
Workaround:
N/A.
1111189-1 : Listing errors in tmsh and installation failures when the configuration includes an AVR scheduled-report.
Links to More Info: BT1111189
Component: Application Visibility and Reporting
Symptoms:
-- The tmsh utility may return an error when listing analytics configuration.
-- TMOS installations may fail and return an error.
-- Saving new UCS archives may fail and return an error.
In all cases, the error is similar to the following example:
TSocket::open() getaddrinfo() <Host: 127.3.0.2
Port: 9090>Name or service not known
std exception: (Could not resolve host for client socket.), exiting...
Conditions:
-- Multi-blade VIPRION system (either metal or in the form of a vCMP guest).
-- AVR is provisioned.
-- At least one AVR scheduled-report is present in the configuration.
-- An action such as listing the config, saving a UCS archive, performing a TMOS installation, etc. is performed on a secondary blade.
Impact:
The operation you were attempting fails and an error is returned.
Workaround:
The only workaround consists in removing all AVR scheduled-reports, performing the intended task, and then re-defining the AVR scheduled-reports as necessary. This is of course disruptive and may not be indicated for your site. If you require an Engineering Hotfix for this issue, please contact F5 Support.
1110949-3 : Updating certKeyChain of parent SSL profile using iControl does not change the cert and key outside certKeyChain of the child profile
Links to More Info: BT1110949
Component: Local Traffic Manager
Symptoms:
Invalid config after iControl call: the certificate and key of the child profile do not change as expected.
Conditions:
1. The SSL profile should default from a parent profile.
2. iControl REST is used to change the certkeychain of the parent profile.
3. The issue cannot be seen after the first call but from the second call, it's always reproducible.
Impact:
1. The child profile has an incorrect configuration.
2. The older certificate/key can not be deleted as they are still in use in the child profile.
Workaround:
Can use currently deprecated iControl call by using key and cert instead of certkeychain as follows:
curl -k -u admin:admin -H "Content-Type: application/json" -X PATCH https://10.155.75.246/mgmt/tm/ltm/profile/client-ssl/parent.example.com -d '{"key":"/Common/default.key","cert":"/Common/default.crt"}'
1110893-5 : Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy
Links to More Info: BT1110893
Component: TMOS
Symptoms:
Some sections of the BIG-IP GUI fail to load properly, and may report "An error occurred:" Additionally, iControl REST calls may fail with a 401 unauthorized error.
Conditions:
-- BIG-IP GUI or iControl REST is accessed behind a proxy that that includes an X-Forwarded-For header
-- The "httpd.matchclient" BigDB key is set to true (this is the default).
Impact:
Some portions of the GUI are broken as well as iControl REST calls may fail.
Workaround:
Disable the "httpd.matchclient" DB key:
tmsh modify sys db httpd.matchclient value false
bigstart restart httpd
1110813-4 : Improve MPTCP retransmission handling while aborting
Component: Local Traffic Manager
Symptoms:
- MPTCP enabled TCP connection is aborting.
- TMM cores.
Conditions:
- MPTCP is enabled.
- MPTCP enabled TCP connection is aborting.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable MPTCP option in the TCP profile.
1110281-1 : Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable
Links to More Info: BT1110281
Component: Application Security Manager
Symptoms:
Non-HTTP traffic is not forwarded to the backend server.
Conditions:
- ASM provisioned
- Behavioral DoS profile assigned to a virtual server
- DOSL7::disable and HTTP::disable applied at when CLIENT_ACCEPTED {}
Impact:
Broken webapps with non-HTTP traffic.
Workaround:
Instead of using DOSL7::disable, redirect non-HTTP traffic to a non-HTTP aware virtual server using the iRule command virtual <virtual_server_name>.
1110241-1 : in-tmm http(s) monitor accumulates unchecked memory
Links to More Info: BT1110241
Component: In-tmm monitors
Symptoms:
Connflows growing larger than expected/desired.
Conditions:
-- in-TMM monitors are enabled
-- http(s) monitors are configured
-- Pool members continue spooling chunked data
Impact:
If an http(s) server does not close its connection to BIG-IP and continues spooling chunked data, the connflow remains and can eventually cause similar issues.
Workaround:
Three possible:
1. Fix the server.
2. Periodically reboot the server.
3. Use BigD LTM monitors.
1110205-3 : SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown
Links to More Info: BT1110205
Component: Local Traffic Manager
Symptoms:
If a virtual server has an iRule performing SSL payload processing in CLIENTSSL_DATA, TMM fails to process or forward an ingress TCP FIN from a client, leaving the connection in a zombie state until it eventually idles out.
Conditions:
The issue occurs only when SSL::collect is used in CLIENTSSL_DATA
when CLIENTSSL_DATA {
log local0. "."
SSL::release
SSL::collect
}
Impact:
Unexpected growth in the number of connections idling on a virtual server leads to memory pressure.
Workaround:
None
1109953-5 : TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry
Links to More Info: BT1109953
Component: Local Traffic Manager
Symptoms:
A very long entry (exceeding the maximum length allowed by internet stndards) in a data-group used for SSL Forward Proxy Bypass/Intercept hostname list may cause TMM to crash.
Conditions:
All of the below conditions have to be met:
-- A virtual server uses SSL profile
-- This SSL profile has Forward Proxy enabled.
-- The SSL profile has Forward Proxy Bypass enabled.
-- The SSL profile uses Hostname Bypass and/or Hostname Intercept data-group.
-- Anny to the data-groups contains entries which are longer than 255 characters.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Make sure all entries in the data-group used for intercept/bypass hostnanme list do not exceed 255 characters. According to RFC 1035 section 2.3.4, longer hostnames are not valid.
1109833-2 : HTTP2 monitors not sending request
Links to More Info: BT1109833
Component: Local Traffic Manager
Symptoms:
HTTP2 monitors do not send monitor traffic, incorrectly marking pool members down.
Conditions:
HTTP2 monitor configured.
Impact:
Pool members marked down erroneously.
Workaround:
Use different monitor type, if possible.
1108681-5 : PEM queries with filters return error message when a blade is offline
Links to More Info: BT1108681
Component: Policy Enforcement Manager
Symptoms:
Attempting to retrieve subscriber session data for a specific subscriber returns the following error: "Data Input Error: ERROR: 'query_view' query reply did not contain a result object."
Conditions:
One of the blades is disabled, and the pem sessiondb query contains a filter, for example subscriber-id or session-ip.
Impact:
Cosmetic error, no impact.
Workaround:
Enable the disabled blades, or send a pem sessiondb query without filters.
1108657-2 : No notification about disabled "Virus detected" violation in case of enabling "Anti-Virus Protection"
Component: Application Security Manager
Symptoms:
If the "Virus detected" violation is disabled, there is no notification about it after enabling "Anti-Virus Protection".
Conditions:
1. In Security ›› Application Security : Policy Building : Learning and Blocking Settings screen, for Virus Detected violation set at least one of the Learn, Alarm, or Block checkboxes as empty.
2. In Security ›› Application Security : Security Policies : Policies List ›› <selected_policy> screen - check the Scan HTTP Uploads (in Anti-Virus Protection field)
3. No warning is shown.
Impact:
No warning is shown to user which indicates that the related violation settings are switched off (Learning, Alarming or Blocking)
Workaround:
None
1108557-5 : DNS NOTIFY with TSIG is failing due to un-matched TSIG name
Links to More Info: BT1108557
Component: Global Traffic Manager (DNS)
Symptoms:
DNS NOTIFY messages are ignored.
Conditions:
The TSIG on the secondary needs to have the same algorithm and secret, but one or more characters in the name must be a different case.
Impact:
Failure to update the zone in a timely fashion.
Workaround:
Remove the offending TSIG on the secondary and re-create it with case matching the primary server.
1108237-1 : Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM.
Links to More Info: BT1108237
Component: Global Traffic Manager (DNS)
Symptoms:
It is possible for monitor probes to a certain destination to be owned by no GTM device in the sync-group. As a result, no monitoring of the destination will be performed, and the monitored object will be incorrectly marked down with reason "no reply from big3d: timed out".
Conditions:
-- GTM sync-group with multiple GTM devices (including a sync-group that contains only a single GTM server with more than one GTM device in it).
-- Monitors specifying an explicit destination to connect to (e.g. with the property "destination 192.168.1.1:*").
-- The destination of a monitored object (e.g. the IP address of the gtm server) is different from the destination explicitly defined in a monitor assigned to the object.
-- The two mismatching destination values are assigned to different GTM devices in the sync-group for monitoring.
Impact:
Monitored GTM objects may have an incorrect status.
Workaround:
None
1108109-5 : APM policy sync fails when access policy contains customization images&start;
Links to More Info: BT1108109
Component: Access Policy Manager
Symptoms:
APM policy sync fails after an upgrade. Mcpd logs an error
err mcpd[6405]: 01b70117:3: local_path (/tmp/psync_local_file) starts with invalid directory. Valid directories are /var/config/rest/, /var/tmp/, /shared/tmp/.
Conditions:
APM access policy contains a custom image file
Impact:
APM policy sync fails.
Workaround:
None
1107605-2 : TMM crash reported with specific policy settings
Links to More Info: BT1107605
Component: Local Traffic Manager
Symptoms:
TMM crashes when HTTPS request for a non-existent document
Conditions:
1) Virtual server with HTTP Profile
2) LTM Policy with "shutdown connection" for 400/404 response codes
3) Request for non-existent document
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove the policy and use an iRule with the same conditions as in the policy.
1107549-1 : In-TMM TCP monitor memory leak
Links to More Info: BT1107549
Component: In-tmm monitors
Symptoms:
TMM memory use grows unbounded; aggressive sweeper is engaged
Conditions:
-- In-TMM TCP monitors are enabled
Impact:
TCP peer ingress accumulates over time. Over an extended period of time the aggressive sweeper begins freeing memory.
Workaround:
1. Rebooting the BIG-IP system after the change is made is one potential remedy.
2. Use regular LTM monitors.
1107453-1 : Performance drop observed in some Ramcache::HTTP tests on BIG-IP i10800 platform
Links to More Info: BT1107453
Component: Local Traffic Manager
Symptoms:
Drop in TPS of around 6.5% observed for Ramcache::HTTP tests.
Conditions:
- BIG-IP i10800 l7-performance-fpga platform
- 5KB file size with 1 Request Per Connection
- 5KB file size with 100 Request Per Connection
Virtual server with the following profiles -
1. http
2. tcp profile with nagle disabled
3. web acceleration profile with following attributes -
- cache-max-age 36000
- cache-object-max-size 1500001
- cache-object-min-size 1
Impact:
Delay in client side response during peak traffic flow due to lowered throughput.
Workaround:
None
1106673-4 : Tmm crash with FastL4 virtual servers and CMP disabled
Links to More Info: BT1106673
Component: Local Traffic Manager
Symptoms:
With CMP disabled, all traffic is forwarded to one TMM thread. A crash occurs when these flows are torn down.
Conditions:
The following is configured on a virtual server:
-- A fastL4 profile
-- CMP is disabled
-- An IPS firewall policy
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Enable CMP on the virtual server.
tmsh modify ltm virtual <virtual_server_name> cmp-enabled yes
1106489-1 : GRO/LRO is disabled in environments using the TMM raw socket "sock" driver.
Links to More Info: BT1106489
Component: TMOS
Symptoms:
GRO/LRO packets are not received: "tmctl -d blade tmm/ndal_rx_stats" shows "0" in "lro". The linux host has GRO disabled: "ethtool -k eth1 | grep generic-receive-offload" shows "off".
Conditions:
-- BIG-IP is deployed in a Hyper-V environment.
-- Any environment such that "tmctl -d blade tmm/device_probed" displays "sock" in "driver_in_use".
Impact:
Performance is degraded.
Workaround:
Manually enable GRO on the device: ethtool -K eth1 gro on
Check that it's enabled with: ethtool -k eth1 | grep generic-receive-offload
1106273-4 : "duplicate priming" assert in IPSECALG
Links to More Info: BT1106273
Component: Advanced Firewall Manager
Symptoms:
This is a specific issue with a complicated firewall/NAT/IPSEC scenario. In this case, when applying changes to a firewall policy in transparent mode, IPSECALG triggers a "duplicate priming" assert
Conditions:
When an IPSec session is established from a device with a source IP which has a firewall policy (transparent mode). As soon as traffic is passed over the new IPSec tunnel, this clash in the rules results in a tmm core.
Impact:
TMM asserts with "duplicate priming" assert.
Traffic disrupted while tmm restarts.
Workaround:
None
1105969-4 : Gratuitous ARP not issued for non-floating self-IP on clicking "Update" via the GUI
Links to More Info: BT1105969
Component: Local Traffic Manager
Symptoms:
A gratuitous ARP (GARP) is not issued as per K15858.
Conditions:
After the BIG-IP system is fully started and interfaces are online, select the non-floating self IP address in the Configuration utility and then select Update (without making any changes).
Impact:
You cannot force non-floating self-IPs to send a gratuitous ARP post-boot.
Workaround:
None
1105901-1 : Tmm crash while doing high-speed logging
Links to More Info: BT1105901
Component: TMOS
Symptoms:
Tmm crashes
Conditions:
-- High-speed logging is configured
-- Network instability occurs with the logging pool members
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1105485 : Emulated Interaction Events occurs when using Bot Defense Profile and Datasafe keylogger protection feature
Links to More Info: BT1105485
Component: Application Security Manager
Symptoms:
Datasafe keylogger protection feature causes the Bot Defense profile to detect untrusted events.
Conditions:
-- Bot Defense profile is attached to a virtual server
-- Datasafe profile is attached to the virtual server, with keylogger protection feature enabled.
Impact:
Legitimate users are getting mitigated.
Workaround:
Modify bigDB:
tmsh modify sys db botdefense.cshui_checked_trusted_events value "mousedown, mouseup, mousemove, touchstart, touchmove, touchend"
1105341-1 : Decode_application_payload can break exponent notation in JSON
Links to More Info: BT1105341
Component: Application Security Manager
Symptoms:
With decode_application_payload set to 1, the single pass of decoding prior to JSON parsing will convert positive exponents to ascii characters ie "+" to " ". This results in Malformed numeric value violations
Conditions:
Positive exponents with decode_application_payload set to 1.
Impact:
Malformed JSON violations
Workaround:
Disable decode_application_payload
decode_application_payload set to 0.
1104553-3 : HTTP_REJECT processing can lead to zombie SPAWN flows piling up
Links to More Info: BT1104553
Component: Local Traffic Manager
Symptoms:
In the execution of a specific sequence of events, when TCL attempts to execute the non-existing event, it follows a path which in turn makes SPAWN flow to become a zombie, which pile up over time showing up on the monitoring system.
Conditions:
-- http2, client-ssl, optimized-caching filters on the virtual server
-- HTTP::respond iRule with LB_FAILED event and set of iRules like HTTP_REQUEST, HTTP_RESPONSE, CLIENTSSL_HANDSHAKE, CACHE_RESPONSE, ASM_REQUEST_BLOCKING
-- send http2 request through the virtual server
Impact:
Clients may not be able to connect to the virtual server after a point in time.
1104037-1 : Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire
Links to More Info: BT1104037
Component: In-tmm monitors
Symptoms:
Tmm crashes.
Conditions:
Changing "connection.vlankeyed" from enabled to disabled on a system configured for L2 wire
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Keep "connection.vlankeyed" enabled
1103953-2 : SSMTP errors in logs every 20 minutes
Links to More Info: BT1103953
Component: TMOS
Symptoms:
An error is logged every 20 minutes to /var/log/maillog
err sSMTP[9797]: Unable to connect to "localhost" port 25.
err sSMTP[9797]: Cannot open localhost:25
The symptoms are similar to what you see in https://support.f5.com/csp/article/K60914243 but the solution in that article will not help. K60914243 talks about 15.x while current issue is on 16.x.
Conditions:
This occurs in one of the following happens
1. You have manually deleted restjavad or restnoded log files with following commands
rm /var/log/restjavad*
rm /var/log/restnonded*
2. One of the restjavad/restnoded log files is small and unable to rotate (rotation fails). This happens when file size does not exceed default "max-file-size"
Impact:
Log rotation for restjavad/restnoded will be stuck. You may see system emails about sSMTP errors every 20 minutes.
Workaround:
This issue subsides if you manually create a file for the stuck log file.
1. Open a command terminal
2. Run # ls -l /var/log/restnoded*
3. If you find that restnonded1.log is missing then manually create it
# touch /var/log/restnoded/restnoded1.log
4. Run # ls -l /var/log/restjavad*.log
5. If you find that restjavad.1.log is missing then manually create it
# touch /var/log/restjavad.1.log
1103833-1 : Tmm core with SIGSEGV in gtmpoolmbr_UpdateStringProc
Links to More Info: BT1103833
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm cored with SIGSEGV.
Conditions:
-- iRule pool command with member which is determined at run-time
-- A pool member is used for the iRule
-- The previous pool member is deleted and then re-created using the same name
-- That pool member is picked again for the next iRule event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use a string command to category the pool member variable like this:
pool dnspool member [string trim $pool_member]
1103617-5 : 'Reset on Timeout' setting might be ignored when fastl4 is used with another profile.
Links to More Info: BT1103617
Component: Local Traffic Manager
Symptoms:
'Reset on Timeout' setting might be ignored when Fastl4 profile is configured along with some other profile.
Conditions:
Fastl4 profile is configured along with some other profile (for example IPS).
Impact:
Traffic might be reset unexpectedly.
Workaround:
None
1103117-1 : iAppLX extension using express with httpserver script leaves lingering client-side flow on HTTP requests.
Links to More Info: BT1103117
Component: Local Traffic Manager
Symptoms:
While using an iAppLX extension using express with simple HTTP server script, tmsh show sys conn shows a lingering client-side flow that is eventually expired by the sweeper.
Conditions:
Virtual server with iAppLX extension using express with a simple httpserver script like below:
app.use(express.static('public'));
var plugin = new f5.ILXPlugin();
plugin.startHttpServer(app);
Impact:
The connection table (tmsh show sys conn) shows a lingering client-side flow that is eventually expired by the sweeper.
Workaround:
None
1102849-4 : Less-privileged users (guest, operator, etc) are unable to run top level commands
Links to More Info: BT1102849
Component: TMOS
Symptoms:
Less privileged users are no longer able to run top-level commands such as "show running-config recursive". Executing this command from TMOS results in an error:
Unexpected Error: Can't display all items, can't get object count from mcpd
and mcpd throws error:
result_message "01070823:3: Read Access Denied: user (test) type (Abort Ending Agent)"
Conditions:
User account with a role of guest, operator, or any role other than admin.
Impact:
You are unable to show the running config, or use list or list sys commands.
Workaround:
Logon with an account with admin access.
1102429-1 : iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases.
Links to More Info: BT1102429
Component: Local Traffic Manager
Symptoms:
Invoking the iRule command 'reject' under the iRule event 'FLOW_INIT' may, in some cases, fail to send out the intended reject packet (i.e. TCP reset or ICMP port unreachable).
Conditions:
The issue occurs when the BIG-IP system does not have a route back to the client, and should instead deliver the reject packet by means of autolasthop.
Impact:
The connection is actually removed from the BIG-IP system's connection table, and correctly does not progress. However, the lack of a reject packet could make the client retransmit its initial packet or insist in opening more connections.
1101741-1 : Virtual server with default pool down and iRule pool up will flap for a second during a full config-sync.
Links to More Info: BT1101741
Component: TMOS
Symptoms:
During a full manual config-sync, a virtual server with a default pool which is down and an iRule pool which is up will flap for a second on the receiving unit.
For instance:
Apr 22 13:52:31 bigip-ntr-b.local notice mcpd[7733]: 01071682:5: SNMP_TRAP: Virtual /Common/my_vs has become unavailable
Apr 22 13:52:31 bigip-ntr-b.local notice mcpd[7733]: 010719e7:5: Virtual Address /Common/10.0.0.71 general status changed from GREEN to RED.
Apr 22 13:52:31 bigip-ntr-b.local notice mcpd[7733]: 010719e8:5: Virtual Address /Common/10.0.0.71 monitor status changed from UP to DOWN.
<...>
Apr 22 13:52:32 bigip-ntr-b.local notice mcpd[7733]: 01071681:5: SNMP_TRAP: Virtual /Common/my_vs has become available
Apr 22 13:52:35 bigip-ntr-b.local notice mcpd[7733]: 010719e7:5: Virtual Address /Common/10.0.0.71 general status changed from RED to GREEN.
Apr 22 13:52:35 bigip-ntr-b.local notice mcpd[7733]: 010719e8:5: Virtual Address /Common/10.0.0.71 monitor status changed from DOWN to UP.
Conditions:
-- device-group configured for full manual sync
-- virtual server with default pool up and iRule pool down
-- a config sync is initiated
Impact:
There is no impact to application traffic during the flapping, as the virtual server continues to function correctly even when the unit receiving the config-sync is the Active one.
However, the logs (and the ensuing SNMP traps) may be confusing to BIG-IP Administrators and/or network operators monitoring alarms from the system.
Workaround:
You can work around this issue by configuring the device-group for incremental config-sync instead (either manual or automatic).
1101369-5 : MQTT connection stats are not updated properly
Component: Local Traffic Manager
Symptoms:
Negative values can be seen in current connections.
Conditions:
This issue can be seen when the 'CONNECT' message is dropped by iRule or when the first message received is not 'CONNECT.'
Impact:
MQTT profile stats are not incremented correctly with CONNECT message.
Workaround:
NA
1101181-4 : HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server
Links to More Info: BT1101181
Component: Local Traffic Manager
Symptoms:
The BIG-IP forwards HTTP request headers to pool member, but does not forward the request body. This results in a connection stall, and the connection eventually timing out and failing.
Conditions:
-- Virtual server with HTTP/2 full proxy configured (HTTP MRF router is enabled, and HTTP/2 profile present on virtual server).
-- Virtual server has request-logging profile assigned.
-- Serverside connection uses HTTP/2.
-- Client sends a request that includes a payload body (e.g. a POST).
Impact:
HTTP transaction fails; traffic does not pass.
Workaround:
Remove the request-logging profile.
1100669-2 : Brute force captcha loop
Links to More Info: BT1100669
Component: Application Security Manager
Symptoms:
Captchas for a user that failed to login after several attempts will continue after a successful login.
Conditions:
-- A user fails to log in after several attempts.
-- The mitigation is captcha mitigation.
Impact:
If the user eventually provides the correct password, the user will be able to log in.
Workaround:
None
1100609-1 : Length Mismatch in DNS/DHCP IPv6 address in logs and pcap
Links to More Info: BT1100609
Component: TMOS
Symptoms:
The wrong length is shown in logs for DNS/DHCP IPv6 addresses.
Conditions:
-- DNS/DHCP IPv6 configured in IKE-PEER configuration.
-- The tunnel is established.
Impact:
The length is reported incorrectly in the logs. It is reported as 15 when it should be reported as 16.
Workaround:
None
1100409-5 : Valid connections may fail while a virtual server is in SYN cookie mode.
Component: TMOS
Symptoms:
Some of the valid connections to a TCP virtual server may fail while the virtual server is in SYN cookie mode due to an attack.
Conditions:
-- BIG-IP i4x00 platform.
-- TCP virtual server under SYN flood attack.
Impact:
Failed connections, service degradation.
Workaround:
Disabling SYN cookie in the TCP or fastL4 profile is a possible workaround, but that would leave the virtual server open to SYN flood attacks.
1100321-4 : MCPD memory leak
Links to More Info: BT1100321
Component: TMOS
Symptoms:
Viewing virtual server firewall policy rules leaks some memory in MCPD.
Conditions:
- BIG-IP AFM is provisioned
- Virtual server firewall policy rules are viewed, e.g. by running one of the following commands:
tmsh show ltm virtual fw-enforced-policy-rules
tmsh show ltm virtual fw-staged-policy-rules
Impact:
A memory leak occurs when the command is run.
Workaround:
None
1100249-1 : SNAT with FLOW_INIT firewall rule may core TMM due to wrong type of underlying flow structure
Links to More Info: BT1100249
Component: Local Traffic Manager
Symptoms:
Tmm crashes with SIGSEGV while passing firewall traffic.
Conditions:
-- SNAT + firewall rule
-- FLOW_INIT used in an iRule
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1100197-1 : GTM sends wrong commit_id originator for iqsyncer to do gtm group sync
Links to More Info: BT1100197
Component: Global Traffic Manager (DNS)
Symptoms:
GTM sends wrong commit_id originator for iqsyncer to do gtm group sync, which converts an incremental sync into a full sync.
Conditions:
Frequent GTM group syncs.
Impact:
Unnecessary GTM full sync.
Workaround:
None
1099545-1 : Tmm may core when PEM virtual with a simple policy and iRule is being used
Links to More Info: BT1099545
Component: Local Traffic Manager
Symptoms:
Tmm cores with SIGSEGV.
Conditions:
-- PEM virtual with a simple policy and iRule attached.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1099373-3 : Virtual Servers may reply with a three-way handshake when disabled or when processing iRules
Links to More Info: BT1099373
Component: Local Traffic Manager
Symptoms:
Virtual servers may complete a three-way handshake before resetting a connection when they are disabled or when iRules process traffic for disabled virtual servers.
Conditions:
-- Virtual Server with a pool assigned
-- Pool is disabled administratively
Impact:
When a virtual server is marked as disabled and a client attempts to connect to it, tmm will normally send a reset to the first SYN packet. However, if you then administratively disable the pool ( disabled pool members - Not forced offline) tmm will complete the three-way handshake before sending resets. Additionally, when in this state, iRules will process and can pass traffic to pools if the iRule is configured to do that even though the virtual server status is disabled.
Workaround:
Avoid marking pools disabled or use forced offline for virtual servers that you want to administratively disable.
1099229-5 : SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present
Links to More Info: BT1099229
Component: Local Traffic Manager
Symptoms:
-- A connection to the virtual server hangs from the client device.
-- A memory leak occurs in tmm
Conditions:
-- Virtual server has an L7 policy configured.
-- Virtual server has iRules configured.
Impact:
-- Clients are unable to connect to the virtual server.
-- A memory leak occurs.
Workaround:
Remove the L7 policy or the iRules from the virtual server configuration.
1099193-1 : Incorrect configuration for "Auto detect" parameter is shown after switching from other data types
Component: Application Security Manager
Symptoms:
The Configuration shown in the GUI for the "Auto detect" Parameter value type is incorrect after certain steps are performed.
Conditions:
1. Create a default policy
2. Create new a Parameter with "User-input value" as a Parameter Value Type, and "File Upload" as the Data Type.
3. Save the settings above, and go back to the newly created Parameters settings.
4. Change its Parameter Value Type to "Auto detect".
Impact:
You either see unrelated fields, e.g. "Disallow File Upload of Executables" or missing tabs, like Value Meta Characters.
Workaround:
You can save a configuration with "User-input value" as a Parameter Value type, and "Alpha-Numeric" as Data Type, and then set "Auto detect" as Parameter Value Type.
1098609-2 : BD crash on specific scenario
Links to More Info: BT1098609
Component: Application Security Manager
Symptoms:
BD crashes while passing traffic.
Conditions:
Specific request criterias that happens while there is a configuration change.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
1097473-5 : BIG-IP transmits packets with incorrect content
Links to More Info: BT1097473
Component: Local Traffic Manager
Symptoms:
In rare instances, BIG-IP transmits packets with incorrect content
Conditions:
BIG-IP virtual edition utilizing the ixlv driver.
Impact:
Incorrect packets transmitted from the BIG-IP.
1097193-4 : Unable to SCP files using WinSCP or relative path name
Links to More Info: BT1097193
Component: TMOS
Symptoms:
When attempting to retrieve a file with WinSCP, you receive an error dialog and the session will be terminated:
"SCP Protocol error: Invalid control record (r; elative addresses not allowed)
Copying files from remote side failed."
If attempting to transfer a file by relative path with a command line utility the transfer will fail with the message:
"relative addresses not allowed"
Conditions:
-- Running BIG-IP version with fix for ID 915981
-- Using WinSCP set to use SCP protocol to retrieve files from a BIG-IP system.
-- Using a relative remote path to transfer a file with command line scp utility.
Impact:
No longer able to use WinSCP to retrieve files such as packet captures, log archives, or other diagnostic data from the BIG-IP system.
Workaround:
Use a command line SCP tool that allows specifying an absolute path for the source and/or destination file (a path that starts with a forward slash /), when the source and/or destination locations are a BIG-IP device.
If the user ID is permitted to do so, you may use WinSCP in SFTP mode.
1096893-3 : TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection
Links to More Info: BT1096893
Component: Local Traffic Manager
Symptoms:
When route metrics are applied by the TCP filter to a connection initiated by a syncookie, TCP sets the effective MSS for packetization, thereafter the egress_mtu will be set as per the route metrics entry, if present. The packets falling between the effective MSS and the lowered egress_mtu end up being unexpectedly IP-fragmented.
Conditions:
SYN cookies enabled and activated. A route metrics PMTU entry for the destination address that is smaller than the VLAN's egress MTU.
Impact:
Application traffic can fail or see disruption due to unexpected IP fragmentation.
Workaround:
Disable syn cookies (Reference: https://support.f5.com/csp/article/K80970950).
Alternatively, you can apply a lower static MTU to the interface.
1096461-1 : TACACS system-auth Accounting setting has no effect when set to send-to-all-servers/send-to-first-server
Links to More Info: BT1096461
Component: TMOS
Symptoms:
If the destination address is a single server, then the accounting info is sent to only the particular server.
If the destination has multiple servers, then the accounting info is sent to all servers irrespective of the setting "auth tacacs system-auth accounting"
Conditions:
Select multiple destination addresses and change the "auth tacacs system-auth accounting" to send-to-first-server, the accounting information is sent to all the destination servers.
Impact:
You are unable to use send-to-first server functionality
Workaround:
None
1096317-5 : SIP msg alg zombie flows
Links to More Info: BT1096317
Component: Carrier-Grade NAT
Symptoms:
The SIP msg alg can disrupt the expiration of a connflow in a way that it stays alive forever.
Conditions:
SIPGmsg alg with suspending iRule commands attached.
Impact:
Zombie flow, which cannot be expired anymore.
Workaround:
Restart TMM.
1096165-5 : Tmm cored for accessing the pool after the gtm_add command is run
Links to More Info: BT1096165
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm can crash
Conditions:
TMM process fails seconds after the gtm_add command is run.
Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.
Workaround:
Reduce the number of pools and the number of region records.
1095973-4 : Config load failure when Trusted CA Bundle is missing and URL is present in the Bundle Manager
Links to More Info: BT1095973
Component: TMOS
Symptoms:
1. BIG-IP will come up but there will be a config load failure.
2. During the upgrade, config sync issues occur.
Conditions:
1. Bundle Manager contains URL( exclude-url/include-url)
2. Trusted CA Bundle is not populated in the Bundle Manager.
Impact:
1. BIG-IP will be in "Inoperative"/"Not All Devices Synced" state
Workaround:
Add the Trusted CA Bundle (default ca-bundle.crt) to the Bundle Manager.
OR
Remove the URLS (both exclude-url and include-url) from the Bundle Manager.
1095217-2 : Peer unit incorrectly shows the pool status as unknown after upgrade to version 16.1.2.1
Links to More Info: BT1095217
Component: TMOS
Symptoms:
The peer unit incorrectly shows the status of pools as UNKNOWN
Conditions:
This is encountered for all pools that were created on the active device using tmsh load sys config merge from-terminal
Impact:
Pools are marked UNKNOWN.
Workaround:
Manually load the configuration after making a configuration change via tmsh load sys config merge from-terminal
1095205-5 : Config.auditing.forward.multiple db Variable with value "none" is not working as expected with multiple destination addresses in audit_forwarder.
Links to More Info: BT1095205
Component: TMOS
Symptoms:
When config.auditing.forward.multiple db is set to none, BIG-IP should restrict the system to send it to only one destination when multiple destination addresses are configured.
Conditions:
When configured to "none", logs are broadcasted to all the destination addresses. Working as "broadcast" mode.
Impact:
End user could not use "none" functionality
1095185-1 : Failed Configuration Load on Secondary Slot After Device Group Sync
Links to More Info: BT1095185
Component: Application Security Manager
Symptoms:
Configuration synchronization fails on secondary slots after the primary slot receives a full sync from a peer in a device group.
Conditions:
Bladed chassis devices are configured in an ASM enabled device group
Impact:
Incorrect enforcement on secondary slots.
Workaround:
None
1095145-4 : Virtual server responding with ICMP unreachable after using /Common/service
Links to More Info: BT1095145
Component: SSL Orchestrator
Symptoms:
After adding /Common/service profile and removing it from the virtual server, the virtual server starts dropping traffic with ICMP unreachable.
This profile is normally only needed in SSLo deployments.
Conditions:
/Common/service was attached and removed from a virtual server.
Impact:
Traffic is dropped on a virtual server.
Workaround:
Restart TMM after making the configuration change.
1095041-1 : ASM truncates cookies that contain a space in the name and TS cookie as part of cookie list.
Links to More Info: BT1095041
Component: Application Security Manager
Symptoms:
HTTP requests are truncated at the cookie and raise a violation.
Conditions:
-- Cookie list contains TS cookie
-- A cookie contains a space in the name
-- TS cookie stripping is enabled (db asm.strip_asm_cookies is set as true)
Impact:
Backend server does not receive a complete cookie.
Workaround:
Sys db asm.strip_asm_cookies is set as false.
1093973-8 : Tmm may core when BFD peers select a new active device.
Links to More Info: BT1093973
Component: TMOS
Symptoms:
Tmm cores.
Conditions:
-- BFD is in use
-- the active/owner BFD device changes
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1093717-5 : BGP4 SNMP traps are not working.
Links to More Info: BT1093717
Component: TMOS
Symptoms:
BGP4 SNMP traps are not working and returning snmpwalk result of "BGP4-MIB::bgp = No Such Object available on this agent at this OID" or similar errors for all OIDs under the .1.3.6.1.2.1.15 MIB.
Conditions:
--Perform any BGP related event and check for snmp traps.
--Run snmpwalk -Of -Os -v 2c -c <community_name> localhost .1.3.6.1.2.1.15
Impact:
No BGP monitoring.
Workaround:
None
1093553-5 : OSPF "default-information originate" injects a new link-state advertisement
Links to More Info: BT1093553
Component: TMOS
Symptoms:
When configured with "default-information originate", the BIG-IP system might inject a new 0.0.0.0 link-state advertisement when receiving a default route from an OSPF neighbor.
This results in two 0.0.0.0 link-state advertisements being advertised from the box.
Conditions:
"default-information originate" is configured.
Impact:
Duplicate link-state advertisements
Workaround:
None
1093545-5 : Attempts to create illegal virtual-server may lead to mcpd crash.
Links to More Info: BT1093545
Component: Local Traffic Manager
Symptoms:
Mcpd crashes after the creation of virtual server with incorrect or duplicate configuration is attempted.
Conditions:
-- One or more attempts to create a virtual server with an illegal configuration are performed (i.e. attempts to create a virtual server that shares a configuration with an existing virtual server or has an incorrect configuration)
Impact:
Mcpd crashes with __GI_abort. Traffic disrupted while mcpd restarts.
Workaround:
None
1093357-5 : PEM intra-session mirroring can lead to a crash
Links to More Info: BT1093357
Component: Policy Enforcement Manager
Symptoms:
TMM crashes while passing PEM traffic
Conditions:
-- PEM mirroring enabled and passing traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1093313-1 : CLIENTSSL_CLIENTCERT iRule event is not triggered for TLS1.3 when the client sends an empty certificate response
Links to More Info: BT1093313
Component: TMOS
Symptoms:
When an SSL client connects to the BIG-IP system using TLS 1.3 and sends an empty certificate, the CLIENTSSL_CLIENTCERT iRule event is not triggered.
Conditions:
-- Virtual server configured on BIG-IP with SSL and iRule added
-- Client authentication for client certificates is set to "request"
-- iRule relying on CLIENTSSL_CLIENTCERT
-- A client connects to BIG-IP using TLSv1.3 protocol without a certificate(empty certificate)
Impact:
CLIENTSSL_CLIENTCERT irules aren't triggered.
Workaround:
None
1093061-1 : MCPD restart on secondary blade during hot-swap of another blade
Links to More Info: BT1093061
Component: Local Traffic Manager
Symptoms:
In rare instances, inserting a new blade into a VIPRION system can trigger a config error on another secondary blade due to attempting to delete the old blade's physical disk while it is still "in use":
err mcpd[7965]: 01070265:3: The physical disk (S3F3NX0J902788) cannot be deleted because it is in use by a disk bay (1).
err mcpd[7965]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070265:3: The physical disk (S3F3NX0J902788) cannot be deleted because
This causes MCPD to restart on the secondary blade due to the config error.
Conditions:
-- VIPRION system with at least 3 blades
-- Remove a blade and replace it with a different one
Impact:
-- MCPD restarts on the secondary blade other than the blade that was replaced.
The config error triggering this is due to an issue with the cluster syncing process between blades; however, the config issue is temporary, and should be resolved after mcpd restarts on the secondary blade.
Workaround:
None
1091969-4 : iRule 'virtual' command does not work for connections over virtual-wire.
Links to More Info: BT1091969
Component: Local Traffic Manager
Symptoms:
iRule 'virtual' command does not work for connections over virtual-wire.
Conditions:
- Connection over a virtual-wire.
- Redirecting traffic to another virtual-server (for example, using an iRule 'virtual' command)
Impact:
Connection stalls on the first virtual-server and never completes.
1091785-1 : DBDaemon restarts unexpectedly and/or fails to restart under heavy load
Links to More Info: BT1091785
Component: Local Traffic Manager
Symptoms:
While under heavy load, the Database monitor daemon (DBDaemon) may:
- Restart for no apparent reason
- Restart repeatedly in rapid succession
- Log the following error while attempting to restart:
java.net.BindException: Address already in use (Bind failed)
- Fail to start (remain down) after several attempts, leaving database monitors disabled and marking monitored resources Down
Conditions:
- Configure one or more GTM database monitors with short probe-timeout, interval and timeout values (e.g., 2, 5, 16 respectively)
- Configure a large number (e.g., 2,000) of GTM [or perhaps LTM?] database monitor instances (combinations of above monitor + pool
member)
- Optionally: configure GTM database monitors with debug yes and count 0 (for easier diagnosis, and assumption that count = 0 will
generate more stress/concurrency to aid repro; vary as needed)
- Watch for DBDaemon restarts (either through changes in the PID returned by ps, or watching for "Starting" messages in DBDaemon logs)
Impact:
Restart for no apparent reason
Fail to start (remain down) after several attempts, leaving database monitors disabled and marking monitored resources Down
Workaround:
None
1091725-5 : Memory leak in IPsec
Links to More Info: BT1091725
Component: TMOS
Symptoms:
Slow memory growth of tmm over time.
This leak affects both the active and standby BIG-IPs.
Conditions:
IPsec is in use.
Security associations are being created or recreated.
Impact:
Over time, tmm may exhaust its memory causing a tmm crash.
1091565-2 : Gy CCR AVP:Requested-Service-Unit is misformatted/NULL
Component: Policy Enforcement Manager
Symptoms:
Observed diameter protocol warning when Requested Service Unit(RSU) is empty for CCR-I and CCR-U requests.
Conditions:
If the 'Initial Quota' is EMPTY in policy under Policy Enforcement ›› Rating Groups, the BIG-IP system reports empty data in AVP: Requested-Service-Unit.
Impact:
In Wireshark, a protocol warning occurs.
Workaround:
None
1091021-1 : The BIG-IP system may take no fail-safe action when the bigd daemon becomes unresponsive.
Links to More Info: BT1091021
Component: Local Traffic Manager
Symptoms:
You may observe LTM monitors are malfunctioning on your system. For instance, you may notice some probes are not sent out on the network, and some monitored objects are showing the wrong status.
Conditions:
-- The bigd daemon consists of multiple processes (which you can determine by running "ps aux | grep bigd").
-- One or more of the processes (but not all of them) becomes disrupted for some reason, and stops serving heartbeats to the sod daemon.
Under these conditions, sod will not take any fail-safe action and the affected bigd processes will continue running impaired, potentially indefinitely.
Impact:
LTM monitoring is impacted.
Workaround:
If you have determined, or if you suspect, this issue is present on your system, you can resolve it by killing all bigd processes using the following command:
pgrep -f 'bigd\.[0-9]+' | xargs kill -9
However, this does not prevent the issue from manifesting again in the future if the cause for bigd's disruption occurs again.
Monitoring may become further disrupted as bigd restarts, and a failover may occur depending on your specific configuration.
1090313-4 : Virtual server may remain in hardware SYN cookie mode longer than expected
Links to More Info: BT1090313
Component: TMOS
Symptoms:
A virtual server may remain in hardware SYN cookie mode longer than expected after the SYN flood attack has stopped. The TMSH 'show ltm virtual' command shows that the virtual has already exited SYN Cookie mode, but the SYN packets are still responded from hardware for a few minutes longer.
Conditions:
The problem is a result of a race condition in TMM, so the issue might show up intermittently.
Impact:
Discrepancy between the actual SYN Cookie mode and the reported SYN Cookie mode for a short period of time after a SYN flood attack.
Workaround:
Disable hardware SYN Cookie mode.
1089853-1 : "Virtual Server" or "Bot Defense Profile" links in Request Details are not working
Component: Application Security Manager
Symptoms:
Nothing happens when you click the link for "Virtual Server" or "Bot Defense Profile" in request details on "Security ›› Event Logs : Bot Defense : Bot
Requests" page.
Conditions:
1. Go to Security ›› Event Logs : Bot Defense : Bot
Requests" page and click a Bot Request for details.
2. If "Virtual Server" or "Bot Defense Profile" has a hyperlink, the link does not work.
Impact:
You cannot reach the related pages of Virtual Server or Bot Profile details
Workaround:
Right-click one of the links above - and choose to open it in a new tab or new window.
1089829-4 : PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers
Links to More Info: BT1089829
Component: Policy Enforcement Manager
Symptoms:
SIGSEGV tmm cores with back trace in PEM area.
"pem_sessiondump --list" command will show session with custom attribute name as empty/NULL.
Conditions:
Setting pem session custom attribute value with length more than (1024- attribute name length).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
In the iRule, make sure the custom attribute value size + custom attribute name length is not more than 1024.
1089005-5 : Dynamic routes might be missing in the kernel on secondary blades.
Links to More Info: BT1089005
Component: TMOS
Symptoms:
Dynamic routes might be missing in the kernel on secondary blades.
Conditions:
- Long VLAN names (16+ characters).
- MCPD unable to load configuration from binary database (software update/forceload was performed).
Impact:
Kernel routes are missing on secondary blades.
Workaround:
Restart tmrouted on the affected secondary blade. Note, this will also briefly affect TMM dynamic routes.
<bigstart restart tmrouted>
1088849-1 : Inconsistent behavior while sending malformed request to /TSbd URLs
Links to More Info: BT1088849
Component: Application Security Manager
Symptoms:
When the BIG-IP system receives crafted/malformed requests to fictive /TSbd URLs, the BIG-IP system behaves in three different ways:
-- Displaying a default response page with Support ID
-- Reset the connection
-- Displaying an alternative response page, e.g. 'Leaked Credentials Detected' OR 'Login Failed').
Conditions:
Use malformed /TSbd URLs.
Impact:
Inconsistent behavior for malformed /TSbd fictive URLs.
1088597-1 : TCP keepalive timer can be immediately re-scheduled in rare circumstances
Links to More Info: BT1088597
Component: Local Traffic Manager
Symptoms:
In rare circumstances, the TCP timer is rescheduled immediately due to the utilization of the interval encompassing also the idle_timeout.
Conditions:
Virtual Server with:
- TCP Profile
- SSL Profile with alert timeout configured
Another way this can occur is by manually deleting connections, which effectively only sets the idle timeout to 0.
Impact:
High CPU utilization potentially leading to reduced performance.
Workaround:
If the alert timeout is not re-enabled in the SSL Profile that should be sufficient.
1088173-3 : With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile
Links to More Info: BT1088173
Component: Local Traffic Manager
Symptoms:
Log files indicate that the client certificate is retained when it should not be.
Conditions:
Enable TLS 1.3 and disable retain-certificate parameter in SSL profile
Impact:
Storage of client certificates will increase memory utilization.
Workaround:
None
1087569-5 : Changing max header table size according HTTP2 profile value may cause stream/connection to terminate
Links to More Info: BT1087569
Component: Local Traffic Manager
Symptoms:
BIG-IP initializes HEADER_TABLE_SIZE to the profile value and thus when it exceeds 4K (RFC default), the receiver's header table size is still at the default value. Therefore, upon receiving header indexes which has been removed from its table, receiver sends GOAWAY (COMPRESSION_ERROR)
Conditions:
-- HTTP2 profile used in a virtual server
-- In the HTTP2 profile, 'Header Table Size' is set to a value greater than 4096
Impact:
Stream/connection is terminated with GOAWAY (COMPRESSION_ERROR)
Workaround:
Issue can be avoided by restoring the header-table-size value to the default of 4096
1087469-3 : iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate.
Links to More Info: BT1087469
Component: Local Traffic Manager
Symptoms:
When an SSL client connects to BIG-IP system and sends an empty certificate, the CLIENTSSL_CLIENTCERT is not triggered for iRules.
Conditions:
- Virtual server configured on BIG-IP with a clientssl profile
- Client authentication on the virtual server is set to "request"
- iRule relying on CLIENTSSL_CLIENTCERT
- A client connects to BIG-IP using an empty certificate
Impact:
CLIENTSSL_CLIENTCERT irules aren't triggered.
Workaround:
None
1087217-3 : TMM crash as part of the fix made for ID912209
Links to More Info: BT1087217
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
BIG-IP versions 16.1.0 or later which includes the fix of ID912209.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1087005-1 : Application charset may be ignored when using Bot Defense Browser Verification
Links to More Info: BT1087005
Component: Application Security Manager
Symptoms:
In some cases, when using Bot Defense Browser Verification, the application <meta charset> tag may be ignored.
Conditions:
-- Bot Defense Profile is attached to a virtual server.
-- Bot Defense "Browser Verification" is configured to "Verify Before Access" or "Verify After Access"
-- Backend application uses non-standard charset.
Impact:
Random meta chars are viewed in the web page.
Workaround:
Run the command:
tmsh modify sys db dosl7.parse_html_inject_tags value "after,body"
1086517-3 : TMM may not properly exit hardware SYN cookie mode
Links to More Info: BT1086517
Component: TMOS
Symptoms:
Due to a race condition, when one TMM exits SYN cookie mode, another may immediately re-enter hardware SYN cookie mode, keeping the virtual server in SYN cookie mode and the mitigation offloaded to hardware. The SYN cookie status of the virtual server is not properly updated and will show 'not-activated'.
Conditions:
Hardware SYN cookie protection is enabled and SYN cookie mode is triggered.
Impact:
A virtual server that once entered hardware SYN cookie mode may remain in that state indefinitely. The reduced MSS size may affect performance of that virtual server.
Workaround:
Disable hardware SYN cookie either locally via the TCP or FastL4 profile, or globally by the PvaSynCookies.Enabled BigDB variable. Software SYN cookie mode is unaffected.
1086473-4 : BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake
Links to More Info: BT1086473
Component: Local Traffic Manager
Symptoms:
When a client attempts to resume the TLS session using the Session-ID in its Client Hello from a previous session, the BIG-IP agrees by using the same Session-ID in its Server Hello, but then proceeds to perform a full handshake (Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done) instead of an abbreviated handshake (Server Hello, Change Cipher Spec, Server Hello Done).
This is a violation of the TLS RFC.
Conditions:
- High availability (HA) pair of two BIG-IP units.
- LTM virtual server with a client-ssl profile.
- Mirroring enabled on the virtual server
Impact:
Client-side TLS session resumption not working.
Workaround:
Disable mirroring on the virtual server
1085837-3 : Virtual server may not exit from hardware SYN cookie mode
Links to More Info: BT1085837
Component: TMOS
Symptoms:
Once a virtual server enters hardware SYN cookie mode it may not exit until a TMM restart.
Conditions:
-- On B2250 and B4450 platforms.
-- A condition triggers SYN cookie mode and then goes back to normal.
Impact:
-- Virtual servers in hardware SYN cookie mode do not receive TCP SYN packets.
-- The limited number of possible TCP MSS values may have a light performance impact.
Workaround:
Disable hardware SYN cookie mode on the affected objects.
1085661-2 : Standby system saves config and changes status after sync from peer
Links to More Info: BT1085661
Component: Application Security Manager
Symptoms:
After running config sync from an Active to a Standby device, the sync status is in SYNC for a short period time.
After a while, it automatically goes to Changes Pending status.
The same symptom was reported via ID698757 and fixed in earlier versions, but the same can happen via different scenario.
Conditions:
Create an ASM policy and let the system determining language encoding from traffic.
Impact:
The high availability (HA) configuration goes out of SYNC.
Workaround:
To prevent the issue from happening, you can manually configure language encoding
1085597-2 : IKEv1 IPsec peer cannot be created in config utility (web UI)
Links to More Info: BT1085597
Component: TMOS
Symptoms:
It is not possible to configure an IKE peer using the web UI.
Conditions:
-- Configuring an IKEv1 peer
-- Using the configuration utility (web UI)
Impact:
Configuration cannot be created.
Workaround:
Use the tmsh shell to create the ike-peer config.
1084965-4 : Low visibility of attack vector
Links to More Info: BT1084965
Component: Local Traffic Manager
Symptoms:
The DoS vector FIN 'Only Set' is not triggered and causes lack of visibility of the attack vector.
Conditions:
-- Using BIG-IP Virtual Edition
Impact:
There is reduced visibility of possible attacks on the BIG-IP.
Workaround:
Check 'drop_inv_pkt' with the tmctl table, "tmm/ndal_rx_stats".
1084901-2 : Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh
Links to More Info: BT1084901
Component: Advanced Firewall Manager
Symptoms:
You are unable to modify IPV6 + Route domain for Network Firewall Rule Lists using the GUI
Conditions:
-- AFM is provisioned
-- IPv6 with route domain is being used in an address list
Impact:
Unable to create/manage Firewall rule lists for IPv6 with a route domain.
Workaround:
Use tmsh to create/manage firewall rule lists for IPv6 with a route domain.
1084857-1 : ASM::support_id iRule command does not display the 20th digit
Links to More Info: BT1084857
Component: Application Security Manager
Symptoms:
ASM::support_id iRule command does not display the 20th digit.
A support id seen in REST/TMUI that has 20 digits, e.g 13412620314886537617 is displayed as 1341262031488653761 with the iRule command ( the last digit '7' is stripped ).
Conditions:
ASM::support_id iRule command
Impact:
Inability to trace request events using the support id
1083621-5 : The virtio driver uses an incorrect packet length
Links to More Info: BT1083621
Component: Local Traffic Manager
Symptoms:
In some cases, tmm might drop network packets.
In rare circumstances, this might trigger tmm to crash.
Conditions:
BIG-IP Virtual Edition using the virtio driver. You can see this in /var/log/tmm ("indir" is zero):
notice virtio[0:5.0]: cso: 1 tso: 0 lro: 1 mrg: 1 event: 0 indir: 0 mq: 0 s: 1
Impact:
Tmm might drop packets.
In rare circumstances, this might trigger tmm to crash. Traffic disrupted while tmm restarts.
Workaround:
None
1083589-4 : Some connections are dropped on chained IPv6 to IPv4 virtual servers.
Links to More Info: BT1083589
Component: Local Traffic Manager
Symptoms:
IPv6 virtual servers targeting IPv4 virtual servers (for example, using the 'virtual' iRule command) might drop traffic coming from some clients unexpectedly.
Note: See also ID1002945 (https://cdn.f5.com/product/bugtracker/ID1002945.html), which is a closely related issue.
Conditions:
- IPv6 to IPv4 virtual server chaining.
Impact:
Traffic is dropped.
Workaround:
Apply a SNAT with an IPv4 address to the IPv6 virtual server.
1083513-3 : BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd
Links to More Info: BT1083513
Component: Application Security Manager
Symptoms:
"Challenge Failure Reason" field in a request event log shows N/A.
Conditions:
The db key has not been changed manually on the system.
Impact:
"Challenge Failure Reason" field is disabled.
Workaround:
Disable the key and re-enable, then save.
tmsh modify sys db botdefense.disable_challenge_failure_reporting value disable
tmsh modify sys db botdefense.disable_challenge_failure_reporting value enable
tmsh save sys config
1082581-3 : Apmd sees large memory growth due to CRLDP Cache handling
Component: Access Policy Manager
Symptoms:
Apmd memory keeps growing slowly over time and finally oom killer kills apmd.
Conditions:
Access policy has the crldp auth agent configured.
Impact:
Apmd killed by oom-killer thereby impacting traffic
Workaround:
None
1082193-4 : TMSH: Need to update the version info for SERVER_INIT in help page
Links to More Info: BT1082193
Component: TMOS
Symptoms:
The SERVER_INIT iRule event was introduced in version 14.0.0. But in tmsh help it is showing as version 13.1.0.
Conditions:
-- Using tmsh to configure an iRule event
-- The BIG-IP version is 13.1.0 and you use tab complete for 'tmsh help ltm rule event SERVER_INIT'
Impact:
The tmsh help makes it appear as if SERVER_INIT is supported in version 13.1.0 when it is not.
Workaround:
None
1081813-3 : A rst_stream can erronously tear down the overall http2 connection.
Links to More Info: BT1081813
Component: Local Traffic Manager
Symptoms:
Clients report pages load intermittently
Conditions:
-- HTTP2 virtual server
Impact:
HTTP2 connections may be erroneously torn down.
Workaround:
None.
1081649-3 : Remove the "F5 iApps and Resources" link from the iApps->Package Management
Links to More Info: BT1081649
Component: TMOS
Symptoms:
The "F5 iApps and Resources" is being removed.
Conditions:
NA
Impact:
iApp page shows "F5"
Workaround:
None
1081641-5 : Remove Hyperlink to Legal Statement from Login Page
Links to More Info: BT1081641
Component: TMOS
Symptoms:
The hyperlink to the legal statement should be removed from the login page.
Conditions:
This appears on the login page of OEM-branded BIG-IP systems.
Impact:
The OEM GUI shows the F5 logo/info.
Workaround:
None
1080957-5 : TMM Seg fault while Offloading virtual server DOS attack to HW
Links to More Info: BT1080957
Component: Advanced Firewall Manager
Symptoms:
TMM crashes during virtual server DOS attack scenarios.
Conditions:
-- HSB-equipped hardware platforms.
-- The attack is detected on configured virtual server Dos Vector and trying to offload to hardware.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1080925-4 : Changed 'ssh-session-limit' value is not reflected after restarting mcpd
Links to More Info: BT1080925
Component: TMOS
Symptoms:
Change 'ssh-session-limit' field from 'disabled' to 'enable'. Save the config . Restart the mcpd and check the value of the field 'ssh-session-limit'. It appears to be the same 'disabled'.
Conditions:
The issue occurs when MCPD restores the configuration from its binary database file.
Impact:
Enabling and disabling "ssh-session-limit" will have an undesirable effect when creating ssh sessions, and you will not be able to edit the field.
Workaround:
None
1080613-4 : "Installation of Automatically Downloaded Updates" configuration in LiveUpdate is lost during the first tomcat restart, after upgrading to versions having the fix of ID907025.&start;
Links to More Info: BT1080613
Component: Application Security Manager
Symptoms:
LiveUpdate configuration, such as "Installation of Automatically Downloaded Updates", and update installation history get lost and revert to default.
Conditions:
This occurs during the first tomcat restart, after upgrading to versions that have the fix for ID907025.
Impact:
The live update configuration and installation history are reverted to the default.
Workaround:
After upgrade, restart tomcat and re-configure. After this the issue won't occur and the configuration is retained.
1080297-5 : ZebOS does not show "log syslog" in the running configuration, or store it in the startup configuration
Links to More Info: BT1080297
Component: TMOS
Symptoms:
ZebOS does not show the "log syslog" or "no log syslog" in the running configuration, nor is it saved to the startup configuration.
There is no way to know if the 'log syslog' is configured or not by checking the configuration.
Conditions:
-- Under Configure log syslog.
-- Check the show running-config.
Impact:
There is no way to know if the 'log syslog' is configured or not by checking the configuration.
If syslog logging has been disabled using 'no log syslog', and then zebos is restarted, for example by rebooting or upgrading the BIG-IP, syslog logging will revert to the default setting, which is enabled.
Workaround:
If logging to syslog is not desired, it must be re-disabled every time the zebos daemons are started, using "no log syslog"
1079985-2 : int_drops_rate shows an incorrect value
Links to More Info: BT1079985
Component: Advanced Firewall Manager
Symptoms:
int_drops_rate shows an incorrect value, it shows a cumulative value instead of an avg value, same as int_drops and syncookies.hw_syncookies.
Conditions:
A tcp-halfOpen attack or similar SYN attack where SYNs are flooded into the BIG-IP system.
Impact:
It is difficult to figure out the drop rate per second
Workaround:
None
1079441-4 : APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries
Links to More Info: BT1079441
Component: Access Policy Manager
Symptoms:
APMD memory can grow over a period of time
Conditions:
-- A BIG-IP system with the patched cyrus-sasl/krb5 libraries
Impact:
APMD memory can grow over a period of time
Workaround:
None
1078741-3 : Tmm crash
Links to More Info: BT1078741
Component: Local Traffic Manager
Symptoms:
Tmm crashes while processing an iRule while handling traffic.
Conditions:
-- HTTP virtual server
-- HTTP profile with explicit proxy having default-connect-handling allowed
-- iRule with SERVER_CONNECTED event
Impact:
Traffic disrupted while tmm restarts.
1078669-1 : iRule command “RESOLVER::name_lookup” returns null for TCP resolver with TC (truncated) flag set.
Component: Global Traffic Manager (DNS)
Symptoms:
“RESOLVER::name_lookup” returns null for TCP resolver with TC set.
Conditions:
Backend server returns very large DNS response.
Impact:
iRule command does not give any response but with TC set.
Workaround:
N/A
1077789-5 : System might become unresponsive after upgrading.&start;
Links to More Info: BT1077789
Component: TMOS
Symptoms:
After upgrading, the system encounters numerous issues:
-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory amount assigned to 'host' category.
Conditions:
-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.
Exact conditions that trigger this issue are unknown and could be varied. In the environment in which it occurs, a datagroup is deleted, but an iRule still references it.
Impact:
-- System down, too busy to process traffic.
-- Difficulty logging in over SSH might require serial console access.
Workaround:
Reboot to an unaffected, pre-upgrade volume.
-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.
-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.
Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.
For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.
1077553-4 : Traffic matches the wrong virtual server after modifying the port matching configuration
Links to More Info: BT1077553
Component: Local Traffic Manager
Symptoms:
Traffic matches the wrong virtual server.
Conditions:
A virtual server configured to match any port is modified to matching a specific port. Alternatively, a virtual server matching a specific port is modified to match any port.
Impact:
Traffic may be directed to the wrong backend server.
Workaround:
Restart the TMM after the config change.
1077533-4 : BIG-IP fails to restart services after mprov runs during boot.
Links to More Info: BT1077533
Component: TMOS
Symptoms:
Very occasionally, after mprov runs after a reboot the BIG-IP may fail to start with logs similar to the following:
bigip1 info mprov:7459:[7459]: 'admd failed to stop.'
bigip1 err mprov:7459:[7459]: 'admd failed to stop, provisioning may fail.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
...
bigip1 err mcpd[5584]: 01071392:3: Background command '/usr/bin/mprov.pl --quiet --commit asm avr host tmos ui ' failed. The command was signaled.
Conditions:
Occurs rarely after a reboot.
Impact:
The BIG-IP is unable to finish booting.
Workaround:
Reboot the BIG-IP again.
1077405-1 : Ephemeral pool members may not be created with autopopulate enabled.
Links to More Info: BT1077405
Component: TMOS
Symptoms:
Ephemeral pool members might not be added to a pool with an FQDN pool member "autopopulate enabled".
When this issue occurs:
-- Some or all of the expected Ephemeral Pool Members will not be created for the affected pool.
-- A message will be logged in the LTM log similar to the following:
err mcpd[####]: 01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (/Common/_auto_<IP address>) has autopopulate set to disabled.
(Note that the node name here is an Ephemeral Node.)
Also note that if you attempt to create an FQDN Pool Member with autopopulate enabled while the corresponding FQDN Node has autopopulate disabled, you will see a similar error message:
01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (/Common/fred) has autopopulate set to disabled.
Conditions:
This issue can occur under the following conditions:
-- Two or more FQDN Nodes have FQDN names that resolve to the same IP address(es).
-- That is, some Ephemeral Nodes have addresses resolved by more than one FQDN name defined in FQDN Nodes.
-- At least one of these FQDN Nodes has "autopopulate enabled."
-- At least one of these FQDN Nodes does not have "autopopulate enabled."
-- That is, autopopulate is disabled for one or more of these FQDN Nodes.
-- The FQDN Pool Member(s) in the affected pool(s) has "autopopulate enabled."
Impact:
The affected LTM pool(s) are not populated with expected (or any) ephemeral pool members.
Workaround:
To allow some LTM pools to use FQDN pool members with autopopulate enabled (allowing multiple ephemeral pool members to be created) while other LTM pools use FQDN pool members with autopopulate (allowing only one ephemeral pool member to be created), configure the following:
-- Create all FQDN Nodes with FQDN names that might resolve to a common/overlapping set of IP addresses with "autopopulate enabled".
-- Create FQDN Pool Members with autopopulate enabled or disabled depending on the desired membership for each pool.
1077293-3 : APPIQ option still showing in BIG-IP GUI even though its functionality migrated to BIG-IQ.
Links to More Info: BT1077293
Component: TMOS
Symptoms:
AppIQ is still visible in the System :: Configuration screen.
Conditions:
Navigating to the System :: Configuration : AppIQ page.
Impact:
AppIQ appears to be able to be provisioned but it has been removed from the BIG-IP system.
Workaround:
N/A
1077281-1 : Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages
Component: Application Security Manager
Symptoms:
When a policy contains an individual login page in session tracking, the exported xml policy fails to be imported back due to error “Malformed XML: Could not resolve foreign key dependence”.
Conditions:
The policy contains an individual login page in session tracking and the policy is exported in xml format
Impact:
Import the policy fails with an error: "Could not resolve foreign key dependence”.
Workaround:
This occurs when using XML format only, so you can use binary export/import
1076897-5 : OSPF default-information originate command options not working properly
Links to More Info: BT1076897
Component: TMOS
Symptoms:
OSPF default-information originate command options are not working properly.
Conditions:
Using OSPF default-information originate with metric/metric-type options.
Impact:
Incorrect route advertisement.
Workaround:
None
1076825-2 : "Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.
Links to More Info: BT1076825
Component: Application Security Manager
Symptoms:
"Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.
Conditions:
Upgrading to v16.1.x from earlier releases.
Impact:
Configuration of "Installation of Automatically Downloaded Updates" is lost and reverts to default.
Workaround:
Manually configure "Installation of Automatically Downloaded Updates" after the upgrade.
1076801-5 : Loaded system increases CPU usage when using CS features
Links to More Info: BT1076801
Component: TMOS
Symptoms:
When the BIG-IP system is under heavy load, datasyncd might create multiple java obfuscator processes running at the same time, which increases load even more.
Conditions:
-- CPU utilization on the BIG-IP system is high.
And one or more of the following conditions:
-- Bot Defense profile is attached to a virtual server
-- DoS profile with CS/Captcha mitigation is attached to the virtual server
-- ASM policy with brute force configuration is attached to the virtual server
Impact:
System load is increased.
Workaround:
None.
1076785-3 : Virtual server may not properly exit from hardware SYN Cookie mode
Links to More Info: BT1076785
Component: TMOS
Symptoms:
Virtual servers do not exit hardware SYN Cookie mode even after the SYN flood attack stops. The TMSH 'show ltm virtual' output shows 'full hardware' mode.
Conditions:
Selected HSB platforms where TMM is attached to multiple HSB modules. This depends on platform, BIG-IP version and selected Turboflex profile where applicable.
Impact:
The affected virtual server would not receive the TCP SYN packets until a TMM restart. The limited range of MSS values in SYN Cookie mode may slightly affect performance.
Workaround:
Disable hardware SYN Cookie mode on all virtual servers.
1076577-4 : iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg'
Links to More Info: BT1076577
Component: Local Traffic Manager
Symptoms:
The 'connect' iRule command fails to resume, causing processing of traffic to halt due to 'irule_scope_msg', which causes iRule processing to proceed in a way that 'connect' does not expect.
Conditions:
- iRule using 'connect' command
- Diameter/Generic-message 'irule_scope_msg' enabled
Impact:
Traffic processing halts (no crash)
1075905-4 : TCP connections may fail when hardware SYN Cookie is active
Links to More Info: BT1075905
Component: TMOS
Symptoms:
When an object is in hardware SYN Cookie mode, some of the valid connections are also rejected with "No flow found for ACK" reset cause.
Conditions:
VELOS and rSeries platforms.
Impact:
Service degradation.
Workaround:
Disable hardware SYN Cookie on all objects (virtual server, VLAN, etc.).
1073897-1 : TMM core due to memory corruption
Links to More Info: BT1073897
Component: Local Traffic Manager
Symptoms:
Tmm restarts
Conditions:
Unknown
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1073677-2 : Add a db variable to enable answering DNS requests before reqInitState Ready
Links to More Info: BT1073677
Component: Global Traffic Manager (DNS)
Symptoms:
When a new GTM is added to the Sync group, it takes a significant amount of time, and the newly added GTM won't become ready.
Conditions:
-- GTMs in a cluster with a large number of persist records
-- A new GTM device is added
Impact:
Clients of the BIG-IP GTM do not receive an answer, and application failures may occur.
Workaround:
None
1072165-5 : Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format
Links to More Info: BT1072165
Component: Application Security Manager
Symptoms:
Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format
Conditions:
ASM remote logging in ArcSight format
Impact:
Due to the missing fields, the remote message does not tell name of threat campaign name(s) that was detected.
Workaround:
Use other message format.
1070957-4 : Database monitor log file backups cannot be rotated normally.
Links to More Info: BT1070957
Component: Local Traffic Manager
Symptoms:
Debug log files used by the BIG-IP database monitor daemon (DBDaemon) do not exhibit the log-rotation behavior of other BIG-IP log files.
- The active DBDaemon log file is /var/log/DBDaemon-0.log
- DBDaemon log file size is limited to approximately 5MB. DBDaemon log files are backed up/rotated upon reaching this size.
- Exactly 9 (nine) DBDaemon log file backups are retained (/var/log/DBDaemon-0.log.[1-9])
- DBDaemon log file backups are not compressed.
- DBDaemon log file backup/rotation behavior is not user-configurable.
Conditions:
This issue applies when using BIG-IP database monitors:
-- mssql
-- mysql
-- oracle
-- postrgresql
Impact:
-- DBDaemon log file backups may consume more space under /var/log than desired.
-- When troubleshooting database monitor issues, DBDaemon log file rotation may occur so rapidly that older DBDaemon events may be lost, limiting the ability to capture meaningful diagnostic data.
Workaround:
It may be possible to work around this issue by periodically archiving DBDaemon log files, such as in a script with the following core functionality:
pushd /var/log;tar -czf DBDaemon_$(date +%Y%m%d%H%M).tgz DBDaemon-0.log*;popd
1070953-5 : Dnssec zone transfer could cause numerous gtm sync events.
Links to More Info: BT1070953
Component: Global Traffic Manager (DNS)
Symptoms:
GTM syncs for zone transfers that happen on other GTMs.
Conditions:
Dnssec zone transfer to client on peer GTM in the same GTM sync group.
Impact:
Numerous GTM sync and possible sync storm.
Workaround:
N/A
1070833-3 : False positives on FileUpload parameters due to default signature scanning
Links to More Info: BT1070833
Component: Application Security Manager
Symptoms:
False positives on FileUpload parameters due to signature scanning by default
Conditions:
A request containing binary content is sent in "FileUpload" type parameters
Impact:
False positives and ineffective resource utilization
Workaround:
Disable signature scanning on "FileUpload" parameters manually using GUI/REST.
1070789-1 : SSL fwd proxy invalidating certificate even through bundle has valid CA
Links to More Info: BT1070789
Component: Local Traffic Manager
Symptoms:
BIG-IP system rejects SSL forward proxy connections due to expired CA certificates present in ca-bundle even though other, valid CA certificates exist.
Conditions:
-- Forward proxy is enabled in client and server SSL profiles.
-- A valid CA certificate is followed by an expired CA certificate in ca-bundle.
Impact:
SSL handshakes will fail.
Workaround:
Remove all invalid trusted (i.e., expired) certificates from the certificate chain and replace them with a valid trusted certificate.
1069137-1 : Missing AWAF sync diagnostics
Links to More Info: BT1069137
Component: Application Security Manager
Symptoms:
Complex issues related to Policy Synchronization over Device Sync Groups and chassis are difficult to diagnose.
More detailed logging is needed if errors occur.
Conditions:
Device Group Sync is enabled on a chassis device.
Impact:
Root cause analysis is lengthy and difficult.
Workaround:
Enable debug logs in the environment:
> tmsh modify sys db log.asm.asmconfiglevel value debug
> tmsh modify sys db log.asm.asmconfigvent.level value debug
> tmsh modify sys db log.asm.asmconfigverbose.level value debug
1068673-4 : SSL forward Proxy triggers CLIENTSSL_DATA event on bypass.
Links to More Info: BT1068673
Component: Local Traffic Manager
Symptoms:
The CLIENTSSL_DATA iRule event is triggered unexpectedly during SSL forward proxy bypass.
Conditions:
This issue is seen when SSL forward proxy with bypass is enabled on client & server SSL profiles.
Impact:
This can cause unexpected failure of existing iRules which only expect CLIENTSSL_DATA on intercepted (and decrypted) data.
Workaround:
N/A
1067821-5 : Stats allocated_used for region inside zxfrd is overflowed
Links to More Info: BT1067821
Component: Global Traffic Manager (DNS)
Symptoms:
No visible symptoms.
Conditions:
Large resource record addition and deletion for dns express zones.
Impact:
Internal zxfrd stats are incorrect.
1067589-4 : Nsyncd memory leak.
Links to More Info: BT1067589
Component: Application Security Manager
Symptoms:
Memory usage for nsyncd increases over time, pressuring the device into OOM.
Conditions:
-- High availability (HA) environment with ASM sync failover device group.
-- ASU file are being installed by Live Update.
Impact:
OOM activity causing random process restarts and disruption.
Workaround:
Restart the nsyncd daemon.
1065681-2 : Sensitive data is not masked under certain conditions.
Links to More Info: BT1065681
Component: Application Security Manager
Symptoms:
Sensitive data (or part of it) is visible in the request logs or the remote log.
Conditions:
A parameter that is defined as a JSON profile. That profile has the parse parameters flag set.
Impact:
Sensitive data is visible in the log.
Workaround:
There are 2 possible workarounds:
1. Make the parameter that contains the json a sensitive parameter.
2. In the json profile attached to the parameter, uncheck the parse parameters flag. You will see a tab of sensitive data added in the UI. In that tab, explicitly add the JSON element as a sensitive element.
1065353-2 : Disabling ciphers does not work due to the order of cipher suite.
Links to More Info: BT1065353
Component: Local Traffic Manager
Symptoms:
You are not able to disable a list of ciphers.
Conditions:
The cipher list is given in an order in the tmsh command 'tmm --clientciphers'
Impact:
Inconsistent behavior of the command "tmm --clientciphers".
Workaround:
Reorder the ciphers in the list and pass the reordered list to "tmm --clientciphers".
1063977-4 : Tmsh load sys config merge fails with "basic_string::substr" for non-existing key.
Links to More Info: BT1063977
Component: Local Traffic Manager
Symptoms:
"tmsh load sys config merge" fails with the following error.
Loading configuration...
/var/tmp/repro.txt
01070711:3: basic_string::substr
Unexpected Error: Loading configuration process failed.
Conditions:
The key referenced in the configuration of the SSL profile does not exist in the BIG-IP.
Impact:
"tmsh load sys config merge" fails which is expected, but the error is not meaningful.
Workaround:
Identify the missing SSL key used in the configuration and correct it.
1063653-3 : TMM Crash while processing traffic on virtual server.
Links to More Info: BT1063653
Component: Local Traffic Manager
Symptoms:
TMM core while processing traffic on a virtual server.
Conditions:
iRule Execution during processing HTTP response.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
1063237-6 : Stats are incorrect when the management interface is not eth0
Links to More Info: BT1063237
Component: TMOS
Symptoms:
The provision.managementeth db variable can be used to change which interface the management interface is bridged to:
https://clouddocs.f5.com/cloud/public/v1/shared/change_mgmt_nic_google.html
If this is changed to something other than eth0, the management interface stats will continue to be read from eth0 and thus be incorrect.
Conditions:
When provision.managementeth is changed to something other than eth0.
Impact:
Management interface stats are incorrect.
Workaround:
Reconfigure the management interface to use eth0
1060989-1 : Improper handling of HTTP::collect
Component: Local Traffic Manager
Symptoms:
When a complete body has been received and a new HTTP::collect is attempted, an error occurs:
TCL error: /Common/rule_vs_server_15584 <HTTP_RESPONSE_DATA> - ERR_ARG (line 1) invoked from within "HTTP::collect 256000"
Conditions:
- HTTP Virtual server
- incremental HTTP::collect irule
Impact:
iRule failure
Workaround:
None
1060409-5 : Behavioral DoS enable checkbox is wrong.
Links to More Info: BT1060409
Component: Anomaly Detection Services
Symptoms:
Behavioral DoS Enabled indicator is wrongly reported after configuration change, when no traffic is injected to the virtual server.
Conditions:
Behavioral DoS is enabled and then disabled when no traffic is injected to the virtual server.
Impact:
After server health is stabilized and constant, the BIG-IP system doesn't report the configuration changes.
Workaround:
Send 1-2 requests to the server and the configuration will be updated.
1060369-2 : HTTP MRF Router will not change serverside load balancing method
Links to More Info: BT1060369
Component: Local Traffic Manager
Symptoms:
Selecting a different load balancing mechanism (i.e. an iRule or Local Traffic Policy selecting a different pool/node, the "virtual" command, etc) does not work for subsequent HTTP/1.x requests on a keep-alive connection.
Conditions:
-- "HTTP MRF Router" virtual server (virtual server has an "httprouter" profile attached)
-- Virtual server is handling HTTP/1.x traffic
Impact:
Traffic is load-balanced to incorrect destination.
Workaround:
None.
1060145-4 : Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2.
Links to More Info: BT1060145
Component: Global Traffic Manager (DNS)
Symptoms:
When secondary slot reboots and it gets the configuration from the primary blade, the secondary throws a validation error and enters into a restart loop.
The following error is logged:
Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/Common/bbt-generic-bigip 10.1.10.12 80 gtm-vs) was not found.... failed validation with error 16908342.
Conditions:
-- Change the virtual server address on the LTM (manual edit of bigip.conf and load).
-- Reboot the secondary slot.
Impact:
Mcpd enters a restart loop on the secondary slot.
Workaround:
N/A
1060021-3 : Using OneConnect profile with RESOLVER::name_lookup iRule might result in core.
Links to More Info: BT1060021
Component: Local Traffic Manager
Symptoms:
Tmm might core while using a OneConnect profile with iRule command RESOLVER::name_lookup.
Conditions:
1. One connect profile attached.
2. iRules with RESOLVER::name_lookup command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Don't use RESOLVER::name_lookup iRule on virtual that uses the oneconnect profile.
1056941-3 : HTTPS monitor continues using cached TLS version after receiving fatal alert.
Links to More Info: BT1056941
Component: Local Traffic Manager
Symptoms:
After an HTTPS monitor completes successfully, the TLS version is cached and used for subsequent monitor probes.
If the back end server TLS version changes between monitor polls and no longer allows the cached TLS version, the back end server correctly sends a fatal alert to the BIG-IP in response to the no longer allowed TLS version.
The BIG-IP will continue to use the cached, now prohibited, version in all subsequent probes resulting in a false down resource until the cached information is cleared on the BIG-IP.
Conditions:
ClientSSL profile is changed on backend BIG-IP device's virtual server,
Impact:
BIG-IP continues to send prohibited TLS version and reports the member as down.
Workaround:
-- Delete and re-add pool member.
-- Change HTTPS monitor to any other monitor (including another HTTPS monitor) and then back.
-- Restart bigd with "bigstart restart bigd" - Note that this impacts all monitoring on the BIG-IP.
-- Restart BIG-IP - Note that this impacts all traffic on the BIG-IP.
1054717-4 : Incorrect Client Summary stats for transparent cache.
Links to More Info: BT1054717
Component: Global Traffic Manager (DNS)
Symptoms:
The Client Summary section in transparent cache is incorrect for transparent cache.
Conditions:
Transparent cache attached to a DNS profile.
Impact:
Efficacy of DNS Transparent cache stats reduced.
Workaround:
N/A
1050165-2 : APM - users end up with SSO disabled for their session, admin intervention required to clear session
Links to More Info: BT1050165
Component: Access Policy Manager
Symptoms:
If a user is trying to access a webtop resource that is configured behind APM single sign-on (SSO) which has failed for some reason, then the SSO process for that user is disabled for the rest of that session's life time.
Conditions:
-- Configure Kerberos SSO
-- Configure a network resource (a user's mail box configured on exchnage server, or an IIS based web service)
Impact:
BIG-IP Admin has to intervene to release the affected session manually.
Workaround:
None
1048989-1 : Slight correction of button titles in the Data Guard Protection Enforcement
Component: Application Security Manager
Symptoms:
A button title read as "Ignored URLs / Enforced URLs" instead of "Ignore URLs / Enforce URLs".
Conditions:
1. On the Security > Application Security > Security Policies > Policies List > <selected_policy> screen, click the Data Guard tab.
2. Look on the Data Guard Protection Enforcement (Wildcards Supported) button fields. The button title should appear as Ignore/Enforce URLs.
Impact:
The title of the button is misleading.
Workaround:
None
1048445-4 : Accept Request button is clickable for unlearnable violation illegal host name
Links to More Info: BT1048445
Component: Application Security Manager
Symptoms:
For the following violations:
- VIOL_HOSTNAME (Hostname violation)
- VIOL_HOSTNAME_MISMATCH (Hostname mismatch violation)
The accept button is clickable when it should not. Accept Request button should be disabled for this violations.
Conditions:
Generate an illegal host name or hostname mismatch violation.
Impact:
Request will not be accepted even though you have elected to accept the illegal request.
Workaround:
Do not accept the request to hostname and hostname mismatch violation, no ASM config changes will be triggered.
1046917-5 : In-TMM monitors do not work after TMM crashes
Links to More Info: BT1046917
Component: In-tmm monitors
Symptoms:
After TMM crashes and restarts, in-TMM monitors do not run. Monitored pool members are down.
Conditions:
-- In-TMM monitors are enabled.
-- TMM exits abnormally, as a result of one of the following:
+ TMM crashing and restarting
+ TMM being sent a termination signal (i.e. using 'pkill' to kill TMM)
Note: This issue does not occur if TMM is restarted using 'bigstart' or 'tmsh sys service'.
Impact:
Monitored pool members are offline.
Workaround:
One of the following:
1. Do not use in-TMM monitors.
2. After TMM restarts, manually restart bigd:
tmsh restart sys service bigd
3. Add an entry to /config/user_alert.conf such as the following, so that the system restarts bigd when TMM starts up.
On an appliance or single-slot vCMP guest/tenant:
alert id1046917 "Tmm ready - links up." {
exec command="bigstart restart bigd"
}
On a VIPRION or multi-slot vCMP guest/tenant:
alert id1046917 "Tmm ready - links up." {
exec command="clsh --color=all bigstart restart bigd"
}
Note: This change must be made separately on each device in a ConfigSync device group.
1041469-1 : Request Log Page: Line break in the middle of the word in the note next to Block this IP Address
Component: Application Security Manager
Symptoms:
Words may break in the middle before going to the next line.
Conditions:
1. Create Policy, for example Fundamental
2. Disable Alarm and Block flags for the "IP is blacklisted" violation in Learning and Blocking Settings
3. Apply Policy
4. Send request:
GET / HTTP/1.1
User-Agent: python-requests/2.21.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Request-Id: 003390
Host: 10.0.1.101:7000
5. open request details in Security ›› Event Logs : Application : Requests
6. click the arrow next to Source IP Address
7. Set Block this IP Address to Always
Impact:
Words at the end of the line and the beginning of the next line may seems broken. Only cosmetic impact.
Workaround:
None
1040465-2 : Incorrect SNAT pool is selected
Links to More Info: BT1040465
Component: Local Traffic Manager
Symptoms:
An incorrect SNAT pool is selected when an SSL Forward Proxy is configured and BYPASS is enabled along with an iRule to choose the SNAT pool.
Conditions:
-- Virtual Server has SSL Forward Proxy Deployment with BYPASS enabled
-- iRule configured to decide the SNAT pool members
-- Virtual Server passes the traffic
Impact:
Traffic diverted to incorrect SNAT pool when BYPASS happens.
1040277-6 : Syslog-ng issue may cause logging to stop and possible reboot of a system
Links to More Info: BT1040277
Component: TMOS
Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to logging via syslog-ng to stop.
For software version 13.1 only it may lead to BIG-IP unexpectedly rebooting due to host watchdog timeout, typically within hours to day or two after syslog-ng gets hung up.
The cessation of logging happens at the time of the last 'Syslog connection broken' in /var/log/messages before reboot.
That message will appear without a preceding 'Syslog connection established' just before it with same timestamp.
At this time syslog-ng typically spins, using near 100% CPU.
Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.
A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to stream of log messages by breaking connection eg by sending ICMP port unreachable to BIG-IP.
Syslog-ng will note the connection attempt and that it has broken usually in the same second, and do so every 60s when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
The final log will of a broken connection only, usually one minute after the last established/broken pair in the very rare event that syslog-ng hangs.
Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.
Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable. If a remote server is not reachable remove it from the BIG-IP syslog configuration.
1040153-4 : Topology region returns narrowest scope netmask without matching
Links to More Info: BT1040153
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP returns malformed packets or the narrowest scope not matching the request.
Conditions:
Mixed sub networks with different mask length.
Impact:
Malformed packets.
Workaround:
Do not put mixed subnets in one region.
1037877-5 : OAuth Claim display order incorrect in VPE
Links to More Info: BT1037877
Component: Access Policy Manager
Symptoms:
In the visual policy editor (VPE), it is difficult to re-order custom previously created Claims in the oAuth Authorization agent.
The following error is thrown in the developer tools screen of the client browser:
common.js?m=st&ver=15.1.2.1-0.0.10.0:902 Uncaught TypeError: Cannot read property 'row' of undefined
at Object.common_class.swap (common.js?m=st&ver=15.1.2.1-0.0.10.0:902)
at multipleObjectsSelectionCBDialogue_class.swapEntries (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263)
at HTMLAnchorElement.<anonymous> (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185)
common_class.swap @ common.js?m=st&ver=15.1.2.1-0.0.10.0:902
multipleObjectsSelectionCBDialogue_class.swapEntries @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263
(anonymous) @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185
Conditions:
-- There are at least two claims in Access :: Federation : OAuth Authorization Server : Claim
-- You are attempting to reorder the claims in the visual policy editor
Impact:
It is not possible to re-order the claims
Workaround:
None
1036613-6 : Client flow might not get offloaded to PVA in embryonic state
Links to More Info: BT1036613
Component: TMOS
Symptoms:
The client flow is not offloaded in embryonic state, but only is only offloaded once the flow transitions to an established state.
Conditions:
-- FastL4 profile configured to offload TCP connections in embryonic state (this is the default)
-- Clientside and serverside ingress traffic is handled by different TMMs
-- Running on a platform with multiple HSB modules per TMM, i.e.:
--+ BIG-IP i11600 Series
--+ BIG-IP i15600 Series
Impact:
- minor performance degradation;
- PVA traffic counters show unexpectedly high values;
1035757-5 : iRulesLX restart leaves stale files in /var/tmstat/blade/tmplugin_ilx_*
Links to More Info: BT1035757
Component: Local Traffic Manager
Symptoms:
After restarting the ilx plugin, new tmplugin_ilx_rpc_* stat files are being created, but old files are not being deleted.
Conditions:
- ilx configured
- ilx plugin restarted
Impact:
The presence of too many of these leftover files might prevent merged from rolling up stats and providing graphs and cause such errors:
err merged[8523]: 011b0900:3: TMSTAT error tmstat_remerge: Cannot allocate memory.
Workaround:
Delete stale tmplugin_ilx_* files manually
1035361-7 : Illegal cross-origin after successful CAPTCHA
Links to More Info: BT1035361
Component: Application Security Manager
Symptoms:
After enabling CAPTCHA locally on BIG-IP with brute force, after configured login attempts, CAPTCHA appears, but after bypassing the CAPTCHA successfully the user receives a support ID with cross-origin violation.
Conditions:
- brute force with CAPTCHA mitigation enforced on login page.
- cross-origin violation is enforced on the login page.
- user fails to login until CAPTCHA appears
- user inserts the CAPTCHA correctly
Impact:
- blocking page appears.
- on the event log cross-origin violation is triggered.
Workaround:
- disable cross-origin violation enforcement.
1032257-5 : Forwarded PVA offload requests fail on platforms with multiple PDE/TMM
Links to More Info: BT1032257
Component: TMOS
Symptoms:
Forwarded PVA requests use a static bigip_connection that does not have its pva_pde_info initialized, which results in offload failure on platforms that have multiple PDEs per TMM.
Conditions:
Pva_pde_info is not initialized and Forwarded PVA requests occur.
Impact:
Hardware offload does not occur.
1029373-3 : Firefox 88+ raising Suspicious browser violations with bot defense
Links to More Info: BT1029373
Component: Application Security Manager
Symptoms:
Bot-defense might block legal traffic arriving from Firefox version 88
Conditions:
- ASM provisioned
- bot-defense profile assigned on a virtual server
Impact:
Legal traffic is blocked
Workaround:
Tmsh modify sys db botdefense.suspicious_js_score value 60
1029105-2 : Hardware SYN cookie mode state change logs bogus virtual server address
Links to More Info: BT1029105
Component: TMOS
Symptoms:
When a virtual server enters or exits hardware SYN cookie mode, a bogus IP address is logged in /var/log/ltm. For example:
Syncookie HW mode activated, server name = /Common/vs server IP = 0.0.0.3:0
Conditions:
A virtual server enters or exits hardware SYN cookie mode.
Impact:
Only the logging information is wrong, the hardware SYN cookie mode functions correctly.
Workaround:
None
1028081-2 : [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page
Links to More Info: BT1028081
Component: Access Policy Manager
Symptoms:
1. Users connecting with F5 Access from an Android device see string "function () {[native code]}" in the Logon Page Form 'Username' field.
2. This issue only affects the F5 Access embedded browser. It works fine when connecting from the same Android device using Chrome. F5 Access from iOS is also working fine.
Conditions:
Configure an access policy with modern customization that includes a Logon Page.
Impact:
The string "function () {[native code]}" appears in the Logon Page Form 'Username' field.
Workaround:
This solution is temporal as changes are lost after an upgrade.
steps:
1) create a copy of the original "main.js" file
# cp /var/sam/www/webtop/public/include/js/modern/main.js /var/sam/www/webtop/public/include/js/modern/main.js.origin
2) edit the file using an editor (e.g., vi).
# vi /var/sam/www/webtop/public/include/js/modern/main.js
modify
window.externalAndroidWebHost.getWebLogonUserName to window.externalAndroidWebHost.getWebLogonUserName()
and
window.externalAndroidWebHost.getWebLogonPassword to window.externalAndroidWebHost.getWebLogonPassword()
3) Restart BIG-IP
1026781-4 : Standard HTTP monitor send strings have double CRLF appended
Links to More Info: BT1026781
Component: Local Traffic Manager
Symptoms:
Standard (bigd-based, not In-TMM) HTTP monitors have a double CRLF appended (\r\n\r\n) to the send string. This does not comply with RFC1945 section 5.1 which states requests must terminate with a single CRLF (\r\n). This non-compliant behavior can lead to unexpected results when probing servers.
Conditions:
Standard bigd (not In-TMM) HTTP monitors
Impact:
Servers probed by these non-RFC-compliant HTTP monitors may respond in an unexpected manner, resulting in false negative or false positive monitor results.
Workaround:
There are several workarounds:
1. If running 13.1.0 or later, switch monitoring from bigd-based to In-TMM. In-TMM monitors properly follow RFC1945 and will send only a single CRLF (\r\n)
2. Remain with bigd-based monitoring and configure probed servers to respond to double CRLF (\r\n\r\n) in a desired fashion
Depending on server configuration, a customized send string, even with the double CRLF, may still yield expected responses.
1025089-6 : Pool members marked down by database monitor due to stale cached connection
Links to More Info: BT1025089
Component: Local Traffic Manager
Symptoms:
By default, BIG-IP database monitors (mssql, mysql, oracle, postgresql) are configured to keep a connection to the database server open between monitor probes to avoid the overhead of establishing the network connection to the database server for each query operation.
If this cached network connection times out or is dropped by the database server, it is marked as "stale" when the next probe occurs, and a new connection is made during the next scheduled monitor probe.
In the meantime, due to the lost connection, the monitored pool member may be marked DOWN until the next scheduled monitor probe. This is more likely to occur when a database monitor is used to monitor a GTM pool member instead of an LTM pool member, due to differences between how monitors are configured for GTM versus LTM.
Conditions:
This may occur under the following conditions:
-- GTM or LTM pool members are monitored by a database monitor, configured such that a single probe failure will mark the member DOWN. (Such configuration may be more common for GTM monitors.)
-- Either the database server times out or drops the connection for some reason, or no database monitor probes are sent to the database server within a 5 minute interval.
Impact:
-- GTM or LTM pool members monitored by a database monitor may be marked DOWN temporarily if the network connection to the database server is dropped or times out.
-- High CPU utilization is observed on control plane cores.
Workaround:
To work around this issue, perform one of the following actions:
-- Configure the database (mssql, mysql, oracle, postgresql) monitor with a "count" value of "1". This prevents the caching/reuse of network connections to the database server between probes. Thus there is no cached connection to time out/get dropped. However, the overhead of establishing the network connection to the database server will be incurred for each probe.
-- Configure the database monitor "interval" and "timeout" values (for an LTM monitor), or the "interval", "timeout", "probe-attempts", "probe-interval" and "probe-timeout" values (for a GTM monitor) such that multiple failed monitor probes are required before the monitored member is marked DOWN.
1024421-4 : At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log
Links to More Info: BT1024421
Component: TMOS
Symptoms:
TMM log shows clock advancing and MPI timeout messages:
notice slot1 MPI stream: connection to node aborted for reason: TCP RST from remote system (tcp.c:5201)
notice slot1 tmm[42900]: 01010029:5: Clock advanced by 6320 ticks
Conditions:
-- pva.standby.flush DB key set to 1 (enabled). The default is 0.
-- Processing high traffic volume for some time
Impact:
Upstream switch could receive flow response from both active and standby units and cause a traffic disturbance.
1023529-4 : FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory.
Links to More Info: BT1023529
Component: Local Traffic Manager
Symptoms:
Command "tmsh show sys tmm-traffic" reports non-zero number of current connections but "tmsh show sys connection" shows nothing.
Conditions:
-- A virtual sever with fastL4 profile with infinite timeout enabled and an iRule containing "after" command. Having "-periodic" argument makes the problem more prominent.
-- Aggressive sweeper activated due to low memory conditions.
Impact:
Connections that were supposed to be removed by aggressive sweeper but were waiting for completion of an iRule may end up in a state where they are not reported by "tmsh show sys connection." Because of this issue, these connections cannot be deleted manually using 'tmsh del sys connection", but remain in memory. Their presence can be confirmed by non-zero number of current connections shown by "tmsh show sys tmm-traffic". Because of the infinite timeout setting, they will not timeout by themselves either.
Workaround:
N/A
1023229-5 : False negative on specific authentication header issue
Links to More Info: BT1023229
Component: Application Security Manager
Symptoms:
Blocking does not occur on a specific authentication header issue when a non-default internal parameter is set.
Conditions:
ignore_authorization_header_decode_failure is not set to 0
Impact:
A request with an authentication header issue can pass.
Workaround:
None
1021637-5 : In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs
Links to More Info: BT1021637
Component: Application Security Manager
Symptoms:
CSRF is sometimes enforced on URLs that do not match the CSRF URLs list
Conditions:
ASM policy with CSRF settings
Impact:
URLs that do not match the CSRF URLs list can be blocked due to CSRF violation.
Workaround:
None
1021609-5 : Improve matching of URLs with specific characters to a policy.
Links to More Info: BT1021609
Component: Application Security Manager
Symptoms:
Request with a URL containing specific characters is not matched to the correct policy.
Conditions:
URL of request contains specific percent-encoded characters.
Impact:
The request will not be matched by an expected policy rule.
Workaround:
Add an additional rule with explicit decoded characters.
1020717-5 : Policy versions cleanup process sometimes removes newer versions
Links to More Info: BT1020717
Component: Application Security Manager
Symptoms:
The policy versions cleanup process sometimes removes versions in incorrect order. Newer versions are removed while older versions are preserved.
Conditions:
"maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg" has very low value.
Impact:
Newer versions are removed.
Workaround:
increase value of "maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg"
1019829-4 : Configsync.copyonswitch variable is not functioning on reboot
Links to More Info: BT1019829
Component: TMOS
Symptoms:
Configsync.copyonswitch variable is not functioning properly during reboot to another partition
Conditions:
-- db variable configsync.copyonswitch modified
-- hostname is changed in global-settings
-- reboot to another partition
Impact:
The hostname will be changed back to the default hostname after reboot
1017557-5 : ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN
Links to More Info: BT1017557
Component: Application Security Manager
Symptoms:
ASM BD sends a reset back to the client when the backend server sends a response without proper terminating 0 chunk followed by FIN.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Backed server sends a bad chunked response
Impact:
Valid requests can be reset.
Workaround:
Any one of the following workarounds can be applied.
-- Fix backed server behavior.
-- Fix bad response using iRule, appending proper terminating 0 chunk
-- Change ASM internal /usr/share/ts/bin/add_del_internal update bypass_upon_load 1
1009337-3 : LACP trunk down due to bcm56xxd send failure
Links to More Info: BT1009337
Component: TMOS
Symptoms:
Lacp reports trunk(s) down. lacpd reports having trouble writing to bcm56xxd over the unix domain socket /var/run/uds_bcm56xxd.
Conditions:
Not known at this time.
Impact:
An outage was observed.
Workaround:
Restart bcm56xxd, lacpd, and lldpd daemons.
1004697-4 : Saving UCS files can fail if /var runs out of space
Links to More Info: BT1004697
Component: iApp Technology
Symptoms:
When saving a UCS, /var can fill up leading to UCS failure and the following log message:
err diskmonitor[1441]: 011d0004:3: Disk partition /var has only 0% free
Conditions:
-- iApps LX installed.
-- Multiple iApps LX applications.
-- A /var partition of 1.5 GB.
Impact:
UCS archives can not be created.
Workaround:
You can use either of the following Workarounds:
-- Manually remove the /var/config/rest/node/tmp/BUILD and /var/config/rest/node/tmp/BUILDROOT directories.
-- Increase the size of /var/. For information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952
1003765-3 : Authorization header signature triggered even when explicitly disabled
Links to More Info: BT1003765
Component: Application Security Manager
Symptoms:
Requests with base64 encoded Authorization header with disabled signatures might result in a blocking page even though the specific signature is disabled.
Conditions:
Base64 encoded Authorization header is included in the request.
Impact:
A signature violation is detected, even though the signature is disabled.
Workaround:
None
1003377-4 : Disabling DoS TCP SYN-ACK does not clear suspicious event count option
Links to More Info: BT1003377
Component: Advanced Firewall Manager
Symptoms:
When the 'Only Count Suspicious Events' option is turned on for the TCP SYN ACK Flood vector and the vector gets disabled, TMM continues operating as if 'Only Count Suspicious Events' is still configured.
Conditions:
Disabling TCP SYN ACK Flood vector with 'Only Count Suspicious Events' enabled.
Impact:
BIG-IP system might continue altering TCP initial sequence numbers for SYN-ACK cookie validations.
Workaround:
Disable the 'Only Count Suspicious Events' option first, and then disable TCP SYN ACK Flood vector.
1002969-5 : csyncd can consume excessive CPU time&start;
Links to More Info: BT1002969
Component: Local Traffic Manager
Symptoms:
Following a configuration change or software upgrade, the "csyncd" process becomes always busy, consuming excessive CPU.
Conditions:
-- occurs on a multiblade VIPRION chassis
-- may occur with or without vCMP
-- may occur after configuring F5 Telemetry Streaming, but may also occur in other circumstances
-- large numbers of files are contained in one or more of the directories being sync'ed between blades
Impact:
The overuse of CPU resources by "csyncd" may starve other control-plane processes. Handling of payload network traffic by the data plane is not directly affected.
Workaround:
To mitigate the processing load, identify which directory or directories contain excessive numbers of files being replicated between blades by "csyncd". If this replication is not absolutely needed, such a directory can be removed from the set of directories being sync'ed.
For example: if there are too many files being generated in the "/run/pamcache" directory (same as "/var/run/pamcache"), remove this directory from the set being acted upon by "csyncd" by running the following commands to comment-out the associated lines in the configuration file:
# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
# clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"
# clsh "bigstart restart csyncd"
If the problem was observed soon after the installation of F5 Telemetry Streaming, the configuration can be adjusted to make csyncd ignore the related files in a subdirectory of "/var/config/rest/iapps". Run the following commands:
# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
# clsh "sed -i '/\/var\/config\/rest\/iapps/a \ \ \ \ \ \ \ \ ignore f5-telemetry' /etc/csyncd.conf"
# clsh "bigstart restart csyncd"
1000561-6 : HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side
Links to More Info: BT1000561
Component: Local Traffic Manager
Symptoms:
HTTP/2 virtual servers pass the chunk size bytes from the server-side (HTTP/1.1) to the client-side (HTTP/2) when OneConnect and request-logging profiles are applied.
This results in a malformed HTTP response.
Conditions:
-- BIG-IP configured with a HTTP/2 virtual server using OneConnect and request-logging profiles.
-- The pool member sends a chunked response.
Impact:
The HTTP response passed to the client-side includes chunk size header values when it should not, resulting in a malformed HTTP response.
Workaround:
Change HTTP response-chunking to either 'unchunk' or 'rechunk' in the HTTP profile for the virtual server.
1000069-5 : Virtual server does not create the listener
Links to More Info: BT1000069
Component: Local Traffic Manager
Symptoms:
A virtual-address is in an offline state.
Conditions:
An address-list is used on a virtual server in a non-default route domain.
Impact:
The virtual IP address remains in an offline state.
Workaround:
Using tmsh, create the traffic-matching-criteria. Specify the route domain, and attach it to the virtual server.
&start; This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/