BIG-IP Release Information

Version: 17.0.0.1
Build: 4.0

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

The blue background highlights fixes

Known Issues in BIG-IP v17.0.x

Functional Change Fixes

TMOS Fixes

Local Traffic Manager Fixes

Global Traffic Manager (DNS) Fixes

Application Security Manager Fixes

Access Policy Manager Fixes

Service Provider Fixes

Advanced Firewall Manager Fixes

Policy Enforcement Manager Fixes

In-tmm monitors Fixes

 

Cumulative fix details for BIG-IP v17.0.0.1 that are included in this release

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

---

Known Issues in BIG-IP v17.0.x


TMOS Issues

ID Number	Severity	Links to More Info	Description
1120433-1	1-Blocking	BT1120433	Removed gtmd and big3d daemon from the FIPS-compliant list
979045-5	2-Critical	BT979045	The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms
950201-5	2-Critical	BT950201	Tmm core on GCP
842669-7	2-Critical	BT842669	Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log
737692-7	2-Critical	BT737692	Handle x520 PF DOWN/UP sequence automatically by VE
1110893-5	2-Critical	BT1110893	Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy
1105901-1	2-Critical	BT1105901	Tmm crash while doing high-speed logging
1097193-4	2-Critical	BT1097193	Unable to SCP files using WinSCP or relative path name
1095217-2	2-Critical	BT1095217	Peer unit incorrectly shows the pool status as unknown after upgrade to version 16.1.2.1
1093717-5	2-Critical	BT1093717	BGP4 SNMP traps are not working.
1085597-2	2-Critical	BT1085597	IKEv1 IPsec peer cannot be created in config utility (web UI)
1077789-5	2-Critical	BT1077789	System might become unresponsive after upgrading.&start;
1075905-4	2-Critical	BT1075905	TCP connections may fail when hardware SYN Cookie is active
992865-4	3-Major	BT992865	Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances
992053-7	3-Major	BT992053	Pva_stats for server side connections do not update for redirected flows
988745-5	3-Major	BT988745	On reboot, 'could not find platform object' errors may be seen in /var/log/ltm
966949-7	3-Major	BT966949	Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node
950153-4	3-Major	BT950153	LDAP remote authentication fails when empty attribute is returned
945413-5	3-Major	BT945413	Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync
930393-1	3-Major	BT930393	IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration
925469-4	3-Major	BT925469	SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo
921149-7	3-Major	BT921149	After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy
908453-6	3-Major	BT908453	Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly
879969-9	3-Major	BT879969	FQDN node resolution fails if DNS response latency >5 seconds
775845-7	3-Major	BT775845	Httpd fails to start after restarting the service using the iControl REST API
769741-5	3-Major	BT769741	TCP connection between mcp and tmm may get stalled
760982-4	3-Major	BT760982	An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios
760354-16	3-Major	BT760354	Continual mcpd process restarts after removing big logs when /var/log is full
755207-4	3-Major	BT755207	Large packets silently dropped on VE mlxvf5 devices
566995-5	3-Major	BT566995	bgpd might crash in rare circumstances.
1128169-2	3-Major	BT1128169	TMM core when IPsec tunnel object is reconfigured
1127881-1	3-Major	BT1127881	Deprecate sysClientsslStatFullyHwAcceleratedConns, sysClientsslStatPartiallyHwAcceleratedConns and sysClientsslStatNonHwAcceleratedConns
1125733-5	3-Major	BT1125733	Wrong server-side window scale used in hardware SYN cookie mode
1123885-1	3-Major	BT1123885	A specific type of software installation may fail to carry forward the management port's default gateway.
1123149-1	3-Major	BT1123149	Sys-icheck fail for /etc/security/opasswd
1122441-6	3-Major	BT1122441	Upgrade expat library to the latest version(2.4.8) to fix CVE's.
1122021-4	3-Major	BT1122021	Killall command might create corrupted core files
1121517-1	3-Major	BT1121517	Interrupts on Hyper-V are pinned on CPU 0
1120685-1	3-Major	BT1120685	Unable to update the password in the CLI when password-memory is set to > 0
1120345-7	3-Major	BT1120345	Running tmsh load sys config verify can trigger high availability (HA) failover
1113961-2	3-Major	K43391532, BT1113961	BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China
1113385-5	3-Major	BT1113385	Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP
1112537-1	3-Major	BT1112537	LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete.
1111629-5	3-Major	BT1111629	Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors
1111421-4	3-Major	BT1111421	TMSH/GUI fails to display IPsec SAs info
1106489-1	3-Major	BT1106489	GRO/LRO is disabled in environments using the TMM raw socket "sock" driver.
1103953-2	3-Major	BT1103953	SSMTP errors in logs every 20 minutes
1102849-4	3-Major	BT1102849	Less-privileged users (guest, operator, etc) are unable to run top level commands
1100409-5	3-Major		Valid connections may fail while a virtual server is in SYN cookie mode.
1100321-4	3-Major	BT1100321	MCPD memory leak
1093973-8	3-Major	BT1093973	Tmm may core when BFD peers select a new active device.
1093553-5	3-Major	BT1093553	OSPF "default-information originate" injects a new link-state advertisement
1093313-1	3-Major	BT1093313	CLIENTSSL_CLIENTCERT iRule event is not triggered for TLS1.3 when the client sends an empty certificate response
1091725-5	3-Major	BT1091725	Memory leak in IPsec
1090313-4	3-Major	BT1090313	Virtual server may remain in hardware SYN cookie mode longer than expected
1086517-3	3-Major	BT1086517	TMM may not properly exit hardware SYN cookie mode
1085837-3	3-Major	BT1085837	Virtual server may not exit from hardware SYN cookie mode
1081649-3	3-Major	BT1081649	Remove the "F5 iApps and Resources" link from the iApps->Package Management
1081641-5	3-Major	BT1081641	Remove Hyperlink to Legal Statement from Login Page
1080925-4	3-Major	BT1080925	Changed 'ssh-session-limit' value is not reflected after restarting mcpd
1080297-5	3-Major	BT1080297	ZebOS does not show "log syslog" in the running configuration, or store it in the startup configuration
1077533-4	3-Major	BT1077533	BIG-IP fails to restart services after mprov runs during boot.
1077405-1	3-Major	BT1077405	Ephemeral pool members may not be created with autopopulate enabled.
1076801-5	3-Major	BT1076801	Loaded system increases CPU usage when using CS features
1076785-3	3-Major	BT1076785	Virtual server may not properly exit from hardware SYN Cookie mode
1063237-6	3-Major	BT1063237	Stats are incorrect when the management interface is not eth0
1040277-6	3-Major	BT1040277	Syslog-ng issue may cause logging to stop and possible reboot of a system
1036613-6	3-Major	BT1036613	Client flow might not get offloaded to PVA in embryonic state
1032257-5	3-Major	BT1032257	Forwarded PVA offload requests fail on platforms with multiple PDE/TMM
1029105-2	3-Major	BT1029105	Hardware SYN cookie mode state change logs bogus virtual server address
1024421-4	3-Major	BT1024421	At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log
1019829-4	3-Major	BT1019829	Configsync.copyonswitch variable is not functioning on reboot
1009337-3	3-Major	BT1009337	LACP trunk down due to bcm56xxd send failure
964533-6	4-Minor	BT964533	Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.
936501-7	4-Minor	BT936501	Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled
929173-5	4-Minor	BT929173	Watchdog reset due to CPU stall detected by rcu_sched
915141-6	4-Minor	BT915141	Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'
658943-6	4-Minor	BT658943	Errors when platform-migrate loading UCS using trunks on vCMP guest
1121169-4	4-Minor	BT1121169	Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use
1114253-5	4-Minor	BT1114253	Weighted static routes do not recover from BFD link failures
1101741-1	4-Minor	BT1101741	Virtual server with default pool down and iRule pool up will flap for a second during a full config-sync.
1100609-1	4-Minor	BT1100609	Length Mismatch in DNS/DHCP IPv6 address in logs and pcap
1096461-1	4-Minor	BT1096461	TACACS system-auth Accounting setting has no effect when set to send-to-all-servers/send-to-first-server
1095973-4	4-Minor	BT1095973	Config load failure when Trusted CA Bundle is missing and URL is present in the Bundle Manager
1095205-5	4-Minor	BT1095205	Config.auditing.forward.multiple db Variable with value "none" is not working as expected with multiple destination addresses in audit_forwarder.
1089005-5	4-Minor	BT1089005	Dynamic routes might be missing in the kernel on secondary blades.
1082193-4	4-Minor	BT1082193	TMSH: Need to update the version info for SERVER_INIT in help page
1077293-3	4-Minor	BT1077293	APPIQ option still showing in BIG-IP GUI even though its functionality migrated to BIG-IQ.
1076897-5	4-Minor	BT1076897	OSPF default-information originate command options not working properly

Local Traffic Manager Issues

ID Number	Severity	Links to More Info	Description
1112349-5	1-Blocking	BT1112349	FIPS Card Cannot Initialize
999669-4	2-Critical	BT999669	Some HTTPS monitors are failing after upgrade when config has different SSL option&start;
949137-8	2-Critical	BT949137	Clusterd crash and vCMP guest failover
922737-3	2-Critical	BT922737	TMM crash
632553-7	2-Critical	K14947100, BT632553	DHCP: OFFER packets from server are intermittently dropped
1113549-2	2-Critical	BT1113549	System boots into an inoperative state after installing engineering hotfix with FIPS140-2/140-3 License&start;
1110813-4	2-Critical		Improve MPTCP retransmission handling while aborting
1110205-3	2-Critical	BT1110205	SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown
1100249-1	2-Critical	BT1100249	SNAT with FLOW_INIT firewall rule may core TMM due to wrong type of underlying flow structure
1099545-1	2-Critical	BT1099545	Tmm may core when PEM virtual with a simple policy and iRule is being used
1091021-1	2-Critical	BT1091021	The BIG-IP system may take no fail-safe action when the bigd daemon becomes unresponsive.
1087469-3	2-Critical	BT1087469	iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate.
1087217-3	2-Critical	BT1087217	TMM crash as part of the fix made for ID912209
1078741-3	2-Critical	BT1078741	Tmm crash
1073897-1	2-Critical	BT1073897	TMM core due to memory corruption
1063653-3	2-Critical	BT1063653	TMM Crash while processing traffic on virtual server.
1060369-2	2-Critical	BT1060369	HTTP MRF Router will not change serverside load balancing method
966785-4	3-Major	BT966785	Rate Shaping stops TCP retransmission
947125-8	3-Major	BT947125	Unable to delete monitors after certain operations
945189-6	3-Major	BT945189	HTTPS monitor fails due to missing ECDHE-RSA-AES256-CBC-SHA&start;
932461-6	3-Major	BT932461	Cert update on server SSL profile on HTTPS monitor: BIG-IP not using the updated certificate.
928445-7	3-Major	BT928445	HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2
912293-6	3-Major	BT912293	Persistence might not work properly on virtual servers that utilize address lists
901569-5	3-Major	BT901569	Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.
887265-5	3-Major	BT887265	BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration&start;
878641-4	3-Major	BT878641	TLS1.3 certificate request message does not contain CAs
739475-7	3-Major	BT739475	Site-Local IPv6 Unicast Addresses support.
1126329-1	3-Major	BT1126329	SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT&start;
1115041-2	3-Major	BT1115041	BIG-IP does not forward the response received after GOAWAY, to the client.
1113181-1	3-Major	BT1113181	Self-IP allows no traffic following a modification from "Allow Custom (Include Default)" to "Allow Custom".
1112385-4	3-Major	BT1112385	Traffic classes match when they shouldn't
1112205-1	3-Major	BT1112205	HTTP/2 may garble responses if the client-side stream aborts while response headers are on the wire
1111473-5	3-Major	BT1111473	"Invalid monitor rule instance identifier" error after sync with FQDN nodes
1110949-3	3-Major	BT1110949	Updating certKeyChain of parent SSL profile using iControl does not change the cert and key outside certKeyChain of the child profile
1109953-5	3-Major	BT1109953	TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry
1109833-2	3-Major	BT1109833	HTTP2 monitors not sending request
1107605-2	3-Major	BT1107605	TMM crash reported with specific policy settings
1106673-4	3-Major	BT1106673	Tmm crash with FastL4 virtual servers and CMP disabled
1105969-4	3-Major	BT1105969	Gratuitous ARP not issued for non-floating self-IP on clicking "Update" via the GUI
1104553-3	3-Major	BT1104553	HTTP_REJECT processing can lead to zombie SPAWN flows piling up
1102429-1	3-Major	BT1102429	iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases.
1101181-4	3-Major	BT1101181	HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server
1099373-3	3-Major	BT1099373	Virtual Servers may reply with a three-way handshake when disabled or when processing iRules
1099229-5	3-Major	BT1099229	SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present
1097473-5	3-Major	BT1097473	BIG-IP transmits packets with incorrect content
1096893-3	3-Major	BT1096893	TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection
1093061-1	3-Major	BT1093061	MCPD restart on secondary blade during hot-swap of another blade
1091969-4	3-Major	BT1091969	iRule 'virtual' command does not work for connections over virtual-wire.
1091785-1	3-Major	BT1091785	DBDaemon restarts unexpectedly and/or fails to restart under heavy load
1088597-1	3-Major	BT1088597	TCP keepalive timer can be immediately re-scheduled in rare circumstances
1088173-3	3-Major	BT1088173	With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile
1087569-5	3-Major	BT1087569	Changing max header table size according HTTP2 profile value may cause stream/connection to terminate
1086473-4	3-Major	BT1086473	BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake
1084965-4	3-Major	BT1084965	Low visibility of attack vector
1083621-5	3-Major	BT1083621	The virtio driver uses an incorrect packet length
1083589-4	3-Major	BT1083589	Some connections are dropped on chained IPv6 to IPv4 virtual servers.
1081813-3	3-Major	BT1081813	A rst_stream can erronously tear down the overall http2 connection.
1077553-4	3-Major	BT1077553	Traffic matches the wrong virtual server after modifying the port matching configuration
1076577-4	3-Major	BT1076577	iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg'
1070957-4	3-Major	BT1070957	Database monitor log file backups cannot be rotated normally.
1070789-1	3-Major	BT1070789	SSL fwd proxy invalidating certificate even through bundle has valid CA
1068673-4	3-Major	BT1068673	SSL forward Proxy triggers CLIENTSSL_DATA event on bypass.
1065353-2	3-Major	BT1065353	Disabling ciphers does not work due to the order of cipher suite.
1063977-4	3-Major	BT1063977	Tmsh load sys config merge fails with "basic_string::substr" for non-existing key.
1060989-1	3-Major		Improper handling of HTTP::collect
1060021-3	3-Major	BT1060021	Using OneConnect profile with RESOLVER::name_lookup iRule might result in core.
1056941-3	3-Major	BT1056941	HTTPS monitor continues using cached TLS version after receiving fatal alert.
1040465-2	3-Major	BT1040465	Incorrect SNAT pool is selected
1026781-4	3-Major	BT1026781	Standard HTTP monitor send strings have double CRLF appended
1025089-6	3-Major	BT1025089	Pool members marked down by database monitor due to stale cached connection
1023529-4	3-Major	BT1023529	FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory.
1002969-5	3-Major	BT1002969	csyncd can consume excessive CPU time&start;
1000561-6	3-Major	BT1000561	HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side
1000069-5	3-Major	BT1000069	Virtual server does not create the listener
990173-7	4-Minor	BT990173	Dynconfd repeatedly sends the same mcp message to mcpd
929429-9	4-Minor	BT929429	Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed
1124085-5	4-Minor	BT1124085	iRules command [info hostname] does not reflect modified hostname
1122377-1	4-Minor	BT1122377	If-Modified-Since always returns 304 response if there is no last-modified header in the server response
1121349-1	4-Minor	BT1121349	CPM NFA may stall due to lack of other state transition
1107453-1	4-Minor	BT1107453	Performance drop observed in some Ramcache::HTTP tests on BIG-IP i10800 platform
1103617-5	4-Minor	BT1103617	'Reset on Timeout' setting might be ignored when fastl4 is used with another profile.
1103117-1	4-Minor	BT1103117	iAppLX extension using express with httpserver script leaves lingering client-side flow on HTTP requests.
1101369-5	4-Minor		MQTT connection stats are not updated properly
1093545-5	4-Minor	BT1093545	Attempts to create illegal virtual-server may lead to mcpd crash.
1035757-5	4-Minor	BT1035757	iRulesLX restart leaves stale files in /var/tmstat/blade/tmplugin_ilx_*

Global Traffic Manager (DNS) Issues

ID Number	Severity	Links to More Info	Description
940733-6	2-Critical	BT940733	Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt&start;
931149-4	2-Critical	BT931149	Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings
1103833-1	2-Critical	BT1103833	Tmm core with SIGSEGV in gtmpoolmbr_UpdateStringProc
966461-8	3-Major	BT966461	Tmm memory leak
1127805-1	3-Major	BT1127805	Server.crt containing "<" will cause frequent reconnects between local gtmd and big3d
1124217-5	3-Major	BT1124217	Big3d cores on CTCPSocket::TCPReceive and connector
1116513-4	3-Major	BT1116513	Route-domains should not be allowed on name server addresses via the GUI.
1111361-4	3-Major	BT1111361	Refreshing DNS wide IP pool statistics returns an error
1108557-5	3-Major	BT1108557	DNS NOTIFY with TSIG is failing due to un-matched TSIG name
1108237-1	3-Major	BT1108237	Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM.
1100197-1	3-Major	BT1100197	GTM sends wrong commit_id originator for iqsyncer to do gtm group sync
1096165-5	3-Major	BT1096165	Tmm cored for accessing the pool after the gtm_add command is run
1078669-1	3-Major		iRule command “RESOLVER::name_lookup” returns null for TCP resolver with TC (truncated) flag set.
1073677-2	3-Major	BT1073677	Add a db variable to enable answering DNS requests before reqInitState Ready
1070953-5	3-Major	BT1070953	Dnssec zone transfer could cause numerous gtm sync events.
1060145-4	3-Major	BT1060145	Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2.
1040153-4	3-Major	BT1040153	Topology region returns narrowest scope netmask without matching
1125161-3	4-Minor	BT1125161	Wideip fails to display or delete in the Link Controller GUI.
1121937-5	4-Minor	BT1121937	ZoneRunner GUI is unable to display CAA records with "Property Value" set to ";"
1067821-5	4-Minor	BT1067821	Stats allocated_used for region inside zxfrd is overflowed
1054717-4	4-Minor	BT1054717	Incorrect Client Summary stats for transparent cache.
1122153-5	5-Cosmetic	BT1122153	Zonerunner GUI displaying incorrect error string "RRSig Covers Unsupported Record Type"

Application Security Manager Issues

ID Number	Severity	Links to More Info	Description
1105341-1	0-Unspecified	BT1105341	Decode_application_payload can break exponent notation in JSON
1113161-1	2-Critical		After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets&start;
1098609-2	2-Critical	BT1098609	BD crash on specific scenario
1095185-1	2-Critical	BT1095185	Failed Configuration Load on Secondary Slot After Device Group Sync
1117245-1	3-Major	BT1117245	Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file
1113881-1	3-Major		Headers without a space after the colon trigger an HTTP RFC violation
1112805-5	3-Major	BT1112805	ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4
1110281-1	3-Major	BT1110281	Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable
1105485	3-Major	BT1105485	Emulated Interaction Events occurs when using Bot Defense Profile and Datasafe keylogger protection feature
1100669-2	3-Major	BT1100669	Brute force captcha loop
1099193-1	3-Major		Incorrect configuration for "Auto detect" parameter is shown after switching from other data types
1095041-1	3-Major	BT1095041	ASM truncates cookies that contain a space in the name and TS cookie as part of cookie list.
1089853-1	3-Major		"Virtual Server" or "Bot Defense Profile" links in Request Details are not working
1088849-1	3-Major	BT1088849	Inconsistent behavior while sending malformed request to /TSbd URLs
1085661-2	3-Major	BT1085661	Standby system saves config and changes status after sync from peer
1080613-4	3-Major	BT1080613	"Installation of Automatically Downloaded Updates" configuration in LiveUpdate is lost during the first tomcat restart, after upgrading to versions having the fix of ID907025.&start;
1077281-1	3-Major		Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages
1072165-5	3-Major	BT1072165	Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format
1070833-3	3-Major	BT1070833	False positives on FileUpload parameters due to default signature scanning
1069137-1	3-Major	BT1069137	Missing AWAF sync diagnostics
1067589-4	3-Major	BT1067589	Nsyncd memory leak.
1065681-2	3-Major	BT1065681	Sensitive data is not masked under certain conditions.
1029373-3	3-Major	BT1029373	Firefox 88+ raising Suspicious browser violations with bot defense
1023229-5	3-Major	BT1023229	False negative on specific authentication header issue
1021609-5	3-Major	BT1021609	Improve matching of URLs with specific characters to a policy.
1017557-5	3-Major	BT1017557	ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN
1120529-2	4-Minor	BT1120529	Illegal internal request in multipart batch request
1113753-1	4-Minor		Signatures might not be detected when using truncated multipart requests
1111793-1	4-Minor		New HTTP RFC Compliance check for incorrect newline separators between request line and first header
1108657-2	4-Minor		No notification about disabled "Virus detected" violation in case of enabling "Anti-Virus Protection"
1087005-1	4-Minor	BT1087005	Application charset may be ignored when using Bot Defense Browser Verification
1084857-1	4-Minor	BT1084857	ASM::support_id iRule command does not display the 20th digit
1083513-3	4-Minor	BT1083513	BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd
1076825-2	4-Minor	BT1076825	"Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.
1048445-4	4-Minor	BT1048445	Accept Request button is clickable for unlearnable violation illegal host name
1035361-7	4-Minor	BT1035361	Illegal cross-origin after successful CAPTCHA
1021637-5	4-Minor	BT1021637	In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs
1020717-5	4-Minor	BT1020717	Policy versions cleanup process sometimes removes newer versions
1003765-3	4-Minor	BT1003765	Authorization header signature triggered even when explicitly disabled
1048989-1	5-Cosmetic		Slight correction of button titles in the Data Guard Protection Enforcement
1041469-1	5-Cosmetic		Request Log Page: Line break in the middle of the word in the note next to Block this IP Address

Application Visibility and Reporting Issues

ID Number	Severity	Links to More Info	Description
1111189-1	3-Major	BT1111189	Listing errors in tmsh and installation failures when the configuration includes an AVR scheduled-report.

Access Policy Manager Issues

ID Number	Severity	Links to More Info	Description
831737-4	2-Critical	BT831737	Memory Leak when using Ping Access profile
1122473-5	2-Critical	BT1122473	TMM core
1082581-3	2-Critical		Apmd sees large memory growth due to CRLDP Cache handling
796065-3	3-Major	BT796065	PingAccess filter can accumulate connections increasing memory use.
1108109-5	3-Major	BT1108109	APM policy sync fails when access policy contains customization images&start;
1050165-2	3-Major	BT1050165	APM - users end up with SSO disabled for their session, admin intervention required to clear session
1037877-5	3-Major	BT1037877	OAuth Claim display order incorrect in VPE
1079441-4	4-Minor	BT1079441	APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries
1028081-2	4-Minor	BT1028081	[F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page

Service Provider Issues

ID Number	Severity	Links to More Info	Description
1116941-2	4-Minor		Need larger Content-Length value supported for SIP

Advanced Firewall Manager Issues

ID Number	Severity	Links to More Info	Description
1106273-4	2-Critical	BT1106273	"duplicate priming" assert in IPSECALG
1080957-5	2-Critical	BT1080957	TMM Seg fault while Offloading virtual server DOS attack to HW
990461-6	3-Major	BT990461	Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade&start;
1079985-2	3-Major	BT1079985	int_drops_rate shows an incorrect value
926425-6	4-Minor	BT926425	Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
1084901-2	4-Minor	BT1084901	Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh
1003377-4	4-Minor	BT1003377	Disabling DoS TCP SYN-ACK does not clear suspicious event count option

Policy Enforcement Manager Issues

ID Number	Severity	Links to More Info	Description
1091565-2	2-Critical		Gy CCR AVP:Requested-Service-Unit is misformatted/NULL
924589-6	3-Major	BT924589	PEM ephemeral listeners with source-address-translation may not count subscriber data
1108681-5	3-Major	BT1108681	PEM queries with filters return error message when a blade is offline
1093357-5	3-Major	BT1093357	PEM intra-session mirroring can lead to a crash
1089829-4	3-Major	BT1089829	PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers

Carrier-Grade NAT Issues

ID Number	Severity	Links to More Info	Description
1096317-5	3-Major	BT1096317	SIP msg alg zombie flows

Anomaly Detection Services Issues

ID Number	Severity	Links to More Info	Description
1060409-5	4-Minor	BT1060409	Behavioral DoS enable checkbox is wrong.

Traffic Classification Engine Issues

ID Number	Severity	Links to More Info	Description
1117297-2	4-Minor	BT1117297	Wr_urldbd continuously crashes and restarts&start;

iApp Technology Issues

ID Number	Severity	Links to More Info	Description
889605-1	3-Major	BT889605	iApp with Bot profile is unavailable if application folder includes a subpath
1004697-4	3-Major	BT1004697	Saving UCS files can fail if /var runs out of space

In-tmm monitors Issues

ID Number	Severity	Links to More Info	Description
1107549-1	2-Critical	BT1107549	In-TMM TCP monitor memory leak
1104037-1	2-Critical	BT1104037	Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire
1110241-1	3-Major	BT1110241	in-tmm http(s) monitor accumulates unchecked memory
1046917-5	3-Major	BT1046917	In-TMM monitors do not work after TMM crashes

SSL Orchestrator Issues

ID Number	Severity	Links to More Info	Description
969297-2	3-Major	BT969297	Virtual IP configured on a system with SelfIP on vwire becomes unresponsive
1095145-4	4-Minor	BT1095145	Virtual server responding with ICMP unreachable after using /Common/service

 

Known Issue details for BIG-IP v17.0.x

999669-4 : Some HTTPS monitors are failing after upgrade when config has different SSL option&start;

Links to More Info: BT999669

Component: Local Traffic Manager

Symptoms:
Some HTTPS monitors are failing after upgrade when the config has different SSL option properties for different monitors.

Conditions:
-- Individual SSL profiles exist for different HTTPS monitors with SSL parameters.
-- A unique server SSL profile is configured for each HTTP monitor (one with cert/key, one without).

Impact:
Some HTTPS monitors fail. Pool is down. Virtual server is down.

Workaround:
None

---

992865-4 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances

Links to More Info: BT992865

Component: TMOS

Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.

Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms
  + BIG-IP i11000 series (C123)
  + BIG-IP i15000 series (D116)

Impact:
Software SYN cookies are enabled, this has a performance impact compared to the hardware mode.

Workaround:
None

---

992053-7 : Pva_stats for server side connections do not update for redirected flows

Links to More Info: BT992053

Component: TMOS

Symptoms:
Pva_stats for server side connections do not update for the re-directed flows

Conditions:
-- Flows that are redirected to TMM.
-- Server flows are offloaded to PVA.

Impact:
PVA stats do not reflect the offloaded flow.

Workaround:
None

---

990461-6 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade&start;

Links to More Info: BT990461

Component: Advanced Firewall Manager

Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.

Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.

Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.

Workaround:
Manually update the SYN cookie threshold values after an upgrade.

---

990173-7 : Dynconfd repeatedly sends the same mcp message to mcpd

Links to More Info: BT990173

Component: Local Traffic Manager

Symptoms:
If dynconfd sends a single message to mcpd containing two or more operations, and one of the operations fails mcpd validation, dynconfd repeatedly sends same message to mcpd.

An example of two operations in one mcp message would be an ephemeral node creation and an ephemeral pool member creation in a single mcp message.

Conditions:
This can occur when:

-- Using FQDN nodes and FQDN pool members.

-- There is an additional issue where the message from dynconfd fails validation within mcpd (e.g., a misconfiguration in which the monitor assigned to the pool is configured with a wildcard destination and the pool member is added to the pool with a port of '0' or 'any'.

Impact:
By repeatedly resending the same messages, which fail repeatedly, dynconfd causes increased mcpd CPU utilization.

This might cause the population of ephemeral nodes and pool members to fail and become out of sync with what the DNS server is resolving.

Workaround:
Examine the LTM logs for mcpd error messages indicating failed attempts to create ephemeral nodes or ephemeral pool members, and resolve the cause of the failed node or pool-member creation.

---

988745-5 : On reboot, 'could not find platform object' errors may be seen in /var/log/ltm

Links to More Info: BT988745

Component: TMOS

Symptoms:
During a reboot, several error messages are logged in /var/log/ltm:

-- err mcpd[9401]: 01070710:3: Database error (0), get_platform_obj: could not find platform object - sys/validation/Platform.cpp, line 188.

-- err chmand[6578]: 012a0003:3: hal_mcp_process_error: result_code=0x1070710 for result_operation=eom result_type=eom

Conditions:
This occurs when either of the following conditions is met:
-- A fresh installation of a BIG-IP system.
-- A reboot after forcing the mcpd process to reload the BIG-IP configuration,

Impact:
There is no functional impact to these error messages.

Workaround:
None.

---

979045-5 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms

Links to More Info: BT979045

Component: TMOS

Symptoms:
After installing an Engineering Hotfix version of BIG-IP v14.1.0 or later, certain BIG-IP hardware systems. The Trusted Platform Module (TPM), status is showing as INVALID.

Conditions:
This may occur:
-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
   - ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
   - ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
   - ID963017 (https://cdn.f5.com/product/bugtracker/ID963017.html)
-- The issue is observed only on the following platforms:
   - i11600 / i11800
   - i11400-DS / i11600-DS / i11800-DS

Impact:
The TPM status INVALID indicates that the system integrity is compromised when it is actually valid.

Workaround:
None.

---

969297-2 : Virtual IP configured on a system with SelfIP on vwire becomes unresponsive

Links to More Info: BT969297

Component: SSL Orchestrator

Symptoms:
Virtual IP ARP does not get resolved when a SelfIP is configured on a virtual-wire.

Conditions:
Issue happens when a SelfIP address is configured and a Virtual IP address is configured for a Virtual Server.

Impact:
The virtual server is unreachable.

Workaround:
None

---

966949-7 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node

Links to More Info: BT966949

Component: TMOS

Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.

Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230

This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.

Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since is it not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, it is not possible for any FQDN ephemeral pool members to remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.

Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")

---

966785-4 : Rate Shaping stops TCP retransmission

Links to More Info: BT966785

Component: Local Traffic Manager

Symptoms:
When rate shaping is applied to a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.

Conditions:
This issue occurs when both of the following conditions are met:

-- Virtual server configured with a rate shaping.
-- Standard type of virtual server.

Impact:
The BIG-IP system does not retransmit unacknowledged data segments.

Workaround:
None

---

966461-8 : Tmm memory leak

Links to More Info: BT966461

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm leaks memory for DNSSEC requests.

Conditions:
NetHSM is configured but disconnected.

or

Internal FIPS card is configured and tmm receives more DNSSEC requests than the FIPS card is capable of handling.

Impact:
Tmm memory utilization increases over time.

Workaround:
None

---

964533-6 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.

Links to More Info: BT964533

Component: TMOS

Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.

Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.

Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.

There is no impact other than additional log entries.

Workaround:
None.

---

950201-5 : Tmm core on GCP

Links to More Info: BT950201

Component: TMOS

Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.

TMM panic with this message in a tmm log file:

panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.

Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141

-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.


Note: Using either workaround has a performance impact.

---

950153-4 : LDAP remote authentication fails when empty attribute is returned

Links to More Info: BT950153

Component: TMOS

Symptoms:
LDAP/AD Remote authentication fails and the authenticating service may crash.

The failure might be intermittent.

Conditions:
LDAP/AD server SearchResEntry includes attribute with empty or NULL value.

This can be seen in tcpdump of the LDAP communication in following ways

1. No Value for attribute . Example in tcpdump taken on affected user :

vals: 1 item
        AttributeValue:

2. 1. NULL Value for attribute . Example in tcpdump taken on affected user :

vals: 1 item
    AttributeValue: 00

Impact:
Logging in via the GUI will fail silently
Logging in via ssh will cause the sshd service on LTM to crash and logs will be seen under /var/log/kern.log

The logs will be similar to :

info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000]
info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0

Workaround:
There is no Workaround on the LTM side.

For LDAP, you change/add the value from none/NULL on the affected attribute to ANY dummy value which will prevent the issue

---

949137-8 : Clusterd crash and vCMP guest failover

Links to More Info: BT949137

Component: Local Traffic Manager

Symptoms:
Clusterd crashes and a vCMP guest fails over.

Conditions:
The exact conditions under which this occurs are unknown. It can occur during normal operation.

Impact:
Memory corruption and clusterd can crash, causing failover.

Workaround:
None.

---

947125-8 : Unable to delete monitors after certain operations

Links to More Info: BT947125

Component: Local Traffic Manager

Symptoms:
Unable to delete monitor with an error similar to:

01070083:3: Monitor /Common/my-mon is in use.

Conditions:
-- Monitors are attached directly to pool members, or node-level monitors exist.
-- Performing an operation that causes the configuration to get rebuilt implicitly, such as "reloadlic".

Impact:
Unable to delete object(s) no longer in use.

Workaround:
When the system gets into this state, save and reload the configuration:
tmsh save sys config && tmsh load sys config

---

945413-5 : Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync

Links to More Info: BT945413

Component: TMOS

Symptoms:
The BIG-IP system constantly downloads the certificate bundle if the CA-bundle manager config includes a URL.

Symptoms are different depending on if BIG-IP systems is in a manual or automatic sync device group.

Manual sync device groups will not stay in sync.

Automatic sync device groups will constantly sync.

Conditions:
The CA-bundle manager is configured.

Impact:
The keymgmtd and mcpd process gets into a loop that causes constant config changes and if the ca-bundle-manager includes a URL, the BIG-IP system constantly downloads the bundle.

---

945189-6 : HTTPS monitor fails due to missing ECDHE-RSA-AES256-CBC-SHA&start;

Links to More Info: BT945189

Component: Local Traffic Manager

Symptoms:
After upgrade, the 'DEFAULT' cipher in the server SSL profile attached to the HTTPS monitor does not include the ECDHE-RSA-AES256-CBC-SHA cipher suite in the Client Hello.

Conditions:
After upgrade, HTTPS monitor cipherlist is read from server SSL profile ciphers and set to DEFAULT after upgrade.

Impact:
1. Upgrade breaks the SSL pool monitoring.
2. It is also possible that the pools monitoring succeeds but with unexpected ciphers from the 'DEFAULT' list which may cause increased resource usage or unexpectedly weaker encryption.

Note: The ciphers negotiated between the HTTPS backend being monitored and the server SSL profile will still belong to the 'DEFAULT' list.

Workaround:
BIG-IP provides ways to customize the cipher string used by the server SSL profile.

Via the configuration utility:
https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-ltm-configuring-custom-cipher-string-for-ssl-negotiation/configuring-a-custom-cipher-string-for-ssl-negotiation.html

Via tmsh commands:
https://support.f5.com/csp/article/K65292843

---

940733-6 : Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt&start;

Links to More Info: BT940733

Component: Global Traffic Manager (DNS)

Symptoms:
The system fails during the boot-up process, reports a libcrypto validation error, and the system halts. The console will show this error:

Power-up self-test failures:
OpenSSL: Integrity test failed for libcrypto.so

This occurs after one of the following:
-- Upgrading a FIPS-enabled BIG-IP system, booting to a volume running an earlier software version
-- Running big3d_install from a BIG-IP GTM configuration to a BIG-IP LTM


On a FIPS-licensed BIG-IP LTM configuration, when checking the big3d version you may see something similar to this:

 /shared/bin/big3d -V
fips.c:204:f5_get_library_path: failed to dlopen libcrypto.so.1.0.2za
./big3d version big3d Version 17.0.0.0.0.22 for linux

Conditions:
-- FIPS-licensed BIG-IP system.
-- Upgrade.
-- Boot into a volume running an earlier version of the software.

Another way to encounter the issue is:

-- FIPS-licensed BIG-IP LTM.
-- BIG-IP DNS (GTM) device running a higher software version than the LTM.
-- Run big3d_install from a BIG-IP GTM-configuration pointing to FIPS-licensed BIG-IP LTM configuration.

Impact:
System boots to a halted state or big3d may continuously restart.

Workaround:
Before booting to the volume with the earlier version, delete /shared/bin/big3d.

Note: This issue might have ramifications for DNS/GTM support. DNS/GTM is not FIPS-certified.

If the target software volume has already experienced this issue (the system boots to a halted state), addition to deleting /shared/bin/big3d, follow the instructions in K25205233: BIG-IP System halted while booting. Halt at boot after FIPS Integrity Check Result FAIL :: https://support.f5.com/csp/article/K25205233 .

For additional information, see K29290121: Rollback after upgrade or big3d_install may cause FIPS to halt system on boot :: https://support.f5.com/csp/article/K29290121.

---

936501-7 : Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled

Links to More Info: BT936501

Component: TMOS

Symptoms:
When attempting to Export/Import a file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf via SCP, you receive an error dialog:

"file not allowed"

Conditions:
-- fips140 or common criteria mode enabled
-- Export/Import file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf

Impact:
Import/Export file using scp tool from/to the BIG-IP file path(s) /var/local/ucs or /var/local/scf not allowed when fips140 or cc mode enabled even if the file is encrypted.

Workaround:
None

---

932461-6 : Cert update on server SSL profile on HTTPS monitor: BIG-IP not using the updated certificate.

Links to More Info: BT932461

Component: Local Traffic Manager

Symptoms:
If you overwrite the certificate that is configured on the server SSL profile and used with the HTTPS monitor, the BIG-IP system still uses an old certificate.

After you update the certificate, the stored certificate is incremented, but monitor logging indicates it is still using the old certificate.

Conditions:
--Create a pool with an HTTPS pool member.
--Create an HTTPS monitor with cert and key.
--Assign the HTTPS monitor to the HTTPS pool.
--Update the certificate via GUI or tmsh.

Impact:
The monitor still tries to use the old certificate, even after the update.

Workaround:
Use either of the following workarounds:

-- Restart bigd:
bigstart restart bigd

-- Modify the server SSL profile cert key, set it to 'none', and switch back to the original cert key name.

The bigd utility successfully loads the new certificate file.

---

931149-4 : Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings

Links to More Info: BT931149

Component: Global Traffic Manager (DNS)

Symptoms:
RESOLV::lookup returns an empty string.

Conditions:
The name being looked up falls into one of these categories:

-- Forward DNS lookups in these zones:
    - localhost
    - onion
    - test
    - invalid

-- Reverse DNS lookups for:
    - 127.0.0.0/8
    - ::1
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
    - 0.0.0.0/8
    - 169.254.0.0/16
    - 192.0.2.0/24
    - 198.51.100.0/24
    - 203.0.113.0/24
    - 255.255.255.255/32
    - 100.64.0.0/10
    - fd00::/8
    - fe80::/10
    - 2001:db8::/32
    - ::/64

Impact:
RESOLV::lookup fails.

Workaround:
Use a DNS Resolver ('net dns') and RESOLVER::name_lookup / DNSMSG:: instead of RESOLV::lookup:

1. Configure a local 'net dns' resolver, replacing '192.88.99.1' with the IP address of your DNS resolver:

    tmsh create net dns-resolver resolver-for-irules answer-default-zones no forward-zones add { . { nameservers add { 192.88.99.1:53 } } }

2. Use an iRule procedure similar to this to perform PTR lookups for IPv4 addresses:

proc resolv_ptr_v4 { addr_v4 } {
    # Convert $addr_v4 into its constituent bytes
    set ret [scan $addr_v4 {%d.%d.%d.%d} a b c d]
    if { $ret != 4 } {
        return
    }

    # Perform a PTR lookup on the IP address $addr_v4, and return the first answer
    set ret [RESOLVER::name_lookup "/Common/resolver-for-irules" "$d.$c.$b.$a.in-addr.arpa" PTR]
    set ret [lindex [DNSMSG::section $ret answer] 0]
    if { $ret eq "" } {
        # log local0.warn "DNS PTR lookup for $addr_v4 failed."
        return
    }

    # Last element in '1.1.1.10.in-addr.arpa. 600 IN PTR otters.example.com'
    return [lindex $ret end]
}

-- In an iRule, instead of:
    RESOLV::lookup @192.88.9.1 $ipv4_addr
Use:
    call resolv_ptr_v4 $ipv4_addr

---

930393-1 : IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration

Links to More Info: BT930393

Component: TMOS

Symptoms:
-- IPsec tunnel does not start.
-- Remote IPsec networks unavailable.

Conditions:
-- Using IKEv1 and one of the following:
   + Performing an upgrade.
   + IPsec tunnel reconfiguration generally involving a change to, or addition of, a traffic-selector.

Impact:
IPsec tunnel is down permanently.

Workaround:
-- Reconfigure or delete and re-create the traffic selectors associated with the IPsec tunnel that does not start.

Special Notes:
-- This occurs rarely and does not happen spontaneously, without intentional changes (reconfiguration or upgrade).
-- A BIG-IP reboot or a restart of tmipsecd does not resolve this condition.
-- This symptom might also occur due to a genuine misconfiguration.
-- After major version upgrades, default ciphers can change, double-check the encryption and authentication ciphers for the tunnel.

---

929429-9 : Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed

Links to More Info: BT929429

Component: Local Traffic Manager

Symptoms:
Whenever you create Oracle or SQL (mssql, mysql or postgresql) database monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs.

Conditions:
-- Create an Oracle or SQL database LTM monitor.
-- Add a pool member to the Oracle or SQL database monitor created.
-- Platform FIPS is licensed.

Impact:
High CPU Usage due to the loading of libraries whenever new connection is created.

Workaround:
None.

---

929173-5 : Watchdog reset due to CPU stall detected by rcu_sched

Links to More Info: BT929173

Component: TMOS

Symptoms:
Rcu_sched detected CPU stall, which can cause vCMP host reboot. The device reboots without core and records "Host Watchdog timeout."

Typically there will logs in kern.log similar to:
err kernel: : [526684.876928] INFO: rcu_sched detected stalls on CPUs/tasks: ...

Conditions:
Host undergoing a watchdog reset in a vCMP environment.

Impact:
CPU RCU stalls and host watchdog reboots

---

928445-7 : HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2

Links to More Info: BT928445

Component: Local Traffic Manager

Symptoms:
HTTPS monitor state is down when server_ssl profile cipher string has the value 'TLSv1_2'.
 -- configured cipherstring TLSv1_2/TLSv1_1 is rejected by OpenSSL.

Conditions:
-- Pool member is attached with HTTPS monitor.
-- Monitor is configured with an SSL profile.
-- The configured server_ssl profile has cipher string as DEFAULT:!TLSv1_2.

Impact:
Pool status is down.

Workaround:
-- Enable 'in-tmm' monitoring.
-- Use SSL options available in the server SSL profile to disable TLSv1_2 or TLSv1_1 instead of cipher string.
-- Use the same cipher string with cipher group / cipher rule that is attached to the SSL profile.

---

926425-6 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts

Links to More Info: BT926425

Component: Advanced Firewall Manager

Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection continue to be unsupported until hardware SYN cookies are disabled.

Conditions:
SYN Cookie activated on Neuron-capable platforms:
  + VIPRION B4450N blade
  + BIG-IP iSeries devices (ix800) except the i850, ix2800, and ix4800:
     -- BIG-IP i5800 Series
     -- BIG-IP i7800 Series
     -- BIG-IP i11800 Series
     -- BIG-IP i15800 Series

Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.

Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options are not taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.

Workaround:
You can use any of the following to clear the HSB issue:
-- Restart neurond.
-- Restart TMM,
-- Reboot the device.

---

925469-4 : SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo

Links to More Info: BT925469

Component: TMOS

Symptoms:
When using the Certificate Order Manager to request new Multi-Domain certificate from the Sectigo Certificate Authority (CA), the request the BIG-IP sends is missing the field 'subjectAltName'.

Conditions:
-- Certificate Order Manager is configured to send requests to the Comodo/Sectigo CA.

-- Configure a new key with Subject Alternative Name (SAN).

Impact:
The BIG-IP system sends a request to the Sectigo CA that is missing the 'subjectAltName' field. That makes Certificate Order Manager not suitable for requesting Multi-Domain certificates.

Workaround:
There is no workaround other than not using Certificate Order Manager for Multi-Domain certificates.

---

924589-6 : PEM ephemeral listeners with source-address-translation may not count subscriber data

Links to More Info: BT924589

Component: Policy Enforcement Manager

Symptoms:
When a PEM profile is associated with a protocol that can create dynamic server-side listeners (such as FTP), and source-address-translation is also enabled on the virtual server, traffic on that flow (for example ftp-data) is not associated with the subscriber, and is therefore not counted or categorized.

Conditions:
-- Listener configured with PEM and FTP profiles
-- Some form of source address translation is enabled on the listener (for example, SNAT, Automap, SNAT Pool)

Impact:
Inaccurate subscriber traffic reporting and classification.

Workaround:
None.

---

922737-3 : TMM crash

Links to More Info: BT922737

Component: Local Traffic Manager

Symptoms:
TMM crashes with a sigsegv while passing traffic

Conditions:
Virtual server with a Connector profile that redirects to an internal virtual server on the same BIG-IP system

Impact:
Traffic disrupted while tmm restarts.

---

921149-7 : After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy

Links to More Info: BT921149

Component: TMOS

Symptoms:
All Bandwidth Controller (BWC) stats are 0 (zero) even though traffic is passing.

Conditions:
-- A BWC policy is attached to a virtual server.
-- The virtual server with the attached BWC policy is modified.

Impact:
The system disassociates the BWC policy from the virtual server. Traffic is no longer throttled according to the policy rules.

Workaround:
To reattach the policy, detach the Bandwidth Controller policy from the virtual server, and then reapply it.

---

915141-6 : Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'

Links to More Info: BT915141

Component: TMOS

Symptoms:
Availability status of virtual server can be left 'available' even if the corresponding pool's availability becomes 'unknown'.

Conditions:
- Pool member is configured as an FQDN node.
- You set monitor to 'none' with the pool.

Impact:
Inconsistent availability status of pool and virtual server.

Workaround:
Set the FQDN node to 'force offline', and then 'enable'. This triggers virtual server's status updates and syncs to pool.

---

912293-6 : Persistence might not work properly on virtual servers that utilize address lists

Links to More Info: BT912293

Component: Local Traffic Manager

Symptoms:
-- Connections to the virtual server might hang.
-- Increased tmm CPU utilization.

Conditions:
-- A virtual server is configured with a traffic-matching-criteria that utilizes a source-address-list and/or destination-address-list.

-- The virtual server utilizes certain persistence one of the following persistence types:
  + Source Address (but not hash-algorithm carp)
  + Destination Address (but not hash-algorithm carp)
  + Universal
  + Cookie (only cookie hash)
  + Host
  + SSL session
  + SIP
  + Hash (but not hash-algorithm carp)

Impact:
-- High tmm CPU utilization.
-- Stalled connections.

Workaround:
Enable match-across-virtuals in the persistence profile.

Note: Enabling match-across-virtuals might might affect the behavior of other virtual servers in the configuration that utilize persistence.

---

908453-6 : Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly

Links to More Info: BT908453

Component: TMOS

Symptoms:
When a trunk is configured with a name longer than 32 characters on a vCMP host, guests update the working-mbr-count for the trunk incorrectly when another trunk on the host changes. This might result in vCMP guests failing over unexpectedly.

Conditions:
-- Trunk configured with a name longer than 32 characters on vCMP host.
-- Trunk made available to guests for high availability (HA) Group scoring.
-- At least one other trunk configured on vCMP host.
-- Interface state changes in any other trunk.

Impact:
The vCMP guests may fail over unexpectedly.

Workaround:
Do not use trunk names longer than 32 characters.

---

901569-5 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.

Links to More Info: BT901569

Component: Local Traffic Manager

Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.

Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).

Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server.

Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.

---

889605-1 : iApp with Bot profile is unavailable if application folder includes a subpath

Links to More Info: BT889605

Component: iApp Technology

Symptoms:
iApp with Bot profile is unavailable if the application folder includes a subpath. If the subpath is not present then iApp with bot profile is available.

Conditions:
1) Create default "Bot Protection" or "Web Application Comprehensive Protection" with an enabled "Bot Defense" use case in WGC without a virtual server.
2) Go to "iApps >> Application Services: Applications" and refer to the created iApp.

Impact:
iApp cannot be loaded when tried to open through iApps >> Applications view in TMUI.

Workaround:
View the configuration created from Guided configuration as mentioned: iApps >> Application Services >> Applications LX menu

---

887265-5 : BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration&start;

Links to More Info: BT887265

Component: Local Traffic Manager

Symptoms:
When booting to a boot location for the first time, the system does not come on-line.

Conditions:
-- There is a large configuration.
-- VLAN failsafe is configured, and the failsafe-action is something other than failover.
-- The BIG-IP system is an appliance.

Impact:
BIG-IP processes continually restart (VLAN failsafe-action failover-restart-tm), or the BIG-IP system continually reboots (VLAN failsafe-action reboot)

Workaround:
Either disable VLAN failsafe or set the failsafe-action to failover during an upgrade.

---

879969-9 : FQDN node resolution fails if DNS response latency >5 seconds

Links to More Info: BT879969

Component: TMOS

Symptoms:
When resolving FQDN names for FQDN nodes/pool members, pending DNS requests are timed out after 5 seconds with no response from the DNS server.
If there is a persistent latency of 5 seconds or greater in the DNS server responses, FQDN name resolution will fail and ephemeral nodes/pool members will not be created.

Conditions:
- BIG-IP using FQDN nodes/pool members
- Persistent latency of 5 seconds or greater in the DNS server responses

Impact:
Ephemeral pool members may not be created, thus no traffic will be sent to the intended pool members.

Workaround:
Resolve any persistent latency issues that might cause delays of 5 seconds or more in DNS server responses.

---

878641-4 : TLS1.3 certificate request message does not contain CAs

Links to More Info: BT878641

Component: Local Traffic Manager

Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4

Conditions:
TLS1.3 and client authentication

Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected

---

842669-7 : Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log

Links to More Info: BT842669

Component: TMOS

Symptoms:
Systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log. Bare ')' being logged to /var/log/user.log., for example:

cat /var/log/user.log
[...]: Deleting file /shared/core/*.core.*
[...]: Deleting file /shared/core/*.core.*
[...] )
[...] )

Conditions:
This occurs when the system logs syslog messages containing embedded newlines, such as

- The cron process tries and fails to send an email because of output from a cron script.
- Modifying the syslog 'include' configuration
- Applying ASM policy configuration change
- GTM.debugprobelogging output from big3d
- iqsyncer mcpd message debug output (log.gtm.level=debug)

Impact:
The logging subsystem accepts syslog messages with embedded newlines, and writes first line to the appropriate file, and remaining lines to /var/log/user.log.

Workaround:
View the logs using journalctl

---

831737-4 : Memory Leak when using Ping Access profile

Links to More Info: BT831737

Component: Access Policy Manager

Symptoms:
The memory usage by pingaccess keeps going up when sending request with expired session cookie to a virtual server with PingAccess Profile.

Conditions:
1. BIG-IP virtual server that contains PingAccess Profile.
2. Request sent with expired session cookie.

Impact:
Memory leak occurs in which ping access memory usage increases.

---

796065-3 : PingAccess filter can accumulate connections increasing memory use.

Links to More Info: BT796065

Component: Access Policy Manager

Symptoms:
Currently the maximum http header count value for ping access is 64. The connection to the backend is aborted if there are more than 64 headers.

Conditions:
1. Ping access is configured.
2. The HTTP header count is more than 64.

Impact:
Connection is aborted by the BIG-IP system users are unable to access the backend.

Workaround:
None

---

775845-7 : Httpd fails to start after restarting the service using the iControl REST API

Links to More Info: BT775845

Component: TMOS

Symptoms:
After restarting httpd using the iControl REST API, httpd fails to start, even with a subsequent restart of httpd at the command line.

Similar to the following example:

config # restcurl -u admin:admin /tm/sys/service -X POST -d '{"name":"httpd", "command":"restart"}'
{
  "kind": "tm:sys:service:restartstate",
  "name": "httpd",
  "command": "restart",
  "commandResult": "Stopping httpd: [ OK ]\r\nStarting httpd: [FAILED]\r\n(98)Address already in use: AH00072: make_sock: could not bind to address n.n.n.n:n\nno listening sockets available, shutting down\nAH00015: Unable to open logs\n"
}

config # tmsh restart sys service httpd
Stopping httpd: [ OK ]
Starting httpd: [FAILED]

Conditions:
Restarting httpd service using iControl REST API.

Impact:
Httpd fails to start.

Workaround:
To recover from the failed httpd state, you can kill all instances of the httpd daemon and start httpd:

killall -9 httpd

tmsh start sys service httpd

---

769741-5 : TCP connection between mcp and tmm may get stalled

Links to More Info: BT769741

Component: TMOS

Symptoms:
TMM may get stuck at start-up and does not transition to ready state.

Conditions:
The exact conditions remain unknown, however, the likelihood of this occurring increases with the number of TMMs.

Impact:
TMM does not complete startup, getting stuck on cmp_mpi. Traffic disrupted while tmm is offline.

Workaround:
1. Make the following modifications to profile tcp _mcptcp in /usr/lib/tmm/tmm_base.tcl:

Change this:
 rcvwnd 4194304

To this:
 rcvwnd 131072

2. To apply the changes, run the following command:
bigstart restart tmm

---

760982-4 : An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios

Links to More Info: BT760982

Component: TMOS

Symptoms:
Soft out reset does not work for the default route.

Conditions:
-- BGP enabled
-- A route configuration change is made and 'clear ip bgp <IP-addr> soft in/out' is executed

Impact:
A default-route is not propagated in Network Layer Reachability Information (NLRI) by 'soft out' request.

Workaround:
None

---

760354-16 : Continual mcpd process restarts after removing big logs when /var/log is full

Links to More Info: BT760354

Component: TMOS

Symptoms:
The BIG-IP device suddenly stops passing traffic. You might see errors similar to the following:

err mcpd[15230]: 01070596:3: An unexpected failure has occurred, TAP creation failed (tmm): Permission denied - net/validation/routing.cpp, line 168, exiting...

Conditions:
This might occur when when /var/log is full and then you remove big logs.

Impact:
The mcpd process restarts continuously. This occurs because tmm blocks mcpd from restarting after /var/log fills up.

Workaround:
Empty the contents of big size log files under /var/log and reboot the BIG-IP system.

If that does not resolve the problem, restart all processes (bigstart restart) or reboot the box.

---

755207-4 : Large packets silently dropped on VE mlxvf5 devices

Links to More Info: BT755207

Component: TMOS

Symptoms:
Jumbo frames are disabled by default for Mellanox ConnectX-4 and ConnectX-5 devices using the mlxvf5 driver (i.e., many BIG-IP Virtual Edition (VE) configurations). Packets larger than 1500 bytes are silently dropped. Only packets up to 1500 bytes are supported when jumbo framers are disabled.

Conditions:
BIG-IP VE with SR-IOV using Mellanox ConnectX-4 or ConnectX-5 NICs.

Typically this represents VE configurations running on private Cloud environments such as VMware, KVM, OpenStack, and others.

Note: You can determine your environment by running the following commands:

# tmctl -d blade tmm/device_probed
# tmctl -d blade xnet/device_probed

Configurations exhibiting this issue either:

1. reports a value of 'mlxvf5' in the driver_in_use column in tmm/device_probed, and possibly reports 'tmctl: xnet/device_probed: No such table.'
2. reports a value of 'xnet' in the driver_in_use column in tmm/device_probed, and a value of 'mlxvf5' in the driver_in_use column in xnet/device_probed.

Impact:
Packets larger than 1500 bytes are dropped without a warning.

Workaround:
Enable jumbo frames and then restart tmm.

1. Add the following line to /config/xnet_init.tcl:
drvcfg mlxvf5 jumbo_support 1

2. Restart tmm:
bigstart restart tmm

Important: There are two possible mlxvf5 drivers. It is possible to enable jumbo frames only for the xnet-based driver.

Important: Enabling jumbo frames causes a performance loss for 1500-byte-size packet, but offers higher throughput at lower CPU usage for larger packets. Note that 1500 bytes is the most common size for internet packets.

---

739475-7 : Site-Local IPv6 Unicast Addresses support.

Links to More Info: BT739475

Component: Local Traffic Manager

Symptoms:
No reply to Neighbor Advertisement packets.

Conditions:
Using FE80::/10 addresses in network.

Impact:
Cannot use FE80::/10 addressees in network.

Workaround:
N/A

---

737692-7 : Handle x520 PF DOWN/UP sequence automatically by VE

Links to More Info: BT737692

Component: TMOS

Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that is passed to the BIG-IP-VE). If an x520 device's PF is set down and then up, tmm does not recover traffic on that interface.

Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.

Impact:
VE does not process any traffic on that VF.

Workaround:
Reboot VE.

---

658943-6 : Errors when platform-migrate loading UCS using trunks on vCMP guest

Links to More Info: BT658943

Component: TMOS

Symptoms:
During platform migration from a physical BIG-IP system to a BIG-IP vCMP guest, the load fails with one of these messages:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.

01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.

Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest.

Impact:
The platform migration fails and the configuration does not load.

Workaround:
You can use one of the following workarounds:

-- Remove all trunks from the source configuration prior to generation of the UCS.

-- Before loading the UCS archive onto the target BIG-IP, edit the archive and remove the trunk configuration from ./config/bigip_base.conf, and then repack the UCS.

-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.

---

632553-7 : DHCP: OFFER packets from server are intermittently dropped

Links to More Info: K14947100, BT632553

Component: Local Traffic Manager

Symptoms:
With a DHCP relay virtual server, OFFER packets from DHCP server are intermittently not forwarded to the client and dropped on BIG-IP system.

Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.

Impact:
Client machines joining the network do not receive DHCP OFFER messages.

Workaround:
Manually delete the serverside to force it to be recreated by the next DHCP request.

For example, if the flow to the DHCP server 10.0.66.222 is broken, issue the following tmsh command:

tmsh delete sys connection ss-server-addr 10.0.66.222 cs-server-port 67

---

566995-5 : bgpd might crash in rare circumstances.

Links to More Info: BT566995

Component: TMOS

Symptoms:
Under unspecified conditions and in rare cases, bgpd might crash. Although bgpd restarts right away, routing table might be impacted.

Conditions:
The conditions under which this occurs are not known.

Impact:
This might impact routing table and reachability.

Workaround:
None known.

---

1128169-2 : TMM core when IPsec tunnel object is reconfigured

Links to More Info: BT1128169

Component: TMOS

Symptoms:
TMM may core when a "tunnel tunnels" object related to an IPsec interface is reconfigured.

For example, a command that changes the IP address of the object may lead to a core:

# tmsh modify net tunnels tunnel my-ipsec-tunnel remote-address 1.2.3.4

Conditions:
-- IPsec IKEv1 or IKEv2.
-- Tunnel is in "interface" mode.
-- Tunnel object is reconfigured while the tunnel is up.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure the tunnel is down before reconfiguring it.
-- Set the IKE-Peer config state to disabled.
-- Delete an established IKE SA and IPsec SA related to that peer.

For example:

  # tmsh modify net ipsec ike-peer <Name> state disabled
  # tmsh delete net ipsec ike-sa peer-ip <IP>
  # tmsh delete net ipsec ipsec-sa dst-addr <IP>

"Name" is the specific name given to the ike-peer config object.
"IP" is the address configured to use for the remote peer.

Then make the desired changes and enable the IKE-Peer.

  # tmsh modify net ipsec ike-peer <name> state enabled

---

1127881-1 : Deprecate sysClientsslStatFullyHwAcceleratedConns, sysClientsslStatPartiallyHwAcceleratedConns and sysClientsslStatNonHwAcceleratedConns

Links to More Info: BT1127881

Component: TMOS

Symptoms:
SSL Hardware Acceleration MIBs are still in use which are meant to be deprecated.

Conditions:
Run snmpwalk for these MIBS and it's active.

#snmpwalk -c public localhost -v2c F5-BIGIP-SYSTEM-MIB::sysClientsslStatFullyHwAcceleratedConns
F5-BIGIP-SYSTEM-MIB::sysClientsslStatFullyHwAcceleratedConns.0 = Counter64: 0

# snmpwalk -c public localhost -v2c F5-BIGIP-SYSTEM-MIB::sysClientsslStatPartiallyHwAcceleratedConns
F5-BIGIP-SYSTEM-MIB::sysClientsslStatPartiallyHwAcceleratedConns.0 = Counter64: 0

# snmpwalk -c public localhost -v2c F5-BIGIP-SYSTEM-MIB::sysClientsslStatNonHwAcceleratedConns
F5-BIGIP-SYSTEM-MIB::sysClientsslStatNonHwAcceleratedConns.0 = Counter64: 0

Impact:
SSL MIB not up-to-date

Workaround:
None

---

1127805-1 : Server.crt containing "<" will cause frequent reconnects between local gtmd and big3d

Links to More Info: BT1127805

Component: Global Traffic Manager (DNS)

Symptoms:
Resources flap, frequent reconnects occur between the local gtmd and big3d.
Logs similar to this:
Jul 15 22:56:32 GSLB2 warning gtmd[11773]: 011ae023:4: XML parsing error not well-formed (invalid token) at line 483

Jul 15 05:36:54 GSLB2 notice gtmd[6917]: 011ae01a:5: SSL handshake complete to 10.10.10.10
Jul 15 05:37LB2 notice gtmd[6917]: 011ae01a:5: SSL handshake complete to 10.10.10.10
Jul 15 05:37:24 GSLB2 notice gtmd[6917]: 011ae01a:5: SSL handshake complete to 10.10.10.10
Jul 15 05:37:34 GSLB2 notice gtmd[6917]: 011ae01a:5: SSL handshake complete to 10.10.10.10

Conditions:
Server.crt containing "<"

Impact:
-- GTMs frequently leave/join the GTM sync group
-- Resources are marked up and down.

Workaround:
1. On each GTM, run bigip_add for all defined BIG-IP servers.
Or
2. Remove "<" from the server.crt file.

---

1126329-1 : SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT&start;

Links to More Info: BT1126329

Component: Local Traffic Manager

Symptoms:
SSL Orchestrator sends a TLS client hello instead of the expected HTTP CONNECT, leading to a failure in the client environment after an upgrade.

Conditions:
SSL Orchestrator in explicit proxy mode with proxy chaining enabled

Impact:
The exit proxy gives an HTTP 5xx error in response to the unexpected TLS Client Hello.

Workaround:
None

---

1125733-5 : Wrong server-side window scale used in hardware SYN cookie mode

Links to More Info: BT1125733

Component: TMOS

Symptoms:
Client enables Window Scale in the first SYN packet with a specific factor value, however the BIG-IP system disables Window Scale in its SYN/ACK response.

Instead, disabling the Window Scale TCP option in both peer BIG-IPs, TMM honors the Window Scale presented by the client in the first SYN, whereas client assumes Window Scale is disabled. This will cause BIG-IP to send data payload bytes exceeding the client's Windows Size.

Conditions:
Below conditions must be met in order to match this issue:

- Client and server enables timestamp TCP option.
- Client enables Window Scale TCP option.
- SYN Cookie HW is activated in BIG-IP.

Impact:
This can cause performance issues because some packets could need to be retransmitted.

In rare cases where client TCP stack is configured to abort connection when it receives window overflow the connection will be RST by client.

Workaround:
The preferred workaround is changing to Software SYN Cookie mode.

---

1125161-3 : Wideip fails to display or delete in the Link Controller GUI.

Links to More Info: BT1125161

Component: Global Traffic Manager (DNS)

Symptoms:
Attempting to display (i.e. click on) a WideIP in the Link Controller GUI returns an error similar to the following example:

General error: Error parsing value of "null" of type "gtm_qtype_t" in statement [SELECT SINGLE *, gtm_pool.name as pool_name FROM gtm_wideip, gtm_pool WHERE (name = '/Common/example.com' AND type = '1' AND pool_name = 'null' AND pool_type = 'null')]

Attempting to delete a Wideip in the Link Controller GUI returns an error similar to the following example (and the delete operation fails):

01020036:3: The requested Pool (A /Common/example.com) was not found.

Conditions:
-- Link Controller system.

-- The Wideip in question has no associated Pool. This is likely the result of improperly creating the Wideip via the tmsh utility, or upgrading the system from an earlier version which caused your configuration to be automatically fixed up (such as creating distinct A and AAAA Wideips from an earlier unique Wideip entry).

Impact:
The GUI cannot be used to display or delete the Wideip.

Workaround:
Link Controller, unlike GTM, does not expose the concept of Pools. Link Controller only exposes WideIPs and Virtual Servers. Pools exist, but are managed automatically by the system on your behalf.

If a WideIPs created using the GUI, the WideIP will be assigned a Pool of the same type and name automatically. This also happens if you initially decide to assign no Virtual Servers to the WideIP (and things work as intended in the BIG-IP GUI).

However, the tmsh utility is not aligned with this Link Controller requirement, and allows you to create WideIPs with no associated Pool.

If you have experienced this issue:

1) Deleted the affected WideIP using the tmsh utility.

2a) Going forward, use the GUI to define more Link Controller WideIPs.

2b) Alternatively, if you must use the tmsh utility to do so, ensure each WideIP you create is assigned an identically named Pool of the same type, even if initially you decide to place no Virtual Servers in the Pool. For example, define something like the following:

gtm pool a /Common/example.com { }
gtm wideip a /Common/example.com {
    pools {
        /Common/example.com {
            order 0
        }
    }
}

---

1124217-5 : Big3d cores on CTCPSocket::TCPReceive and connector

Links to More Info: BT1124217

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d crashes.

Conditions:
Big3d keeps restarting and coring on gtm with a large quantity of monitors configured.

Impact:
Segmentation fault and big3d restarts.

Workaround:
None

---

1124085-5 : iRules command [info hostname] does not reflect modified hostname

Links to More Info: BT1124085

Component: Local Traffic Manager

Symptoms:
Result from [info hostname] iRules command does not change after modifying system hostname.

Conditions:
- iRules [info hostname] command is being used.
- System hostname is modified.

Impact:
iRules command [info hostname] might reflect incorrect/old hostname

Workaround:
Use $static::tcl_platform(machine) insted of [info hostname]

---

1123885-1 : A specific type of software installation may fail to carry forward the management port's default gateway.

Links to More Info: BT1123885

Component: TMOS

Symptoms:
After performing a specific type of software installation, the unit returns on-line without the management port's default gateway.

Conditions:
-- A software installation that does not carry forward the entirety of the BIG-IP system's configuration is performed. For example, this is achieved by running "image2disk --format=volumes <...>", or by using the live-install subsystem after disabling the liveinstall.saveconfig and liveinstall.moveconfig db keys. This type of installation, however, does carry forward the management port's configuration (IP address, subnet mask, and default gateway).

-- In addition to the default gateway, the management port is configured with additional static routes (for example, to a log server, dns server, etc.).

-- When mcpd is queried for the management routes, the default gateway is not the first entry in mcpd's reply (this is something outside of your control that entirely depends on the name of the objects and how the config was loaded).

Impact:
On Virtual Edition systems, this issue coupled with the removal of autolasthop from the management port means you will not be able to connect to the BIG-IP system's management port from non-directly connected clients after the installation.

On all systems, this issue means the BIG-IP system will not be able to initiate connections to non-directly connected systems over the management port after the installation.

Note: If the system is configured for dual-stack (IPv4 and IPv6) this issue can affect either (or both) stack.

Workaround:
After the issue has occurred, you can connect to the affected BIG-IP system by means of serial console or video console and apply the default gateway again.

If you are trying to prevent this issue, you can remove all management routes except the default one before performing this type of installation.

---

1123149-1 : Sys-icheck fail for /etc/security/opasswd

Links to More Info: BT1123149

Component: TMOS

Symptoms:
In common criteria mode, when password-memory is set to > 0 and create the user and login from CLI causes the system integrity check to failed

An error message may be logged "ERROR: S.5...... c /etc/security/opasswd (no backup)"

Conditions:
--- common criteria mode enabled
--- password-memory set to > 0 in password-policy configuration
--- create a new user and login first time using CLI
--- run sys-icheck

Impact:
System integrity check failure when common criteria mode is enabled

Workaround:
None

---

1122473-5 : TMM core

Links to More Info: BT1122473

Component: Access Policy Manager

Symptoms:
Multiple TMM panics because of a race condition between urldb and TMM.

Conditions:
There seems to be some scenario probably related to boot time timings which allows urldb to create a file, thus preventing TMM from using it, causing the TMM to crash

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

---

1122441-6 : Upgrade expat library to the latest version(2.4.8) to fix CVE's.

Links to More Info: BT1122441

Component: TMOS

Symptoms:
For more information see:
https://support.f5.com/csp/article/K19473898
https://support.f5.com/csp/article/K91589041
https://support.f5.com/csp/article/K23421535
https://support.f5.com/csp/article/K23231802

Conditions:
For more information see:
https://support.f5.com/csp/article/K19473898
https://support.f5.com/csp/article/K91589041
https://support.f5.com/csp/article/K23421535
https://support.f5.com/csp/article/K23231802

Impact:
The following CVEs impact BIG-IP modules.
CVE-2021-45960, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-23515, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2021-46143.

For more information see:
https://support.f5.com/csp/article/K19473898
https://support.f5.com/csp/article/K91589041
https://support.f5.com/csp/article/K23421535
https://support.f5.com/csp/article/K23231802

Workaround:
N/A

---

1122377-1 : If-Modified-Since always returns 304 response if there is no last-modified header in the server response

Links to More Info: BT1122377

Component: Local Traffic Manager

Symptoms:
Requests sent with an If-Modified-Since header always return a 304 Not Modified response

Conditions:
The Last Modified header is not included in the origin server response headers.

Impact:
When the Last Modified header is not present in the response, its default value i.e., Thu, 01 Jan 1970 00:00:00 GMT, is used and 304 Not Modified is sent to the client.

Workaround:
Add the Last-Modified header to the response headers using iRule

when HTTP_RESPONSE priority 1 {
  set time [clock format [clock seconds] -gmt 1 -format "%a, %d %b %Y %H:%M:%S %Z"]
  HTTP::header insert Last-Modified $time
  log local0.debug "Inserting Last-Modified header as $time"
}

---

1122153-5 : Zonerunner GUI displaying incorrect error string "RRSig Covers Unsupported Record Type"

Links to More Info: BT1122153

Component: Global Traffic Manager (DNS)

Symptoms:
Zonerunner is displaying incorrect error information when it is unable to parse the value.

Conditions:
Zonerunner displays such errors when it is unable to parse the value when displaying records.

Impact:
The error message suggests it is a DNSSEC issue (RRSig) and is misleading.

Workaround:
None

---

1122021-4 : Killall command might create corrupted core files

Links to More Info: BT1122021

Component: TMOS

Symptoms:
When killing multiple processes via the 'killall' command, a single corrupted core file is created.

Conditions:
- using killall command
- killing multiple processes

Impact:
Corrupted core file is created.

Workaround:
Kill single specific processes instead

---

1121937-5 : ZoneRunner GUI is unable to display CAA records with "Property Value" set to ";"

Links to More Info: BT1121937

Component: Global Traffic Manager (DNS)

Symptoms:
If you try to view CAA record in ZoneRunner with "Property Value" set to ";", then "RRSig Covers Unsupported Record Type<none>:1: <none>:1: expected a string" message is displayed in GUI.

Conditions:
- Navigate to DNS :: Zones :: ZoneRunner :: Resource Record List :: Search All Records.

- Click on record of type CAA where the "Property Value" is set to ";".

Impact:
Unable to view or update CAA records through GUI where the "Property Value" is set to ";".

Workaround:
Manually edit or view the BIND configuration from the command line.

---

1121517-1 : Interrupts on Hyper-V are pinned on CPU 0

Links to More Info: BT1121517

Component: TMOS

Symptoms:
CPU 0 utilization is higher relative to other CPUs.

Conditions:
BIG-IP is deployed on a Hyper-V platform.

Impact:
Performance is degraded.

---

1121349-1 : CPM NFA may stall due to lack of other state transition

Links to More Info: BT1121349

Component: Local Traffic Manager

Symptoms:
The CPM NFA string state machines may stall due to missing data.

Conditions:
-- HTTP virtual server with LTM policy and iRule

Impact:
LTM policy rule does not trigger on HTTP URI path condition

Workaround:
Change rule from "HTTP URI path contains" to "HTTP URI full string contains"

---

1121169-4 : Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use

Links to More Info: BT1121169

Component: TMOS

Symptoms:
On systems where ID1004833 has been fixed, the resizing instructions for /appdata from K74200262 no longer work.

Conditions:
When the jitterentropy-rngd is started by systemd which is the default state of the BIG-IP.

Impact:
A filesystem resize operation may fail with the following error:

# lvreduce --resizefs --size -40G /dev/mapper/vg--db--sda-dat.appdata
Do you want to unmount "/appdata"? [Y|n] y
fsck from util-linux 2.23.2
/dev/mapper/vg--db--sda-dat.appdata is in use.
e2fsck: Cannot continue, aborting.

resize2fs 1.42.9 (28-Dec-2013)
resize2fs: Device or resource busy while trying to open /dev/mapper/vg--db--sda-dat.appdata
Couldn't find valid filesystem superblock.
fsadm: Resize ext3 failed
  fsadm failed: 1
  Filesystem resize failed.

Workaround:
Unmount /appdata and restart the jitterentropy-rngd, and then retry the resize operation.

---

1120685-1 : Unable to update the password in the CLI when password-memory is set to > 0

Links to More Info: BT1120685

Component: TMOS

Symptoms:
A BIG-IP system with password-memory enabled will fail to update the user password in the first login using the CLI

Conditions:
Password-memory set to > 0 in password-policy configuration

Impact:
Not able to update the user password in the first login using the CLI.

Workaround:
Create the user using the GUI and log in from the GUI.

---

1120529-2 : Illegal internal request in multipart batch request

Links to More Info: BT1120529

Component: Application Security Manager

Symptoms:
Request parser for inner request is intolerant for a linefeed that results in a HTTP Protocol Compliance violation with the following details.

HTTP Validation Bad multipart parameters parsing
Details Illegal internal request in multipart batch request

Conditions:
- multipart/batch(ing) request
- inner requests use LF for end-of-line marker, instead of canonical marker CRLF

Impact:
Request gets blocked

Workaround:
None

---

1120433-1 : Removed gtmd and big3d daemon from the FIPS-compliant list

Links to More Info: BT1120433

Component: TMOS

Symptoms:
The gtmd is not able to establish a secure connection to big3d due to failure in handshake because no common ciphers were found between big3d and gtmd in FIPS mode.

Conditions:
-- BIG-IP versions 16.1.3 and above
-- FIPS 140-3 license is installed on BIG-IP or its a FullBoxFIPS device.
-- Connections are established between big3d and gtmd in FIPS mode.

Impact:
SSL handshakes fail between big3d and gtmd because no common ciphers are present.

Workaround:
None

---

1120345-7 : Running tmsh load sys config verify can trigger high availability (HA) failover

Links to More Info: BT1120345

Component: TMOS

Symptoms:
When running tmsh 'load sys config verify' on a config that contains both an high availability (HA) group and a traffic group referencing that high availability (HA) group, this will trigger an high availability (HA) fault and failover.

Conditions:
- Running 2 BIG-IP systems in an high availability (HA) pair
- Run tmsh 'load sys config verify' on a config with the following conditions:
- Config to be verified contains an high availability (HA) group
- Config to be verified also contains a traffic group referencing the high availability (HA) group

Impact:
HA fault and failover. high availability (HA) pair will enter a degraded state.

Workaround:
No workaround currently known, but the failover fault can be cleared by running tmsh 'load sys config' on the system that had 'load sys config verify' run on it.

---

1117297-2 : Wr_urldbd continuously crashes and restarts&start;

Links to More Info: BT1117297

Component: Traffic Classification Engine

Symptoms:
Malloc failed while wr_urldb is started

Conditions:
Intermittently reproduced when rebooting to a new version or after restarting wr_urldbd

Impact:
Wr_urldbd crashes.

Workaround:
- Stop the wr_urldbd to stabilize(#bigstart stop wr_urldbd)
-- Update the customdb(i.e. delete or add custom urls) on the backend server
-- Start wr_urldbd to download and load the new DB(#bigstart start wr_urldbd)

---

1117245-1 : Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file

Links to More Info: BT1117245

Component: Application Security Manager

Symptoms:
You only see this message in /var/log/tomcat/liveupdate.log file. No other log messages are written, causing troubleshooting capability with LiveUpdate.

liveupdate.script file is corrupted, live update repository initialized with default schema


This error is emitted during tomcat startup.

/var/log/tomcat/catalina.out
java.io.FileNotFoundException: /usr/share/tomcat/logs/liveupdate.log (Permission denied)

Conditions:
You are running on a version which has a bug fix for ID907025. For more information see https://cdn.f5.com/product/bugtracker/ID907025.html

Impact:
Losing troubleshooting capability with LiveUpdate

Workaround:
chown tomcat:tomcat /var/log/tomcat/liveupdate.log
bigstart restart tomcat

---

1116941-2 : Need larger Content-Length value supported for SIP

Component: Service Provider

Symptoms:
SIP MRF sends error 413 when the content_length value in the SIP message is greater than 65535 (0xff).

Conditions:
The SIP content_length has to be greater than 65535 (0xff) on SIP MRF configuration

Impact:
The SIP messages with content_length greater than 65535 can't be processed by the BIG-IP successfully because of the hard coded constraint on the SIP content_length

Workaround:
None

---

1116513-4 : Route-domains should not be allowed on name server addresses via the GUI.

Links to More Info: BT1116513

Component: Global Traffic Manager (DNS)

Symptoms:
Route domains are allowed on nameserver address when configuring them via the GUI.

Conditions:
Create a DNS resolver via the GUI and include route domain for nameserver IP address.

Eg : Navigate to Network > DNS Resolvers > DNS Resolver List and can create a DNS resolver name server address with Route domain.

Impact:
Inconsistency between the GUI and TMSH for dns resolver namserver address.

Workaround:
None

---

1115041-2 : BIG-IP does not forward the response received after GOAWAY, to the client.

Links to More Info: BT1115041

Component: Local Traffic Manager

Symptoms:
After receiving a GOAWAY from the server followed by data on the same stream, the BIG-IP system does not forward that data to the client but rather sends RESET_STREAM.

Conditions:
1. Configure an NGINX server to handle two streams per connection
2. Virtual server with http2 profile
3. Send more than two requests on the same connection

Impact:
The client does not get a proper response

Workaround:
None

---

1114253-5 : Weighted static routes do not recover from BFD link failures

Links to More Info: BT1114253

Component: TMOS

Symptoms:
If a BFD link fails and recovers, the weighted static route that should be preferred does not populate back into the routing table.

Conditions:
Weighted static routes with BFD configured, this is an example of the affected configuration:

ip route 0.0.0.0/0 10.8.8.4 100
ip route 0.0.0.0/0 10.8.8.34 200
ip static 0.0.0.0/0 10.8.8.4 fall-over bfd
ip static 0.0.0.0/0 10.8.8.34 fall-over bfd

After BFD session to 10.8.8.4 fails and recovers the default route will still be pointing to 10.8.8.34.

Impact:
Incorrect route nexthop.

Workaround:
Re-add route config statements.

---

1113961-2 : BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China

Links to More Info: K43391532, BT1113961

Component: TMOS

Symptoms:
BIG-IP 16.1.3 VE with FIPS 140-3 may fail to start in AWS-China

Conditions:
Running BIG-IP 16.1.3 VE with FIPS 140-3 with 16.1.3 in AWS China region

Impact:
BIG-IP 16.1.3 VE with FIPS 140-3 may fail to start in AWS-China

Workaround:
Upgrade to 16.1.3.1 when it is available.

---

1113881-1 : Headers without a space after the colon trigger an HTTP RFC violation

Component: Application Security Manager

Symptoms:
An "Unparsable request content" violation is detected for valid headers without a space after the headers name ':'

Conditions:
Any header without a space between the ':' and the header value will trigger "Unparsable request content"

Impact:
Requests that suppose to pass are blocked by ASM enforcer

Workaround:
The client has to send headers with space after ':'

---

1113753-1 : Signatures might not be detected when using truncated multipart requests

Component: Application Security Manager

Symptoms:
On special cases when sending long requests that include a multipart section, signatures that should be detected in the multipart body might not be detected.

Conditions:
1. WAF-policy is attached to virtual server.
2. Signatures are enabled in the WAF policy.
3. Signatures contain special characters, i.e. ;"=\n
4. Request is longer than the value in max_raw_request_len.
5. Sending a multipart request.

Impact:
Signature is not detected.

Workaround:
None

---

1113549-2 : System boots into an inoperative state after installing engineering hotfix with FIPS140-2/140-3 License&start;

Links to More Info: BT1113549

Component: Local Traffic Manager

Symptoms:
BIG-IP persistently starts up in an inoperative state after installing an engineering hotfix with a console error similar to:

*** FIPS or Common Criteria power-up self-test failure.
*** This system has been placed in an error state.
*** To recover return to the grub menu and select another volume
*** or reinstall the system.
***
*** On many devices pressing the escape key followed by the (
*** key will bring up a menu which allows the system to be restarted.

Power-up self-test failures: <number>

Unmounting file systems
System halting.

Conditions:
- First boot after installing an engineering hotfix.
- FIPS 140-2 or FIPS140-3 license.

Impact:
You are unable to boot the BIG-IP system into an operational state after applying an engineering hotfix, and you are required to boot to a known good volume. For more information about FIPS mode previnting system boot, see https://support.f5.com/csp/article/K52534643

Workaround:
None

---

1113385-5 : Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP

Links to More Info: BT1113385

Component: TMOS

Symptoms:
REST tokens which are present in /var/run/pamcache on BIG-IP are not deleted after token expiration when there are a large number of tokens.

Conditions:
When a large number of tokens are generated.

Impact:
Disk space exhausted on the BIG-IP system.

Workaround:
Try to remove token files from /var/run/pamcache manually.
# rm -f /var/run/pamcache/*

---

1113181-1 : Self-IP allows no traffic following a modification from "Allow Custom (Include Default)" to "Allow Custom".

Links to More Info: BT1113181

Component: Local Traffic Manager

Symptoms:
Although a Self-IP address appears configured correctly (for example, when this is inspected using the WebUI or the tmsh utility), the Self-IP address does not allow through any traffic. Effectively, the Self-IP address behaves as if it was set to "Allow None".

Conditions:
The port-lockdown setting of the Self-IP address was recently modified from "Allow Custom (Include Default)" to "Allow Custom".

Impact:
The Self-IP does not allow through any traffic, whereas it should allow through the traffic in your custom list of ports and protocols.

Workaround:
You can work around this issue by temporarily setting the affected Self-IP to "Allow None" and then again to "Allow Custom", specifying your desired custom list of ports and protocols.

---

1113161-1 : After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets&start;

Component: Application Security Manager

Symptoms:
Learning and Blocking Settings page is not loading

Conditions:
Some policies are using factory sets which were deleted in later versions, and an upgrade was performed.

Impact:
When trying to open "Security ›› Application Security : Policy Building : Learning and Blocking Settings" page, GUI is stuck on 'loading' status

Workaround:
Run this mysql in the BIG-IP in order to fix the database, it will remove all unreferenced policy sets from the system:
mysql -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password(user => q{root})'` -e "delete from PLC. PL_POLICY_NEGSIG_SETS where set_id not in (SELECT set_id from PLC.NEGSIG_SETS);"

---

1112805-5 : ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4

Links to More Info: BT1112805

Component: Application Security Manager

Symptoms:
The key used for the ip_address_intelligence field is mapped to an IPv6 Address in the latest CEF standard.

Conditions:
-- IP Intelligence is enabled.
-- An ArcSight remote logger is configured.
-- A HTTP transaction is carried out with a malicious Source IP Address

Impact:
The ip_address_intelligence field value is not populated in the ArcSight remote log

Workaround:
None

---

1112537-1 : LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete.

Links to More Info: BT1112537

Component: TMOS

Symptoms:
Upon attempting to delete a LTM or GTM monitor, the system returns an error similar to the following example, even though the monitor being deleted is no longer in use anywhere:

01070083:3: Monitor /Common/my-tcp is in use.

Conditions:
-- The configuration was loaded from file (for example, as restoring a UCS archive would do).

-- A BIG-IP Administrator deletes all objects using the monitor, and then attempts to delete the monitor itself.

Impact:
LTM or GTM monitor no longer in use anywhere cannot be deleted from the configuration.

Workaround:
Run one of the following sets of commands (depending on the affected module) and then try to delete the monitor again:

tmsh save sys config
tmsh load sys config

tmsh save sys config gtm-only
tmsh load sys config gtm-only

---

1112385-4 : Traffic classes match when they shouldn't

Links to More Info: BT1112385

Component: Local Traffic Manager

Symptoms:
Traffic classes may match when they should not.

Conditions:
* Fix for ID1074505 is present (without that fix this bug is hidden).
* Traffic class uses none (or equivalently all 0s) for source-address.

Impact:
Traffic is not categorized properly.

Workaround:
Specify a source address, e.g.

ltm traffic-class /Common/blah {
    source-address 1.1.1.1
    source-mask none
   ...
}

Note that because the mask is none this won't have any effect (other than working around this bug).

---

1112349-5 : FIPS Card Cannot Initialize

Links to More Info: BT1112349

Component: Local Traffic Manager

Symptoms:
Initializing the FIPS card for the first time which contains the FIPS firmware CNN35XX-NFBE-FW-1.1-02 may cause the below error and will not be able to initialize the card:
Enter new Security Officer password (min. 0, max. 0 characters):
ERROR: Too long input (max.: 0 characters)
ERROR: Failed to read password
ERROR: INITIALIZATION FAILED!

Conditions:
First time initialization of new device with "tmsh run util fips-util -f init" command which contains the FIPS firmware CNN35XX-NFBE-FW-1.1-02

Impact:
FIPS card cannot be used for the FIPS key traffic and will not be able to re-initialize.

Workaround:
None

---

1112205-1 : HTTP/2 may garble responses if the client-side stream aborts while response headers are on the wire

Links to More Info: BT1112205

Component: Local Traffic Manager

Symptoms:
If the client-side stream aborts while response headers are on the wire, the subsequent requests may receive a garbled response.

Conditions:
- HTTP2 profile is used on both client and server side.
- The client terminates the stream while the response has not yet reached the BIG-IP system.

Impact:
The client will receive an obscure response

Workaround:
None

---

1111793-1 : New HTTP RFC Compliance check for incorrect newline separators between request line and first header

Component: Application Security Manager

Symptoms:
ASM does not enforce incoming HTTP requests where the request line and the first header are separated with a line feed ('\n').

Conditions:
Any HTTP request with a line feed only at the end of the request line will not be enforced.

Impact:
Invalid requests might pass through ASM enforcement.

Workaround:
None

---

1111629-5 : Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors

Links to More Info: BT1111629

Component: TMOS

Symptoms:
After logging in to the GUI you may observe these logs under /var/log/httpd/httpd_errors

warning httpd[7698]: [auth_pam:warn] [pid 7698] [client 10.6.4.2:61221] AUTHCACHE Error processing cookie AFQ6MCL2VWASB6NZTAWGQLFFWY - Failed Read: User, referer:

Conditions:
- Using token authentication for rest calls
- Login to the GUI

Impact:
- Increase log space usage

Workaround:
None

---

1111473-5 : "Invalid monitor rule instance identifier" error after sync with FQDN nodes

Links to More Info: BT1111473

Component: Local Traffic Manager

Symptoms:
The following log messages may be observed in /var/log/ltm:

bigip1 err mcpd[4783]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 29.

This may also result in some monitors stuck in "checking" state.

Conditions:
-- FQDN nodes.
-- A full config sync occurs

Impact:
Some monitor statuses may not be correctly reported. Some monitors may be stuck in "checking" state.

Workaround:
Force the mcpd process to reload the BIG-IP configuration: K13030.

---

1111421-4 : TMSH/GUI fails to display IPsec SAs info

Links to More Info: BT1111421

Component: TMOS

Symptoms:
Ipsec SAs are not visible in GUI/TMSH in tunnel/interface mode
GUI network -> ipsec -> diagnostic -> traffic-selectors -> security association details shows no SAs
The 'tmsh show net ipsec ipsec-sa traffic-selector ts' command shows no SA

Conditions:
-- Configure the ipsec with tunnel/Interface mode.
-- Create the tunnel.
-- Check the ipsec-sa

Impact:
You are unable to see ipsec-sa in GUI/TMSH

Workaround:
None

---

1111361-4 : Refreshing DNS wide IP pool statistics returns an error

Links to More Info: BT1111361

Component: Global Traffic Manager (DNS)

Symptoms:
Refreshing the wide IP pool statistics results in the error message 'An error has occurred while trying to process your request'.

Conditions:
Go to "Statistics > Module Statistics > DNS > GSLB > Wide IPs > Statistic Pools", and click "Refresh".

Impact:
No results are returned, and the error message 'An error has occurred while trying to process your request' is displayed.

Workaround:
N/A.

---

1111189-1 : Listing errors in tmsh and installation failures when the configuration includes an AVR scheduled-report.

Links to More Info: BT1111189

Component: Application Visibility and Reporting

Symptoms:
-- The tmsh utility may return an error when listing analytics configuration.

-- TMOS installations may fail and return an error.

-- Saving new UCS archives may fail and return an error.

In all cases, the error is similar to the following example:

TSocket::open() getaddrinfo() <Host: 127.3.0.2
 Port: 9090>Name or service not known
std exception: (Could not resolve host for client socket.), exiting...

Conditions:
-- Multi-blade VIPRION system (either metal or in the form of a vCMP guest).

-- AVR is provisioned.

-- At least one AVR scheduled-report is present in the configuration.

-- An action such as listing the config, saving a UCS archive, performing a TMOS installation, etc. is performed on a secondary blade.

Impact:
The operation you were attempting fails and an error is returned.

Workaround:
The only workaround consists in removing all AVR scheduled-reports, performing the intended task, and then re-defining the AVR scheduled-reports as necessary. This is of course disruptive and may not be indicated for your site. If you require an Engineering Hotfix for this issue, please contact F5 Support.

---

1110949-3 : Updating certKeyChain of parent SSL profile using iControl does not change the cert and key outside certKeyChain of the child profile

Links to More Info: BT1110949

Component: Local Traffic Manager

Symptoms:
Invalid config after iControl call: the certificate and key of the child profile do not change as expected.

Conditions:
1. The SSL profile should default from a parent profile.
2. iControl REST is used to change the certkeychain of the parent profile.
3. The issue cannot be seen after the first call but from the second call, it's always reproducible.

Impact:
1. The child profile has an incorrect configuration.
2. The older certificate/key can not be deleted as they are still in use in the child profile.

Workaround:
Can use currently deprecated iControl call by using key and cert instead of certkeychain as follows:

curl -k -u admin:admin -H "Content-Type: application/json" -X PATCH https://10.155.75.246/mgmt/tm/ltm/profile/client-ssl/parent.example.com -d '{"key":"/Common/default.key","cert":"/Common/default.crt"}'

---

1110893-5 : Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy

Links to More Info: BT1110893

Component: TMOS

Symptoms:
Some sections of the BIG-IP GUI fail to load properly, and may report "An error occurred:" Additionally, iControl REST calls may fail with a 401 unauthorized error.

Conditions:
-- BIG-IP GUI or iControl REST is accessed behind a proxy that that includes an X-Forwarded-For header

-- The "httpd.matchclient" BigDB key is set to true (this is the default).

Impact:
Some portions of the GUI are broken as well as iControl REST calls may fail.

Workaround:
Disable the "httpd.matchclient" DB key:

tmsh modify sys db httpd.matchclient value false
bigstart restart httpd

---

1110813-4 : Improve MPTCP retransmission handling while aborting

Component: Local Traffic Manager

Symptoms:
- MPTCP enabled TCP connection is aborting.
- TMM cores.

Conditions:
- MPTCP is enabled.
- MPTCP enabled TCP connection is aborting.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP option in the TCP profile.

---

1110281-1 : Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable

Links to More Info: BT1110281

Component: Application Security Manager

Symptoms:
Non-HTTP traffic is not forwarded to the backend server.

Conditions:
- ASM provisioned
- Behavioral DoS profile assigned to a virtual server
- DOSL7::disable and HTTP::disable applied at when CLIENT_ACCEPTED {}

Impact:
Broken webapps with non-HTTP traffic.

Workaround:
Instead of using DOSL7::disable, redirect non-HTTP traffic to a non-HTTP aware virtual server using the iRule command virtual <virtual_server_name>.

---

1110241-1 : in-tmm http(s) monitor accumulates unchecked memory

Links to More Info: BT1110241

Component: In-tmm monitors

Symptoms:
Connflows growing larger than expected/desired.

Conditions:
-- in-TMM monitors are enabled
-- http(s) monitors are configured
-- Pool members continue spooling chunked data

Impact:
If an http(s) server does not close its connection to BIG-IP and continues spooling chunked data, the connflow remains and can eventually cause similar issues.

Workaround:
Three possible:
1. Fix the server.
2. Periodically reboot the server.
3. Use BigD LTM monitors.

---

1110205-3 : SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown

Links to More Info: BT1110205

Component: Local Traffic Manager

Symptoms:
If a virtual server has an iRule performing SSL payload processing in CLIENTSSL_DATA, TMM fails to process or forward an ingress TCP FIN from a client, leaving the connection in a zombie state until it eventually idles out.

Conditions:
The issue occurs only when SSL::collect is used in CLIENTSSL_DATA

   when CLIENTSSL_DATA {
        log local0. "."
        SSL::release
        SSL::collect
    }

Impact:
Unexpected growth in the number of connections idling on a virtual server leads to memory pressure.

Workaround:
None

---

1109953-5 : TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry

Links to More Info: BT1109953

Component: Local Traffic Manager

Symptoms:
A very long entry (exceeding the maximum length allowed by internet stndards) in a data-group used for SSL Forward Proxy Bypass/Intercept hostname list may cause TMM to crash.

Conditions:
All of the below conditions have to be met:
-- A virtual server uses SSL profile
-- This SSL profile has Forward Proxy enabled.
-- The SSL profile has Forward Proxy Bypass enabled.
-- The SSL profile uses Hostname Bypass and/or Hostname Intercept data-group.
-- Anny to the data-groups contains entries which are longer than 255 characters.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Make sure all entries in the data-group used for intercept/bypass hostnanme list do not exceed 255 characters. According to RFC 1035 section 2.3.4, longer hostnames are not valid.

---

1109833-2 : HTTP2 monitors not sending request

Links to More Info: BT1109833

Component: Local Traffic Manager

Symptoms:
HTTP2 monitors do not send monitor traffic, incorrectly marking pool members down.

Conditions:
HTTP2 monitor configured.

Impact:
Pool members marked down erroneously.

Workaround:
Use different monitor type, if possible.

---

1108681-5 : PEM queries with filters return error message when a blade is offline

Links to More Info: BT1108681

Component: Policy Enforcement Manager

Symptoms:
Attempting to retrieve subscriber session data for a specific subscriber returns the following error: "Data Input Error: ERROR: 'query_view' query reply did not contain a result object."

Conditions:
One of the blades is disabled, and the pem sessiondb query contains a filter, for example subscriber-id or session-ip.

Impact:
Cosmetic error, no impact.

Workaround:
Enable the disabled blades, or send a pem sessiondb query without filters.

---

1108657-2 : No notification about disabled "Virus detected" violation in case of enabling "Anti-Virus Protection"

Component: Application Security Manager

Symptoms:
If the "Virus detected" violation is disabled, there is no notification about it after enabling "Anti-Virus Protection".

Conditions:
1. In Security ›› Application Security : Policy Building : Learning and Blocking Settings screen, for Virus Detected violation set at least one of the Learn, Alarm, or Block checkboxes as empty.

2. In Security ›› Application Security : Security Policies : Policies List ›› <selected_policy> screen - check the Scan HTTP Uploads (in Anti-Virus Protection field)

3. No warning is shown.

Impact:
No warning is shown to user which indicates that the related violation settings are switched off (Learning, Alarming or Blocking)

Workaround:
None

---

1108557-5 : DNS NOTIFY with TSIG is failing due to un-matched TSIG name

Links to More Info: BT1108557

Component: Global Traffic Manager (DNS)

Symptoms:
DNS NOTIFY messages are ignored.

Conditions:
The TSIG on the secondary needs to have the same algorithm and secret, but one or more characters in the name must be a different case.

Impact:
Failure to update the zone in a timely fashion.

Workaround:
Remove the offending TSIG on the secondary and re-create it with case matching the primary server.

---

1108237-1 : Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM.

Links to More Info: BT1108237

Component: Global Traffic Manager (DNS)

Symptoms:
It is possible for monitor probes to a certain destination to be owned by no GTM device in the sync-group. As a result, no monitoring of the destination will be performed, and the monitored object will be incorrectly marked down with reason "no reply from big3d: timed out".

Conditions:
-- GTM sync-group with multiple GTM devices (including a sync-group that contains only a single GTM server with more than one GTM device in it).

-- Monitors specifying an explicit destination to connect to (e.g. with the property "destination 192.168.1.1:*").

-- The destination of a monitored object (e.g. the IP address of the gtm server) is different from the destination explicitly defined in a monitor assigned to the object.

-- The two mismatching destination values are assigned to different GTM devices in the sync-group for monitoring.

Impact:
Monitored GTM objects may have an incorrect status.

Workaround:
None

---

1108109-5 : APM policy sync fails when access policy contains customization images&start;

Links to More Info: BT1108109

Component: Access Policy Manager

Symptoms:
APM policy sync fails after an upgrade. Mcpd logs an error

err mcpd[6405]: 01b70117:3: local_path (/tmp/psync_local_file) starts with invalid directory. Valid directories are /var/config/rest/, /var/tmp/, /shared/tmp/.

Conditions:
APM access policy contains a custom image file

Impact:
APM policy sync fails.

Workaround:
None

---

1107605-2 : TMM crash reported with specific policy settings

Links to More Info: BT1107605

Component: Local Traffic Manager

Symptoms:
TMM crashes when HTTPS request for a non-existent document

Conditions:
1) Virtual server with HTTP Profile
2) LTM Policy with "shutdown connection" for 400/404 response codes
3) Request for non-existent document

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove the policy and use an iRule with the same conditions as in the policy.

---

1107549-1 : In-TMM TCP monitor memory leak

Links to More Info: BT1107549

Component: In-tmm monitors

Symptoms:
TMM memory use grows unbounded; aggressive sweeper is engaged

Conditions:
-- In-TMM TCP monitors are enabled

Impact:
TCP peer ingress accumulates over time. Over an extended period of time the aggressive sweeper begins freeing memory.

Workaround:
1. Rebooting the BIG-IP system after the change is made is one potential remedy.
2. Use regular LTM monitors.

---

1107453-1 : Performance drop observed in some Ramcache::HTTP tests on BIG-IP i10800 platform

Links to More Info: BT1107453

Component: Local Traffic Manager

Symptoms:
Drop in TPS of around 6.5% observed for Ramcache::HTTP tests.

Conditions:
- BIG-IP i10800 l7-performance-fpga platform
- 5KB file size with 1 Request Per Connection
- 5KB file size with 100 Request Per Connection

Virtual server with the following profiles -
1. http
2. tcp profile with nagle disabled
3. web acceleration profile with following attributes -
   - cache-max-age 36000
   - cache-object-max-size 1500001
   - cache-object-min-size 1

Impact:
Delay in client side response during peak traffic flow due to lowered throughput.

Workaround:
None

---

1106673-4 : Tmm crash with FastL4 virtual servers and CMP disabled

Links to More Info: BT1106673

Component: Local Traffic Manager

Symptoms:
With CMP disabled, all traffic is forwarded to one TMM thread. A crash occurs when these flows are torn down.

Conditions:
The following is configured on a virtual server:
-- A fastL4 profile
-- CMP is disabled
-- An IPS firewall policy

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Enable CMP on the virtual server.

tmsh modify ltm virtual <virtual_server_name> cmp-enabled yes

---

1106489-1 : GRO/LRO is disabled in environments using the TMM raw socket "sock" driver.

Links to More Info: BT1106489

Component: TMOS

Symptoms:
GRO/LRO packets are not received: "tmctl -d blade tmm/ndal_rx_stats" shows "0" in "lro". The linux host has GRO disabled: "ethtool -k eth1 | grep generic-receive-offload" shows "off".

Conditions:
-- BIG-IP is deployed in a Hyper-V environment.
-- Any environment such that "tmctl -d blade tmm/device_probed" displays "sock" in "driver_in_use".

Impact:
Performance is degraded.

Workaround:
Manually enable GRO on the device: ethtool -K eth1 gro on

Check that it's enabled with: ethtool -k eth1 | grep generic-receive-offload

---

1106273-4 : "duplicate priming" assert in IPSECALG

Links to More Info: BT1106273

Component: Advanced Firewall Manager

Symptoms:
This is a specific issue with a complicated firewall/NAT/IPSEC scenario. In this case, when applying changes to a firewall policy in transparent mode, IPSECALG triggers a "duplicate priming" assert

Conditions:
When an IPSec session is established from a device with a source IP which has a firewall policy (transparent mode). As soon as traffic is passed over the new IPSec tunnel, this clash in the rules results in a tmm core.

Impact:
TMM asserts with "duplicate priming" assert.
Traffic disrupted while tmm restarts.

Workaround:
None

---

1105969-4 : Gratuitous ARP not issued for non-floating self-IP on clicking "Update" via the GUI

Links to More Info: BT1105969

Component: Local Traffic Manager

Symptoms:
A gratuitous ARP (GARP) is not issued as per K15858.

Conditions:
After the BIG-IP system is fully started and interfaces are online, select the non-floating self IP address in the Configuration utility and then select Update (without making any changes).

Impact:
You cannot force non-floating self-IPs to send a gratuitous ARP post-boot.

Workaround:
None

---

1105901-1 : Tmm crash while doing high-speed logging

Links to More Info: BT1105901

Component: TMOS

Symptoms:
Tmm crashes

Conditions:
-- High-speed logging is configured
-- Network instability occurs with the logging pool members

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

---

1105485 : Emulated Interaction Events occurs when using Bot Defense Profile and Datasafe keylogger protection feature

Links to More Info: BT1105485

Component: Application Security Manager

Symptoms:
Datasafe keylogger protection feature causes the Bot Defense profile to detect untrusted events.

Conditions:
-- Bot Defense profile is attached to a virtual server
-- Datasafe profile is attached to the virtual server, with keylogger protection feature enabled.

Impact:
Legitimate users are getting mitigated.

Workaround:
Modify bigDB:
tmsh modify sys db botdefense.cshui_checked_trusted_events value "mousedown, mouseup, mousemove, touchstart, touchmove, touchend"

---

1105341-1 : Decode_application_payload can break exponent notation in JSON

Links to More Info: BT1105341

Component: Application Security Manager

Symptoms:
With decode_application_payload set to 1, the single pass of decoding prior to JSON parsing will convert positive exponents to ascii characters ie "+" to " ". This results in Malformed numeric value violations

Conditions:
Positive exponents with decode_application_payload set to 1.

Impact:
Malformed JSON violations

Workaround:
Disable decode_application_payload
decode_application_payload set to 0.

---

1104553-3 : HTTP_REJECT processing can lead to zombie SPAWN flows piling up

Links to More Info: BT1104553

Component: Local Traffic Manager

Symptoms:
In the execution of a specific sequence of events, when TCL attempts to execute the non-existing event, it follows a path which in turn makes SPAWN flow to become a zombie, which pile up over time showing up on the monitoring system.

Conditions:
-- http2, client-ssl, optimized-caching filters on the virtual server
-- HTTP::respond iRule with LB_FAILED event and set of iRules like HTTP_REQUEST, HTTP_RESPONSE, CLIENTSSL_HANDSHAKE, CACHE_RESPONSE, ASM_REQUEST_BLOCKING
-- send http2 request through the virtual server

Impact:
Clients may not be able to connect to the virtual server after a point in time.

---

1104037-1 : Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire

Links to More Info: BT1104037

Component: In-tmm monitors

Symptoms:
Tmm crashes.

Conditions:
Changing "connection.vlankeyed" from enabled to disabled on a system configured for L2 wire

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Keep "connection.vlankeyed" enabled

---

1103953-2 : SSMTP errors in logs every 20 minutes

Links to More Info: BT1103953

Component: TMOS

Symptoms:
An error is logged every 20 minutes to /var/log/maillog

err sSMTP[9797]: Unable to connect to "localhost" port 25.
err sSMTP[9797]: Cannot open localhost:25

The symptoms are similar to what you see in https://support.f5.com/csp/article/K60914243 but the solution in that article will not help. K60914243 talks about 15.x while current issue is on 16.x.

Conditions:
This occurs in one of the following happens

1. You have manually deleted restjavad or restnoded log files with following commands
   rm /var/log/restjavad*
   rm /var/log/restnonded*

2. One of the restjavad/restnoded log files is small and unable to rotate (rotation fails). This happens when file size does not exceed default "max-file-size"

Impact:
Log rotation for restjavad/restnoded will be stuck. You may see system emails about sSMTP errors every 20 minutes.

Workaround:
This issue subsides if you manually create a file for the stuck log file.

1. Open a command terminal
2. Run # ls -l /var/log/restnoded*
3. If you find that restnonded1.log is missing then manually create it
    # touch /var/log/restnoded/restnoded1.log
4. Run # ls -l /var/log/restjavad*.log
5. If you find that restjavad.1.log is missing then manually create it
    # touch /var/log/restjavad.1.log

---

1103833-1 : Tmm core with SIGSEGV in gtmpoolmbr_UpdateStringProc

Links to More Info: BT1103833

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm cored with SIGSEGV.

Conditions:
-- iRule pool command with member which is determined at run-time
-- A pool member is used for the iRule
-- The previous pool member is deleted and then re-created using the same name
-- That pool member is picked again for the next iRule event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use a string command to category the pool member variable like this:

  pool dnspool member [string trim $pool_member]

---

1103617-5 : 'Reset on Timeout' setting might be ignored when fastl4 is used with another profile.

Links to More Info: BT1103617

Component: Local Traffic Manager

Symptoms:
'Reset on Timeout' setting might be ignored when Fastl4 profile is configured along with some other profile.

Conditions:
Fastl4 profile is configured along with some other profile (for example IPS).

Impact:
Traffic might be reset unexpectedly.

Workaround:
None

---

1103117-1 : iAppLX extension using express with httpserver script leaves lingering client-side flow on HTTP requests.

Links to More Info: BT1103117

Component: Local Traffic Manager

Symptoms:
While using an iAppLX extension using express with simple HTTP server script, tmsh show sys conn shows a lingering client-side flow that is eventually expired by the sweeper.

Conditions:
Virtual server with iAppLX extension using express with a simple httpserver script like below:

  app.use(express.static('public'));
  var plugin = new f5.ILXPlugin();
  plugin.startHttpServer(app);

Impact:
The connection table (tmsh show sys conn) shows a lingering client-side flow that is eventually expired by the sweeper.

Workaround:
None

---

1102849-4 : Less-privileged users (guest, operator, etc) are unable to run top level commands

Links to More Info: BT1102849

Component: TMOS

Symptoms:
Less privileged users are no longer able to run top-level commands such as "show running-config recursive". Executing this command from TMOS results in an error:

Unexpected Error: Can't display all items, can't get object count from mcpd

and mcpd throws error:

result_message "01070823:3: Read Access Denied: user (test) type (Abort Ending Agent)"

Conditions:
User account with a role of guest, operator, or any role other than admin.

Impact:
You are unable to show the running config, or use list or list sys commands.

Workaround:
Logon with an account with admin access.

---

1102429-1 : iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases.

Links to More Info: BT1102429

Component: Local Traffic Manager

Symptoms:
Invoking the iRule command 'reject' under the iRule event 'FLOW_INIT' may, in some cases, fail to send out the intended reject packet (i.e. TCP reset or ICMP port unreachable).

Conditions:
The issue occurs when the BIG-IP system does not have a route back to the client, and should instead deliver the reject packet by means of autolasthop.

Impact:
The connection is actually removed from the BIG-IP system's connection table, and correctly does not progress. However, the lack of a reject packet could make the client retransmit its initial packet or insist in opening more connections.

---

1101741-1 : Virtual server with default pool down and iRule pool up will flap for a second during a full config-sync.

Links to More Info: BT1101741

Component: TMOS

Symptoms:
During a full manual config-sync, a virtual server with a default pool which is down and an iRule pool which is up will flap for a second on the receiving unit.

For instance:

Apr 22 13:52:31 bigip-ntr-b.local notice mcpd[7733]: 01071682:5: SNMP_TRAP: Virtual /Common/my_vs has become unavailable
Apr 22 13:52:31 bigip-ntr-b.local notice mcpd[7733]: 010719e7:5: Virtual Address /Common/10.0.0.71 general status changed from GREEN to RED.
Apr 22 13:52:31 bigip-ntr-b.local notice mcpd[7733]: 010719e8:5: Virtual Address /Common/10.0.0.71 monitor status changed from UP to DOWN.
<...>
Apr 22 13:52:32 bigip-ntr-b.local notice mcpd[7733]: 01071681:5: SNMP_TRAP: Virtual /Common/my_vs has become available
Apr 22 13:52:35 bigip-ntr-b.local notice mcpd[7733]: 010719e7:5: Virtual Address /Common/10.0.0.71 general status changed from RED to GREEN.
Apr 22 13:52:35 bigip-ntr-b.local notice mcpd[7733]: 010719e8:5: Virtual Address /Common/10.0.0.71 monitor status changed from DOWN to UP.

Conditions:
-- device-group configured for full manual sync
-- virtual server with default pool up and iRule pool down
-- a config sync is initiated

Impact:
There is no impact to application traffic during the flapping, as the virtual server continues to function correctly even when the unit receiving the config-sync is the Active one.

However, the logs (and the ensuing SNMP traps) may be confusing to BIG-IP Administrators and/or network operators monitoring alarms from the system.

Workaround:
You can work around this issue by configuring the device-group for incremental config-sync instead (either manual or automatic).

---

1101369-5 : MQTT connection stats are not updated properly

Component: Local Traffic Manager

Symptoms:
Negative values can be seen in current connections.

Conditions:
This issue can be seen when the 'CONNECT' message is dropped by iRule or when the first message received is not 'CONNECT.'

Impact:
MQTT profile stats are not incremented correctly with CONNECT message.

Workaround:
NA

---

1101181-4 : HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server

Links to More Info: BT1101181

Component: Local Traffic Manager

Symptoms:
The BIG-IP forwards HTTP request headers to pool member, but does not forward the request body. This results in a connection stall, and the connection eventually timing out and failing.

Conditions:
-- Virtual server with HTTP/2 full proxy configured (HTTP MRF router is enabled, and HTTP/2 profile present on virtual server).
-- Virtual server has request-logging profile assigned.
-- Serverside connection uses HTTP/2.
-- Client sends a request that includes a payload body (e.g. a POST).

Impact:
HTTP transaction fails; traffic does not pass.

Workaround:
Remove the request-logging profile.

---

1100669-2 : Brute force captcha loop

Links to More Info: BT1100669

Component: Application Security Manager

Symptoms:
Captchas for a user that failed to login after several attempts will continue after a successful login.

Conditions:
-- A user fails to log in after several attempts.
-- The mitigation is captcha mitigation.

Impact:
If the user eventually provides the correct password, the user will be able to log in.

Workaround:
None

---

1100609-1 : Length Mismatch in DNS/DHCP IPv6 address in logs and pcap

Links to More Info: BT1100609

Component: TMOS

Symptoms:
The wrong length is shown in logs for DNS/DHCP IPv6 addresses.

Conditions:
-- DNS/DHCP IPv6 configured in IKE-PEER configuration.
-- The tunnel is established.

Impact:
The length is reported incorrectly in the logs. It is reported as 15 when it should be reported as 16.

Workaround:
None

---

1100409-5 : Valid connections may fail while a virtual server is in SYN cookie mode.

Component: TMOS

Symptoms:
Some of the valid connections to a TCP virtual server may fail while the virtual server is in SYN cookie mode due to an attack.

Conditions:
-- BIG-IP i4x00 platform.
-- TCP virtual server under SYN flood attack.

Impact:
Failed connections, service degradation.

Workaround:
Disabling SYN cookie in the TCP or fastL4 profile is a possible workaround, but that would leave the virtual server open to SYN flood attacks.

---

1100321-4 : MCPD memory leak

Links to More Info: BT1100321

Component: TMOS

Symptoms:
Viewing virtual server firewall policy rules leaks some memory in MCPD.

Conditions:
- BIG-IP AFM is provisioned
- Virtual server firewall policy rules are viewed, e.g. by running one of the following commands:
  tmsh show ltm virtual fw-enforced-policy-rules
  tmsh show ltm virtual fw-staged-policy-rules

Impact:
A memory leak occurs when the command is run.

Workaround:
None

---

1100249-1 : SNAT with FLOW_INIT firewall rule may core TMM due to wrong type of underlying flow structure

Links to More Info: BT1100249

Component: Local Traffic Manager

Symptoms:
Tmm crashes with SIGSEGV while passing firewall traffic.

Conditions:
-- SNAT + firewall rule
-- FLOW_INIT used in an iRule

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

---

1100197-1 : GTM sends wrong commit_id originator for iqsyncer to do gtm group sync

Links to More Info: BT1100197

Component: Global Traffic Manager (DNS)

Symptoms:
GTM sends wrong commit_id originator for iqsyncer to do gtm group sync, which converts an incremental sync into a full sync.

Conditions:
Frequent GTM group syncs.

Impact:
Unnecessary GTM full sync.

Workaround:
None

---

1099545-1 : Tmm may core when PEM virtual with a simple policy and iRule is being used

Links to More Info: BT1099545

Component: Local Traffic Manager

Symptoms:
Tmm cores with SIGSEGV.

Conditions:
-- PEM virtual with a simple policy and iRule attached.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

---

1099373-3 : Virtual Servers may reply with a three-way handshake when disabled or when processing iRules

Links to More Info: BT1099373

Component: Local Traffic Manager

Symptoms:
Virtual servers may complete a three-way handshake before resetting a connection when they are disabled or when iRules process traffic for disabled virtual servers.

Conditions:
-- Virtual Server with a pool assigned
-- Pool is disabled administratively

Impact:
When a virtual server is marked as disabled and a client attempts to connect to it, tmm will normally send a reset to the first SYN packet. However, if you then administratively disable the pool ( disabled pool members - Not forced offline) tmm will complete the three-way handshake before sending resets. Additionally, when in this state, iRules will process and can pass traffic to pools if the iRule is configured to do that even though the virtual server status is disabled.

Workaround:
Avoid marking pools disabled or use forced offline for virtual servers that you want to administratively disable.

---

1099229-5 : SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present

Links to More Info: BT1099229

Component: Local Traffic Manager

Symptoms:
-- A connection to the virtual server hangs from the client device.
-- A memory leak occurs in tmm

Conditions:
-- Virtual server has an L7 policy configured.
-- Virtual server has iRules configured.

Impact:
-- Clients are unable to connect to the virtual server.
-- A memory leak occurs.

Workaround:
Remove the L7 policy or the iRules from the virtual server configuration.

---

1099193-1 : Incorrect configuration for "Auto detect" parameter is shown after switching from other data types

Component: Application Security Manager

Symptoms:
The Configuration shown in the GUI for the "Auto detect" Parameter value type is incorrect after certain steps are performed.

Conditions:
1. Create a default policy
2. Create new a Parameter with "User-input value" as a Parameter Value Type, and "File Upload" as the Data Type.
3. Save the settings above, and go back to the newly created Parameters settings.
4. Change its Parameter Value Type to "Auto detect".

Impact:
You either see unrelated fields, e.g. "Disallow File Upload of Executables" or missing tabs, like Value Meta Characters.

Workaround:
You can save a configuration with "User-input value" as a Parameter Value type, and "Alpha-Numeric" as Data Type, and then set "Auto detect" as Parameter Value Type.

---

1098609-2 : BD crash on specific scenario

Links to More Info: BT1098609

Component: Application Security Manager

Symptoms:
BD crashes while passing traffic.

Conditions:
Specific request criterias that happens while there is a configuration change.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

---

1097473-5 : BIG-IP transmits packets with incorrect content

Links to More Info: BT1097473

Component: Local Traffic Manager

Symptoms:
In rare instances, BIG-IP transmits packets with incorrect content

Conditions:
BIG-IP virtual edition utilizing the ixlv driver.

Impact:
Incorrect packets transmitted from the BIG-IP.

---

1097193-4 : Unable to SCP files using WinSCP or relative path name

Links to More Info: BT1097193

Component: TMOS

Symptoms:
When attempting to retrieve a file with WinSCP, you receive an error dialog and the session will be terminated:

"SCP Protocol error: Invalid control record (r; elative addresses not allowed)

Copying files from remote side failed."

If attempting to transfer a file by relative path with a command line utility the transfer will fail with the message:
"relative addresses not allowed"

Conditions:
-- Running BIG-IP version with fix for ID 915981
-- Using WinSCP set to use SCP protocol to retrieve files from a BIG-IP system.
-- Using a relative remote path to transfer a file with command line scp utility.

Impact:
No longer able to use WinSCP to retrieve files such as packet captures, log archives, or other diagnostic data from the BIG-IP system.

Workaround:
Use a command line SCP tool that allows specifying an absolute path for the source and/or destination file (a path that starts with a forward slash /), when the source and/or destination locations are a BIG-IP device.

If the user ID is permitted to do so, you may use WinSCP in SFTP mode.

---

1096893-3 : TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection

Links to More Info: BT1096893

Component: Local Traffic Manager

Symptoms:
When route metrics are applied by the TCP filter to a connection initiated by a syncookie, TCP sets the effective MSS for packetization, thereafter the egress_mtu will be set as per the route metrics entry, if present. The packets falling between the effective MSS and the lowered egress_mtu end up being unexpectedly IP-fragmented.

Conditions:
SYN cookies enabled and activated. A route metrics PMTU entry for the destination address that is smaller than the VLAN's egress MTU.

Impact:
Application traffic can fail or see disruption due to unexpected IP fragmentation.

Workaround:
Disable syn cookies (Reference: https://support.f5.com/csp/article/K80970950).

Alternatively, you can apply a lower static MTU to the interface.

---

1096461-1 : TACACS system-auth Accounting setting has no effect when set to send-to-all-servers/send-to-first-server

Links to More Info: BT1096461

Component: TMOS

Symptoms:
If the destination address is a single server, then the accounting info is sent to only the particular server.
If the destination has multiple servers, then the accounting info is sent to all servers irrespective of the setting "auth tacacs system-auth accounting"

Conditions:
Select multiple destination addresses and change the "auth tacacs system-auth accounting" to send-to-first-server, the accounting information is sent to all the destination servers.

Impact:
You are unable to use send-to-first server functionality

Workaround:
None

---

1096317-5 : SIP msg alg zombie flows

Links to More Info: BT1096317

Component: Carrier-Grade NAT

Symptoms:
The SIP msg alg can disrupt the expiration of a connflow in a way that it stays alive forever.

Conditions:
SIPGmsg alg with suspending iRule commands attached.

Impact:
Zombie flow, which cannot be expired anymore.

Workaround:
Restart TMM.

---

1096165-5 : Tmm cored for accessing the pool after the gtm_add command is run

Links to More Info: BT1096165

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm can crash

Conditions:
TMM process fails seconds after the gtm_add command is run.

Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.

Workaround:
Reduce the number of pools and the number of region records.

---

1095973-4 : Config load failure when Trusted CA Bundle is missing and URL is present in the Bundle Manager

Links to More Info: BT1095973

Component: TMOS

Symptoms:
1. BIG-IP will come up but there will be a config load failure.
2. During the upgrade, config sync issues occur.

Conditions:
1. Bundle Manager contains URL( exclude-url/include-url)
2. Trusted CA Bundle is not populated in the Bundle Manager.

Impact:
1. BIG-IP will be in "Inoperative"/"Not All Devices Synced" state

Workaround:
Add the Trusted CA Bundle (default ca-bundle.crt) to the Bundle Manager.

OR

Remove the URLS (both exclude-url and include-url) from the Bundle Manager.

---

1095217-2 : Peer unit incorrectly shows the pool status as unknown after upgrade to version 16.1.2.1

Links to More Info: BT1095217

Component: TMOS

Symptoms:
The peer unit incorrectly shows the status of pools as UNKNOWN

Conditions:
This is encountered for all pools that were created on the active device using tmsh load sys config merge from-terminal

Impact:
Pools are marked UNKNOWN.

Workaround:
Manually load the configuration after making a configuration change via tmsh load sys config merge from-terminal

---

1095205-5 : Config.auditing.forward.multiple db Variable with value "none" is not working as expected with multiple destination addresses in audit_forwarder.

Links to More Info: BT1095205

Component: TMOS

Symptoms:
When config.auditing.forward.multiple db is set to none, BIG-IP should restrict the system to send it to only one destination when multiple destination addresses are configured.

Conditions:
When configured to "none", logs are broadcasted to all the destination addresses. Working as "broadcast" mode.

Impact:
End user could not use "none" functionality

---

1095185-1 : Failed Configuration Load on Secondary Slot After Device Group Sync

Links to More Info: BT1095185

Component: Application Security Manager

Symptoms:
Configuration synchronization fails on secondary slots after the primary slot receives a full sync from a peer in a device group.

Conditions:
Bladed chassis devices are configured in an ASM enabled device group

Impact:
Incorrect enforcement on secondary slots.

Workaround:
None

---

1095145-4 : Virtual server responding with ICMP unreachable after using /Common/service

Links to More Info: BT1095145

Component: SSL Orchestrator

Symptoms:
After adding /Common/service profile and removing it from the virtual server, the virtual server starts dropping traffic with ICMP unreachable.

This profile is normally only needed in SSLo deployments.

Conditions:
/Common/service was attached and removed from a virtual server.

Impact:
Traffic is dropped on a virtual server.

Workaround:
Restart TMM after making the configuration change.

---

1095041-1 : ASM truncates cookies that contain a space in the name and TS cookie as part of cookie list.

Links to More Info: BT1095041

Component: Application Security Manager

Symptoms:
HTTP requests are truncated at the cookie and raise a violation.

Conditions:
-- Cookie list contains TS cookie
-- A cookie contains a space in the name
-- TS cookie stripping is enabled (db asm.strip_asm_cookies is set as true)

Impact:
Backend server does not receive a complete cookie.

Workaround:
Sys db asm.strip_asm_cookies is set as false.

---

1093973-8 : Tmm may core when BFD peers select a new active device.

Links to More Info: BT1093973

Component: TMOS

Symptoms:
Tmm cores.

Conditions:
-- BFD is in use
-- the active/owner BFD device changes

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

---

1093717-5 : BGP4 SNMP traps are not working.

Links to More Info: BT1093717

Component: TMOS

Symptoms:
BGP4 SNMP traps are not working and returning snmpwalk result of "BGP4-MIB::bgp = No Such Object available on this agent at this OID" or similar errors for all OIDs under the .1.3.6.1.2.1.15 MIB.

Conditions:
--Perform any BGP related event and check for snmp traps.
--Run snmpwalk -Of -Os -v 2c -c <community_name> localhost .1.3.6.1.2.1.15

Impact:
No BGP monitoring.

Workaround:
None

---

1093553-5 : OSPF "default-information originate" injects a new link-state advertisement

Links to More Info: BT1093553

Component: TMOS

Symptoms:
When configured with "default-information originate", the BIG-IP system might inject a new 0.0.0.0 link-state advertisement when receiving a default route from an OSPF neighbor.

This results in two 0.0.0.0 link-state advertisements being advertised from the box.

Conditions:
"default-information originate" is configured.

Impact:
Duplicate link-state advertisements

Workaround:
None

---

1093545-5 : Attempts to create illegal virtual-server may lead to mcpd crash.

Links to More Info: BT1093545

Component: Local Traffic Manager

Symptoms:
Mcpd crashes after the creation of virtual server with incorrect or duplicate configuration is attempted.

Conditions:
-- One or more attempts to create a virtual server with an illegal configuration are performed (i.e. attempts to create a virtual server that shares a configuration with an existing virtual server or has an incorrect configuration)

Impact:
Mcpd crashes with __GI_abort. Traffic disrupted while mcpd restarts.

Workaround:
None

---

1093357-5 : PEM intra-session mirroring can lead to a crash

Links to More Info: BT1093357

Component: Policy Enforcement Manager

Symptoms:
TMM crashes while passing PEM traffic

Conditions:
-- PEM mirroring enabled and passing traffic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

---

1093313-1 : CLIENTSSL_CLIENTCERT iRule event is not triggered for TLS1.3 when the client sends an empty certificate response

Links to More Info: BT1093313

Component: TMOS

Symptoms:
When an SSL client connects to the BIG-IP system using TLS 1.3 and sends an empty certificate, the CLIENTSSL_CLIENTCERT iRule event is not triggered.

Conditions:
-- Virtual server configured on BIG-IP with SSL and iRule added
-- Client authentication for client certificates is set to "request"
-- iRule relying on CLIENTSSL_CLIENTCERT
-- A client connects to BIG-IP using TLSv1.3 protocol without a certificate(empty certificate)

Impact:
CLIENTSSL_CLIENTCERT irules aren't triggered.

Workaround:
None

---

1093061-1 : MCPD restart on secondary blade during hot-swap of another blade

Links to More Info: BT1093061

Component: Local Traffic Manager

Symptoms:
In rare instances, inserting a new blade into a VIPRION system can trigger a config error on another secondary blade due to attempting to delete the old blade's physical disk while it is still "in use":
err mcpd[7965]: 01070265:3: The physical disk (S3F3NX0J902788) cannot be deleted because it is in use by a disk bay (1).
err mcpd[7965]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070265:3: The physical disk (S3F3NX0J902788) cannot be deleted because

This causes MCPD to restart on the secondary blade due to the config error.

Conditions:
-- VIPRION system with at least 3 blades
-- Remove a blade and replace it with a different one

Impact:
-- MCPD restarts on the secondary blade other than the blade that was replaced.

The config error triggering this is due to an issue with the cluster syncing process between blades; however, the config issue is temporary, and should be resolved after mcpd restarts on the secondary blade.

Workaround:
None

---

1091969-4 : iRule 'virtual' command does not work for connections over virtual-wire.

Links to More Info: BT1091969

Component: Local Traffic Manager

Symptoms:
iRule 'virtual' command does not work for connections over virtual-wire.

Conditions:
- Connection over a virtual-wire.
- Redirecting traffic to another virtual-server (for example, using an iRule 'virtual' command)

Impact:
Connection stalls on the first virtual-server and never completes.

---

1091785-1 : DBDaemon restarts unexpectedly and/or fails to restart under heavy load

Links to More Info: BT1091785

Component: Local Traffic Manager

Symptoms:
While under heavy load, the Database monitor daemon (DBDaemon) may:
- Restart for no apparent reason
- Restart repeatedly in rapid succession
- Log the following error while attempting to restart:
   java.net.BindException: Address already in use (Bind failed)
- Fail to start (remain down) after several attempts, leaving database monitors disabled and marking monitored resources Down

Conditions:
- Configure one or more GTM database monitors with short probe-timeout, interval and timeout values (e.g., 2, 5, 16 respectively)
- Configure a large number (e.g., 2,000) of GTM [or perhaps LTM?] database monitor instances (combinations of above monitor + pool
member)
- Optionally: configure GTM database monitors with debug yes and count 0 (for easier diagnosis, and assumption that count = 0 will
generate more stress/concurrency to aid repro; vary as needed)
- Watch for DBDaemon restarts (either through changes in the PID returned by ps, or watching for "Starting" messages in DBDaemon logs)

Impact:
Restart for no apparent reason
Fail to start (remain down) after several attempts, leaving database monitors disabled and marking monitored resources Down

Workaround:
None

---

1091725-5 : Memory leak in IPsec

Links to More Info: BT1091725

Component: TMOS

Symptoms:
Slow memory growth of tmm over time.

This leak affects both the active and standby BIG-IPs.

Conditions:
IPsec is in use.

Security associations are being created or recreated.

Impact:
Over time, tmm may exhaust its memory causing a tmm crash.

---

1091565-2 : Gy CCR AVP:Requested-Service-Unit is misformatted/NULL

Component: Policy Enforcement Manager

Symptoms:
Observed diameter protocol warning when Requested Service Unit(RSU) is empty for CCR-I and CCR-U requests.

Conditions:
If the 'Initial Quota' is EMPTY in policy under Policy Enforcement ›› Rating Groups, the BIG-IP system reports empty data in AVP: Requested-Service-Unit.

Impact:
In Wireshark, a protocol warning occurs.

Workaround:
None

---

1091021-1 : The BIG-IP system may take no fail-safe action when the bigd daemon becomes unresponsive.

Links to More Info: BT1091021

Component: Local Traffic Manager

Symptoms:
You may observe LTM monitors are malfunctioning on your system. For instance, you may notice some probes are not sent out on the network, and some monitored objects are showing the wrong status.

Conditions:
-- The bigd daemon consists of multiple processes (which you can determine by running "ps aux | grep bigd").

-- One or more of the processes (but not all of them) becomes disrupted for some reason, and stops serving heartbeats to the sod daemon.

Under these conditions, sod will not take any fail-safe action and the affected bigd processes will continue running impaired, potentially indefinitely.

Impact:
LTM monitoring is impacted.

Workaround:
If you have determined, or if you suspect, this issue is present on your system, you can resolve it by killing all bigd processes using the following command:

pgrep -f 'bigd\.[0-9]+' | xargs kill -9

However, this does not prevent the issue from manifesting again in the future if the cause for bigd's disruption occurs again.

Monitoring may become further disrupted as bigd restarts, and a failover may occur depending on your specific configuration.

---

1090313-4 : Virtual server may remain in hardware SYN cookie mode longer than expected

Links to More Info: BT1090313

Component: TMOS

Symptoms:
A virtual server may remain in hardware SYN cookie mode longer than expected after the SYN flood attack has stopped. The TMSH 'show ltm virtual' command shows that the virtual has already exited SYN Cookie mode, but the SYN packets are still responded from hardware for a few minutes longer.

Conditions:
The problem is a result of a race condition in TMM, so the issue might show up intermittently.

Impact:
Discrepancy between the actual SYN Cookie mode and the reported SYN Cookie mode for a short period of time after a SYN flood attack.

Workaround:
Disable hardware SYN Cookie mode.

---

1089853-1 : "Virtual Server" or "Bot Defense Profile" links in Request Details are not working

Component: Application Security Manager

Symptoms:
Nothing happens when you click the link for "Virtual Server" or "Bot Defense Profile" in request details on "Security ›› Event Logs : Bot Defense : Bot
Requests" page.

Conditions:
1. Go to Security ›› Event Logs : Bot Defense : Bot
Requests" page and click a Bot Request for details.
2. If "Virtual Server" or "Bot Defense Profile" has a hyperlink, the link does not work.

Impact:
You cannot reach the related pages of Virtual Server or Bot Profile details

Workaround:
Right-click one of the links above - and choose to open it in a new tab or new window.

---

1089829-4 : PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers

Links to More Info: BT1089829

Component: Policy Enforcement Manager

Symptoms:
SIGSEGV tmm cores with back trace in PEM area.
"pem_sessiondump --list" command will show session with custom attribute name as empty/NULL.

Conditions:
Setting pem session custom attribute value with length more than (1024- attribute name length).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
In the iRule, make sure the custom attribute value size + custom attribute name length is not more than 1024.

---

1089005-5 : Dynamic routes might be missing in the kernel on secondary blades.

Links to More Info: BT1089005

Component: TMOS

Symptoms:
Dynamic routes might be missing in the kernel on secondary blades.

Conditions:
- Long VLAN names (16+ characters).
- MCPD unable to load configuration from binary database (software update/forceload was performed).

Impact:
Kernel routes are missing on secondary blades.

Workaround:
Restart tmrouted on the affected secondary blade. Note, this will also briefly affect TMM dynamic routes.
<bigstart restart tmrouted>

---

1088849-1 : Inconsistent behavior while sending malformed request to /TSbd URLs

Links to More Info: BT1088849

Component: Application Security Manager

Symptoms:
When the BIG-IP system receives crafted/malformed requests to fictive /TSbd URLs, the BIG-IP system behaves in three different ways:

-- Displaying a default response page with Support ID
-- Reset the connection
-- Displaying an alternative response page, e.g. 'Leaked Credentials Detected' OR 'Login Failed').

Conditions:
Use malformed /TSbd URLs.

Impact:
Inconsistent behavior for malformed /TSbd fictive URLs.

---

1088597-1 : TCP keepalive timer can be immediately re-scheduled in rare circumstances

Links to More Info: BT1088597

Component: Local Traffic Manager

Symptoms:
In rare circumstances, the TCP timer is rescheduled immediately due to the utilization of the interval encompassing also the idle_timeout.

Conditions:
Virtual Server with:

- TCP Profile
- SSL Profile with alert timeout configured

Another way this can occur is by manually deleting connections, which effectively only sets the idle timeout to 0.

Impact:
High CPU utilization potentially leading to reduced performance.

Workaround:
If the alert timeout is not re-enabled in the SSL Profile that should be sufficient.

---

1088173-3 : With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile

Links to More Info: BT1088173

Component: Local Traffic Manager

Symptoms:
Log files indicate that the client certificate is retained when it should not be.

Conditions:
Enable TLS 1.3 and disable retain-certificate parameter in SSL profile

Impact:
Storage of client certificates will increase memory utilization.

Workaround:
None

---

1087569-5 : Changing max header table size according HTTP2 profile value may cause stream/connection to terminate

Links to More Info: BT1087569

Component: Local Traffic Manager

Symptoms:
BIG-IP initializes HEADER_TABLE_SIZE to the profile value and thus when it exceeds 4K (RFC default), the receiver's header table size is still at the default value. Therefore, upon receiving header indexes which has been removed from its table, receiver sends GOAWAY (COMPRESSION_ERROR)

Conditions:
-- HTTP2 profile used in a virtual server
-- In the HTTP2 profile, 'Header Table Size' is set to a value greater than 4096

Impact:
Stream/connection is terminated with GOAWAY (COMPRESSION_ERROR)

Workaround:
Issue can be avoided by restoring the header-table-size value to the default of 4096

---

1087469-3 : iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate.

Links to More Info: BT1087469

Component: Local Traffic Manager

Symptoms:
When an SSL client connects to BIG-IP system and sends an empty certificate, the CLIENTSSL_CLIENTCERT is not triggered for iRules.

Conditions:
- Virtual server configured on BIG-IP with a clientssl profile
- Client authentication on the virtual server is set to "request"
- iRule relying on CLIENTSSL_CLIENTCERT
- A client connects to BIG-IP using an empty certificate

Impact:
CLIENTSSL_CLIENTCERT irules aren't triggered.

Workaround:
None

---

1087217-3 : TMM crash as part of the fix made for ID912209

Links to More Info: BT1087217

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
BIG-IP versions 16.1.0 or later which includes the fix of ID912209.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

---

1087005-1 : Application charset may be ignored when using Bot Defense Browser Verification

Links to More Info: BT1087005

Component: Application Security Manager

Symptoms:
In some cases, when using Bot Defense Browser Verification, the application <meta charset> tag may be ignored.

Conditions:
-- Bot Defense Profile is attached to a virtual server.
-- Bot Defense "Browser Verification" is configured to "Verify Before Access" or "Verify After Access"
-- Backend application uses non-standard charset.

Impact:
Random meta chars are viewed in the web page.

Workaround:
Run the command:
tmsh modify sys db dosl7.parse_html_inject_tags value "after,body"

---

1086517-3 : TMM may not properly exit hardware SYN cookie mode

Links to More Info: BT1086517

Component: TMOS

Symptoms:
Due to a race condition, when one TMM exits SYN cookie mode, another may immediately re-enter hardware SYN cookie mode, keeping the virtual server in SYN cookie mode and the mitigation offloaded to hardware. The SYN cookie status of the virtual server is not properly updated and will show 'not-activated'.

Conditions:
Hardware SYN cookie protection is enabled and SYN cookie mode is triggered.

Impact:
A virtual server that once entered hardware SYN cookie mode may remain in that state indefinitely. The reduced MSS size may affect performance of that virtual server.

Workaround:
Disable hardware SYN cookie either locally via the TCP or FastL4 profile, or globally by the PvaSynCookies.Enabled BigDB variable. Software SYN cookie mode is unaffected.

---

1086473-4 : BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake

Links to More Info: BT1086473

Component: Local Traffic Manager

Symptoms:
When a client attempts to resume the TLS session using the Session-ID in its Client Hello from a previous session, the BIG-IP agrees by using the same Session-ID in its Server Hello, but then proceeds to perform a full handshake (Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done) instead of an abbreviated handshake (Server Hello, Change Cipher Spec, Server Hello Done).

This is a violation of the TLS RFC.

Conditions:
- High availability (HA) pair of two BIG-IP units.
- LTM virtual server with a client-ssl profile.
- Mirroring enabled on the virtual server

Impact:
Client-side TLS session resumption not working.

Workaround:
Disable mirroring on the virtual server

---

1085837-3 : Virtual server may not exit from hardware SYN cookie mode

Links to More Info: BT1085837

Component: TMOS

Symptoms:
Once a virtual server enters hardware SYN cookie mode it may not exit until a TMM restart.

Conditions:
-- On B2250 and B4450 platforms.
-- A condition triggers SYN cookie mode and then goes back to normal.

Impact:
-- Virtual servers in hardware SYN cookie mode do not receive TCP SYN packets.
-- The limited number of possible TCP MSS values may have a light performance impact.

Workaround:
Disable hardware SYN cookie mode on the affected objects.

---

1085661-2 : Standby system saves config and changes status after sync from peer

Links to More Info: BT1085661

Component: Application Security Manager

Symptoms:
After running config sync from an Active to a Standby device, the sync status is in SYNC for a short period time.
After a while, it automatically goes to Changes Pending status.

The same symptom was reported via ID698757 and fixed in earlier versions, but the same can happen via different scenario.

Conditions:
Create an ASM policy and let the system determining language encoding from traffic.

Impact:
The high availability (HA) configuration goes out of SYNC.

Workaround:
To prevent the issue from happening, you can manually configure language encoding

---

1085597-2 : IKEv1 IPsec peer cannot be created in config utility (web UI)

Links to More Info: BT1085597

Component: TMOS

Symptoms:
It is not possible to configure an IKE peer using the web UI.

Conditions:
-- Configuring an IKEv1 peer
-- Using the configuration utility (web UI)

Impact:
Configuration cannot be created.

Workaround:
Use the tmsh shell to create the ike-peer config.

---

1084965-4 : Low visibility of attack vector

Links to More Info: BT1084965

Component: Local Traffic Manager

Symptoms:
The DoS vector FIN 'Only Set' is not triggered and causes lack of visibility of the attack vector.

Conditions:
-- Using BIG-IP Virtual Edition

Impact:
There is reduced visibility of possible attacks on the BIG-IP.

Workaround:
Check 'drop_inv_pkt' with the tmctl table, "tmm/ndal_rx_stats".

---

1084901-2 : Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh

Links to More Info: BT1084901

Component: Advanced Firewall Manager

Symptoms:
You are unable to modify IPV6 + Route domain for Network Firewall Rule Lists using the GUI

Conditions:
-- AFM is provisioned
-- IPv6 with route domain is being used in an address list

Impact:
Unable to create/manage Firewall rule lists for IPv6 with a route domain.

Workaround:
Use tmsh to create/manage firewall rule lists for IPv6 with a route domain.

---

1084857-1 : ASM::support_id iRule command does not display the 20th digit

Links to More Info: BT1084857

Component: Application Security Manager

Symptoms:
ASM::support_id iRule command does not display the 20th digit.

A support id seen in REST/TMUI that has 20 digits, e.g 13412620314886537617 is displayed as 1341262031488653761 with the iRule command ( the last digit '7' is stripped ).

Conditions:
ASM::support_id iRule command

Impact:
Inability to trace request events using the support id

---

1083621-5 : The virtio driver uses an incorrect packet length

Links to More Info: BT1083621

Component: Local Traffic Manager

Symptoms:
In some cases, tmm might drop network packets.

In rare circumstances, this might trigger tmm to crash.

Conditions:
BIG-IP Virtual Edition using the virtio driver. You can see this in /var/log/tmm ("indir" is zero):
  notice virtio[0:5.0]: cso: 1 tso: 0 lro: 1 mrg: 1 event: 0 indir: 0 mq: 0 s: 1

Impact:
Tmm might drop packets.

In rare circumstances, this might trigger tmm to crash. Traffic disrupted while tmm restarts.

Workaround:
None

---

1083589-4 : Some connections are dropped on chained IPv6 to IPv4 virtual servers.

Links to More Info: BT1083589

Component: Local Traffic Manager

Symptoms:
IPv6 virtual servers targeting IPv4 virtual servers (for example, using the 'virtual' iRule command) might drop traffic coming from some clients unexpectedly.

Note: See also ID1002945 (https://cdn.f5.com/product/bugtracker/ID1002945.html), which is a closely related issue.

Conditions:
- IPv6 to IPv4 virtual server chaining.

Impact:
Traffic is dropped.

Workaround:
Apply a SNAT with an IPv4 address to the IPv6 virtual server.

---

1083513-3 : BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd

Links to More Info: BT1083513

Component: Application Security Manager

Symptoms:
"Challenge Failure Reason" field in a request event log shows N/A.

Conditions:
The db key has not been changed manually on the system.

Impact:
"Challenge Failure Reason" field is disabled.

Workaround:
Disable the key and re-enable, then save.

tmsh modify sys db botdefense.disable_challenge_failure_reporting value disable
tmsh modify sys db botdefense.disable_challenge_failure_reporting value enable
tmsh save sys config

---

1082581-3 : Apmd sees large memory growth due to CRLDP Cache handling

Component: Access Policy Manager

Symptoms:
Apmd memory keeps growing slowly over time and finally oom killer kills apmd.

Conditions:
Access policy has the crldp auth agent configured.

Impact:
Apmd killed by oom-killer thereby impacting traffic

Workaround:
None

---

1082193-4 : TMSH: Need to update the version info for SERVER_INIT in help page

Links to More Info: BT1082193

Component: TMOS

Symptoms:
The SERVER_INIT iRule event was introduced in version 14.0.0. But in tmsh help it is showing as version 13.1.0.

Conditions:
-- Using tmsh to configure an iRule event
-- The BIG-IP version is 13.1.0 and you use tab complete for 'tmsh help ltm rule event SERVER_INIT'

Impact:
The tmsh help makes it appear as if SERVER_INIT is supported in version 13.1.0 when it is not.

Workaround:
None

---

1081813-3 : A rst_stream can erronously tear down the overall http2 connection.

Links to More Info: BT1081813

Component: Local Traffic Manager

Symptoms:
Clients report pages load intermittently

Conditions:
-- HTTP2 virtual server

Impact:
HTTP2 connections may be erroneously torn down.

Workaround:
None.

---

1081649-3 : Remove the "F5 iApps and Resources" link from the iApps->Package Management

Links to More Info: BT1081649

Component: TMOS

Symptoms:
The "F5 iApps and Resources" is being removed.

Conditions:
NA

Impact:
iApp page shows "F5"

Workaround:
None

---

1081641-5 : Remove Hyperlink to Legal Statement from Login Page

Links to More Info: BT1081641

Component: TMOS

Symptoms:
The hyperlink to the legal statement should be removed from the login page.

Conditions:
This appears on the login page of OEM-branded BIG-IP systems.

Impact:
The OEM GUI shows the F5 logo/info.

Workaround:
None

---

1080957-5 : TMM Seg fault while Offloading virtual server DOS attack to HW

Links to More Info: BT1080957

Component: Advanced Firewall Manager

Symptoms:
TMM crashes during virtual server DOS attack scenarios.

Conditions:
-- HSB-equipped hardware platforms.
-- The attack is detected on configured virtual server Dos Vector and trying to offload to hardware.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

---

1080925-4 : Changed 'ssh-session-limit' value is not reflected after restarting mcpd

Links to More Info: BT1080925

Component: TMOS

Symptoms:
Change 'ssh-session-limit' field from 'disabled' to 'enable'. Save the config . Restart the mcpd and check the value of the field 'ssh-session-limit'. It appears to be the same 'disabled'.

Conditions:
The issue occurs when MCPD restores the configuration from its binary database file.

Impact:
Enabling and disabling "ssh-session-limit" will have an undesirable effect when creating ssh sessions, and you will not be able to edit the field.

Workaround:
None

---

1080613-4 : "Installation of Automatically Downloaded Updates" configuration in LiveUpdate is lost during the first tomcat restart, after upgrading to versions having the fix of ID907025.&start;

Links to More Info: BT1080613

Component: Application Security Manager

Symptoms:
LiveUpdate configuration, such as "Installation of Automatically Downloaded Updates", and update installation history get lost and revert to default.

Conditions:
This occurs during the first tomcat restart, after upgrading to versions that have the fix for ID907025.

Impact:
The live update configuration and installation history are reverted to the default.

Workaround:
After upgrade, restart tomcat and re-configure. After this the issue won't occur and the configuration is retained.

---

1080297-5 : ZebOS does not show "log syslog" in the running configuration, or store it in the startup configuration

Links to More Info: BT1080297

Component: TMOS

Symptoms:
ZebOS does not show the "log syslog" or "no log syslog" in the running configuration, nor is it saved to the startup configuration.

There is no way to know if the 'log syslog' is configured or not by checking the configuration.

Conditions:
-- Under Configure log syslog.
-- Check the show running-config.

Impact:
There is no way to know if the 'log syslog' is configured or not by checking the configuration.

If syslog logging has been disabled using 'no log syslog', and then zebos is restarted, for example by rebooting or upgrading the BIG-IP, syslog logging will revert to the default setting, which is enabled.

Workaround:
If logging to syslog is not desired, it must be re-disabled every time the zebos daemons are started, using "no log syslog"

---

1079985-2 : int_drops_rate shows an incorrect value

Links to More Info: BT1079985

Component: Advanced Firewall Manager

Symptoms:
int_drops_rate shows an incorrect value, it shows a cumulative value instead of an avg value, same as int_drops and syncookies.hw_syncookies.

Conditions:
A tcp-halfOpen attack or similar SYN attack where SYNs are flooded into the BIG-IP system.

Impact:
It is difficult to figure out the drop rate per second

Workaround:
None

---

1079441-4 : APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries

Links to More Info: BT1079441

Component: Access Policy Manager

Symptoms:
APMD memory can grow over a period of time

Conditions:
-- A BIG-IP system with the patched cyrus-sasl/krb5 libraries

Impact:
APMD memory can grow over a period of time

Workaround:
None

---

1078741-3 : Tmm crash

Links to More Info: BT1078741

Component: Local Traffic Manager

Symptoms:
Tmm crashes while processing an iRule while handling traffic.

Conditions:
-- HTTP virtual server
-- HTTP profile with explicit proxy having default-connect-handling allowed
-- iRule with SERVER_CONNECTED event

Impact:
Traffic disrupted while tmm restarts.

---

1078669-1 : iRule command “RESOLVER::name_lookup” returns null for TCP resolver with TC (truncated) flag set.

Component: Global Traffic Manager (DNS)

Symptoms:
“RESOLVER::name_lookup” returns null for TCP resolver with TC set.

Conditions:
Backend server returns very large DNS response.

Impact:
iRule command does not give any response but with TC set.

Workaround:
N/A

---

1077789-5 : System might become unresponsive after upgrading.&start;

Links to More Info: BT1077789

Component: TMOS

Symptoms:
After upgrading, the system encounters numerous issues:

-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory amount assigned to 'host' category.

Conditions:
-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.

Exact conditions that trigger this issue are unknown and could be varied. In the environment in which it occurs, a datagroup is deleted, but an iRule still references it.

Impact:
-- System down, too busy to process traffic.
-- Difficulty logging in over SSH might require serial console access.

Workaround:
Reboot to an unaffected, pre-upgrade volume.

-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.

-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.

Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.

For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.

---

1077553-4 : Traffic matches the wrong virtual server after modifying the port matching configuration

Links to More Info: BT1077553

Component: Local Traffic Manager

Symptoms:
Traffic matches the wrong virtual server.

Conditions:
A virtual server configured to match any port is modified to matching a specific port. Alternatively, a virtual server matching a specific port is modified to match any port.

Impact:
Traffic may be directed to the wrong backend server.

Workaround:
Restart the TMM after the config change.

---

1077533-4 : BIG-IP fails to restart services after mprov runs during boot.

Links to More Info: BT1077533

Component: TMOS

Symptoms:
Very occasionally, after mprov runs after a reboot the BIG-IP may fail to start with logs similar to the following:

bigip1 info mprov:7459:[7459]: 'admd failed to stop.'
bigip1 err mprov:7459:[7459]: 'admd failed to stop, provisioning may fail.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
...
bigip1 err mcpd[5584]: 01071392:3: Background command '/usr/bin/mprov.pl --quiet --commit asm avr host tmos ui ' failed. The command was signaled.

Conditions:
Occurs rarely after a reboot.

Impact:
The BIG-IP is unable to finish booting.

Workaround:
Reboot the BIG-IP again.

---

1077405-1 : Ephemeral pool members may not be created with autopopulate enabled.

Links to More Info: BT1077405

Component: TMOS

Symptoms:
Ephemeral pool members might not be added to a pool with an FQDN pool member "autopopulate enabled".

When this issue occurs:

-- Some or all of the expected Ephemeral Pool Members will not be created for the affected pool.

-- A message will be logged in the LTM log similar to the following:

err mcpd[####]: 01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (/Common/_auto_<IP address>) has autopopulate set to disabled.

(Note that the node name here is an Ephemeral Node.)

Also note that if you attempt to create an FQDN Pool Member with autopopulate enabled while the corresponding FQDN Node has autopopulate disabled, you will see a similar error message:
01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (/Common/fred) has autopopulate set to disabled.

Conditions:
This issue can occur under the following conditions:

-- Two or more FQDN Nodes have FQDN names that resolve to the same IP address(es).
  -- That is, some Ephemeral Nodes have addresses resolved by more than one FQDN name defined in FQDN Nodes.

-- At least one of these FQDN Nodes has "autopopulate enabled."

-- At least one of these FQDN Nodes does not have "autopopulate enabled."
  -- That is, autopopulate is disabled for one or more of these FQDN Nodes.

-- The FQDN Pool Member(s) in the affected pool(s) has "autopopulate enabled."

Impact:
The affected LTM pool(s) are not populated with expected (or any) ephemeral pool members.

Workaround:
To allow some LTM pools to use FQDN pool members with autopopulate enabled (allowing multiple ephemeral pool members to be created) while other LTM pools use FQDN pool members with autopopulate (allowing only one ephemeral pool member to be created), configure the following:

-- Create all FQDN Nodes with FQDN names that might resolve to a common/overlapping set of IP addresses with "autopopulate enabled".

-- Create FQDN Pool Members with autopopulate enabled or disabled depending on the desired membership for each pool.

---

1077293-3 : APPIQ option still showing in BIG-IP GUI even though its functionality migrated to BIG-IQ.

Links to More Info: BT1077293

Component: TMOS

Symptoms:
AppIQ is still visible in the System :: Configuration screen.

Conditions:
Navigating to the System :: Configuration : AppIQ page.

Impact:
AppIQ appears to be able to be provisioned but it has been removed from the BIG-IP system.

Workaround:
N/A

---

1077281-1 : Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages

Component: Application Security Manager

Symptoms:
When a policy contains an individual login page in session tracking, the exported xml policy fails to be imported back due to error “Malformed XML: Could not resolve foreign key dependence”.

Conditions:
The policy contains an individual login page in session tracking and the policy is exported in xml format

Impact:
Import the policy fails with an error: "Could not resolve foreign key dependence”.

Workaround:
This occurs when using XML format only, so you can use binary export/import

---

1076897-5 : OSPF default-information originate command options not working properly

Links to More Info: BT1076897

Component: TMOS

Symptoms:
OSPF default-information originate command options are not working properly.

Conditions:
Using OSPF default-information originate with metric/metric-type options.

Impact:
Incorrect route advertisement.

Workaround:
None

---

1076825-2 : "Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.

Links to More Info: BT1076825

Component: Application Security Manager

Symptoms:
"Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.

Conditions:
Upgrading to v16.1.x from earlier releases.

Impact:
Configuration of "Installation of Automatically Downloaded Updates" is lost and reverts to default.

Workaround:
Manually configure "Installation of Automatically Downloaded Updates" after the upgrade.

---

1076801-5 : Loaded system increases CPU usage when using CS features

Links to More Info: BT1076801

Component: TMOS

Symptoms:
When the BIG-IP system is under heavy load, datasyncd might create multiple java obfuscator processes running at the same time, which increases load even more.

Conditions:
-- CPU utilization on the BIG-IP system is high.

And one or more of the following conditions:

-- Bot Defense profile is attached to a virtual server
-- DoS profile with CS/Captcha mitigation is attached to the virtual server
-- ASM policy with brute force configuration is attached to the virtual server

Impact:
System load is increased.

Workaround:
None.

---

1076785-3 : Virtual server may not properly exit from hardware SYN Cookie mode

Links to More Info: BT1076785

Component: TMOS

Symptoms:
Virtual servers do not exit hardware SYN Cookie mode even after the SYN flood attack stops. The TMSH 'show ltm virtual' output shows 'full hardware' mode.

Conditions:
Selected HSB platforms where TMM is attached to multiple HSB modules. This depends on platform, BIG-IP version and selected Turboflex profile where applicable.

Impact:
The affected virtual server would not receive the TCP SYN packets until a TMM restart. The limited range of MSS values in SYN Cookie mode may slightly affect performance.

Workaround:
Disable hardware SYN Cookie mode on all virtual servers.

---

1076577-4 : iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg'

Links to More Info: BT1076577

Component: Local Traffic Manager

Symptoms:
The 'connect' iRule command fails to resume, causing processing of traffic to halt due to 'irule_scope_msg', which causes iRule processing to proceed in a way that 'connect' does not expect.

Conditions:
- iRule using 'connect' command
- Diameter/Generic-message 'irule_scope_msg' enabled

Impact:
Traffic processing halts (no crash)

---

1075905-4 : TCP connections may fail when hardware SYN Cookie is active

Links to More Info: BT1075905

Component: TMOS

Symptoms:
When an object is in hardware SYN Cookie mode, some of the valid connections are also rejected with "No flow found for ACK" reset cause.

Conditions:
VELOS and rSeries platforms.

Impact:
Service degradation.

Workaround:
Disable hardware SYN Cookie on all objects (virtual server, VLAN, etc.).

---

1073897-1 : TMM core due to memory corruption

Links to More Info: BT1073897

Component: Local Traffic Manager

Symptoms:
Tmm restarts

Conditions:
Unknown

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

---

1073677-2 : Add a db variable to enable answering DNS requests before reqInitState Ready

Links to More Info: BT1073677

Component: Global Traffic Manager (DNS)

Symptoms:
When a new GTM is added to the Sync group, it takes a significant amount of time, and the newly added GTM won't become ready.

Conditions:
-- GTMs in a cluster with a large number of persist records
-- A new GTM device is added

Impact:
Clients of the BIG-IP GTM do not receive an answer, and application failures may occur.

Workaround:
None

---

1072165-5 : Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format

Links to More Info: BT1072165

Component: Application Security Manager

Symptoms:
Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format

Conditions:
ASM remote logging in ArcSight format

Impact:
Due to the missing fields, the remote message does not tell name of threat campaign name(s) that was detected.

Workaround:
Use other message format.

---

1070957-4 : Database monitor log file backups cannot be rotated normally.

Links to More Info: BT1070957

Component: Local Traffic Manager

Symptoms:
Debug log files used by the BIG-IP database monitor daemon (DBDaemon) do not exhibit the log-rotation behavior of other BIG-IP log files.
- The active DBDaemon log file is /var/log/DBDaemon-0.log
- DBDaemon log file size is limited to approximately 5MB. DBDaemon log files are backed up/rotated upon reaching this size.
- Exactly 9 (nine) DBDaemon log file backups are retained (/var/log/DBDaemon-0.log.[1-9])
- DBDaemon log file backups are not compressed.
- DBDaemon log file backup/rotation behavior is not user-configurable.

Conditions:
This issue applies when using BIG-IP database monitors:
-- mssql
-- mysql
-- oracle
-- postrgresql

Impact:
-- DBDaemon log file backups may consume more space under /var/log than desired.
-- When troubleshooting database monitor issues, DBDaemon log file rotation may occur so rapidly that older DBDaemon events may be lost, limiting the ability to capture meaningful diagnostic data.

Workaround:
It may be possible to work around this issue by periodically archiving DBDaemon log files, such as in a script with the following core functionality:
pushd /var/log;tar -czf DBDaemon_$(date +%Y%m%d%H%M).tgz DBDaemon-0.log*;popd

---

1070953-5 : Dnssec zone transfer could cause numerous gtm sync events.

Links to More Info: BT1070953

Component: Global Traffic Manager (DNS)

Symptoms:
GTM syncs for zone transfers that happen on other GTMs.

Conditions:
Dnssec zone transfer to client on peer GTM in the same GTM sync group.

Impact:
Numerous GTM sync and possible sync storm.

Workaround:
N/A

---

1070833-3 : False positives on FileUpload parameters due to default signature scanning

Links to More Info: BT1070833

Component: Application Security Manager

Symptoms:
False positives on FileUpload parameters due to signature scanning by default

Conditions:
A request containing binary content is sent in "FileUpload" type parameters

Impact:
False positives and ineffective resource utilization

Workaround:
Disable signature scanning on "FileUpload" parameters manually using GUI/REST.

---

1070789-1 : SSL fwd proxy invalidating certificate even through bundle has valid CA

Links to More Info: BT1070789

Component: Local Traffic Manager

Symptoms:
BIG-IP system rejects SSL forward proxy connections due to expired CA certificates present in ca-bundle even though other, valid CA certificates exist.

Conditions:
-- Forward proxy is enabled in client and server SSL profiles.
-- A valid CA certificate is followed by an expired CA certificate in ca-bundle.

Impact:
SSL handshakes will fail.

Workaround:
Remove all invalid trusted (i.e., expired) certificates from the certificate chain and replace them with a valid trusted certificate.

---

1069137-1 : Missing AWAF sync diagnostics

Links to More Info: BT1069137

Component: Application Security Manager

Symptoms:
Complex issues related to Policy Synchronization over Device Sync Groups and chassis are difficult to diagnose.
More detailed logging is needed if errors occur.

Conditions:
Device Group Sync is enabled on a chassis device.

Impact:
Root cause analysis is lengthy and difficult.

Workaround:
Enable debug logs in the environment:
> tmsh modify sys db log.asm.asmconfiglevel value debug
> tmsh modify sys db log.asm.asmconfigvent.level value debug
> tmsh modify sys db log.asm.asmconfigverbose.level value debug

---

1068673-4 : SSL forward Proxy triggers CLIENTSSL_DATA event on bypass.

Links to More Info: BT1068673

Component: Local Traffic Manager

Symptoms:
The CLIENTSSL_DATA iRule event is triggered unexpectedly during SSL forward proxy bypass.

Conditions:
This issue is seen when SSL forward proxy with bypass is enabled on client & server SSL profiles.

Impact:
This can cause unexpected failure of existing iRules which only expect CLIENTSSL_DATA on intercepted (and decrypted) data.

Workaround:
N/A

---

1067821-5 : Stats allocated_used for region inside zxfrd is overflowed

Links to More Info: BT1067821

Component: Global Traffic Manager (DNS)

Symptoms:
No visible symptoms.

Conditions:
Large resource record addition and deletion for dns express zones.

Impact:
Internal zxfrd stats are incorrect.

---

1067589-4 : Nsyncd memory leak.

Links to More Info: BT1067589

Component: Application Security Manager

Symptoms:
Memory usage for nsyncd increases over time, pressuring the device into OOM.

Conditions:
-- High availability (HA) environment with ASM sync failover device group.
-- ASU file are being installed by Live Update.

Impact:
OOM activity causing random process restarts and disruption.

Workaround:
Restart the nsyncd daemon.

---

1065681-2 : Sensitive data is not masked under certain conditions.

Links to More Info: BT1065681

Component: Application Security Manager

Symptoms:
Sensitive data (or part of it) is visible in the request logs or the remote log.

Conditions:
A parameter that is defined as a JSON profile. That profile has the parse parameters flag set.

Impact:
Sensitive data is visible in the log.

Workaround:
There are 2 possible workarounds:
1. Make the parameter that contains the json a sensitive parameter.
2. In the json profile attached to the parameter, uncheck the parse parameters flag. You will see a tab of sensitive data added in the UI. In that tab, explicitly add the JSON element as a sensitive element.

---

1065353-2 : Disabling ciphers does not work due to the order of cipher suite.

Links to More Info: BT1065353

Component: Local Traffic Manager

Symptoms:
You are not able to disable a list of ciphers.

Conditions:
The cipher list is given in an order in the tmsh command 'tmm --clientciphers'

Impact:
Inconsistent behavior of the command "tmm --clientciphers".

Workaround:
Reorder the ciphers in the list and pass the reordered list to "tmm --clientciphers".

---

1063977-4 : Tmsh load sys config merge fails with "basic_string::substr" for non-existing key.

Links to More Info: BT1063977

Component: Local Traffic Manager

Symptoms:
"tmsh load sys config merge" fails with the following error.

Loading configuration...
  /var/tmp/repro.txt
01070711:3: basic_string::substr
Unexpected Error: Loading configuration process failed.

Conditions:
The key referenced in the configuration of the SSL profile does not exist in the BIG-IP.

Impact:
"tmsh load sys config merge" fails which is expected, but the error is not meaningful.

Workaround:
Identify the missing SSL key used in the configuration and correct it.

---

1063653-3 : TMM Crash while processing traffic on virtual server.

Links to More Info: BT1063653

Component: Local Traffic Manager

Symptoms:
TMM core while processing traffic on a virtual server.

Conditions:
iRule Execution during processing HTTP response.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

---

1063237-6 : Stats are incorrect when the management interface is not eth0

Links to More Info: BT1063237

Component: TMOS

Symptoms:
The provision.managementeth db variable can be used to change which interface the management interface is bridged to:

https://clouddocs.f5.com/cloud/public/v1/shared/change_mgmt_nic_google.html

If this is changed to something other than eth0, the management interface stats will continue to be read from eth0 and thus be incorrect.

Conditions:
When provision.managementeth is changed to something other than eth0.

Impact:
Management interface stats are incorrect.

Workaround:
Reconfigure the management interface to use eth0

---

1060989-1 : Improper handling of HTTP::collect

Component: Local Traffic Manager

Symptoms:
When a complete body has been received and a new HTTP::collect is attempted, an error occurs:

TCL error: /Common/rule_vs_server_15584 <HTTP_RESPONSE_DATA> - ERR_ARG (line 1) invoked from within "HTTP::collect 256000"

Conditions:
- HTTP Virtual server
- incremental HTTP::collect irule

Impact:
iRule failure

Workaround:
None

---

1060409-5 : Behavioral DoS enable checkbox is wrong.

Links to More Info: BT1060409

Component: Anomaly Detection Services

Symptoms:
Behavioral DoS Enabled indicator is wrongly reported after configuration change, when no traffic is injected to the virtual server.

Conditions:
Behavioral DoS is enabled and then disabled when no traffic is injected to the virtual server.

Impact:
After server health is stabilized and constant, the BIG-IP system doesn't report the configuration changes.

Workaround:
Send 1-2 requests to the server and the configuration will be updated.

---

1060369-2 : HTTP MRF Router will not change serverside load balancing method

Links to More Info: BT1060369

Component: Local Traffic Manager

Symptoms:
Selecting a different load balancing mechanism (i.e. an iRule or Local Traffic Policy selecting a different pool/node, the "virtual" command, etc) does not work for subsequent HTTP/1.x requests on a keep-alive connection.

Conditions:
-- "HTTP MRF Router" virtual server (virtual server has an "httprouter" profile attached)
-- Virtual server is handling HTTP/1.x traffic

Impact:
Traffic is load-balanced to incorrect destination.

Workaround:
None.

---

1060145-4 : Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2.

Links to More Info: BT1060145

Component: Global Traffic Manager (DNS)

Symptoms:
When secondary slot reboots and it gets the configuration from the primary blade, the secondary throws a validation error and enters into a restart loop.

The following error is logged:

Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/Common/bbt-generic-bigip 10.1.10.12 80 gtm-vs) was not found.... failed validation with error 16908342.

Conditions:
-- Change the virtual server address on the LTM (manual edit of bigip.conf and load).

-- Reboot the secondary slot.

Impact:
Mcpd enters a restart loop on the secondary slot.

Workaround:
N/A

---

1060021-3 : Using OneConnect profile with RESOLVER::name_lookup iRule might result in core.

Links to More Info: BT1060021

Component: Local Traffic Manager

Symptoms:
Tmm might core while using a OneConnect profile with iRule command RESOLVER::name_lookup.

Conditions:
1. One connect profile attached.
2. iRules with RESOLVER::name_lookup command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Don't use RESOLVER::name_lookup iRule on virtual that uses the oneconnect profile.

---

1056941-3 : HTTPS monitor continues using cached TLS version after receiving fatal alert.

Links to More Info: BT1056941

Component: Local Traffic Manager

Symptoms:
After an HTTPS monitor completes successfully, the TLS version is cached and used for subsequent monitor probes.
If the back end server TLS version changes between monitor polls and no longer allows the cached TLS version, the back end server correctly sends a fatal alert to the BIG-IP in response to the no longer allowed TLS version.
The BIG-IP will continue to use the cached, now prohibited, version in all subsequent probes resulting in a false down resource until the cached information is cleared on the BIG-IP.

Conditions:
ClientSSL profile is changed on backend BIG-IP device's virtual server,

Impact:
BIG-IP continues to send prohibited TLS version and reports the member as down.

Workaround:
-- Delete and re-add pool member.
-- Change HTTPS monitor to any other monitor (including another HTTPS monitor) and then back.
-- Restart bigd with "bigstart restart bigd" - Note that this impacts all monitoring on the BIG-IP.
-- Restart BIG-IP - Note that this impacts all traffic on the BIG-IP.

---

1054717-4 : Incorrect Client Summary stats for transparent cache.

Links to More Info: BT1054717

Component: Global Traffic Manager (DNS)

Symptoms:
The Client Summary section in transparent cache is incorrect for transparent cache.

Conditions:
Transparent cache attached to a DNS profile.

Impact:
Efficacy of DNS Transparent cache stats reduced.

Workaround:
N/A

---

1050165-2 : APM - users end up with SSO disabled for their session, admin intervention required to clear session

Links to More Info: BT1050165

Component: Access Policy Manager

Symptoms:
If a user is trying to access a webtop resource that is configured behind APM single sign-on (SSO) which has failed for some reason, then the SSO process for that user is disabled for the rest of that session's life time.

Conditions:
-- Configure Kerberos SSO
-- Configure a network resource (a user's mail box configured on exchnage server, or an IIS based web service)

Impact:
BIG-IP Admin has to intervene to release the affected session manually.

Workaround:
None

---

1048989-1 : Slight correction of button titles in the Data Guard Protection Enforcement

Component: Application Security Manager

Symptoms:
A button title read as "Ignored URLs / Enforced URLs" instead of "Ignore URLs / Enforce URLs".

Conditions:
1. On the Security > Application Security > Security Policies > Policies List > <selected_policy> screen, click the Data Guard tab.

2. Look on the Data Guard Protection Enforcement (Wildcards Supported) button fields. The button title should appear as Ignore/Enforce URLs.

Impact:
The title of the button is misleading.

Workaround:
None

---

1048445-4 : Accept Request button is clickable for unlearnable violation illegal host name

Links to More Info: BT1048445

Component: Application Security Manager

Symptoms:
For the following violations:
- VIOL_HOSTNAME (Hostname violation)
- VIOL_HOSTNAME_MISMATCH (Hostname mismatch violation)

The accept button is clickable when it should not. Accept Request button should be disabled for this violations.

Conditions:
Generate an illegal host name or hostname mismatch violation.

Impact:
Request will not be accepted even though you have elected to accept the illegal request.

Workaround:
Do not accept the request to hostname and hostname mismatch violation, no ASM config changes will be triggered.

---

1046917-5 : In-TMM monitors do not work after TMM crashes

Links to More Info: BT1046917

Component: In-tmm monitors

Symptoms:
After TMM crashes and restarts, in-TMM monitors do not run. Monitored pool members are down.

Conditions:
-- In-TMM monitors are enabled.
-- TMM exits abnormally, as a result of one of the following:
  + TMM crashing and restarting
  + TMM being sent a termination signal (i.e. using 'pkill' to kill TMM)

Note: This issue does not occur if TMM is restarted using 'bigstart' or 'tmsh sys service'.

Impact:
Monitored pool members are offline.

Workaround:
One of the following:

1. Do not use in-TMM monitors.

2. After TMM restarts, manually restart bigd:
   tmsh restart sys service bigd

3. Add an entry to /config/user_alert.conf such as the following, so that the system restarts bigd when TMM starts up.

On an appliance or single-slot vCMP guest/tenant:

alert id1046917 "Tmm ready - links up." {
    exec command="bigstart restart bigd"
}

On a VIPRION or multi-slot vCMP guest/tenant:

alert id1046917 "Tmm ready - links up." {
    exec command="clsh --color=all bigstart restart bigd"
}

Note: This change must be made separately on each device in a ConfigSync device group.

---

1041469-1 : Request Log Page: Line break in the middle of the word in the note next to Block this IP Address

Component: Application Security Manager

Symptoms:
Words may break in the middle before going to the next line.

Conditions:
1. Create Policy, for example Fundamental
2. Disable Alarm and Block flags for the "IP is blacklisted" violation in Learning and Blocking Settings
3. Apply Policy
4. Send request:

GET / HTTP/1.1
User-Agent: python-requests/2.21.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Request-Id: 003390
Host: 10.0.1.101:7000


5. open request details in Security ›› Event Logs : Application : Requests
6. click the arrow next to Source IP Address
7. Set Block this IP Address to Always

Impact:
Words at the end of the line and the beginning of the next line may seems broken. Only cosmetic impact.

Workaround:
None

---

1040465-2 : Incorrect SNAT pool is selected

Links to More Info: BT1040465

Component: Local Traffic Manager

Symptoms:
An incorrect SNAT pool is selected when an SSL Forward Proxy is configured and BYPASS is enabled along with an iRule to choose the SNAT pool.

Conditions:
-- Virtual Server has SSL Forward Proxy Deployment with BYPASS enabled
-- iRule configured to decide the SNAT pool members
-- Virtual Server passes the traffic

Impact:
Traffic diverted to incorrect SNAT pool when BYPASS happens.

---

1040277-6 : Syslog-ng issue may cause logging to stop and possible reboot of a system

Links to More Info: BT1040277

Component: TMOS

Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to logging via syslog-ng to stop.

For software version 13.1 only it may lead to BIG-IP unexpectedly rebooting due to host watchdog timeout, typically within hours to day or two after syslog-ng gets hung up.


The cessation of logging happens at the time of the last 'Syslog connection broken' in /var/log/messages before reboot.
That message will appear without a preceding 'Syslog connection established' just before it with same timestamp.

At this time syslog-ng typically spins, using near 100% CPU.

Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.

A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to stream of log messages by breaking connection eg by sending ICMP port unreachable to BIG-IP.

Syslog-ng will note the connection attempt and that it has broken usually in the same second, and do so every 60s when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:

  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

The final log will of a broken connection only, usually one minute after the last established/broken pair in the very rare event that syslog-ng hangs.

  Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.

Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable. If a remote server is not reachable remove it from the BIG-IP syslog configuration.

---

1040153-4 : Topology region returns narrowest scope netmask without matching

Links to More Info: BT1040153

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP returns malformed packets or the narrowest scope not matching the request.

Conditions:
Mixed sub networks with different mask length.

Impact:
Malformed packets.

Workaround:
Do not put mixed subnets in one region.

---

1037877-5 : OAuth Claim display order incorrect in VPE

Links to More Info: BT1037877

Component: Access Policy Manager

Symptoms:
In the visual policy editor (VPE), it is difficult to re-order custom previously created Claims in the oAuth Authorization agent.

The following error is thrown in the developer tools screen of the client browser:
common.js?m=st&ver=15.1.2.1-0.0.10.0:902 Uncaught TypeError: Cannot read property 'row' of undefined
    at Object.common_class.swap (common.js?m=st&ver=15.1.2.1-0.0.10.0:902)
    at multipleObjectsSelectionCBDialogue_class.swapEntries (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263)
    at HTMLAnchorElement.<anonymous> (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185)
common_class.swap @ common.js?m=st&ver=15.1.2.1-0.0.10.0:902
multipleObjectsSelectionCBDialogue_class.swapEntries @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263
(anonymous) @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185

Conditions:
-- There are at least two claims in Access :: Federation : OAuth Authorization Server : Claim
-- You are attempting to reorder the claims in the visual policy editor

Impact:
It is not possible to re-order the claims

Workaround:
None

---

1036613-6 : Client flow might not get offloaded to PVA in embryonic state

Links to More Info: BT1036613

Component: TMOS

Symptoms:
The client flow is not offloaded in embryonic state, but only is only offloaded once the flow transitions to an established state.

Conditions:
-- FastL4 profile configured to offload TCP connections in embryonic state (this is the default)
-- Clientside and serverside ingress traffic is handled by different TMMs
-- Running on a platform with multiple HSB modules per TMM, i.e.:
--+ BIG-IP i11600 Series
--+ BIG-IP i15600 Series

Impact:
- minor performance degradation;
- PVA traffic counters show unexpectedly high values;

---

1035757-5 : iRulesLX restart leaves stale files in /var/tmstat/blade/tmplugin_ilx_*

Links to More Info: BT1035757

Component: Local Traffic Manager

Symptoms:
After restarting the ilx plugin, new tmplugin_ilx_rpc_* stat files are being created, but old files are not being deleted.

Conditions:
- ilx configured
- ilx plugin restarted

Impact:
The presence of too many of these leftover files might prevent merged from rolling up stats and providing graphs and cause such errors:

err merged[8523]: 011b0900:3: TMSTAT error tmstat_remerge: Cannot allocate memory.

Workaround:
Delete stale tmplugin_ilx_* files manually

---

1035361-7 : Illegal cross-origin after successful CAPTCHA

Links to More Info: BT1035361

Component: Application Security Manager

Symptoms:
After enabling CAPTCHA locally on BIG-IP with brute force, after configured login attempts, CAPTCHA appears, but after bypassing the CAPTCHA successfully the user receives a support ID with cross-origin violation.

Conditions:
- brute force with CAPTCHA mitigation enforced on login page.
- cross-origin violation is enforced on the login page.
- user fails to login until CAPTCHA appears
- user inserts the CAPTCHA correctly

Impact:
- blocking page appears.
- on the event log cross-origin violation is triggered.

Workaround:
- disable cross-origin violation enforcement.

---

1032257-5 : Forwarded PVA offload requests fail on platforms with multiple PDE/TMM

Links to More Info: BT1032257

Component: TMOS

Symptoms:
Forwarded PVA requests use a static bigip_connection that does not have its pva_pde_info initialized, which results in offload failure on platforms that have multiple PDEs per TMM.

Conditions:
Pva_pde_info is not initialized and Forwarded PVA requests occur.

Impact:
Hardware offload does not occur.

---

1029373-3 : Firefox 88+ raising Suspicious browser violations with bot defense

Links to More Info: BT1029373

Component: Application Security Manager

Symptoms:
Bot-defense might block legal traffic arriving from Firefox version 88

Conditions:
- ASM provisioned
- bot-defense profile assigned on a virtual server

Impact:
Legal traffic is blocked

Workaround:
Tmsh modify sys db botdefense.suspicious_js_score value 60

---

1029105-2 : Hardware SYN cookie mode state change logs bogus virtual server address

Links to More Info: BT1029105

Component: TMOS

Symptoms:
When a virtual server enters or exits hardware SYN cookie mode, a bogus IP address is logged in /var/log/ltm. For example:

Syncookie HW mode activated, server name = /Common/vs server IP = 0.0.0.3:0

Conditions:
A virtual server enters or exits hardware SYN cookie mode.

Impact:
Only the logging information is wrong, the hardware SYN cookie mode functions correctly.

Workaround:
None

---

1028081-2 : [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page

Links to More Info: BT1028081

Component: Access Policy Manager

Symptoms:
1. Users connecting with F5 Access from an Android device see string "function () {[native code]}" in the Logon Page Form 'Username' field.
2. This issue only affects the F5 Access embedded browser. It works fine when connecting from the same Android device using Chrome. F5 Access from iOS is also working fine.

Conditions:
Configure an access policy with modern customization that includes a Logon Page.

Impact:
The string "function () {[native code]}" appears in the Logon Page Form 'Username' field.

Workaround:
This solution is temporal as changes are lost after an upgrade.
steps:
1) create a copy of the original "main.js" file
# cp /var/sam/www/webtop/public/include/js/modern/main.js /var/sam/www/webtop/public/include/js/modern/main.js.origin

2) edit the file using an editor (e.g., vi).
# vi /var/sam/www/webtop/public/include/js/modern/main.js
modify
window.externalAndroidWebHost.getWebLogonUserName to window.externalAndroidWebHost.getWebLogonUserName()
and
window.externalAndroidWebHost.getWebLogonPassword to window.externalAndroidWebHost.getWebLogonPassword()

3) Restart BIG-IP

---

1026781-4 : Standard HTTP monitor send strings have double CRLF appended

Links to More Info: BT1026781

Component: Local Traffic Manager

Symptoms:
Standard (bigd-based, not In-TMM) HTTP monitors have a double CRLF appended (\r\n\r\n) to the send string. This does not comply with RFC1945 section 5.1 which states requests must terminate with a single CRLF (\r\n). This non-compliant behavior can lead to unexpected results when probing servers.

Conditions:
Standard bigd (not In-TMM) HTTP monitors

Impact:
Servers probed by these non-RFC-compliant HTTP monitors may respond in an unexpected manner, resulting in false negative or false positive monitor results.

Workaround:
There are several workarounds:

1. If running 13.1.0 or later, switch monitoring from bigd-based to In-TMM. In-TMM monitors properly follow RFC1945 and will send only a single CRLF (\r\n)

2. Remain with bigd-based monitoring and configure probed servers to respond to double CRLF (\r\n\r\n) in a desired fashion

Depending on server configuration, a customized send string, even with the double CRLF, may still yield expected responses.

---

1025089-6 : Pool members marked down by database monitor due to stale cached connection

Links to More Info: BT1025089

Component: Local Traffic Manager

Symptoms:
By default, BIG-IP database monitors (mssql, mysql, oracle, postgresql) are configured to keep a connection to the database server open between monitor probes to avoid the overhead of establishing the network connection to the database server for each query operation.
If this cached network connection times out or is dropped by the database server, it is marked as "stale" when the next probe occurs, and a new connection is made during the next scheduled monitor probe.
In the meantime, due to the lost connection, the monitored pool member may be marked DOWN until the next scheduled monitor probe. This is more likely to occur when a database monitor is used to monitor a GTM pool member instead of an LTM pool member, due to differences between how monitors are configured for GTM versus LTM.

Conditions:
This may occur under the following conditions:
-- GTM or LTM pool members are monitored by a database monitor, configured such that a single probe failure will mark the member DOWN. (Such configuration may be more common for GTM monitors.)
-- Either the database server times out or drops the connection for some reason, or no database monitor probes are sent to the database server within a 5 minute interval.

Impact:
-- GTM or LTM pool members monitored by a database monitor may be marked DOWN temporarily if the network connection to the database server is dropped or times out.

-- High CPU utilization is observed on control plane cores.

Workaround:
To work around this issue, perform one of the following actions:
-- Configure the database (mssql, mysql, oracle, postgresql) monitor with a "count" value of "1". This prevents the caching/reuse of network connections to the database server between probes. Thus there is no cached connection to time out/get dropped. However, the overhead of establishing the network connection to the database server will be incurred for each probe.
-- Configure the database monitor "interval" and "timeout" values (for an LTM monitor), or the "interval", "timeout", "probe-attempts", "probe-interval" and "probe-timeout" values (for a GTM monitor) such that multiple failed monitor probes are required before the monitored member is marked DOWN.

---

1024421-4 : At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log

Links to More Info: BT1024421

Component: TMOS

Symptoms:
TMM log shows clock advancing and MPI timeout messages:

notice slot1 MPI stream: connection to node aborted for reason: TCP RST from remote system (tcp.c:5201)
notice slot1 tmm[42900]: 01010029:5: Clock advanced by 6320 ticks

Conditions:
-- pva.standby.flush DB key set to 1 (enabled). The default is 0.
-- Processing high traffic volume for some time

Impact:
Upstream switch could receive flow response from both active and standby units and cause a traffic disturbance.

---

1023529-4 : FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory.

Links to More Info: BT1023529

Component: Local Traffic Manager

Symptoms:
Command "tmsh show sys tmm-traffic" reports non-zero number of current connections but "tmsh show sys connection" shows nothing.

Conditions:
-- A virtual sever with fastL4 profile with infinite timeout enabled and an iRule containing "after" command. Having "-periodic" argument makes the problem more prominent.
-- Aggressive sweeper activated due to low memory conditions.

Impact:
Connections that were supposed to be removed by aggressive sweeper but were waiting for completion of an iRule may end up in a state where they are not reported by "tmsh show sys connection." Because of this issue, these connections cannot be deleted manually using 'tmsh del sys connection", but remain in memory. Their presence can be confirmed by non-zero number of current connections shown by "tmsh show sys tmm-traffic". Because of the infinite timeout setting, they will not timeout by themselves either.

Workaround:
N/A

---

1023229-5 : False negative on specific authentication header issue

Links to More Info: BT1023229

Component: Application Security Manager

Symptoms:
Blocking does not occur on a specific authentication header issue when a non-default internal parameter is set.

Conditions:
ignore_authorization_header_decode_failure is not set to 0

Impact:
A request with an authentication header issue can pass.

Workaround:
None

---

1021637-5 : In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs

Links to More Info: BT1021637

Component: Application Security Manager

Symptoms:
CSRF is sometimes enforced on URLs that do not match the CSRF URLs list

Conditions:
ASM policy with CSRF settings

Impact:
URLs that do not match the CSRF URLs list can be blocked due to CSRF violation.

Workaround:
None

---

1021609-5 : Improve matching of URLs with specific characters to a policy.

Links to More Info: BT1021609

Component: Application Security Manager

Symptoms:
Request with a URL containing specific characters is not matched to the correct policy.

Conditions:
URL of request contains specific percent-encoded characters.

Impact:
The request will not be matched by an expected policy rule.

Workaround:
Add an additional rule with explicit decoded characters.

---

1020717-5 : Policy versions cleanup process sometimes removes newer versions

Links to More Info: BT1020717

Component: Application Security Manager

Symptoms:
The policy versions cleanup process sometimes removes versions in incorrect order. Newer versions are removed while older versions are preserved.

Conditions:
"maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg" has very low value.

Impact:
Newer versions are removed.

Workaround:
increase value of "maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg"

---

1019829-4 : Configsync.copyonswitch variable is not functioning on reboot

Links to More Info: BT1019829

Component: TMOS

Symptoms:
Configsync.copyonswitch variable is not functioning properly during reboot to another partition

Conditions:
-- db variable configsync.copyonswitch modified
-- hostname is changed in global-settings
-- reboot to another partition

Impact:
The hostname will be changed back to the default hostname after reboot

---

1017557-5 : ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN

Links to More Info: BT1017557

Component: Application Security Manager

Symptoms:
ASM BD sends a reset back to the client when the backend server sends a response without proper terminating 0 chunk followed by FIN.

Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Backed server sends a bad chunked response

Impact:
Valid requests can be reset.

Workaround:
Any one of the following workarounds can be applied.

-- Fix backed server behavior.
-- Fix bad response using iRule, appending proper terminating 0 chunk
-- Change ASM internal /usr/share/ts/bin/add_del_internal update bypass_upon_load 1

---

1009337-3 : LACP trunk down due to bcm56xxd send failure

Links to More Info: BT1009337

Component: TMOS

Symptoms:
Lacp reports trunk(s) down. lacpd reports having trouble writing to bcm56xxd over the unix domain socket /var/run/uds_bcm56xxd.

Conditions:
Not known at this time.

Impact:
An outage was observed.

Workaround:
Restart bcm56xxd, lacpd, and lldpd daemons.

---

1004697-4 : Saving UCS files can fail if /var runs out of space

Links to More Info: BT1004697

Component: iApp Technology

Symptoms:
When saving a UCS, /var can fill up leading to UCS failure and the following log message:

err diskmonitor[1441]: 011d0004:3: Disk partition /var has only 0% free

Conditions:
-- iApps LX installed.
-- Multiple iApps LX applications.
-- A /var partition of 1.5 GB.

Impact:
UCS archives can not be created.

Workaround:
You can use either of the following Workarounds:

-- Manually remove the /var/config/rest/node/tmp/BUILD and /var/config/rest/node/tmp/BUILDROOT directories.

-- Increase the size of /var/. For information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952

---

1003765-3 : Authorization header signature triggered even when explicitly disabled

Links to More Info: BT1003765

Component: Application Security Manager

Symptoms:
Requests with base64 encoded Authorization header with disabled signatures might result in a blocking page even though the specific signature is disabled.

Conditions:
Base64 encoded Authorization header is included in the request.

Impact:
A signature violation is detected, even though the signature is disabled.

Workaround:
None

---

1003377-4 : Disabling DoS TCP SYN-ACK does not clear suspicious event count option

Links to More Info: BT1003377

Component: Advanced Firewall Manager

Symptoms:
When the 'Only Count Suspicious Events' option is turned on for the TCP SYN ACK Flood vector and the vector gets disabled, TMM continues operating as if 'Only Count Suspicious Events' is still configured.

Conditions:
Disabling TCP SYN ACK Flood vector with 'Only Count Suspicious Events' enabled.

Impact:
BIG-IP system might continue altering TCP initial sequence numbers for SYN-ACK cookie validations.

Workaround:
Disable the 'Only Count Suspicious Events' option first, and then disable TCP SYN ACK Flood vector.

---

1002969-5 : csyncd can consume excessive CPU time&start;

Links to More Info: BT1002969

Component: Local Traffic Manager

Symptoms:
Following a configuration change or software upgrade, the "csyncd" process becomes always busy, consuming excessive CPU.

Conditions:
-- occurs on a multiblade VIPRION chassis
-- may occur with or without vCMP
-- may occur after configuring F5 Telemetry Streaming, but may also occur in other circumstances
-- large numbers of files are contained in one or more of the directories being sync'ed between blades

Impact:
The overuse of CPU resources by "csyncd" may starve other control-plane processes. Handling of payload network traffic by the data plane is not directly affected.

Workaround:
To mitigate the processing load, identify which directory or directories contain excessive numbers of files being replicated between blades by "csyncd". If this replication is not absolutely needed, such a directory can be removed from the set of directories being sync'ed.

For example: if there are too many files being generated in the "/run/pamcache" directory (same as "/var/run/pamcache"), remove this directory from the set being acted upon by "csyncd" by running the following commands to comment-out the associated lines in the configuration file:

# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"

# clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"

# clsh "bigstart restart csyncd"

If the problem was observed soon after the installation of F5 Telemetry Streaming, the configuration can be adjusted to make csyncd ignore the related files in a subdirectory of "/var/config/rest/iapps". Run the following commands:

# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"

# clsh "sed -i '/\/var\/config\/rest\/iapps/a \ \ \ \ \ \ \ \ ignore f5-telemetry' /etc/csyncd.conf"

# clsh "bigstart restart csyncd"

---

1000561-6 : HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side

Links to More Info: BT1000561

Component: Local Traffic Manager

Symptoms:
HTTP/2 virtual servers pass the chunk size bytes from the server-side (HTTP/1.1) to the client-side (HTTP/2) when OneConnect and request-logging profiles are applied.

This results in a malformed HTTP response.

Conditions:
-- BIG-IP configured with a HTTP/2 virtual server using OneConnect and request-logging profiles.
-- The pool member sends a chunked response.

Impact:
The HTTP response passed to the client-side includes chunk size header values when it should not, resulting in a malformed HTTP response.

Workaround:
Change HTTP response-chunking to either 'unchunk' or 'rechunk' in the HTTP profile for the virtual server.

---

1000069-5 : Virtual server does not create the listener

Links to More Info: BT1000069

Component: Local Traffic Manager

Symptoms:
A virtual-address is in an offline state.

Conditions:
An address-list is used on a virtual server in a non-default route domain.

Impact:
The virtual IP address remains in an offline state.

Workaround:
Using tmsh, create the traffic-matching-criteria. Specify the route domain, and attach it to the virtual server.

---

&start; This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade