Applies To:
BIG-IP APM 17.0.0
BIG-IP Link Controller 17.0.0
BIG-IP Analytics 17.0.0
BIG-IP LTM 17.0.0
BIG-IP PEM 17.0.0
BIG-IP AFM 17.0.0
BIG-IP DNS 17.0.0
BIG-IP FPS 17.0.0
BIG-IP ASM 17.0.0
BIG-IP Release Information
Version: 17.0.0.2
Build: 2.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1143073-5 | CVE-2022-41622 | K94221585, BT1143073 | iControl SOAP vulnerability CVE-2022-41622 | 17.0.0.2, 15.1.8.1 |
1106161-1 | CVE-2022-41800 | K13325942, BT1106161 | Securing iControlRest API for appliance mode | 17.0.0.2, 15.1.8.1 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1113385-5 | 3-Major | BT1113385 | Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP | 17.0.0.2, 15.1.8.1 |
1103369-1 | 3-Major | BT1103369 | DELETE of REST auth token does not result in deletion of the pamcache token file on a multi slot VIPRION chassis or vCMP guest | 17.0.0.2, 15.1.8.1 |
1073005-5 | 3-Major | | iControl REST use of the dig command does not follow security best practices | 17.0.0.2, 15.1.8.1 |
1032553-6 | 3-Major | | Core when virtual server with destination NATing receives multicast | 17.0.0.2, 15.1.8 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1134085-3 | 2-Critical | BT1134085 | Intermittent TMM core when iRule is configured with SSL persistence | 17.0.0.2, 15.1.8.1 |
1112445-1 | 2-Critical | | Fix to avoid zombie node on the chain | 17.0.0.2 |
890917-10 | 3-Major | | Performance may be reduced while processing SSL traffic | 17.0.0.2, 15.1.8.1 |
1093821-5 | 3-Major | | TMM may behave unexpectedly while processing HTTP traffic | 17.0.0.2 |
1062569-3 | 3-Major | | HTTP/2 stream bottom filter leaks memory at teardown under certain conditions | 17.0.0.2 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1107437-4 | 2-Critical | | TMM may crash when enable-rapid-response is enabled on a DNS profile | 17.0.0.2, 15.1.8.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1105389-3 | 3-Major | | Incorrect HTTP request handling may lead to resource leak | 17.0.0.2, 15.1.8 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1174873-5 | 3-Major | BT1174873 | The location header query string separator is converted from "?" to "%3F" breaking multi-domain | 17.0.0.2, 15.1.8.1 |
1065917-1 | 3-Major | | BIG-IP APM Virtual Server does not follow security best practices | 17.0.0.2, 15.1.7 |
Cumulative fixes from BIG-IP v17.0.0.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1106289-1 | CVE-2022-41624 | K43024307, BT1106289 | TMM may leak memory when processing sideband connections. | 17.0.0.1, 16.1.3.2, 15.1.7, 14.1.5.2, 13.1.5.1 |
1104493-2 | CVE-2022-35272 | K90024104, BT1104493 | Client-side abort during server-side establishment may cause tmm to behave abnormally in HTTP MRF proxy | 17.0.0.1, 16.1.3.1 |
1093621-5 | CVE-2022-41832 | K10347453 | Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP | 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1, 13.1.5.1 |
1085729-1 | CVE-2022-41836 | K47204506, BT1085729 | bd may crash while processing specific request | 17.0.0.1, 16.1.3.1, 15.1.7 |
1066673-7 | CVE-2022-35728 | K55580033, BT1066673 | BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions | 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
919357-9 | CVE-2022-41770 | K22505850, BT919357 | iControl REST hardening | 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
740321-5 | CVE-2022-34851 | K50310001, BT740321 | iControl SOAP API does not follow current best practices | 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1084013-5 | CVE-2022-36795 | K52494562, BT1084013 | TMM does not follow TCP best practices | 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1006921-8 | CVE-2022-33962 | K80970653, BT1006921 | iRules Hardening | 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1063641-5 | CVE-2022-33968 | K23465404, BT1063641 | NTLM library hardening | 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1063637-5 | CVE-2022-33968 | K23465404, BT1063637 | NTLM library hardening | 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1036057-5 | 3-Major | BT1036057 | Add support for line folding in multipart parser. | 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1025261-4 | 3-Major | BT1025261 | Restjavad uses more resident memory in control plane after software upgrade | 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1071621-2 | 4-Minor | BT1071621 | Increase the number of supported traffic selectors | 17.0.0.1, 16.1.3.1, 15.1.6.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1128245 | 1-Blocking | BT1128245 | Secure Vault value created as part of block restricted property does not sync to the peer after High Availability (HA) sync | 17.0.0.1 |
1101705-1 | 1-Blocking | BT1101705 | RSA-KEX ciphers list are removed from httpd configuration in FIPS mode since these are non-approved ciphers for FIPS 140-3 certification | 17.0.0.1, 16.1.3 |
989517-4 | 2-Critical | BT989517 | Acceleration section of virtual server page not available in DHD | 17.0.0.1, 16.1.3.1, 15.1.6.1 |
957637-4 | 2-Critical | BT957637 | The pfmand daemon can crash when it starts. | 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
940225-5 | 2-Critical | BT940225 | Not able to add more than 6 NICs on VE running in Azure | 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
1108181-5 | 2-Critical | BT1108181 | iControl REST call with token fails with 401 Unauthorized | 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
886649-6 | 3-Major | BT886649 | Connections stall when dynamic BWC policy is changed via GUI and TMSH | 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
1091345-1 | 3-Major | BT1091345 | The /root/.bash_history file is not carried forward by default during installations. | 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1089849-1 | 3-Major | BT1089849 | NIST SP800-90B compliance | 17.0.0.1, 16.1.3 |
1087621-3 | 3-Major | BT1087621 | IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload | 17.0.0.1, 16.1.3.1, 15.1.6.1 |
1083537-1 | 3-Major | BT1083537 | FIPS 140-3 Certification | 17.0.0.1, 16.1.2.2 |
1061481-4 | 3-Major | BT1061481 | Denied strings were found in the /var/log/ folder after an update or reboot | 17.0.0.1, 16.1.3 |
1042737-5 | 3-Major | BT1042737 | BGP sending malformed update missing Tot-attr-len of '0' | 17.0.0.1, 16.1.3.1, 15.1.7 |
1024661-4 | 3-Major | BT1024661 | SCTP forwarding flows based on VTAG for bigproto | 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1090569-2 | 4-Minor | BT1090569 | After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV | 17.0.0.1, 16.1.3.1, 15.1.6.1 |
1080317-4 | 4-Minor | BT1080317 | Hostname is getting truncated on some logs that are sourced from TMM | 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1067105-5 | 4-Minor | BT1067105 | Racoon logging shows incorrect SA length. | 17.0.0.1, 16.1.3.1, 15.1.7 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1074517-4 | 2-Critical | BT1074517 | Tmm may core while adding/modifying traffic-class attached to a virtual server | 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
922413 | 3-Major | BT922413 | Excessive memory consumption with ntlmconnpool configured | 17.0.0.1, 16.1.3.1, 15.1.7 |
748886-5 | 3-Major | BT748886 | Virtual server stops passing traffic after modification | 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1091761-5 | 3-Major | BT1091761 | Mqtt_message memory leaks when iRules are used | 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1082505-1 | 3-Major | BT1082505 | TLS ciphersuites including RSA-KEX are non-approved ciphers for FIPS 140-3 certification | 17.0.0.1, 16.1.3 |
1082225-6 | 3-Major | BT1082225 | Tmm may core while Adding/modifying traffic-class attached to a virtual server. | 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1022453-5 | 3-Major | BT1022453 | IPv6 fragments are dropped when packet filtering is enabled. | 17.0.0.1, 16.1.3.1, 15.1.7 |
1006157-7 | 3-Major | BT1006157 | FQDN nodes not repopulated immediately after 'load sys config' | 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1104073-1 | 4-Minor | BT1104073 | Use of iRules command whereis with "isp" or "org" options may cause TCL object leak. | 17.0.0.1, 16.1.3.1, 15.1.7 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1091249-1 | 3-Major | BT1091249 | BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address. | 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1084673-1 | 4-Minor | BT1084673 | GTM Monitor "require M from N" status change log message does not print pool name | 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
886533-4 | 3-Major | BT886533 | Icap server connection adjustments | 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1084257-1 | 3-Major | | New HTTP RFC Compliance check for incorrect newline separators in headers | 17.0.0.1, 15.1.7 |
1082461-1 | 3-Major | BT1082461 | The enforcer cores during a call to 'ASM::raise' from an active iRule | 17.0.0.1, 16.1.3.1, 15.1.6.1 |
1078765-5 | 3-Major | BT1078765 | Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer. | 17.0.0.1, 16.1.3.1, 15.1.7 |
1062493-5 | 3-Major | BT1062493 | BD crash close to its startup | 17.0.0.1, 16.1.3.1, 15.1.7 |
1056957-2 | 3-Major | BT1056957 | An attack signature can be bypassed under some scenarios. | 17.0.0.1, 16.1.3.1 |
1030133-1 | 3-Major | BT1030133 | BD core on XML out of memory | 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1014973-6 | 3-Major | BT1014973 | ASM changed cookie value. | 17.0.0.1, 16.1.3.1, 15.1.7 |
948241-5 | 4-Minor | BT948241 | Count Stateful anomalies based only on Device ID | 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
947333-1 | 4-Minor | BT947333 | Irrelevant content profile diffs in Policy Diff | 17.0.0.1, 16.1.3.1 |
1073625-1 | 4-Minor | BT1073625 | Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled. | 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1058297-1 | 4-Minor | BT1058297 | Policy history values for 'max Size Of Saved Versions' and for 'min Retained Files In Dir' are reset during upgrade | 17.0.0.1, 16.1.3.1, 15.1.7 |
1040513-4 | 4-Minor | BT1040513 | The counter for "FTP commands" is always 0. | 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1014573-5 | 4-Minor | BT1014573 | Several large arrays/objects in JSON payload may core the enforcer | 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1029689-1 | 5-Cosmetic | BT1029689 | Inconsistent username "SYSTEM" in Audit Log | 17.0.0.1, 16.1.3.1, 15.1.7 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1097821-1 | 3-Major | BT1097821 | Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified | 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1103233-1 | 4-Minor | BT1103233 | Diameter in-tmm monitor is logging disconnect events unnecessarily | 17.0.0.1, 16.1.3.1, 15.1.7 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
977153-6 | 3-Major | BT977153 | Packet with routing header IPv6 as next header in IP layer fails to be forwarded | 17.0.0.1, 16.1.3.1, 15.1.7 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1090649-4 | 3-Major | BT1090649 | PEM errors when configuring IPv6 flow filter via GUI | 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1084993-5 | 3-Major | BT1084993 | [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching | 17.0.0.1, 16.1.3.1, 15.1.7 |
911585-6 | 4-Minor | BT911585 | PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval | 17.0.0.1, 16.1.3.1, 15.1.7 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
832133-6 | 3-Major | BT832133 | In-TMM monitors fail to match certain binary data in the response from the server | 17.0.0.1, 16.1.3.1, 15.1.7 |
Cumulative fix details for BIG-IP v17.0.0.2 that are included in this release
989517-4 : Acceleration section of virtual server page not available in DHD
Links to More Info: BT989517
Component: TMOS
Symptoms:
Cannot use the Advanced menu to create a virtual server for HTTP/2 on systems with DHD licenses, because the Acceleration section is not available.
You can create the virtual server via TMSH and it works, but as soon as you use the GUI to modify it, it loses the HTTP/2 configuration.
Conditions:
The Acceleration section is not visible when 'DoS' is provisioned (available with the DHD license).
Impact:
1) You are unable to use the GUI to modify any parameters of the Acceleration table in the virtual server page.
2) Loss of configuration items if making changes via the GUI.
Workaround:
A virtual server with parameters present in the Acceleration table can still be created using TMSH. However, do not edit that virtual server in the GUI, or the Acceleration parameters will be lost.
Fix:
The Acceleration table is now visible, and there is no loss of configuration items if making changes via the GUI.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1
977153-6 : Packet with routing header IPv6 as next header in IP layer fails to be forwarded
Links to More Info: BT977153
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems fail to follow RFC 5095, which specifies the traffic should be forwarded.
Conditions:
This symptom is found when the following conditions are met:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.
Impact:
This failure to forward the ICMP error message prevents the BIG-IP AFM product from completing certification.
Workaround:
None.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7
957637-4 : The pfmand daemon can crash when it starts.
Links to More Info: BT957637
Component: TMOS
Symptoms:
The pfmand process crashes and writes out a core file during bootup (or if the process is manually restarted by an Administrator for any reason) on certain platforms.
The crash may happen more than once, until the process finally settles and is able to start correctly.
Conditions:
-- Platforms i4000/i2000/i4800/i2800/i4600/i2600/i850.
Impact:
Network connection lost while pfmand restarts.
Workaround:
None
Fix:
The issue causing the pfmand daemon to occasionally crash has been resolved.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
948241-5 : Count Stateful anomalies based only on Device ID
Links to More Info: BT948241
Component: Application Security Manager
Symptoms:
Currently, when Device ID is enabled, the BIG-IP system counts stateful anomalies on both IP and Device ID. When a client is behind a proxy (without XFF) and many requests arrive with the same IP, this can cause false positives.
Conditions:
- Bot Defense profile is attached to a virtual server.
- Bot Defense profile has "Browser Verification" set to "Verify After Access" or "Device ID Mode" set to "Generate After Access".
Impact:
False positives may occur in case of a proxy without XFF
Workaround:
None
Fix:
Stateful anomalies are no longer counted on IP when Device ID is enabled
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
947333-1 : Irrelevant content profile diffs in Policy Diff
Links to More Info: BT947333
Component: Application Security Manager
Symptoms:
Defense attributes' grayed out values are shown in the policy diff even if "any" is selected
Conditions:
-- Import a policy
-- Perform a policy diff
Impact:
Policy diff showing irrelevant diffs
Workaround:
None
Fix:
Removed grayed out diffs from policy diff content profile section
Fixed Versions:
17.0.0.1, 16.1.3.1
940225-5 : Not able to add more than 6 NICs on VE running in Azure
Links to More Info: BT940225
Component: TMOS
Symptoms:
Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot.
Conditions:
-- Standard_DS4_v2 Azure instance type.
-- Mellanox ConnectX-3 ethernet controller.
-- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set.
-- Accelerated networking is enabled on two or more NICs.
Impact:
Not able to boot BIG-IP VM with 8 NICs, which should be supported for the Standard_DS4_v2 instance type (8 vCPU, 28 GiB, 8 max NICs).
Adding more NICs to the instance makes the device fail to boot.
Workaround:
None
Fixed Versions:
17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
922413 : Excessive memory consumption with ntlmconnpool configured
Links to More Info: BT922413
Component: Local Traffic Manager
Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server-side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client-side connections. It holds HTTP authentication headers, which are no longer necessary once a client is authenticated.
Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.
Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.
Workaround:
None.
Fix:
When an NTLM Conn Pool profile is attached to a virtual server, it no longer causes memory pressure on a large number of connections with NTLM authentication.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7
911585-6 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval
Links to More Info: BT911585
Component: Policy Enforcement Manager
Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.
Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)
Impact:
Session is not established.
Workaround:
None.
Fix:
Enhanced application to accept new sessions under problem conditions.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7
890917-10 : Performance may be reduced while processing SSL traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM and MCP may consume excessive resources while processing SSL traffic.
Conditions:
-- Using a virtual server with OCSP auth configured.
Impact:
High resource consumption may lead to reduced performance and eventually to a failover event.
Workaround:
None.
Fix:
TMM and MCP now process SSL traffic as expected.
Fixed Versions:
17.0.0.2, 15.1.8.1
886649-6 : Connections stall when dynamic BWC policy is changed via GUI and TMSH
Links to More Info: BT886649
Component: TMOS
Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.
Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.
Impact:
Connection does not transfer data.
Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.
Fixed Versions:
17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
886533-4 : Icap server connection adjustments
Links to More Info: BT886533
Component: Application Security Manager
Symptoms:
Request getting to the ICAP server takes a long time to process (several seconds), which makes the whole transaction slower than expected. When testing the connection to the ICAP server itself, you determine that it is fast.
Conditions:
This happens especially with large file uploads that are mixed with smaller file uploads. The smaller uploads are waiting for the bigger upload.
Impact:
Slow responses to specific requests.
Workaround:
None.
Fix:
This release provides greater responsiveness of the internal queue to the ICAP thread.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
832133-6 : In-TMM monitors fail to match certain binary data in the response from the server
Links to More Info: BT832133
Component: In-tmm monitors
Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system marks them DOWN.
Conditions:
This issue occurs when all of the following conditions are met:
- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).
- One or more TCP or HTTP monitors specify a receive string using HEX encoding, in order to match binary data in the server's response.
- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.
Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.
Workaround:
Either one of the following workarounds can be used:
- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.
- Do not monitor the application through a binary response (if the application allows it).
Fix:
The monitor finds the recv string and shows the pool or member as available.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7
748886-5 : Virtual server stops passing traffic after modification
Links to More Info: BT748886
Component: Local Traffic Manager
Symptoms:
A virtual server stops passing traffic after changes are made to it.
Conditions:
-- Virtual server is using a port-list or address-list
-- High availability (HA) environment with multiple traffic groups
-- A change is made to the virtual server
Impact:
Every time you make changes to the virtual server, the traffic-group for the virtual address is changed, and traffic goes down.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1174873-5 : The location header query string separator is converted from "?" to "%3F" breaking multi-domain
Links to More Info: BT1174873
Component: Access Policy Manager
Symptoms:
In multi-domain Single Sign-On (SSO), the location header query string separator is converted from "?" to "%3F", breaking multi-domain SSO.
Conditions:
- Create an access policy with a redirect to login page.
Impact:
Multi-domain SSO breaks.
Workaround:
None
Fix:
The issue was in the URL normalization function; normalization of the search filter parameters has been removed.
Fixed Versions:
17.0.0.2, 15.1.8.1
1134085-3 : Intermittent TMM core when iRule is configured with SSL persistence
Links to More Info: BT1134085
Component: Local Traffic Manager
Symptoms:
The TMM core file is observed.
Conditions:
Under certain conditions, the TMM core file is observed with iRule and SSL persistence.
Impact:
TMM core file is observed.
Workaround:
Perform either of the following tasks:
- Disable SSL persistence
- Disable iRule
Fix:
Added fix to handle cases which can lead to the TMM core file generation.
Fixed Versions:
17.0.0.2, 15.1.8.1
1128245 : Secure Vault value created as part of block restricted property does not sync to the peer after High Availability (HA) sync
Links to More Info: BT1128245
Component: TMOS
Symptoms:
Restricted storage ID is not synced to standby device.
Following is an example:
[root@bigip1ha:Standby:In Sync] config # restcurl shared/restricted-store/storage/39cf9918-dbf6-4097-8817-bfe9ae436f62
{
"code": 404,
"message": "shared/restricted-store/storage/39cf9918-dbf6-4097-8817-bfe9ae436f62",
"restOperationId": 6888310,
"errorStack": [],
"kind": ":resterrorresponse"
}
Conditions:
An SSL Orchestrator iApp block configuration with a restricted property is synced through HA migration.
Impact:
- Editing the SSLO iApp block configuration on the standby device and then deploying it fails.
- Decryption of the restricted properties on the standby device does not work.
Workaround:
Use the following steps:
1. GET on shared/restricted-store/storage to find the restricted ID for the corresponding iApp template.
Following is an example:
Active:
=======
[root@bigip1:Active:In Sync] config # restcurl shared/restricted-store/storage/c6fe376d-ac88-42bd-8b57-fac96709bb17
{
"id": "c6fe376d-ac88-42bd-8b57-fac96709bb17",
"encryptedData": "yjKX6Pz93wGF8qgvKuleYK+AeqIy3CiemI8shZsAy9nPQlfALl0RkgerwVDKI2NRTPsb/3kllb4wJj3oUydj7pQpqh82p5zUKuFKOJWLrG7spDijeFMlR/mI40fbvjB6JShaXSKiwyZtseq1tR/FHSNnbZhRaPg7qF5EwKay+DXHKihKrblvLI8aKe/+fOKN",
"generation": 1,
"lastUpdateMicros": 1666691181977380,
"kind": "shared:restricted-store:storage:restrictedstorestate",
"selfLink": "https://localhost/mgmt/shared/restricted-store/storage/c6fe376d-ac88-42bd-8b57-fac96709bb17"
}
Standby:
========
2. Make sure storage is not synced in Standby.
Following is an example:
[root@bigip1ha:Standby:In Sync] config # restcurl shared/restricted-store/storage/c6fe376d-ac88-42bd-8b57-fac96709bb17
{
"code": 404,
"message": "shared/restricted-store/storage/c6fe376d-ac88-42bd-8b57-fac96709bb17",
"restOperationId": 6888310,
"errorStack": [],
"kind": ":resterrorresponse"
}
[root@bigip1ha:Standby:In Sync] config # restcurl shared/restricted-store/storage/
{
"items": [],
"generation": 4,
"kind": "shared:restricted-store:storage:restrictedstorecollectionstate",
"lastUpdateMicros": 1666684046568524,
"selfLink": "https://localhost/mgmt/shared/restricted-store/storage"
}
3. POST on shared/restricted-store/storage with "ID" and "encryptedData" details from Active machine.
Following is an example:
[root@bigip1ha:Standby:In Sync] config # restcurl shared/restricted-store/storage/ -X POST -d '{"id": "c6fe376d-ac88-42bd-8b57-fac96709bb17",
"encryptedData": "yjKX6Pz93wGF8qgvKuleYK+AeqIy3CiemI8shZsAy9nPQlfALl0RkgerwVDKI2NRTPsb/3kllb4wJj3oUydj7pQpqh82p5zUKuFKOJWLrG7spDijeFMlR/mI40fbvjB6JShaXSKiwyZtseq1tR/FHSNnbZhRaPg7qF5EwKay+DXHKihKrblvLI8aKe/+fOKN"}'
{
"id": "c6fe376d-ac88-42bd-8b57-fac96709bb17",
"encryptedData": "yjKX6Pz93wGF8qgvKuleYK+AeqIy3CiemI8shZsAy9nPQlfALl0RkgerwVDKI2NRTPsb/3kllb4wJj3oUydj7pQpqh82p5zUKuFKOJWLrG7spDijeFMlR/mI40fbvjB6JShaXSKiwyZtseq1tR/FHSNnbZhRaPg7qF5EwKay+DXHKihKrblvLI8aKe/+fOKN",
"generation": 1,
"lastUpdateMicros": 1666692760785557,
"kind": "shared:restricted-store:storage:restrictedstorestate",
"selfLink": "https://localhost/mgmt/shared/restricted-store/storage/c6fe376d-ac88-42bd-8b57-fac96709bb17"
}
4. Make sure the storage is created in the standby with the same ID as on the active.
Following is an example:
[root@bigip1ha:Standby:In Sync] config # restcurl shared/restricted-store/storage/
{ "items": [
{
"id": "c6fe376d-ac88-42bd-8b57-fac96709bb17",
"encryptedData": "yjKX6Pz93wGF8qgvKuleYK+AeqIy3CiemI8shZsAy9nPQlfALl0RkgerwVDKI2NRTPsb/3kllb4wJj3oUydj7pQpqh82p5zUKuFKOJWLrG7spDijeFMlR/mI40fbvjB6JShaXSKiwyZtseq1tR/FHSNnbZhRaPg7qF5EwKay+DXHKihKrblvLI8aKe/+fOKN",
"generation": 1,
"lastUpdateMicros": 1666692760785557,
"kind": "shared:restricted-store:storage:restrictedstorestate",
"selfLink": "https://localhost/mgmt/shared/restricted-store/storage/c6fe376d-ac88-42bd-8b57-fac96709bb17"
}
],
"generation": 5,
"kind": "shared:restricted-store:storage:restrictedstorecollectionstate",
"lastUpdateMicros": 1666692760786844,
"selfLink": "https://localhost/mgmt/shared/restricted-store/storage"
}
5. Decrypt the restricted properties using the Block-Id and restrictedId.
Following is an example:
[root@bigip1ha:Standby:In Sync] config # restcurl shared/restricted-store/crypto -X POST -d '{"operation": "DECRYPT", "salt": "3100c16e-1c9d-4aff-bdfd-780fbe14dce6", "id": "c6fe376d-ac88-42bd-8b57-fac96709bb17"}'
{
"data": {
"list": [
{
"id": "T_1666691134763633",
"type": "STRING",
"value": "password"
},
{
"id": "T_1666691134763447",
"type": "STRING",
"value": "password"
}
]
},
"generation": 0,
"lastUpdateMicros": 0
}
6. In webUI, edit the same template on standby and deploy the application. Deployment is successful and no error observed.
Fixed Versions:
17.0.0.1
1113385-5 : Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP
Links to More Info: BT1113385
Component: TMOS
Symptoms:
REST tokens which are present in /var/run/pamcache on BIG-IP are not deleted after token expiration when there are a large number of tokens.
Conditions:
When a large number of tokens are generated.
Impact:
Disk space exhausted on the BIG-IP system.
Workaround:
Try to remove token files from /var/run/pamcache manually.
# rm -f /var/run/pamcache/*
Fix:
Expired tokens are removed from /var/run/pamcache by the BIG-IP system.
Fixed Versions:
17.0.0.2, 15.1.8.1
1112445-1 : Fix to avoid zombie node on the chain
Component: Local Traffic Manager
Symptoms:
TMM crashes because completed nodes are not removed from the chain.
Conditions:
Flushing to finally remove completed nodes avoids the TMM crash and avoids leaving zombie nodes.
Impact:
Subsequent activities on the connection could lead to TMM to crash or misbehave in a variety of ways.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0.2
1108181-5 : iControl REST call with token fails with 401 Unauthorized
Links to More Info: BT1108181
Component: TMOS
Symptoms:
For a short period after creating or refreshing a token, the iControl REST calls may fail with a 401 Unauthorized error and an HTML body content, or a 401 F5 Authorization Required error and a JSON body content.
When using F5 Ansible modules for BIG-IP, the modules may fail with an error "Expecting value: line 1 column 1 (char 0)".
The AS3 may return an error "AS3 API code: 401".
Conditions:
- REST call using valid token.
- Can commonly occur on the call after a token has been refreshed or a Token list has been requested.
Impact:
The iControl REST calls may temporarily fail (typically less than 1 second) after the creation or refresh of an iControl REST token.
Workaround:
After being issued a token or refreshing a token, wait a second before attempting to use it.
If this does not work, request a new token.
No workaround exists for AS3 or F5 Ansible BIG-IP modules.
Fix:
A race condition on a PAM file update has been resolved. Tokens should remain valid.
Fixed Versions:
17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
1107437-4 : TMM may crash when enable-rapid-response is enabled on a DNS profile
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crash
Conditions:
The "enable-rapid-response" option is enabled on a DNS profile, and the BIG-IP is a platform that has hardware syncookie capability.
Impact:
TMM restart, unexpected failover
Workaround:
Disable rapid response or disable syncookies in the tcp profile attached to the rapid response virtual server.
Fix:
TMM no longer crashes
Fixed Versions:
17.0.0.2, 15.1.8.1
1105389-3 : Incorrect HTTP request handling may lead to resource leak
Component: Application Security Manager
Symptoms:
Under certain configurations, specific HTTP requests may cause BD to waste resources and hang during the ingress process.
Conditions:
An unspecified virtual server configuration attached to an ASM policy.
Impact:
Excess resource consumption on the BIG-IP.
Traffic disruption while TMM restarts.
Workaround:
Configure high availability.
Fix:
The connection handling between the enforcer and the client after a response violation is received has been corrected.
Fixed Versions:
17.0.0.2, 15.1.8
1104493-2 : Client-side abort during server-side establishment may cause tmm to behave abnormally in HTTP MRF proxy
1104073-1 : Use of iRules command whereis with "isp" or "org" options may cause TCL object leak.
Links to More Info: BT1104073
Component: Local Traffic Manager
Symptoms:
When the iRules command whereis is used with the "isp" or "org" options and the underlying GEOIP database(s) have not been loaded, cur_allocs for TCL memory increases over time and does not return to the prior level.
Conditions:
- iRules command whereis is used with "isp" or "org" options
- The underlying GEOIP database(s) have not been loaded
Impact:
Cur_allocs for tcl memory increases over time and does not return to the prior level.
Workaround:
Load the underlying GEOIP database(s) before using "isp" or "org" options of the iRules command whereis.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7
1103369-1 : DELETE of REST auth token does not result in deletion of the pamcache token file on a multi slot VIPRION chassis or vCMP guest
Links to More Info: BT1103369
Component: TMOS
Symptoms:
REST tokens are not removed from the /var/run/pamcache cache when they expire or are deleted.
Conditions:
A large number of REST auth tokens get created.
Multi-slot VIPRION or Multi-slot vCMP Guest.
Impact:
The deleted token is still present in the cache.
Memory is consumed because the cache is stored in an in-memory filesystem.
Workaround:
Remove the pamcache directory from the set being acted upon by "csyncd" by running the following commands in bash:
# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
# clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"
# clsh "bigstart restart csyncd"
Fix:
Auth tokens in /run/pamcache are deleted as required.
Fixed Versions:
17.0.0.2, 15.1.8.1
1103233-1 : Diameter in-tmm monitor is logging disconnect events unnecessarily
Links to More Info: BT1103233
Component: Service Provider
Symptoms:
Errors are logged to /var/log/ltm:
err tmm[20104]: 01cc0006:3: Peer (<peer>) connection state has changed: disconnected
Conditions:
A diameter in-tmm monitor is configured
Impact:
Debug logs are logged at the error level.
Workaround:
None
Fix:
Log level has been changed to the debug level for the peer disconnected log.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7
1101705-1 : RSA-KEX ciphers list are removed from httpd configuration in FIPS mode since these are non-approved ciphers for FIPS 140-3 certification
Links to More Info: BT1101705
Component: TMOS
Symptoms:
- RSA-KEX ciphers list are removed from httpd configuration when FIPS mode is enabled since these are non-approved ciphers for FIPS 140-3 certification.
- Mandatory fix for FIPS 140-3 Certification.
Conditions:
- BIG-IP versions 16.1.3 and above.
- Applies to systems requiring FIPS 140-3 Certification.
- A FIPS 140-3 license is installed on the BIG-IP, or it is a FullBoxFIPS device.
- HTTPS connections are established using RSA-KEX based ciphers.
Impact:
- BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be running a FIPS 140-3 certified configuration.
- HTTPS connections using RSA-KEX ciphers fail when a FIPS 140-3 license is installed on the device.
Workaround:
None
Fix:
Apply this fix to ensure that the system is compliant with FIPS 140-3 Certification.
Fixed Versions:
17.0.0.1, 16.1.3
1097821-1 : Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified
Links to More Info: BT1097821
Component: Access Policy Manager
Symptoms:
Creating an APM policy image file with source_path attribute fails.
Conditions:
APM provisioned
Impact:
You are unable to use the source_path attribute for creating APM customization image files.
Workaround:
Copy the image file to one of the directories of /var/config/rest/, /var/tmp/, /shared/tmp/ and use local_path instead of source_path.
E.g. create apm policy image-file test.jpg local-path /var/tmp/<file name>
Fixed Versions:
17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5
1093821-5 : TMM may behave unexpectedly while processing HTTP traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing HTTP traffic
Conditions:
- HTTP profile enabled
Impact:
TMM may crash, leading to a traffic interruption and a failover event.
Fix:
TMM now processes HTTP traffic as expected.
Fixed Versions:
17.0.0.2
1093621-5 : Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP
Links to More Info: K10347453
1091761-5 : Mqtt_message memory leaks when iRules are used
Links to More Info: BT1091761
Component: Local Traffic Manager
Symptoms:
Mqtt_message memory leaks when iRules like insert_after, insert_before, and respond are used.
Conditions:
Basic MQTT virtual server with any of the following iRule commands:
- insert_after
- insert_before
- respond
Impact:
Memory leak occurs and TMM may crash
Workaround:
NA
Fix:
There is no longer a memory leak with iRules usage
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1091345-1 : The /root/.bash_history file is not carried forward by default during installations.
Links to More Info: BT1091345
Component: TMOS
Symptoms:
By default, the /root/.bash_history file is not included in the UCS archives. As such, this file is not rolled forward during a software installation.
Conditions:
Performing a BIG-IP software installation.
Impact:
This issue may hinder the efforts of F5 Support should the need to determine what was done prior to a software installation arise.
Workaround:
None
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1091249-1 : BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address.
Links to More Info: BT1091249
Component: Global Traffic Manager (DNS)
Symptoms:
As BIG-IP DNS and Link Controller systems connect with one another (or with monitored BIG-IP systems) over iQuery, you may notice:
-- Log messages that specify IPv6 translation addresses non-existent in your configuration and often meaningless (as in not pertaining to some of the more common IPv6 address spaces). For example:
debug gtmd[24229]: 011ae01e:7: Creating new socket to connect to 2001::1 (a06d:3d70:fd7f:0:109c:7000::)
-- If you restart the gtmd daemon, the IPv6 translation address shown in parentheses above changes to a new, random, meaningless value.
-- The GTM portion of the configuration fails to synchronize.
Conditions:
IPv6 translation addresses are in use in relevant objects.
Impact:
The logs are misleading and the GTM portion of the configuration may fail to synchronize.
Workaround:
If possible, do not use IPv6 translation addresses.
Fix:
IPv6 translation addresses now function as designed.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1090649-4 : PEM errors when configuring IPv6 flow filter via GUI
Links to More Info: BT1090649
Component: Policy Enforcement Manager
Symptoms:
An error occurs while configuring an IPv6 flow filter using the GUI:
0107174e:3: The source address (::) and source netmask (0.0.0.0) addresses for pem flow info filter (filter0) must be be the same type (IPv4 or IPv6).
Conditions:
Configuring an IPv6 flow filter using the GUI
Impact:
You are unable to configure the IPv6 flow filter via the GUI
Workaround:
The error does not occur when using tmsh.
Fix:
The IPv6 validation has been modified; IPv6 flow filters can now be created via the GUI.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1090569-2 : After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV
Links to More Info: BT1090569
Component: TMOS
Symptoms:
Some SSL handshakes fail when the CRL certificate validator is used, and tmm crashes.
Conditions:
-- TLS virtual server
-- The virtual server passes network traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm crash related to the CRL certificate validator.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1
1089849-1 : NIST SP800-90B compliance
Links to More Info: BT1089849
Component: TMOS
Symptoms:
Common Criteria and FIPS 140-3 certifications require compliance with NIST SP800-90B; this completes that compliance.
Conditions:
This applies to systems requiring Common Criteria and/or FIPS 140-3 compliance.
Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be using a Common Criteria and/or FIPS 140-3 certified configuration.
Workaround:
None
Fix:
Apply this fix to ensure that the system is compliant with NIST SP800-90B.
Fixed Versions:
17.0.0.1, 16.1.3
1087621-3 : IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload
Links to More Info: BT1087621
Component: TMOS
Symptoms:
The tunnel stops working after initially starting with no problem.
The BIG-IP will send a bad KE (Key Exchange) Payload when rekeying the IKE SA with ECP.
Conditions:
-- IKEv2
-- ECP PFS
-- Peer attempts to re-key IKE SA (CREATE_CHILD SA) over existing IKE SA.
Impact:
IPsec tunnels stop working for periods of time.
Workaround:
Do not use ECP for PFS.
Fix:
ECP will work correctly when rekeying.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1
1084993-5 : [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching
Links to More Info: BT1084993
Component: Policy Enforcement Manager
Symptoms:
The end-to-end (e2e) ID and hop-by-hop (h2h) ID in the Re-Authorisation Answer (RAA) sent from PEM to the OCS do not match those in the Re-Authorisation Request (RAR) sent from the OCS to PEM.
Conditions:
A Diameter endpoint is configured, and the PCEF (PEM) communicates with the OCS over the Gy interface for quota information.
Impact:
OCS will not be able to determine for which RAR it got RAA. This is catastrophic for billing.
Workaround:
None
Fix:
A conversion issue in PEM has been fixed.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7
1084673-1 : GTM Monitor "require M from N" status change log message does not print pool name
Links to More Info: BT1084673
Component: Global Traffic Manager (DNS)
Symptoms:
The number of successful probes changes between the windows in which the "N" probes were sent.
Conditions:
- GTM/DNS is provisioned
- A "require M from N" monitor rule is assigned to a gtm pool or an individual gtm pool member.
Impact:
The log written to provide information on the changing number of successful probes does not contain information about the pool member.
Workaround:
None
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1084257-1 : New HTTP RFC Compliance check for incorrect newline separators in headers
Component: Application Security Manager
Symptoms:
ASM does not enforce incoming HTTP requests whose header lines end with a bare LF ('\n').
Conditions:
Any HTTP request with LF ('\n') as the only header separator passes ASM without enforcement.
Impact:
Requests that are invalid according to the RFC might pass through ASM enforcement.
Fix:
HTTP requests with LF ('\n') as the only header separator are now enforced, and "Unparsable request content" is reported.
Fixed Versions:
17.0.0.1, 15.1.7
1083537-1 : FIPS 140-3 Certification
Links to More Info: BT1083537
Component: TMOS
Symptoms:
For FIPS 140-3 Certification
Conditions:
This applies to systems requiring FIPS 140-3 Certification.
Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be running a FIPS 140-3 certified configuration.
Workaround:
None
Fix:
Apply this fix to ensure that the system is compliant with FIPS 140-3 Certification.
Fixed Versions:
17.0.0.1, 16.1.2.2
1082505-1 : TLS ciphersuites including RSA-KEX are non-approved ciphers for FIPS 140-3 certification
Links to More Info: BT1082505
Component: Local Traffic Manager
Symptoms:
TLS ciphersuites including RSA-KEX are non-approved ciphers per the FIPS 140-3 certification standard.
Conditions:
- BIG-IP versions 16.1.3 and above
- A FIPS 140-3 license is installed on the BIG-IP, or it is a FullBoxFIPS device.
- f5-fips cipher-group is associated with SSL profiles
- Connections are established using the RSA-KEX based ciphers
Impact:
SSL handshake will not be successful.
Workaround:
Create a custom cipher-group including all the required cipher strings and associate with the SSL profiles.
Fix:
For FIPS 140-3 certification, TLS ciphersuites including RSA-KEX are reported as non-approved ciphers in FIPS mode, and these cipher strings have been removed from the f5-fips cipher group.
Fixed Versions:
17.0.0.1, 16.1.3
1082461-1 : The enforcer cores during a call to 'ASM::raise' from an active iRule
Links to More Info: BT1082461
Component: Application Security Manager
Symptoms:
When 'ASM::raise' is called from an iRule with a list longer than 100 elements, the enforcer (bd) cores.
Conditions:
A call to 'ASM::raise' with a list length greater than 100 from an iRule.
Impact:
Traffic disrupted while bd restarts.
Workaround:
While constructing the iRule, make sure that the list passed into 'ASM::raise' contains fewer than 100 elements.
Fix:
Fixed an enforcer core.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1
1082225-6 : Tmm may core while Adding/modifying traffic-class attached to a virtual server.
Links to More Info: BT1082225
Component: Local Traffic Manager
Symptoms:
TMM may core with 'tmm SIGSEGV' while a traffic class attached to a virtual server is added or updated.
Conditions:
-- Some Traffic classes have been removed from the virtual server.
-- A new traffic class is attached to the virtual server, or modification of the existing traffic class is triggered.
Impact:
Traffic disrupted while tmm restarts.
The traffic class might not be applied as expected.
Workaround:
None
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1080317-4 : Hostname is getting truncated on some logs that are sourced from TMM
Links to More Info: BT1080317
Component: TMOS
Symptoms:
Hostnames in the APM, IPSEC, SAAS, FW_LOG logs that are sourced from TMM are truncated.
Conditions:
The truncation occurs when the hostname contains a period (for example "my.hostname").
Impact:
Some logs contain truncated hostnames and some contain full hostnames. The inconsistent hostnames degrade the readability and therefore the usefulness of the logs.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1078765-5 : Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer.
Links to More Info: BT1078765
Component: Application Security Manager
Symptoms:
A BD core may occur when signatures 200004390 and 200004389 are enforced and the ArcSight remote logger is enabled.
Conditions:
The request matches signatures 200004390 and 200004389, and an ArcSight remote logger is attached to the virtual server.
Impact:
The enforcer may crash.
Workaround:
Disable signatures 200004390 and 200004389.
Fix:
Signatures 200004390 and 200004389 are now enforced successfully.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7
1074517-4 : Tmm may core while adding/modifying traffic-class attached to a virtual server
Links to More Info: BT1074517
Component: Local Traffic Manager
Symptoms:
Tmm may core while adding/modifying traffic-class attached to a virtual server
Conditions:
-- Traffic class is attached to a virtual server.
-- Add an existing traffic class to a virtual server.
-- Afterwards, a new traffic class is attached to the virtual server, or modification of the existing traffic class is triggered.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1073625-1 : Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled.
Links to More Info: BT1073625
Component: Application Security Manager
Symptoms:
ASM policy import succeeds on the Active unit and syncs to the standby device, but "Apply changes" is displayed on the standby device's policies page.
Conditions:
1. XML policy with learning enabled imported via TMSH.
2. Autosync with incremental sync enabled on device-group with ASM sync enabled.
Impact:
The peer (standby) unit needs to have the policies applied manually even though everything is set to auto-sync.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1073005-5 : iControl REST use of the dig command does not follow security best practices
Component: TMOS
Symptoms:
iControl REST does not follow security best practices when invoking the 'dig' command to perform DNS lookups via the /mgmt/tm/util/dig endpoint.
Conditions:
This issue only affects standard deployments. Appliance Mode deployments are not affected.
Impact:
Security best practices are not followed
Fix:
iControl REST now follows best practices when performing DNS lookups via the dig endpoint
Fixed Versions:
17.0.0.2, 15.1.8.1
1071621-2 : Increase the number of supported traffic selectors
Links to More Info: BT1071621
Component: TMOS
Symptoms:
There is an imposed limit of 30 traffic selectors that can be attached to an IPsec policy / IKEv2 ike-peer.
Conditions:
-- IKEv2
-- More than 30 traffic selectors required on one IPsec policy / ike-peer.
Impact:
No more than 30 traffic selectors can be added to a single IPsec policy / ike-peer.
Workaround:
None
Fix:
The behavior of sys db ipsec.maxtrafficselectors has changed.
- Max traffic selectors associated with an ike-peer are increased from 30 to 100.
- When the sys-db variable is non-zero, the limit is enforced.
- ipsec.maxtrafficselectors can be set to "0" to indicate there is no limit.
Warning: Adding hundreds or thousands of traffic-selectors to an ipsec-policy may result in slow config-load times (for example, during startup). An excessive number of traffic selectors may also slow down IPsec tunnel negotiation. The impact will depend on the BIG-IP system's provisioning and the overall configuration.
Behavior Change:
The behavior of sys db ipsec.maxtrafficselectors has changed.
- Max traffic selectors associated with an ike-peer are increased from 30 to 100.
- When the sys-db variable is non-zero, the limit is enforced.
- ipsec.maxtrafficselectors can be set to "0" to indicate there is no limit.
Warning: Adding hundreds or thousands of traffic-selectors to an ipsec-policy may result in slow config-load times (for example, during startup). An excessive number of traffic selectors may also slow down IPsec tunnel negotiation. The impact will depend on the BIG-IP system's provisioning and the overall configuration.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1
1067105-5 : Racoon logging shows incorrect SA length.
Links to More Info: BT1067105
Component: TMOS
Symptoms:
Debug2 logging records an incorrect "total SA" length in racoon.log.
Conditions:
-- IKEv1 tunnels in use
-- ikedaemon in debug2 mode
Impact:
Troubleshooting is confused by misleading information about the SA payload length.
Workaround:
None. This is a cosmetic / logging issue.
Fix:
Clarified the log message to indicate what the logged length actually covers.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7
1066673-7 : BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions
1065917-1 : BIG-IP APM Virtual Server does not follow security best practices
Component: Access Policy Manager
Symptoms:
A BIG-IP APM virtual server with an associated access policy does not follow security best practices when handling authenticated user traffic.
Conditions:
APM Access Policy assigned to a Virtual Server
A valid, logged in user
Impact:
The APM virtual server allows a malicious authenticated user to cause APM to mishandle specific requests.
Fix:
BIG-IP APM virtual server now correctly follows security best practices.
Fixed Versions:
17.0.0.2, 15.1.7
1062569-3 : HTTP/2 stream bottom filter leaks memory at teardown under certain conditions
Component: Local Traffic Manager
Symptoms:
Xhead/xdata allocations increase over time and do not return to initial levels.
Conditions:
-- HTTP/2 MRF virtual server with client-side HTTP/2.
-- Undisclosed client-side HTTP/2 requests.
Impact:
Memory leakage
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0.2
1062493-5 : BD crash close to its startup
Links to More Info: BT1062493
Component: Application Security Manager
Symptoms:
BD crashes shortly after startup.
Conditions:
FTP or SMTP are in use. Other causes are unknown.
Impact:
Traffic disrupted while bd restarts.
Workaround:
No workaround except removal of the FTP/SMTP protection.
Fix:
Crashes shortly after startup caused by SMTP or FTP processing have been fixed.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7
1061481-4 : Denied strings were found in the /var/log/ folder after an update or reboot
Links to More Info: BT1061481
Component: TMOS
Symptoms:
"Denied" error strings were found in the /var/log/dmesg and /var/log/messages files after an update or reboot.
For example, the string "denied" was found in the following entry:
[ 5.704716] type=1401 audit(1636790175.688:4): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:f5_jitter_entropy_t:s0
Conditions:
After update or reboot, check the following log files:
/var/log/dmesg and /var/log/messages.
Impact:
Error strings are observed in /var/log/dmesg and /var/log/messages.
Workaround:
None.
Fix:
No error strings are observed.
Fixed Versions:
17.0.0.1, 16.1.3
1058297-1 : Policy history values for 'max Size Of Saved Versions' and for 'min Retained Files In Dir' are reset during upgrade★
Links to More Info: BT1058297
Component: Application Security Manager
Symptoms:
The values for "minRetainedFilesInDir" and "maxSizeOfSavedVersions" in /etc/ts/tools/policy_history.cfg are set back to default after an upgrade.
Conditions:
-- Non-default values for "minRetainedFilesInDir" and for "maxSizeOfSavedVersions"
-- An upgrade occurs
Impact:
After upgrade, the values in the configuration file are set back to default.
Workaround:
Update the values after the upgrade is complete.
Fix:
The usage of the configuration file /etc/ts/tools/policy_history.cfg is deprecated.
New internal config items have been added:
"policy_history_min_retained_versions" and "policy_history_max_total_size"
The internal variables are preserved during the upgrade.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7
1056957-2 : An attack signature can be bypassed under some scenarios.
Links to More Info: BT1056957
Component: Application Security Manager
Symptoms:
An attack signature is not detected.
Conditions:
A specific condition.
Impact:
False negative - attack is not detected.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0.1, 16.1.3.1
1042737-5 : BGP sending malformed update missing Tot-attr-len of 0.
Links to More Info: BT1042737
Component: TMOS
Symptoms:
BIG-IP might send a malformed BGP update missing a Tot-attr-len of 0 when performing a soft reset out.
Conditions:
-- Multiple traffic groups configured.
-- A BGP soft reset occurs.
Impact:
BGP peering resets.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7
1040513-4 : The counter for "FTP commands" is always 0.
Links to More Info: BT1040513
Component: Application Security Manager
Symptoms:
On the FTP Statistics page, the "FTP Commands" value is always zero.
Conditions:
FTP security is applied and "FTP commands violations" is enforced.
Impact:
FTP security does not show violation statistics for FTP commands.
Workaround:
None
Fix:
"FTP commands statistics" now shows an accurate value in the UI.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1036057-5 : Add support for line folding in multipart parser.
Links to More Info: BT1036057
Component: Application Security Manager
Symptoms:
RFC 2616 allowed HTTP header field values to be extended over multiple lines by preceding each extra line with at least one space or horizontal tab. This was then deprecated by RFC 7230.
The multipart parser of ASM does not support the multiple line header, so these requests cause false positives.
Conditions:
Multiline header in multipart request
Impact:
False positives.
Workaround:
None
Fix:
Introduced a new ASM internal parameter: multipart_allow_multiline_header
Note: default value is 0 (disabled)
Note: enabling or disabling the feature requires an ASM restart, which takes the unit offline for a short period. If the unit is part of a high availability (HA) cluster, failover to the other unit occurs. If it is a standalone unit, traffic is disrupted until the unit comes back online.
- Enable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 1
# bigstart restart asm
- Disable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 0
# bigstart restart asm
Behavior Change:
Introduced a new ASM internal parameter: multipart_allow_multiline_header
Note: default value is 0 (disabled)
Note: enabling or disabling the feature requires an ASM restart, which takes the unit offline for a short period. If the unit is part of a high availability (HA) cluster, failover to the other unit occurs. If it is a standalone unit, traffic is disrupted until the unit comes back online.
- Enable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 1
# bigstart restart asm
- Disable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 0
# bigstart restart asm
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
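The two header-parsing behaviours described in IDs 1084257 (bare LF as the only header separator is reported as "Unparsable request content") and 1036057 (folded multi-line headers in multipart parts are accepted only when multipart_allow_multiline_header is enabled), as an added example that is not F5 code: the parser, the UnparsableRequest exception and the sample requests are this example's own constructions, and allow_multiline stands in for the ASM internal parameter.

```python
"""Strict HTTP header-block parsing, illustrating two ASM behaviours from
these release notes: bare-LF header separators are rejected as unparsable
(ID 1084257), and folded (multi-line) header values in multipart parts are
accepted only when explicitly allowed (ID 1036057).
Added example, not F5 code; all sample requests below are constructed."""
from typing import Dict, List, Optional, Tuple

CRLF = b"\r\n"


class UnparsableRequest(ValueError):
    """Raised where ASM would report 'Unparsable request content'."""


def check_no_bare_lf(block: bytes) -> None:
    """Reject any LF that is not immediately preceded by CR."""
    pos = block.find(b"\n")
    while pos != -1:
        if pos == 0 or block[pos - 1] != 0x0D:
            raise UnparsableRequest("bare LF at offset %d" % pos)
        pos = block.find(b"\n", pos + 1)


def parse_header_fields(block: bytes, allow_multiline: bool = False) -> Dict[str, str]:
    """Parse CRLF-separated 'Name: value' lines into a dict (names lowercased).
    A line starting with SP or HTAB is an obs-fold continuation (RFC 7230):
    rejected by default, unfolded onto the previous value when allowed."""
    headers: Dict[str, str] = {}
    last: Optional[str] = None
    for line in block.split(CRLF):
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            if not allow_multiline or last is None:
                raise UnparsableRequest("folded header line not allowed")
            headers[last] += " " + line.strip(b" \t").decode("ascii")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip(b" \t"):
            raise UnparsableRequest("malformed header line %r" % line)
        last = name.decode("ascii").lower()
        headers[last] = value.strip(b" \t").decode("ascii")
    return headers


def parse_request(raw: bytes, allow_multiline: bool = False) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw request into (request line, headers, body).
    Only CRLF CRLF ends the header block: an LF-only request never matches the
    terminator, and a request mixing CRLF and bare LF fails the bare-LF check."""
    end = raw.find(CRLF + CRLF)
    if end == -1:
        raise UnparsableRequest("header block not terminated by CRLF CRLF")
    head, body = raw[:end], raw[end + 4:]
    check_no_bare_lf(head)
    request_line, _, fields = head.partition(CRLF)
    return request_line.decode("ascii"), parse_header_fields(fields, allow_multiline), body


def parse_multipart(body: bytes, boundary: str, allow_multiline: bool = False) -> List[Tuple[Dict[str, str], bytes]]:
    """Split a multipart body into (part headers, part content) tuples.
    allow_multiline plays the role of multipart_allow_multiline_header."""
    delimiter = b"--" + boundary.encode("ascii")
    parts: List[Tuple[Dict[str, str], bytes]] = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        if not chunk.startswith(CRLF):
            raise UnparsableRequest("boundary not followed by CRLF")
        chunk = chunk[2:]
        end = chunk.find(CRLF + CRLF)
        if end == -1:
            raise UnparsableRequest("part headers not terminated")
        check_no_bare_lf(chunk[:end])
        headers = parse_header_fields(chunk[:end], allow_multiline)
        content = chunk[end + 4:]
        if content.endswith(CRLF):
            content = content[:-2]  # the CRLF before the next delimiter is not content
        parts.append((headers, content))
    return parts


def is_unparsable(func, *args, **kwargs) -> bool:
    """True when func(*args, **kwargs) raises UnparsableRequest."""
    try:
        func(*args, **kwargs)
    except UnparsableRequest:
        return True
    return False


# Constructed samples (not captured traffic).
GOOD_REQUEST = (
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: multipart/form-data; boundary=B\r\n\r\n"
    b"--B\r\nContent-Disposition: form-data;\r\n name=\"f\"\r\n\r\nhello\r\n--B--\r\n"
)
LF_ONLY_REQUEST = b"GET / HTTP/1.1\nHost: example.test\n\n"
MIXED_LF_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\nX-Test: 1\r\n\r\n"

if __name__ == "__main__":
    line, headers, body = parse_request(GOOD_REQUEST)
    print(line, headers)
    print("LF-only rejected:", is_unparsable(parse_request, LF_ONLY_REQUEST))
    print("multipart, strict (parameter 0):", is_unparsable(parse_multipart, body, "B"))
    print("multipart, folding allowed (parameter 1):", parse_multipart(body, "B", allow_multiline=True))
```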
1032553-6 : Core when virtual server with destination NATing receives multicast
Component: TMOS
Symptoms:
TMM cores when the virtual server processes a multicast packet.
Conditions:
-- Virtual server that can match multicast, e.g. destination address 0.0.0.0:any and mask any.
-- LTM and AFM provisioned.
-- Virtual server is using destination NATing.
-- Virtual server uses fastL4.
-- Multicast route setup, e.g. with Zebos.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Add a virtual server to specifically match multicast without destination NATing.
Fix:
TMM does not crash.
Fixed Versions:
17.0.0.2, 15.1.8
1030133-1 : BD core on XML out of memory
Links to More Info: BT1030133
Component: Application Security Manager
Symptoms:
Missing error handling in the XML parser library.
Conditions:
XML parser going out of memory.
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1029689-1 : Inconsistent username "SYSTEM" in Audit Log
Links to More Info: BT1029689
Component: Application Security Manager
Symptoms:
The Security Policy Audit Log in ASM displays the system component that triggered the event; the component name is sometimes shown as 'SYSTEM' and other times as 'System'.
Conditions:
The value is "SYSTEM" when Apply Policy was initiated locally.
The value is "System" when Apply Policy was initiated by the peer unit.
Impact:
The inconsistent component name causes confusion.
Workaround:
None
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7
1025261-4 : Restjavad uses more resident memory in control plane after software upgrade
Links to More Info: BT1025261
Component: TMOS
Symptoms:
The restjavad process immediately reserves more memory, and the process size (as shown by RSS) increases, because the starting heap size is now the same as the maximum heap size for performance reasons.
(Note the process name displays as 'java', but there are multiple independent Java processes on the system. The parent process of restjavad is 'runsv restjavad', and the command line arguments may have 'logging' in them.)
For restjavad with the default size, the increase is usually 200 MB-300 MB.
The increase is particularly apparent where restjavad.useextramb is set to the value 'true' and provision.extramb is set to a high value but restjavad had not required that much extra memory previously.
Conditions:
After upgrading to a BIG-IP software version with the fix for ID 776393 ( https://cdn.f5.com/product/bugtracker/ID776393.html ), where more memory has been allocated for restjavad.
Impact:
The memory Resident Set Size (RSS) of the restjavad process will be larger than needed, possibly constricting other processes in the control plane.
Workaround:
If restjavad.useextramb is set to true and only a small amount of extra restjavad memory was required (approximately 192 MB or less), you may be able to set it to false, because the default restjavad heap size has increased by 192 MB to 384 MB.
Restart restjavad after the change.
Fix:
A new sys DB variable, provision.restjavad.extramb has been introduced to allow finer-grained control of restjavad memory.
It takes effect only if sys db restjavad.useextramb is true. It can be used to set restjavad heap size both above and below the default heap size of 384 MB.
Behavior Change:
A new sys DB variable, provision.restjavad.extramb has been introduced to allow finer-grained control of restjavad memory.
The variable is particularly useful when you need restjavad to be slightly bigger and also need a much larger provision.extramb without most of that being taken by restjavad.
For the variable to take effect, sys db restjavad.useextramb must be set to 'true'; otherwise, default memory values are used.
The variable sets the heap size, and defaults to and has a minimum value of 192 MB.
If the value of provision.restjavad.extramb is set above a certain cap value, the heap size is set to the cap value. In this release, the cap value is 384 MB + 80% of provision.extramb.
So with restjavad.useextramb set to 'true', you can set the restjavad heap size from 192 MB to 384 MB + 80% of provision.extramb using the provision.restjavad.extramb variable.
After changing value of provision.restjavad.extramb, restart restjavad to enable the change in memory size:
bigstart restart restjavad
Or on multi-blade systems:
clsh bigstart restart restjavad
If you use a sys db restjavad.useextramb value of true and need to restore your previous restjavad memory setting (based on the maximum heap size), see the advice below.
Before upgrade: if you set sys db restjavad.useextramb to false before installing the new version, you will have the default 384 MB of restjavad memory after the upgrade:
tmsh modify sys db restjavad.useextramb value false
If you restart restjavad, you can check whether that value works before the upgrade. If you do not restart, the change takes effect after the reboot.
If there are no longer issues after the update, leave the setting at false. Otherwise, set it back to true (no restart) and increase provision.restjavad.extramb as described in the After upgrade section below.
After upgrade:
Set sys db provision.restjavad.extramb to an appropriate value and restart restjavad.
Run the following command:
tmsh modify sys db provision.restjavad.extramb value X
bigstart restart restjavad
Iterate as necessary.
The value of X is derived by using one of the following formulae:
- When updating from versions before 14.1.4 and 15.1.3, to affected versions, a value that preserves the maximum previous restjavad heap size is:
192MB + 80% of MIN(provision.extramb|2500)
the minimum possible heap size was:
192MB + 20% of MIN(provision.extramb|2500)
The actual restjavad heap size would be between those extremes. SSLO systems would typically need a higher amount towards the maximum.
Example 1: If provision.extramb was 1000 MB on the previous version, the possible range of restjavad heap size would have been between (20% of 1000 + 192) = 392 MB and (80% of 1000 + 192) = 992 MB.
Example 2: If provision.extramb was 4000 MB, the possible range would be between (20 % of 2500 + 192) = 692 MB and (80% of 2500 + 192) = 2192 MB.
- When updating from 14.1.4-14.1.5, from 15.1.3-15.1.6.1 or from 16.0.x to affected versions:
384MB + 80% of MIN(provision.extramb|2500)
Example 3: If provision.extramb was 500 MB, the restjavad heap size on the previous version would have been 80% of 500 + 384 = 784 MB.
- When updating from 16.1.0-16.1.3 or from 17.0.0.0 to affected versions:
384MB + 90% of MIN(provision.extramb|4000)
Example 4: If provision.extramb was 2000 MB, the restjavad heap size on the previous version would have been 90% of 2000 + 384 = 2184 MB.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
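The sizing formulae above, worked through as an added example (not F5 code): the bucket labels are this example's own names for the three source-version ranges in the note, and suggested_extramb applies the 192 MB minimum and the 384 MB + 80% of provision.extramb cap that the Behavior Change describes, so a preserved value above the cap is reduced to it.

```python
"""Worked version of the provision.restjavad.extramb sizing formulae in
ID 1025261: the heap restjavad could have had on the previous version, and
the value X to set after upgrade, clamped to the new release's range
(192 MB minimum, 384 MB + 80% of provision.extramb maximum).
Added example, not F5 code; the bucket labels are this example's own names
for the three source-version ranges listed in the release note."""
from typing import Dict, Tuple

# bucket -> (base MB, percent of provision.extramb, cap applied to provision.extramb)
PREVIOUS_FORMULAE: Dict[str, Tuple[int, int, int]] = {
    "before_14.1.4_and_15.1.3": (192, 80, 2500),
    "14.1.4-14.1.5_15.1.3-15.1.6.1_16.0.x": (384, 80, 2500),
    "16.1.0-16.1.3_17.0.0.0": (384, 90, 4000),
}
OLDEST_BUCKET_MIN_PERCENT = 20  # only the oldest bucket had a 20%..80% range
NEW_MIN_HEAP_MB = 192
NEW_CAP_BASE_MB = 384
NEW_CAP_PERCENT = 80


def previous_heap_range_mb(bucket: str, provision_extramb: int) -> Tuple[int, int]:
    """(minimum, maximum) heap size restjavad could have had before the upgrade.
    Integer percent arithmetic keeps the results exact."""
    base, pct, cap = PREVIOUS_FORMULAE[bucket]
    effective = min(provision_extramb, cap)  # MIN(provision.extramb|cap)
    maximum = base + pct * effective // 100
    if bucket == "before_14.1.4_and_15.1.3":
        minimum = base + OLDEST_BUCKET_MIN_PERCENT * effective // 100
    else:
        minimum = maximum  # newer versions used a fixed formula
    return minimum, maximum


def new_release_heap_cap_mb(provision_extramb: int) -> int:
    """Cap this release applies to provision.restjavad.extramb."""
    return NEW_CAP_BASE_MB + NEW_CAP_PERCENT * provision_extramb // 100


def suggested_extramb(bucket: str, provision_extramb: int) -> int:
    """Value X for 'tmsh modify sys db provision.restjavad.extramb value X' that
    preserves the previous maximum heap, clamped to what this release honours."""
    _, maximum = previous_heap_range_mb(bucket, provision_extramb)
    return max(NEW_MIN_HEAP_MB, min(maximum, new_release_heap_cap_mb(provision_extramb)))


if __name__ == "__main__":
    # The four examples from the release note, plus the value X each implies.
    for bucket, extramb in (("before_14.1.4_and_15.1.3", 1000),
                            ("before_14.1.4_and_15.1.3", 4000),
                            ("14.1.4-14.1.5_15.1.3-15.1.6.1_16.0.x", 500),
                            ("16.1.0-16.1.3_17.0.0.0", 2000)):
        print(bucket, extramb, previous_heap_range_mb(bucket, extramb),
              "-> set X =", suggested_extramb(bucket, extramb))
```

For Example 4 the preserved 2184 MB exceeds this release's cap of 384 + 80% of 2000 = 1984 MB, so X is clamped to 1984.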
1024661-4 : SCTP forwarding flows based on VTAG for bigproto
Links to More Info: BT1024661
Component: TMOS
Symptoms:
Sometimes SCTP traffic is unidirectionally dropped on one link after an SCTP link down occurs.
Conditions:
-- SCTP configured and BIG-IP is passing traffic
-- A link goes down
Impact:
Flows are created on the wrong TMM and some traffic is dropped.
Workaround:
Disable SCTP flow redirection by setting the tmm.sctp.redirect_packets db variable to disable:
tmsh modify sys db tmm.sctp.redirect_packets value disable
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1022453-5 : IPv6 fragments are dropped when packet filtering is enabled.
Links to More Info: BT1022453
Component: Local Traffic Manager
Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.
Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.
Impact:
Some or all of the fragments of an IPv6 packet are lost.
Workaround:
Disable packet filtering
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7
1014973-6 : ASM changed cookie value.
Links to More Info: BT1014973
Component: Application Security Manager
Symptoms:
ASM changes the value of a cookie going to the server.
Conditions:
Specific conditions.
Impact:
The domain cookie reaches the server with a wrong value, which can cause different malfunctions depending on the application.
Workaround:
Change the following db variable (see https://support.f5.com/csp/article/K30023210):
tmsh modify sys db asm.strip_asm_cookies value false
There is no need to restart asm.
Then add an iRule that does not use strip_asm_cookies:
https://support.f5.com/csp/article/K13693.
Fix:
Original cookies are no longer deleted or modified after ASM removes its TS cookies.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7
1014573-5 : Several large arrays/objects in JSON payload may core the enforcer
Links to More Info: BT1014573
Component: Application Security Manager
Symptoms:
Requests whose JSON payload consists of more than one object with elements, such as a couple of large arrays, may cause the enforcer to crash.
Conditions:
Each of the objects/arrays in the JSON payload contains fewer elements than the value defined in the "Maximum Array Length" JSON profile attribute.
Impact:
Large enough arrays may cause a performance decrease; in addition, the enforcer may crash.
Workaround:
Set "Maximum Array Length" to a value lower than the array length of the requests.
Fix:
Added the internal parameter "count_overall_child_elements_in_json" to control the "Maximum Array/Object Elements" behaviour:
0 (default) - retain current behaviour (check max elements in each array/object separately);
1 - count overall elements in all arrays/objects.
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1006157-7 : FQDN nodes not repopulated immediately after 'load sys config'
Links to More Info: BT1006157
Component: Local Traffic Manager
Symptoms:
A DNS query is not sent for configured FQDN nodes until the TTL value expires.
Conditions:
This occurs when 'load sys config' is executed.
Impact:
FQDN names are not resolved to IP addresses until the TTL expires.
Workaround:
You can use either of the following workarounds:
-- Change the default TTL value to be fewer than 300 seconds (the default value is 3600 seconds).
-- Restart dynconfd daemon:
tmsh restart sys service dynconfd
Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
Known Issues in BIG-IP v17.0.x
TMOS Issues
ID Number | Severity | Links to More Info | Description |
1190777-1 | 1-Blocking | | Unable to add a device to a device trust when the BigDB variable icontrol.basic_auth is set to disable on target device |
1173441-4 | 1-Blocking | | The 'tmsh save sys config' call is being triggered when REST Authentication tokens (X-F5-Auth-Token) are deleted or expired |
1161913 | 1-Blocking | BT1161913 | Upgrade from 15.1.8 or 15.1.8.1 to 16.x or 17.x fails, and leaves device INOPERATIVE★ |
1120433-1 | 1-Blocking | BT1120433 | Removed gtmd and big3d daemon from the FIPS-compliant list |
1116845-3 | 1-Blocking | BT1116845 | Interfaces using the xnet driver are not assigned a MAC address |
1088037-2 | 1-Blocking | BT1088037 | VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers |
979045-5 | 2-Critical | BT979045 | The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms |
950201-5 | 2-Critical | BT950201 | Tmm core on GCP |
842669-7 | 2-Critical | BT842669 | Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log |
776117-5 | 2-Critical | BT776117 | BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type |
737692-7 | 2-Critical | BT737692 | Handle x520 PF DOWN/UP sequence automatically by VE |
652877-8 | 2-Critical | BT652877 | Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades |
1195377-1 | 2-Critical | | Getting Service Indicator log for disallowed RSA-1024 crypto algorithm |
1191137-4 | 2-Critical | BT1191137 | WebUI crashes when the localized form data fails to match the expectations |
1181613-2 | 2-Critical | BT1181613 | IPsec IKEv2: BIG-IP version 16.1.0 introduced RFC5996 non-compliance in IKE SA delete |
1178221-4 | 2-Critical | BT1178221 | In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT |
1144477-2 | 2-Critical | BT1144477 | IKE_SA_INIT uses src port 500 and dst port 4500 after IKE SA deleted |
1136429-5 | 2-Critical | BT1136429 | Closing of unrelated MCPD connection causes an errant reply to an in-progress transaction or request group |
1134301-4 | 2-Critical | BT1134301 | IPsec interface mode may stop sending packets over tunnel after configuration update |
1128629-3 | 2-Critical | BT1128629 | Neurond crash observed during live install through test script |
1110893-5 | 2-Critical | BT1110893 | Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy |
1105901-1 | 2-Critical | BT1105901 | Tmm crash while doing high-speed logging |
1097193-4 | 2-Critical | BT1097193 | Unable to SCP files using WinSCP or relative path name |
1095217-2 | 2-Critical | BT1095217 | Peer unit incorrectly shows the pool status as unknown after merging the configuration |
1093717-5 | 2-Critical | BT1093717 | BGP4 SNMP traps are not working. |
1085805-5 | 2-Critical | | UCS restore with SSL Orchestrator deployed fails due to multiple iFiles and incorrect iFile reference. |
1085597-2 | 2-Critical | BT1085597 | IKEv1 IPsec peer cannot be created in config utility (web UI) |
1077789-5 | 2-Critical | BT1077789 | System might become unresponsive after upgrading.★ |
1076909-5 | 2-Critical | BT1076909 | Syslog-ng truncates the hostname at the first period. |
1075905-4 | 2-Critical | BT1075905 | TCP connections may fail when hardware SYN Cookie is active |
992865-4 | 3-Major | BT992865 | Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances |
992053-7 | 3-Major | BT992053 | Pva_stats for server side connections do not update for redirected flows |
991829-4 | 3-Major | BT991829 | Continuous connection refused errors in restjavad |
988745-5 | 3-Major | BT988745 | On reboot, 'could not find platform object' errors may be seen in /var/log/ltm |
966949-7 | 3-Major | BT966949 | Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node |
962477-1 | 3-Major | BT962477 | REST calls that modify GTM objects as a user other than admin may take longer than expected |
950153-4 | 3-Major | BT950153 | LDAP remote authentication fails when empty attribute is returned |
945413-5 | 3-Major | BT945413 | Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync |
930393-1 | 3-Major | BT930393 | IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration |
925469-4 | 3-Major | BT925469 | SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo |
921149-7 | 3-Major | BT921149 | After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy |
908453-6 | 3-Major | BT908453 | Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly |
891333-3 | 3-Major | K32545132, BT891333 | Very rarely the HSB can get into a corrupted state resulting in ARP entry in BIG-IP stuck incomplete. |
879969-9 | 3-Major | BT879969 | FQDN node resolution fails if DNS response latency >5 seconds |
778513-4 | 3-Major | BT778513 | APM intermittently drops log messages for per-request policies |
775845-7 | 3-Major | BT775845 | Httpd fails to start after restarting the service using the iControl REST API |
760982-4 | 3-Major | BT760982 | An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios |
760354-16 | 3-Major | BT760354 | Continual mcpd process restarts after removing big logs when /var/log is full |
755207-4 | 3-Major | BT755207 | Large packets silently dropped on VE mlxvf5 devices |
662301-10 | 3-Major | BT662301 | 'Unlicensed objects' error message appears despite there being no unlicensed config |
566995-5 | 3-Major | BT566995 | bgpd might crash in rare circumstances. |
1217473 | 3-Major | | All the UDP traffic is sent to a single TMM |
1194409-1 | 3-Major | BT1194409 | Dropped messages seen in auditforwarder logging |
1185605-4 | 3-Major | BT1185605 | The iCall EventTriggeredHandler in non-common partition break after scriptd daemon restart |
1181757-5 | 3-Major | BT1181757 | BGPD assert when sending an update due to cq_wbuf mishandling |
1169141-4 | 3-Major | BT1169141 | Bash tab-completion of '~' to '\~' |
1166329-1 | 3-Major | BT1166329 | The mcpd process fails on secondary blades, if the predefined classification applications are updated. |
1154381-5 | 3-Major | BT1154381 | The tmrouted might crash when management route subnet is received over a dynamic routing protocol |
1153865-5 | 3-Major | BT1153865 | Restjavad OutOfMemoryError errors and restarts after upgrade★ |
1153853-5 | 3-Major | BT1153853 | Revision of default value for provision.restjavad.extramb to avoid OOM errors in restjavad |
1145749-5 | 3-Major | BT1145749 | Locally defined BIG-IP users can be lost during a failed config-sync |
1143809-2 | 3-Major | BT1143809 | Unable to modify SNMP monitors from webUI |
1137269-5 | 3-Major | BT1137269 | MCPD fails to reply if a request is proxied to another daemon and the connection to that daemon closes |
1136921-5 | 3-Major | BT1136921 | BGP might delay route updates after failover |
1136781-1 | 3-Major | BT1136781 | Incorrect parsing of 'bfd notification' CLI in IMI Shell (imish) |
1136013-6 | 3-Major | BT1136013 | The tmrouted generates core with double free or corruption |
1135961-6 | 3-Major | BT1135961 | The tmrouted generates core with double free or corruption |
1135393-2 | 3-Major | BT1135393 | The pfmand support is not available on i15820-DF (D120) |
1134509-5 | 3-Major | BT1134509 | TMM crash in BFD code when peers from ipv4 and ipv6 families are in use. |
1134057-5 | 3-Major | BT1134057 | BGP routes not advertised after graceful restart |
1132957-2 | 3-Major | BT1132957 | Modifying IPsec tunnels tunnel object may result in TMM core |
1132949-5 | 3-Major | BT1132949 | GUI reported error when changing password after mgmt port was changed |
1128169-2 | 3-Major | BT1128169 | TMM core when IPsec tunnel object is reconfigured |
1127881-1 | 3-Major | BT1127881 | Deprecate sysClientsslStatFullyHwAcceleratedConns, sysClientsslStatPartiallyHwAcceleratedConns and sysClientsslStatNonHwAcceleratedConns |
1127169-2 | 3-Major | BT1127169 | The BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG |
1126805-4 | 3-Major | BT1126805 | TMM CPU usage statistics may show a lower than expected value on Virtual Edition |
1126181-1 | 3-Major | BT1126181 | ZebOS "no log syslog" configuration is not surviving reboot |
1125733-5 | 3-Major | BT1125733 | Wrong server-side window scale used in hardware SYN cookie mode |
1124733-2 | 3-Major | | Unnecessary internal traffic is observed on the internal tmm_bp vlan |
1124209-4 | 3-Major | BT1124209 | Duplicate key objects when renewing certificate using pkcs12 bundle |
1123885-1 | 3-Major | BT1123885 | A specific type of software installation may fail to carry forward the management port's default gateway. |
1123149-1 | 3-Major | BT1123149 | Sys-icheck fail for /etc/security/opasswd |
1122021-4 | 3-Major | BT1122021 | Killall command might create corrupted core files |
1121517-1 | 3-Major | BT1121517 | Interrupts on Hyper-V are pinned on CPU 0 |
1120685-1 | 3-Major | BT1120685 | Unable to update the password in the CLI when password-memory is set to > 0 |
1120345-7 | 3-Major | BT1120345 | Running tmsh load sys config verify can trigger high availability (HA) failover |
1114137-5 | 3-Major | | LibUV library for latest bind 9.16 |
1113961-2 | 3-Major | K43391532, BT1113961 | BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China |
1112537-1 | 3-Major | BT1112537 | LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete. |
1112109-5 | 3-Major | BT1112109 | Unable to retrieve SCP files using WinSCP or relative path name |
1111629-5 | 3-Major | BT1111629 | Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors |
1111421-4 | 3-Major | BT1111421 | TMSH/GUI fails to display IPsec SAs info |
1106489-1 | 3-Major | BT1106489 | GRO/LRO is disabled in environments using the TMM raw socket "sock" driver. |
1103953-2 | 3-Major | BT1103953 | SSMTP errors in logs every 20 minutes |
1102849-4 | 3-Major | BT1102849 | Less-privileged users (guest, operator, etc) are unable to run top level commands |
1101453-7 | 3-Major | BT1101453 | MCPD SIGABRT and core happened while deleting GTM pool member |
1100409-5 | 3-Major | | Valid connections may fail while a virtual server is in SYN cookie mode. |
1100321-4 | 3-Major | BT1100321 | MCPD memory leak |
1093973-8 | 3-Major | BT1093973 | Tmm may core when BFD peers select a new active device. |
1093553-5 | 3-Major | BT1093553 | OSPF "default-information originate" injects a new link-state advertisement |
1093313-1 | 3-Major | BT1093313 | CLIENTSSL_CLIENTCERT iRule event is not triggered for TLS1.3 when the client sends an empty certificate response |
1091725-5 | 3-Major | BT1091725 | Memory leak in IPsec |
1090313-4 | 3-Major | BT1090313 | Virtual server may remain in hardware SYN cookie mode longer than expected |
1088429-5 | 3-Major | BT1088429 | Kernel slab memory leak |
1086517-3 | 3-Major | BT1086517 | TMM may not properly exit hardware SYN cookie mode |
1086393-3 | 3-Major | BT1086393 | Sint Maarten and Curacao are missing in the GTM region list |
1085837-3 | 3-Major | BT1085837 | Virtual server may not exit from hardware SYN cookie mode |
1081649-3 | 3-Major | BT1081649 | Remove the "F5 iApps and Resources" link from the iApps->Package Management |
1081641-5 | 3-Major | BT1081641 | Remove Hyperlink to Legal Statement from Login Page |
1080925-4 | 3-Major | BT1080925 | Changed 'ssh-session-limit' value is not reflected after restarting mcpd |
1080297-5 | 3-Major | BT1080297 | ZebOS does not show 'log syslog' in the running configuration, or store it in the startup configuration |
1079705-5 | 3-Major | BT1079705 | Restjavad may restart repeatedly if sys db provision.extramb is high |
1077533-4 | 3-Major | BT1077533 | BIG-IP fails to restart services after mprov runs during boot. |
1077405-1 | 3-Major | BT1077405 | Ephemeral pool members may not be created with autopopulate enabled. |
1076801-5 | 3-Major | BT1076801 | Loaded system increases CPU usage when using CS features |
1076785-3 | 3-Major | BT1076785 | Virtual server may not properly exit from hardware SYN Cookie mode |
1063237-6 | 3-Major | BT1063237 | Stats are incorrect when the management interface is not eth0 |
1040277-6 | 3-Major | BT1040277 | Syslog-ng issue may cause logging to stop and possible reboot of a system |
1036613-6 | 3-Major | BT1036613 | Client flow might not get offloaded to PVA in embryonic state |
1032257-5 | 3-Major | BT1032257 | Forwarded PVA offload requests fail on platforms with multiple PDE/TMM |
1029105-2 | 3-Major | BT1029105 | Hardware SYN cookie mode state change logs bogus virtual server address |
1027481-4 | 3-Major | BT1027481 | The log messages 'error: /bin/haloptns unexpected error -- 768' generated on A110 and D112 platforms |
1024421-4 | 3-Major | BT1024421 | At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log |
1019829-4 | 3-Major | BT1019829 | Configsync.copyonswitch variable is not functioning on reboot |
1009793-4 | 3-Major | | Tmm crash when using ipsec |
1009337-3 | 3-Major | BT1009337 | LACP trunk down due to bcm56xxd send failure |
964533-6 | 4-Minor | BT964533 | Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs. |
939757-6 | 4-Minor | BT939757 | Deleting a virtual server might not trigger route injection update. |
936501-7 | 4-Minor | BT936501 | Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled |
929173-5 | 4-Minor | BT929173 | Watchdog reset due to CPU stall detected by rcu_sched |
915141-6 | 4-Minor | BT915141 | Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown' |
904661-5 | 4-Minor | BT904661 | Mellanox NIC speeds may be reported incorrectly on Virtual Edition |
658943-6 | 4-Minor | BT658943 | Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants |
1209589-6 | 4-Minor | BT1209589 | BFD multihop does not work with ECMP routes |
1185257-5 | 4-Minor | BT1185257 | BGP confederations do not support 4-byte ASNs |
1155733-3 | 4-Minor | | NULL bytes are clipped from the end of buffer |
1154685-2 | 4-Minor | BT1154685 | Error log "Database error (13)" seen during the bootup |
1144729-5 | 4-Minor | BT1144729 | PVA stats may be incorrect when PVA offloaded flows have their nexthops changed to a different VLAN |
1142445-5 | 4-Minor | BT1142445 | Multicast handling on wildcard virtual servers leads to TMM memory leak |
1141213-1 | 4-Minor | BT1141213 | Peer is aborting the connection when PEM client runs diameter traffic over SCTP |
1136837-5 | 4-Minor | BT1136837 | TMM crash in BFD code due to incorrect timer initialization |
1121169-4 | 4-Minor | BT1121169 | Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use |
1117305-7 | 4-Minor | BT1117305 | The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials |
1114253-5 | 4-Minor | BT1114253 | Weighted static routes do not recover from BFD link failures |
1105757 | 4-Minor | BT1105757 | Creating CSR with invalid parameters for basic-constraints, tmsh does not generate meaningful errors |
1101741-1 | 4-Minor | BT1101741 | Virtual server with default pool down and iRule pool up will flap for a second during a full config-sync. |
1100609-1 | 4-Minor | BT1100609 | Length Mismatch in DNS/DHCP IPv6 address in logs and pcap |
1096461-1 | 4-Minor | BT1096461 | TACACS system-auth Accounting setting has no effect when set to send-to-all-servers/send-to-first-server |
1095973-4 | 4-Minor | BT1095973 | Config load failure when Trusted CA Bundle is missing and URL is present in the Bundle Manager |
1095205-5 | 4-Minor | BT1095205 | Config.auditing.forward.multiple db Variable with value "none" is not working as expected with multiple destination addresses in audit_forwarder. |
1090441-4 | 4-Minor | BT1090441 | IKEv2: Add algorithm info to SK_ logging |
1089005-5 | 4-Minor | BT1089005 | Dynamic routes might be missing in the kernel on secondary blades. |
1082193-4 | 4-Minor | BT1082193 | TMSH: Need to update the version info for SERVER_INIT in help page |
1077293-3 | 4-Minor | BT1077293 | APPIQ option still showing in BIG-IP GUI even though its functionality migrated to BIG-IQ. |
1076897-5 | 4-Minor | BT1076897 | OSPF default-information originate command options not working properly |
1064753-5 | 4-Minor | BT1064753 | OSPF LSAs are dropped/rate limited incorrectly. |
1011081-4 | 4-Minor | BT1011081 | Connection lost to the Postgres client during the BIG-IP bootup process |
1006449-3 | 4-Minor | BT1006449 | The default size of the subagent object cache possibly leading to slow snmp response time★ |
1184653 | 5-Cosmetic | | TMSH help text for TCP profiles should be updated for timeout attributes |
Local Traffic Manager Issues
ID Number | Severity | Links to More Info | Description |
1112349-5 | 1-Blocking | BT1112349 | FIPS Card Cannot Initialize |
999669-4 | 2-Critical | BT999669 | Some HTTPS monitors are failing after upgrade when config has different SSL option★ |
949137-8 | 2-Critical | BT949137 | Clusterd crash and vCMP guest failover |
937649-5 | 2-Critical | BT937649 | Flow fwd broken with statemirror.verify enabled and source-port preserve strict |
632553-7 | 2-Critical | K14947100, BT632553 | DHCP: OFFER packets from server are intermittently dropped |
1205501-3 | 2-Critical | BT1205501 | The iRule command SSL::profile can select server SSL profile with outdated configuration |
1186249-1 | 2-Critical | BT1186249 | TMM crashes on reject rule |
1156697-4 | 2-Critical | BT1156697 | Translucent VLAN groups may pass some packets without changing the locally administered bit |
1146377-1 | 2-Critical | BT1146377 | FastHTTP profiles do not insert HTTP headers triggered by iRules |
1134257-1 | 2-Critical | BT1134257 | TMM cores when pingaccess profile is modified multiple times and configuration is loaded |
1132405-5 | 2-Critical | BT1132405 | TMM does not process BFD echo pkts with src.addr == dst.addr |
1113549-2 | 2-Critical | BT1113549 | System boots into an inoperative state after installing engineering hotfix with FIPS140-2/140-3 License★ |
1110813-4 | 2-Critical | | Improve MPTCP retransmission handling while aborting |
1110205-3 | 2-Critical | BT1110205 | SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown |
1100721-1 | 2-Critical | BT1100721 | IPv6 link-local floating self-IP breaks IPv6 query to BIND |
1100249-1 | 2-Critical | BT1100249 | SNAT with FLOW_INIT firewall rule may core TMM due to wrong type of underlying flow structure |
1099545-1 | 2-Critical | BT1099545 | Tmm may core when PEM virtual with a simple policy and iRule is being used |
1091021-1 | 2-Critical | BT1091021 | The BIG-IP system may take no fail-safe action when the bigd daemon becomes unresponsive. |
1087469-3 | 2-Critical | BT1087469 | iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate. |
1087217-3 | 2-Critical | BT1087217 | TMM crash as part of the fix made for ID912209 |
1078741-3 | 2-Critical | BT1078741 | Tmm crash |
1073897-1 | 2-Critical | BT1073897 | TMM core due to memory corruption |
1072377-2 | 2-Critical | BT1072377 | TMM crash in rare circumstances during route changes |
1063653-3 | 2-Critical | BT1063653 | TMM Crash while processing traffic on virtual server. |
1060369-2 | 2-Critical | BT1060369 | HTTP MRF Router will not change serverside load balancing method |
1020645-7 | 2-Critical | BT1020645 | When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered |
966785-4 | 3-Major | BT966785 | Rate Shaping stops TCP retransmission |
947125-8 | 3-Major | BT947125 | Unable to delete monitors after certain operations |
945189-6 | 3-Major | BT945189 | HTTPS monitor fails due to missing ECDHE-RSA-AES256-CBC-SHA★ |
932461-6 | 3-Major | BT932461 | Cert update on server SSL profile on HTTPS monitor: BIG-IP not using the updated certificate. |
928445-7 | 3-Major | BT928445 | HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2 |
912293-6 | 3-Major | BT912293 | Persistence might not work properly on virtual servers that utilize address lists |
901569-5 | 3-Major | BT901569 | Loopback traffic might get dropped when VLAN filter is enabled for a virtual server. |
887265-5 | 3-Major | BT887265 | BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration★ |
878641-4 | 3-Major | BT878641 | TLS1.3 certificate request message does not contain CAs |
857769-2 | 3-Major | BT857769 | FastL4+HTTP or FastL4+Hash-Persistence virtual servers do not work correctly in DSR mode. |
851121-7 | 3-Major | BT851121 | Database monitor DBDaemon debug logging not enabled consistently |
739475-7 | 3-Major | BT739475 | Site-Local IPv6 Unicast Addresses support. |
1216053-5 | 3-Major | BT1216053 | Regular monitors do not use options from SSL profiles |
1210469-2 | 3-Major | BT1210469 | TMM can crash when processing AXFR query for DNSX zone |
1205045-5 | 3-Major | BT1205045 | WMI monitor does not put pool members into an offline/unchecked state when BIG-IP receives HTTP responses other than 200 |
1185929-1 | 3-Major | BT1185929 | Under rare circumstances, the TCL interpreter can crash TMM after a long time |
1185133-1 | 3-Major | BT1185133 | ILX streaming plugins limited to MCP OIDs less than 10 million |
1184153-1 | 3-Major | BT1184153 | TMM crashes when you use the rateshaper with packetfilter enabled |
1166481-4 | 3-Major | BT1166481 | The vip-targeting-vip fastL4 may core |
1159569-3 | 3-Major | BT1159569 | Persistence cache records may accumulate over time |
1155393-3 | 3-Major | BT1155393 | Failure to remove chunk headers from chunked response with Rewrite/HTML profile and compression |
1148065-1 | 3-Major | BT1148065 | HTTP::header exists and value iRule commands will not return successful even if the header is present |
1146241-1 | 3-Major | BT1146241 | FastL4 virtual server may egress packets with unexpected and erratic TTL values |
1144845-5 | 3-Major | BT1144845 | GARPs from a newly active unit may be bridged for a brief time while the peer chassis transitions to standby |
1144117-4 | 3-Major | BT1144117 | "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands |
1143833-3 | 3-Major | BT1143833 | ILX (iRules LX) may corrupt tmstat (profile statistics) memory |
1141845-5 | 3-Major | BT1141845 | RULE_INIT with a call that contains an extra colon character (:) will crash BIG-IP. |
1135313-5 | 3-Major | BT1135313 | Pool member current connection counts are incremented and not decremented |
1133881-1 | 3-Major | BT1133881 | Errors in attaching port lists to virtual server when TMC is used with same sources |
1133625-1 | 3-Major | BT1133625 | The HTTP2 protocol is not working when SSL persistence and session ticket are enabled |
1126841-4 | 3-Major | BT1126841 | HTTP::enable can rarely cause cores |
1126329-1 | 3-Major | BT1126329 | SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT★ |
1125381-1 | 3-Major | BT1125381 | Extraneous warnings recorded in when using only intermediate certificates |
1123169-2 | 3-Major | BT1123169 | Error saving an iRule when calling a procedure from HTML_TAG_MATCHED event |
1115041-2 | 3-Major | BT1115041 | BIG-IP does not forward the response received after GOAWAY, to the client. |
1113181-1 | 3-Major | BT1113181 | Self-IP allows no traffic following a modification from "Allow Custom (Include Default)" to "Allow Custom". |
1112745-1 | 3-Major | BT1112745 | System CPU Usage detailed graph is not accessible on Cerebrus+ |
1112385-4 | 3-Major | BT1112385 | Traffic classes match when they shouldn't |
1112205-1 | 3-Major | BT1112205 | HTTP/2 may garble responses if the client-side stream aborts while response headers are on the wire |
1111473-5 | 3-Major | BT1111473 | "Invalid monitor rule instance identifier" error after sync with FQDN nodes |
1110949-3 | 3-Major | BT1110949 | Updating certKeyChain of parent SSL profile using iControl does not change the cert and key outside certKeyChain of the child profile |
1110485-4 | 3-Major | BT1110485 | SSL handshake failures with invalid profile error |
1109953-5 | 3-Major | BT1109953 | TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry |
1109833-2 | 3-Major | BT1109833 | HTTP2 monitors not sending request |
1107605-2 | 3-Major | BT1107605 | TMM crash reported with specific policy settings |
1107565-1 | 3-Major | BT1107565 | SSL Persistence behavior change for TLS1.3 connection between v16.1.0 and v16.1.2.2 |
1106673-4 | 3-Major | BT1106673 | Tmm crash with FastL4 virtual servers and CMP disabled |
1105969-4 | 3-Major | BT1105969 | Gratuitous ARP not issued for non-floating self-IP on clicking "Update" via the GUI |
1104553-3 | 3-Major | BT1104553 | HTTP_REJECT processing can lead to zombie SPAWN flows piling up |
1102429-1 | 3-Major | BT1102429 | iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases. |
1101697-3 | 3-Major | BT1101697 | TLS1.3 connection failure with 0-RTT and Hello Retry Request (HRR). |
1101181-4 | 3-Major | BT1101181 | HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server |
1099373-3 | 3-Major | BT1099373 | Virtual Servers may reply with a three-way handshake when disabled or when processing iRules |
1099229-5 | 3-Major | BT1099229 | SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present |
1096893-3 | 3-Major | BT1096893 | TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection |
1093061-1 | 3-Major | BT1093061 | MCPD restart on secondary blade during hot-swap of another blade |
1091969-4 | 3-Major | BT1091969 | iRule 'virtual' command does not work for connections over virtual-wire. |
1091785-1 | 3-Major | BT1091785 | DBDaemon restarts unexpectedly and/or fails to restart under heavy load |
1088597-1 | 3-Major | BT1088597 | TCP keepalive timer can be immediately re-scheduled in rare circumstances |
1088173-3 | 3-Major | BT1088173 | With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile |
1087569-5 | 3-Major | BT1087569 | Changing max header table size according HTTP2 profile value may cause stream/connection to terminate |
1086473-4 | 3-Major | BT1086473 | BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake |
1084965-4 | 3-Major | BT1084965 | Low visibility of attack vector |
1083621-5 | 3-Major | BT1083621 | The virtio driver uses an incorrect packet length |
1083589-4 | 3-Major | BT1083589 | Some connections are dropped on chained IPv6 to IPv4 virtual servers. |
1080569-3 | 3-Major | | BIG-IP prematurely closes clientside HTTP1.1 connection when serverside is HTTP2 and HTTP MRF router is enabled on virtual server |
1077553-4 | 3-Major | BT1077553 | Traffic matches the wrong virtual server after modifying the port matching configuration |
1076577-4 | 3-Major | BT1076577 | iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg' |
1070957-4 | 3-Major | BT1070957 | Database monitor log file backups cannot be rotated normally. |
1070789-1 | 3-Major | BT1070789 | SSL fwd proxy invalidating certificate even through bundle has valid CA |
1068673-4 | 3-Major | BT1068673 | SSL forward Proxy triggers CLIENTSSL_DATA event on bypass. |
1065353-2 | 3-Major | BT1065353 | Disabling ciphers does not work due to the order of cipher suite. |
1063977-4 | 3-Major | BT1063977 | Tmsh load sys config merge fails with "basic_string::substr" for non-existing key. |
1060989-1 | 3-Major | BT1060989 | Improper handling of HTTP::collect |
1060021-3 | 3-Major | BT1060021 | Using OneConnect profile with RESOLVER::name_lookup iRule might result in core. |
1056941-3 | 3-Major | BT1056941 | HTTPS monitor continues using cached TLS version after receiving fatal alert. |
1053741-5 | 3-Major | BT1053741 | Bigd may exit and restart abnormally without logging a reason |
1043009-6 | 3-Major | BT1043009 | TMM dump capture for compression engine hang |
1040465-2 | 3-Major | BT1040465 | Incorrect SNAT pool is selected |
1026781-4 | 3-Major | BT1026781 | Standard HTTP monitor send strings have double CRLF appended |
1025089-6 | 3-Major | BT1025089 | Pool members marked DOWN by database monitor under heavy load and/or unstable connections |
1023529-4 | 3-Major | BT1023529 | FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory. |
1002969-5 | 3-Major | BT1002969 | Csyncd can consume excessive CPU time★ |
1000561-6 | 3-Major | BT1000561 | HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side |
1000069-5 | 3-Major | BT1000069 | Virtual server does not create the listener |
990173-7 | 4-Minor | BT990173 | Dynconfd repeatedly sends the same mcp message to mcpd |
929429-9 | 4-Minor | BT929429 | Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed |
1156105-1 | 4-Minor | BT1156105 | Proxy Exclusion List is not configurable if VLAN group and route-domain are in non default partition |
1142225-1 | 4-Minor | BT1142225 | Regular and In-TMM HTTPS monitors advertise different cipher suites when SSL profile is set to None
1138101-1 | 4-Minor | BT1138101 | Tunnel connections might not come up when using pool routes |
1137717-1 | 4-Minor | BT1137717 | There are no dynconfd logs during early initialization |
1133557-1 | 4-Minor | BT1133557 | Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name |
1132765-5 | 4-Minor | BT1132765 | Virtual server matching might fail in rare cases when using virtual server chaining. |
1128505-1 | 4-Minor | BT1128505 | HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy |
1124085-5 | 4-Minor | BT1124085 | iRules command [info hostname] does not reflect modified hostname |
1122377-1 | 4-Minor | BT1122377 | If-Modified-Since always returns 304 response if there is no last-modified header in the server response |
1121349-1 | 4-Minor | BT1121349 | CPM NFA may stall due to lack of other state transition |
1107453-1 | 4-Minor | BT1107453 | Performance drop observed in some Ramcache::HTTP tests on BIG-IP i10800 platform |
1103617-5 | 4-Minor | BT1103617 | 'Reset on Timeout' setting might be ignored when fastl4 is used with another profile. |
1103117-1 | 4-Minor | BT1103117 | iAppLX extension using express with httpserver script leaves lingering client-side flow on HTTP requests. |
1101369-5 | 4-Minor | | MQTT connection stats are not updated properly
1093545-5 | 4-Minor | BT1093545 | Attempts to create illegal virtual-server may lead to mcpd crash. |
1035757-5 | 4-Minor | BT1035757 | iRulesLX restart leaves stale files in /var/tmstat/blade/tmplugin_ilx_* |
926085-3 | 5-Cosmetic | BT926085 | In WebUI node or port monitor test is not possible, but it works in TMSH |
Performance Issues
ID Number | Severity | Links to More Info | Description |
1127445-4 | 2-Critical | BT1127445 | Performance degradation after Bug ID 1019853 |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Links to More Info | Description |
1211341-5 | 1-Blocking | | Failed to delete custom monitor after dissociating from virtual server
940733-6 | 2-Critical | BT940733 | Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt★ |
931149-4 | 2-Critical | BT931149 | Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings |
1225061-2 | 2-Critical | BT1225061 | The zxfrd segfault with numerous zone transfers |
1212081-1 | 2-Critical | BT1212081 | The zxfrd segfault and restart loop due to incorrect packet processing |
1137485-1 | 2-Critical | BT1137485 | Gtmd produces excessive logging and may also crash (SIGSEGV) repeatedly |
1127241-5 | 2-Critical | BT1127241 | AS3 tenants don't sync reliably in GTM sync groups. |
1103833-1 | 2-Critical | BT1103833 | Tmm core with SIGSEGV in gtmpoolmbr_UpdateStringProc |
966461-8 | 3-Major | BT966461 | Tmm memory leak |
936417-5 | 3-Major | BT936417 | DNS/GTM daemon big3d does not accept ECDH or DH ciphers |
1205509-1 | 3-Major | BT1205509 | Region cache fails to update appropriately after referenced region update |
1205061-1 | 3-Major | BT1205061 | DNSSEC keys removed from the configuration before expiration date when iQuery connection goes down |
1200929-3 | 3-Major | BT1200929 | GTM configuration objects larger than 16384 bytes can cause the GTM sync process to hang |
1191349-1 | 3-Major | BT1191349 | The dns_cache_derived_stat show corrupted values. |
1189877-5 | 3-Major | | The option /dev/random is deprecated in rndc-confgen with the latest BIND 9.16
1182353-1 | 3-Major | BT1182353 | DNS cache consumes more memory because of the accumulated mesh_states |
1162221-1 | 3-Major | BT1162221 | Probing decision will skip local GTM upon reboot if net interface is not brought up soon enough |
1162081-7 | 3-Major | | Upgrade the BIND package to fix security vulnerabilities
1161241-6 | 3-Major | | BIND default behavior changed from 9.11 to 9.16
1142153-1 | 3-Major | BT1142153 | DNS Resource Records for Wide IPs are potentially misleading when creating or deleting a large number of Wide IPs |
1137217-1 | 3-Major | BT1137217 | DNS profile fails to set TC flag for responses containing RRSIG algorithm 13 |
1127805-1 | 3-Major | BT1127805 | Server.crt containing "<" will cause frequent reconnects between local gtmd and big3d |
1125561-1 | 3-Major | | Add nameserver-min-rtt (infra-cache-min-rtt) feature support for DNS validating resolver cache
1124217-5 | 3-Major | BT1124217 | Big3d cores on CTCPSocket::TCPReceive and connector |
1122497-3 | 3-Major | BT1122497 | Rapid response not functioning after configuration changes |
1116513-4 | 3-Major | BT1116513 | Route-domains should not be allowed on name server addresses via the GUI. |
1111361-4 | 3-Major | BT1111361 | Refreshing DNS wide IP pool statistics returns an error |
1108557-5 | 3-Major | BT1108557 | DNS NOTIFY with TSIG is failing due to un-matched TSIG name |
1108237-1 | 3-Major | BT1108237 | Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM. |
1100197-1 | 3-Major | BT1100197 | GTM sends wrong commit_id originator for iqsyncer to do gtm group sync |
1096165-5 | 3-Major | BT1096165 | Tmm cored for accessing the pool after the gtm_add command is run |
1078669-1 | 3-Major | BT1078669 | iRule command “RESOLVER::name_lookup” returns null for TCP resolver with TC (truncated) flag set. |
1073677-2 | 3-Major | BT1073677 | Add a db variable to enable answering DNS requests before reqInitState Ready |
1070953-5 | 3-Major | BT1070953 | Dnssec zone transfer could cause numerous gtm sync events. |
1060145-4 | 3-Major | BT1060145 | Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2. |
1051125-2 | 3-Major | BT1051125 | GTM marks virtual servers offline even when LTM virtual servers are available. |
1040153-4 | 3-Major | BT1040153 | Topology region returns narrowest scope netmask without matching |
264701-7 | 4-Minor | K10066, BT264701 | The zrd exits on error from bind about .jnl file error |
1186789-1 | 4-Minor | BT1186789 | DNSSEC keys stored on an internal FIPS card do not work after upgrading to versions >= 16.x |
1143985-1 | 4-Minor | | TMUI options to configure Nameserver Minimum RTT are unavailable in DNS Cache and Net Resolver
1128405-4 | 4-Minor | BT1128405 | DNS overall Request/Second counter can be inaccurate |
1125161-3 | 4-Minor | BT1125161 | Wideip fails to display or delete in the Link Controller GUI. |
1121937-5 | 4-Minor | BT1121937 | ZoneRunner GUI is unable to display CAA records with "Property Value" set to ";" |
1067821-5 | 4-Minor | BT1067821 | Stats allocated_used for region inside zxfrd is overflowed |
1054717-4 | 4-Minor | BT1054717 | Incorrect Client Summary stats for transparent cache. |
1122153-5 | 5-Cosmetic | BT1122153 | Zonerunner GUI displaying incorrect error string "RRSig Covers Unsupported Record Type" |
Application Security Manager Issues
ID Number | Severity | Links to More Info | Description |
1105341-1 | 0-Unspecified | BT1105341 | Decode_application_payload can break exponent notation in JSON |
923821-2 | 2-Critical | BT923821 | Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack |
850141-3 | 2-Critical | BT850141 | Possible tmm core when using Dosl7/Bot Defense profile |
1113161-1 | 2-Critical | BT1113161 | After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets★ |
1095185-1 | 2-Critical | BT1095185 | Failed Configuration Load on Secondary Slot After Device Group Sync |
928997-4 | 3-Major | BT928997 | Less XML memory allocated during ASM startup |
890169-5 | 3-Major | BT890169 | URLs starting with double slashes might not be loaded when using a Bot Defense Profile. |
1216297-2 | 3-Major | BT1216297 | TMM core occurs when ASM is disabled in the request_send event
1196537-4 | 3-Major | BT1196537 | BD process crashes when you use SMTP security profile |
1194173-1 | 3-Major | | BIG-IP does not block the request when a parameter sent as a cookie has a URL-encoded base64 padding value
1190365-2 | 3-Major | BT1190365 | OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly |
1186401-1 | 3-Major | BT1186401 | Using REST API to change policy signature settings changes all the signatures. |
1184841-1 | 3-Major | | Header Based Content Profile is synced differently to peer unit in auto-sync mode when updating URL through REST API
1173493-3 | 3-Major | BT1173493 | Bot signature staging timestamp corrupted after modifying the profile |
1156889-4 | 3-Major | BT1156889 | TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions |
1148009-1 | 3-Major | BT1148009 | Cannot sync an ASM logging profile on a local-only VIP |
1144497-1 | 3-Major | | Base64 encoded metachars are not detected in HTTP headers
1141665-1 | 3-Major | | Significant slowness in policy creation following Threat Campaign LU installation
1137993-1 | 3-Major | BT1137993 | Violation is not triggered on specific configuration |
1136833-3 | 3-Major | BT1136833 | Unparseable request content subviolation override cannot be configured on microservices |
1134441-3 | 3-Major | BT1134441 | Inactive policy synced to peer results in ASM being removed from virtual server only for sync-only DG
1132981-3 | 3-Major | BT1132981 | Standby not persisting manually added session tracking records |
1132741-1 | 3-Major | BT1132741 | Tmm core when html parser scans endless html tag of size more than 50MB
1128689-1 | 3-Major | BT1128689 | Performance improvement in signature engine |
1127809-1 | 3-Major | | Due to incorrect URI parsing, the system does not extract the expected domain name
1126409-2 | 3-Major | | BD process crash
1117245-1 | 3-Major | BT1117245 | Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file |
1113881-1 | 3-Major | | Headers without a space after the colon trigger an HTTP RFC violation
1112805-5 | 3-Major | BT1112805 | ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4 |
1110281-1 | 3-Major | BT1110281 | Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable |
1106937-4 | 3-Major | | ASM may skip signature matching
1105485 | 3-Major | BT1105485 | Emulated Interaction Events occurs when using Bot Defense Profile and Datasafe keylogger protection feature |
1102301-1 | 3-Major | | Content profiles created for types other than video and image allow executables
1100669-2 | 3-Major | BT1100669 | Brute force captcha loop |
1100393-1 | 3-Major | BT1100393 | Multiple Referer header raise false positive evasion violation |
1099193-1 | 3-Major | | Incorrect configuration for "Auto detect" parameter is shown after switching from other data types
1098609-2 | 3-Major | | BD crash in a specific scenario
1095041-1 | 3-Major | BT1095041 | ASM truncates cookies that contain a space in the name and TS cookie as part of cookie list. |
1089853-1 | 3-Major | | "Virtual Server" or "Bot Defense Profile" links in Request Details are not working
1085661-2 | 3-Major | BT1085661 | Standby system saves config and changes status after sync from peer |
1083913-5 | 3-Major | BT1083913 | Missing error check in ICAP handling |
1080613-4 | 3-Major | BT1080613 | LU configurations revert to default and installations roll back to genesis files★ |
1078065-1 | 3-Major | BT1078065 | The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA. |
1077281-1 | 3-Major | BT1077281 | Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages |
1072165-5 | 3-Major | BT1072165 | Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format |
1070833-3 | 3-Major | BT1070833 | False positives on FileUpload parameters due to default signature scanning |
1069137-1 | 3-Major | BT1069137 | Missing AWAF sync diagnostics |
1067589-4 | 3-Major | BT1067589 | Memory leak in nsyncd |
1065681-2 | 3-Major | BT1065681 | Sensitive data is not masked under certain conditions. |
1059513-2 | 3-Major | BT1059513 | Virtual servers may appear as detached from security policy when they are not. |
1048949-7 | 3-Major | BT1048949 | TMM xdata leak on websocket connection with asm policy without websocket profile |
1029373-3 | 3-Major | BT1029373 | Firefox 88+ raising Suspicious browser violations with bot defense |
1023229-5 | 3-Major | BT1023229 | False negative on specific authentication header issue |
1021609-5 | 3-Major | BT1021609 | Improve matching of URLs with specific characters to a policy. |
1017557-5 | 3-Major | BT1017557 | ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN |
1225677-1 | 4-Minor | | Challenge Failure Reason is not functioning in ASM remote logging
1211437-3 | 4-Minor | | Anti-Bot SDK fails when the mobile cookie is too long
1210569-2 | 4-Minor | BT1210569 | User defined signature rule disappears when using high ASCII in rule |
1210053-2 | 4-Minor | BT1210053 | The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error |
1189865-1 | 4-Minor | BT1189865 | "Cookie not RFC-compliant" violation missing the "Description" in the event logs |
1154725-5 | 4-Minor | | Custom or predefined method does not change the behavior when changing from GET to POST method
1133997-2 | 4-Minor | BT1133997 | Duplicate user-defined Signature Set based on untagged signatures is created upon policy import |
1132925-2 | 4-Minor | BT1132925 | Bot defense does not work with DNS Resolvers configured under non-zero route domains |
1132705-4 | 4-Minor | BT1132705 | Failed on insert entry to DCC.ACCOUNT_LOGIN_OBJECT_ATTRIBUTES |
1123153-4 | 4-Minor | | "Such URL does not exist in policy" error in the GUI
1120529-2 | 4-Minor | BT1120529 | Illegal internal request in multipart batch request |
1113753-1 | 4-Minor | | Signatures might not be detected when using truncated multipart requests
1111793-1 | 4-Minor | BT1111793 | New HTTP RFC Compliance check for incorrect newline separators between request line and first header |
1108657-2 | 4-Minor | | No notification about disabled "Virus detected" violation when enabling "Anti-Virus Protection"
1106897-1 | 4-Minor | | Broken link under Cryptographic Failure section in OWASP page
1092965-1 | 4-Minor | | Disabled "Illegal Base64 value" violation is detected for staged base64 parameter with attack signature in value
1087005-1 | 4-Minor | BT1087005 | Application charset may be ignored when using Bot Defense Browser Verification |
1084857-1 | 4-Minor | BT1084857 | ASM::support_id iRule command does not display the 20th digit |
1083513-3 | 4-Minor | BT1083513 | BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd |
1076825-2 | 4-Minor | BT1076825 | "Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases. |
1048445-4 | 4-Minor | BT1048445 | Accept Request button is clickable for unlearnable violation illegal host name |
1035361-7 | 4-Minor | BT1035361 | Illegal cross-origin after successful CAPTCHA |
1021637-5 | 4-Minor | BT1021637 | In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs |
1020717-5 | 4-Minor | BT1020717 | Policy versions cleanup process sometimes removes newer versions |
1003765-3 | 4-Minor | BT1003765 | Authorization header signature triggered even when explicitly disabled |
1113333-4 | 5-Cosmetic | | Change ArcSight Threat Campaign key names to be camelCase
1048989-1 | 5-Cosmetic | | Slight correction of button titles in the Data Guard Protection Enforcement
1041469-1 | 5-Cosmetic | | Request Log Page: Line break in the middle of the word in the note next to Block this IP Address
Application Visibility and Reporting Issues
ID Number | Severity | Links to More Info | Description |
1111189-1 | 3-Major | BT1111189 | Listing errors in tmsh and installation failures when the configuration includes an AVR scheduled-report. |
Access Policy Manager Issues
ID Number | Severity | Links to More Info | Description |
831737-4 | 2-Critical | BT831737 | Memory Leak when using Ping Access profile |
1122473-5 | 2-Critical | | TMM panic while initializing URL DB
1106757-4 | 2-Critical | | Horizon VDI clients are intermittently disconnected
1082581-3 | 2-Critical | | Apmd sees large memory growth due to CRLDP Cache handling
796065-3 | 3-Major | BT796065 | PingAccess filter can accumulate connections increasing memory use. |
1224377-1 | 3-Major | BT1224377 | Policy Sync fails for a policy when default-all Address Space assigned to Network Access resource |
1196401-1 | 3-Major | | Restarting TMM does not restart APM Daemon
1189761 | 3-Major | BT1189761 | Multiple APM sessions are created after login into the Citrix webtop through a workspace in Linux Client |
1188417-1 | 3-Major | BT1188417 | SelfTest/Integrity test failure detected, triggering reboot action |
1173669-4 | 3-Major | | Unable to reach backend server with Per Request policy and Per Session together
1167985-1 | 3-Major | BT1167985 | Network Access resource settings validation errors |
1166937-2 | 3-Major | BT1166937 | The path_match is missing in RCL path when path_match string is "Any String" |
1166449-1 | 3-Major | BT1166449 | APM - NTLM authentication will stop working if any of DC FQDN is not resolvable in the configured DC list |
1147621-1 | 3-Major | BT1147621 | AD query "do not change password" does not come into effect when RSA Auth agent is used
1146017-4 | 3-Major | | WebUI does not display an error when parent rewrite profile is not assigned to user defined rewrite profile
1108109-5 | 3-Major | BT1108109 | APM policy sync fails when access policy contains customization images★ |
1101321-2 | 3-Major | BT1101321 | APM log files are flooded after a client connection fails. |
1100549-4 | 3-Major | BT1100549 | "Resource Administrator" role cannot change ACL order |
1091509-4 | 3-Major | BT1091509 | SAML Artifact resolution service fails to resolve artifacts on same IP after reboot |
1089101-3 | 3-Major | BT1089101 | Apply Access Policy notification in UI after auto discovery |
1050165-2 | 3-Major | BT1050165 | APM - users end up with SSO disabled for their session, admin intervention required to clear session |
1039941-4 | 3-Major | BT1039941 | [WIN]Webtop offers to download f5vpn when it is already installed |
1037877-5 | 3-Major | BT1037877 | OAuth Claim display order incorrect in VPE |
1010809-4 | 3-Major | BT1010809 | Connection is reset when sending an HTTP HEAD request to APM Virtual Server
1218813-5 | 4-Minor | BT1218813 | "Timeout waiting for TMM to release running semaphore" after running platform_diag |
1088389-3 | 4-Minor | BT1088389 | Admin to define the AD Query/LDAP Query page-size globally |
1079441-4 | 4-Minor | BT1079441 | APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries |
1041985-4 | 4-Minor | BT1041985 | TMM memory utilization increases after upgrade★ |
1028081-2 | 4-Minor | BT1028081 | [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page |
WebAccelerator Issues
ID Number | Severity | Links to More Info | Description |
941961-5 | 3-Major | BT941961 | Upgrading system using WAM TCP profiles may prevent the configuration from loading |
Service Provider Issues
ID Number | Severity | Links to More Info | Description |
1141853-3 | 2-Critical | BT1141853 | SIP MRF ALG can lead to a TMM core |
1189513-5 | 3-Major | BT1189513 | SIP media flow pinholes are not created if SDP MIME multipart body part is missing the Content-Length header
1167941-4 | 3-Major | | CGNAT SIP ALG INVITE loops between BIG-IP and Server
1156149-2 | 3-Major | BT1156149 | Early responses on standby may cause TMM to crash |
1213469-6 | 4-Minor | BT1213469 | MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP dropped |
1184629-1 | 4-Minor | | Validate content length with respect to SIP header offset instead of parser offset
1116941-2 | 4-Minor | | Need larger Content-Length value supported for SIP
Advanced Firewall Manager Issues
ID Number | Severity | Links to More Info | Description |
609878-7 | 2-Critical | BT609878 | Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server |
1106273-4 | 2-Critical | BT1106273 | "duplicate priming" assert in IPSECALG |
1080957-5 | 2-Critical | BT1080957 | TMM Seg fault while Offloading virtual server DOS attack to HW |
990461-6 | 3-Major | BT990461 | Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★ |
1209409-4 | 3-Major | BT1209409 | Address lists with thousands of addresses can cause MCPD to become unresponsive and use 100% CPU |
1137133-3 | 3-Major | | Stats rate is showing incorrect data for broadcast, multicast and ARP flood vectors
1132449-3 | 3-Major | BT1132449 | Incomplete or missing IPv6 IPI database results in connection reset and/or high TMM CPU usage
1127117-2 | 3-Major | BT1127117 | High Memory consumption for NAT translations of NAPT/PBA End Point Independent modes |
1114089-1 | 3-Major | BT1114089 | Frequent SIGSEGV TMM crash/core in AFM FQDN | fw_iptbl_fqdn_ctx_check |
1079985-2 | 3-Major | BT1079985 | int_drops_rate shows an incorrect value |
1070737-3 | 3-Major | BT1070737 | AFM does not detect NXDOMAIN attack at virtual context when DNS cache is activated. |
1053589-2 | 3-Major | BT1053589 | DDoS functionality cannot be configured at a Zone level |
926425-6 | 4-Minor | BT926425 | Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts |
1215401-3 | 4-Minor | | Under Shared Objects, some country names are not available to select in the Address List
1211021-5 | 4-Minor | | Enforcement does not happen for entries in new and modified IPI feed lists due to lock issues
1123189-3 | 4-Minor | BT1123189 | De-Provisioning AFM does not disable SYN-ACK cookie generation |
1084901-2 | 4-Minor | BT1084901 | Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh |
1038117-3 | 4-Minor | BT1038117 | TMM SIGSEGV with BDoS attack signature |
1003377-4 | 4-Minor | BT1003377 | Disabling DoS TCP SYN-ACK does not clear suspicious event count option |
Policy Enforcement Manager Issues
ID Number | Severity | Links to More Info | Description |
1159397-3 | 1-Blocking | BT1159397 | High memory utilization when a blade goes offline results in a core
1186925-5 | 2-Critical | BT1186925 | When FUA in CCA-i, PEM does not send CCR-u for other rating-groups |
1095989-2 | 2-Critical | BT1095989 | PEM behaviour on receiving CCA with result code: 4012 and FUA on the Gy interface |
1091565-2 | 2-Critical | BT1091565 | Gy CCR AVP:Requested-Service-Unit is misformatted/NULL |
924589-6 | 3-Major | BT924589 | PEM ephemeral listeners with source-address-translation may not count subscriber data |
1207381-4 | 3-Major | BT1207381 | PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored |
1174085-2 | 3-Major | BT1174085 | spmdb_session_hash_entry_delete releases the hash's reference |
1174033-1 | 3-Major | BT1174033 | The UPDATE EVENT is triggered with faulty session_info and resulting in core |
1108681-5 | 3-Major | BT1108681 | PEM queries with filters return error message when a blade is offline |
1093357-5 | 3-Major | BT1093357 | PEM intra-session mirroring can lead to a crash |
1089829-4 | 3-Major | BT1089829 | PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers |
Carrier-Grade NAT Issues
ID Number | Severity | Links to More Info | Description |
1183877-3 | 3-Major | BT1183877 | CGNAT related links are unavailable in Statistics section |
1096317-5 | 3-Major | BT1096317 | SIP msg alg zombie flows |
1128429-6 | 4-Minor | BT1128429 | Rebooting one or more blades at different times may cause traffic imbalance, resulting in high CPU
Fraud Protection Services Issues
ID Number | Severity | Links to More Info | Description |
1060393-2 | 3-Major | BT1060393 | Extended high CPU usage caused by JavaScript Obfuscator. |
Anomaly Detection Services Issues
ID Number | Severity | Links to More Info | Description |
1211297-2 | 2-Critical | | Handling DoS profiles created dynamically using iRule and L7Policy
1046469-3 | 3-Major | BT1046469 | Memory leak during large attack |
1060409-5 | 4-Minor | BT1060409 | Behavioral DoS enable checkbox is wrong. |
Traffic Classification Engine Issues
ID Number | Severity | Links to More Info | Description |
1161965-2 | 3-Major | BT1161965 | File descriptor(fd) and shared memory leak in wr_urldbd |
1168137-4 | 4-Minor | | PEM Classification Auto-Update for month is working as hourly
1167889-4 | 4-Minor | | PEM classification signature scheduled updates do not complete
1144329-5 | 4-Minor | BT1144329 | Traffic Intel does not classify Microsoft app properly |
1117297-2 | 4-Minor | BT1117297 | Wr_urldbd continuously crashes and restarts★ |
Device Management Issues
ID Number | Severity | Links to More Info | Description |
1196477-4 | 3-Major | BT1196477 | Request timeout in restnoded |
iApp Technology Issues
ID Number | Severity | Links to More Info | Description |
889605-1 | 3-Major | BT889605 | iApp with Bot profile is unavailable if application folder includes a subpath |
1004697-4 | 3-Major | BT1004697 | Saving UCS files can fail if /var runs out of space |
Protocol Inspection Issues
ID Number | Severity | Links to More Info | Description |
1182305-3 | 4-Minor | BT1182305 | Descriptions requested for IPS IDs |
1098837-4 | 4-Minor | BT1098837 | Configuration failure due to the DB validation exception happening in the ips_inspection_sig and ips_inspection_compl tables |
1135073-4 | 5-Cosmetic | | IPS signature update webUI warning message "An active subscription is required to access certain inspections" is always enabled
In-tmm monitors Issues
ID Number | Severity | Links to More Info | Description |
1107549-1 | 2-Critical | BT1107549 | In-TMM TCP monitor memory leak |
1110241-1 | 3-Major | BT1110241 | in-tmm http(s) monitor accumulates unchecked memory |
1046917-5 | 3-Major | BT1046917 | In-TMM monitors do not work after TMM crashes |
1019261-4 | 3-Major | BT1019261 | In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile. |
SSL Orchestrator Issues
ID Number | Severity | Links to More Info | Description |
922737-3 | 2-Critical | BT922737 | TMM crash |
1104037-1 | 2-Critical | BT1104037 | Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire |
969297-2 | 3-Major | BT969297 | Virtual IP configured on a system with SelfIP on vwire becomes unresponsive |
1095145-4 | 4-Minor | BT1095145 | Virtual server responding with ICMP unreachable after using /Common/service |
Bot Defense Issues
ID Number | Severity | Links to More Info | Description |
1106337-1 | 2-Critical | | Unable to add tenant ID greater than 12 characters in Bot Defense profile
1209961-1 | 3-Major | | While disabling Web Application in scope through webUI, 'Mobile Identifier - Request Headers' list is set to null
1200985-1 | 3-Major | | While disabling Mobile Application type through WebUI, 'Mobile Identifier - Request Headers' list is getting set to null
1196173-1 | 3-Major | | Bot Defense profile 'API Hostname - Web' configuration is hidden in case of Advanced/Premium service level
1185689-1 | 3-Major | | In Bot Defense, TCP RST is sent if the complete body is not received in client request
1183581-1 | 3-Major | BT1183581 | Encoded URLs are not normalised for protected endpoint check for Advanced/Premium service level for both Web and Mobile requests |
1145797-1 | 3-Major | | In BD profile, query segment in the client request URI is not ignored for protect endpoint match
1112137-1 | 3-Major | | In Bot Defense profile, the SSE API timeout value is not considered for mobile requests
1107041-1 | 3-Major | | The header ISTL-INFINITE-LOOP might get forwarded to origin server
1104381-1 | 3-Major | | Incorrect value for "sed-api-host" is sent to Distributed Cloud with API call
1065109-1 | 3-Major | BT1065109 | In Bot Defense profile, tot_http_requests and tot_requests_forwarded_to_origin are not populated correctly |
1110689-1 | 4-Minor | | Fail to reset INSL statistics
Known Issue details for BIG-IP v17.0.x
999669-4 : Some HTTPS monitors are failing after upgrade when config has different SSL option★
Links to More Info: BT999669
Component: Local Traffic Manager
Symptoms:
Some HTTPS monitors are failing after upgrade when the config has different SSL option properties for different monitors.
Conditions:
-- Individual SSL profiles exist for different HTTPS monitors with SSL parameters.
-- A unique server SSL profile is configured for each HTTPS monitor (one with cert/key, one without).
Impact:
Some HTTPS monitors fail. Pool is down. Virtual server is down.
Workaround:
None
992865-4 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances
Links to More Info: BT992865
Component: TMOS
Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.
Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms
+ BIG-IP i11000 series (C123)
+ BIG-IP i15000 series (D116)
Impact:
Software SYN cookies are enabled, this has a performance impact compared to the hardware mode.
Workaround:
None
992053-7 : Pva_stats for server side connections do not update for redirected flows
Links to More Info: BT992053
Component: TMOS
Symptoms:
Pva_stats for server side connections do not update for the redirected flows.
Conditions:
-- Flows that are redirected to TMM.
-- Server flows are offloaded to PVA.
Impact:
PVA stats do not reflect the offloaded flow.
Workaround:
None
991829-4 : Continuous connection refused errors in restjavad
Links to More Info: BT991829
Component: TMOS
Symptoms:
Continuous connection refused errors observed in restjavad.
[com.f5.rest.workers..AsmConfigWorker] nanoTime:[879945045679087] threadId:[63] Exception:[org.apache.thrift.transport.TTransportException: java.net.ConnectException: Connection refused (Connection refused)
[8100/tm/asm/owasp/task OWASPTaskScheduleWorker] Unexptected exception in getting all the polcies: org.apache.thrift.transport.TTransportException: java.net.ConnectException: Connection refused (Connection refused)
Conditions:
The errors are observed regardless of ASM provisioning.
Impact:
This causes noisy log file of restjavad.
Workaround:
None
990461-6 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★
Links to More Info: BT990461
Component: Advanced Firewall Manager
Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.
Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.
Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.
Workaround:
Manually update the SYN cookie threshold values after an upgrade.
990173-7 : Dynconfd repeatedly sends the same mcp message to mcpd
Links to More Info: BT990173
Component: Local Traffic Manager
Symptoms:
If dynconfd sends a single message to mcpd containing two or more operations, and one of the operations fails mcpd validation, dynconfd repeatedly sends the same message to mcpd.
An example of two operations in one mcp message would be an ephemeral node creation and an ephemeral pool member creation in a single mcp message.
Conditions:
This can occur when:
-- Using FQDN nodes and FQDN pool members.
-- There is an additional issue where the message from dynconfd fails validation within mcpd (e.g., a misconfiguration in which the monitor assigned to the pool is configured with a wildcard destination and the pool member is added to the pool with a port of '0' or 'any').
Impact:
By repeatedly resending the same messages, which fail repeatedly, dynconfd causes increased mcpd CPU utilization.
This might cause the population of ephemeral nodes and pool members to fail and become out of sync with what the DNS server is resolving.
Workaround:
Examine the LTM logs for mcpd error messages indicating failed attempts to create ephemeral nodes or ephemeral pool members, and resolve the cause of the failed node or pool-member creation.
988745-5 : On reboot, 'could not find platform object' errors may be seen in /var/log/ltm
Links to More Info: BT988745
Component: TMOS
Symptoms:
During a reboot, several error messages are logged in /var/log/ltm:
-- err mcpd[9401]: 01070710:3: Database error (0), get_platform_obj: could not find platform object - sys/validation/Platform.cpp, line 188.
-- err chmand[6578]: 012a0003:3: hal_mcp_process_error: result_code=0x1070710 for result_operation=eom result_type=eom
Conditions:
This occurs when either of the following conditions is met:
-- A fresh installation of a BIG-IP system.
-- A reboot after forcing the mcpd process to reload the BIG-IP configuration.
Impact:
There is no functional impact to these error messages.
Workaround:
None.
979045-5 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms
Links to More Info: BT979045
Component: TMOS
Symptoms:
After installing an Engineering Hotfix version of BIG-IP v14.1.0 or later on certain BIG-IP hardware systems, the Trusted Platform Module (TPM) status shows as INVALID.
Conditions:
This may occur when:
-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
- ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
- ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
- ID963017 (https://cdn.f5.com/product/bugtracker/ID963017.html)
-- The issue is observed only on the following platforms:
- i11600 / i11800
- i11400-DS / i11600-DS / i11800-DS
Impact:
The TPM status INVALID indicates that the system integrity is compromised when it is actually valid.
Workaround:
None.
969297-2 : Virtual IP configured on a system with SelfIP on vwire becomes unresponsive
Links to More Info: BT969297
Component: SSL Orchestrator
Symptoms:
Virtual IP ARP does not get resolved when a SelfIP is configured on a virtual-wire.
Conditions:
Issue happens when a SelfIP address is configured and a Virtual IP address is configured for a Virtual Server.
Impact:
The virtual server is unreachable.
Workaround:
None
966949-7 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node
Links to More Info: BT966949
Component: TMOS
Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.
Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230
This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.
Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since it is not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, no FQDN ephemeral pool members can remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.
Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")
966785-4 : Rate Shaping stops TCP retransmission
Links to More Info: BT966785
Component: Local Traffic Manager
Symptoms:
When rate shaping is applied to a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.
Conditions:
This issue occurs when both of the following conditions are met:
-- Virtual server configured with rate shaping.
-- Standard type of virtual server.
Impact:
The BIG-IP system does not retransmit unacknowledged data segments.
Workaround:
None
966461-8 : Tmm memory leak
Links to More Info: BT966461
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm leaks memory for DNSSEC requests.
Conditions:
NetHSM is configured but disconnected.
or
Internal FIPS card is configured and tmm receives more DNSSEC requests than the FIPS card is capable of handling.
Impact:
Tmm memory utilization increases over time.
Workaround:
None
964533-6 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.
Links to More Info: BT964533
Component: TMOS
Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.
Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.
Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.
There is no impact other than additional log entries.
Workaround:
None.
962477-1 : REST calls that modify GTM objects as a user other than admin may take longer than expected
Links to More Info: BT962477
Component: TMOS
Symptoms:
After performing a REST call to modify a GTM object, subsequent requests may take longer than expected to complete. Delays of 800-1000ms are possible for a brief time after a GTM object is modified.
Conditions:
Modifying a GTM object as a user other than "admin" when the device is part of a GTM sync group.
Impact:
Slower than expected REST performance. Scripts that perform a series of modifications and subsequent queries could be heavily impacted.
Workaround:
Use the admin account or use transactions.
950201-5 : Tmm core on GCP
Links to More Info: BT950201
Component: TMOS
Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.
TMM panic with this message in a tmm log file:
panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.
Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141
-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.
Note: Using either workaround has a performance impact.
950153-4 : LDAP remote authentication fails when empty attribute is returned
Links to More Info: BT950153
Component: TMOS
Symptoms:
LDAP/AD Remote authentication fails and the authenticating service may crash.
The failure might be intermittent.
Conditions:
The LDAP/AD server SearchResEntry includes an attribute with an empty or NULL value.
This can be seen in a tcpdump of the LDAP communication in one of the following ways:
1. No value for the attribute. Example from a tcpdump taken for an affected user:
vals: 1 item
AttributeValue:
2. NULL value for the attribute. Example from a tcpdump taken for an affected user:
vals: 1 item
AttributeValue: 00
Impact:
Logging in via the GUI fails silently.
Logging in via SSH causes the sshd service on the LTM to crash; the logs appear in /var/log/kern.log.
The logs will be similar to:
info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000]
info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0
Workaround:
There is no workaround on the LTM side.
On the LDAP server, change or add the value of the affected attribute from none/NULL to any dummy value; this prevents the issue.
949137-8 : Clusterd crash and vCMP guest failover
Links to More Info: BT949137
Component: Local Traffic Manager
Symptoms:
Clusterd crashes and a vCMP guest fails over.
Conditions:
The exact conditions under which this occurs are unknown. It can occur during normal operation.
Impact:
Memory corruption and clusterd can crash, causing failover.
Workaround:
None.
947125-8 : Unable to delete monitors after certain operations
Links to More Info: BT947125
Component: Local Traffic Manager
Symptoms:
Unable to delete monitor with an error similar to:
01070083:3: Monitor /Common/my-mon is in use.
Conditions:
-- Monitors are attached directly to pool members, or node-level monitors exist.
-- Issuing the "reloadlic" command, which causes the configuration to get rebuilt implicitly.
Impact:
Unable to delete object(s) no longer in use.
Workaround:
When the system enters this state, save and reload the configuration using the following command:
tmsh save sys config && tmsh load sys config
945413-5 : Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync
Links to More Info: BT945413
Component: TMOS
Symptoms:
The BIG-IP system constantly downloads the certificate bundle if the CA-bundle manager config includes a URL.
Symptoms differ depending on whether the BIG-IP system is in a manual or automatic sync device group.
Manual sync device groups will not stay in sync.
Automatic sync device groups will constantly sync.
Conditions:
The CA-bundle manager is configured.
Impact:
The keymgmtd and mcpd processes get into a loop that causes constant config changes, and if the ca-bundle-manager includes a URL, the BIG-IP system constantly downloads the bundle.
945189-6 : HTTPS monitor fails due to missing ECDHE-RSA-AES256-CBC-SHA★
Links to More Info: BT945189
Component: Local Traffic Manager
Symptoms:
After upgrade, the 'DEFAULT' cipher in the server SSL profile attached to the HTTPS monitor does not include the ECDHE-RSA-AES256-CBC-SHA cipher suite in the Client Hello.
Conditions:
After upgrade, the HTTPS monitor cipher list is read from the server SSL profile ciphers and set to DEFAULT.
Impact:
1. Upgrade breaks the SSL pool monitoring.
2. It is also possible that pool monitoring succeeds, but with unexpected ciphers from the 'DEFAULT' list, which may cause increased resource usage or unexpectedly weaker encryption.
Note: The ciphers negotiated between the HTTPS backend being monitored and the server SSL profile will still belong to the 'DEFAULT' list.
Workaround:
BIG-IP provides ways to customize the cipher string used by the server SSL profile.
Via the configuration utility:
https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-ltm-configuring-custom-cipher-string-for-ssl-negotiation/configuring-a-custom-cipher-string-for-ssl-negotiation.html
Via tmsh commands:
https://support.f5.com/csp/article/K65292843
941961-5 : Upgrading system using WAM TCP profiles may prevent the configuration from loading
Links to More Info: BT941961
Component: WebAccelerator
Symptoms:
If a BIG-IP is on version 13.1.0 through 15.1.x and has profiles in use that use wam-tcp-wan-optimized and/or wam-tcp-lan-optimized as parent profiles, then when the configuration is upgraded to 16.0.0, the configuration fails to load, with an error similar to:
err mcpd[10087]: 01020036:3: The requested parent profile (/Common/wam-tcp-wan-optimized) was not found.
Conditions:
-- Upgrading from version 13.1.0 through 15.1.x.
-- Using profiles derived from wam-tcp-wan-optimized and/or wam-tcp-lan-optimized.
Impact:
Configuration does not load.
Workaround:
Remove these profiles and adjust the configuration elements that use them accordingly.
Here are two examples:
-- Copy the definition of 'wam-tcp-wan-optimized' from /defaults/wam_base.conf into /config/bigip.conf, and then reload the configuration.
-- Change the references to wam-tcp-wan-optimized to something else in your config file (e.g., tcp-wan-optimized), and then reload the configuration.
940733-6 : Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt★
Links to More Info: BT940733
Component: Global Traffic Manager (DNS)
Symptoms:
The system fails during the boot-up process, reports a libcrypto validation error, and the system halts. The console will show this error:
Power-up self-test failures:
OpenSSL: Integrity test failed for libcrypto.so
This occurs after one of the following:
-- Upgrading a FIPS-enabled BIG-IP system, booting to a volume running an earlier software version
-- Running big3d_install from a BIG-IP GTM configuration to a BIG-IP LTM
On a FIPS-licensed BIG-IP LTM configuration, when checking the big3d version you may see something similar to this:
/shared/bin/big3d -V
fips.c:204:f5_get_library_path: failed to dlopen libcrypto.so.1.0.2za
./big3d version big3d Version 17.0.0.0.0.22 for linux
Conditions:
-- FIPS-licensed BIG-IP system.
-- Upgrade.
-- Boot into a volume running an earlier version of the software.
Another way to encounter the issue is:
-- FIPS-licensed BIG-IP LTM.
-- BIG-IP DNS (GTM) device running a higher software version than the LTM.
-- Run big3d_install from a BIG-IP GTM-configuration pointing to FIPS-licensed BIG-IP LTM configuration.
Impact:
System boots to a halted state or big3d may continuously restart.
Workaround:
Before booting to the volume with the earlier version, delete /shared/bin/big3d.
Note: This issue might have ramifications for DNS/GTM support. DNS/GTM is not FIPS-certified.
If the target software volume has already experienced this issue (the system boots to a halted state), in addition to deleting /shared/bin/big3d, follow the instructions in K25205233: BIG-IP System halted while booting. Halt at boot after FIPS Integrity Check Result FAIL :: https://support.f5.com/csp/article/K25205233 .
For additional information, see K29290121: Rollback after upgrade or big3d_install may cause FIPS to halt system on boot :: https://support.f5.com/csp/article/K29290121.
939757-6 : Deleting a virtual server might not trigger route injection update.
Links to More Info: BT939757
Component: TMOS
Symptoms:
When multiple virtual servers share the same virtual address, deleting a single virtual server might not trigger a route injection update.
Conditions:
-- Multiple virtual servers sharing the same destination address
-- One of the virtual servers is deleted
Impact:
The route remains in the routing table.
Workaround:
Disable and re-enable the virtual address after deleting a virtual server.
937649-5 : Flow fwd broken with statemirror.verify enabled and source-port preserve strict
Links to More Info: BT937649
Component: Local Traffic Manager
Symptoms:
Flow forwarding does not work with statemirror.verify enabled and source-port is preserve strict. Depending on the number of tmms and the IP addresses/ports on the network, this causes return traffic to get dropped.
Traffic captures show packets leaving the BIG-IP system on one tmm and being returned on another. The return traffic that encounters the second tmm is dropped.
Conditions:
-- Mirroring is enabled.
-- High availability (HA) peer is connected.
-- The source-port setting is preserve-strict.
-- The statemirror.verify option is enabled.
-- There is more than one tmm.
Impact:
Server-side return traffic to the BIG-IP is dropped. This causes connection timeouts and resets.
Workaround:
-- Disable statemirror.verify, disable source-port preserve-strict, disable mirroring.
-- On BIG-IP Virtual Edition (VE), add the following to tmm_init.tcl on both units and restart tmm:
ndal ignore_hw_dag yes
936501-7 : Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled
Links to More Info: BT936501
Component: TMOS
Symptoms:
When attempting to Export/Import a file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf via SCP, you receive an error dialog:
"file not allowed"
Conditions:
-- fips140 or common criteria mode enabled
-- Export/Import file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf
Impact:
Importing or exporting a file with scp from/to the BIG-IP file path(s) /var/local/ucs or /var/local/scf is not allowed when fips140 or Common Criteria mode is enabled, even if the file is encrypted.
Workaround:
None
936417-5 : DNS/GTM daemon big3d does not accept ECDH or DH ciphers
Links to More Info: BT936417
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS/GTM big3d daemon does not accept ECDH or DH ciphers.
Conditions:
Connections to big3d with ECDH or DH ciphers.
Impact:
ECDH/DH ciphers do not work with big3d.
Workaround:
Re-generate big3d cert and key with EC parameters.
932461-6 : Cert update on server SSL profile on HTTPS monitor: BIG-IP not using the updated certificate.
Links to More Info: BT932461
Component: Local Traffic Manager
Symptoms:
If you overwrite the certificate that is configured on the server SSL profile and used with the HTTPS monitor, the BIG-IP system still uses an old certificate.
After you update the certificate, the stored certificate is incremented, but monitor logging indicates it is still using the old certificate.
Conditions:
-- Create a pool with an HTTPS pool member.
-- Create an HTTPS monitor with cert and key.
-- Assign the HTTPS monitor to the HTTPS pool.
-- Update the certificate via GUI or tmsh.
Impact:
The monitor still tries to use the old certificate, even after the update.
Workaround:
Use either of the following workarounds:
-- Restart bigd:
bigstart restart bigd
-- Modify the server SSL profile cert key, set it to 'none', and switch back to the original cert key name.
The bigd utility successfully loads the new certificate file.
931149-4 : Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings
Links to More Info: BT931149
Component: Global Traffic Manager (DNS)
Symptoms:
RESOLV::lookup returns an empty string.
Conditions:
The name being looked up falls into one of these categories:
-- Forward DNS lookups in these zones:
- localhost
- onion
- test
- invalid
-- Reverse DNS lookups for:
- 127.0.0.0/8
- ::1
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 0.0.0.0/8
- 169.254.0.0/16
- 192.0.2.0/24
- 198.51.100.0/24
- 203.0.113.0/24
- 255.255.255.255/32
- 100.64.0.0/10
- fd00::/8
- fe80::/10
- 2001:db8::/32
- ::/64
Impact:
RESOLV::lookup fails.
Workaround:
Use a DNS Resolver ('net dns') and RESOLVER::name_lookup / DNSMSG:: instead of RESOLV::lookup:
1. Configure a local 'net dns' resolver, replacing '192.88.99.1' with the IP address of your DNS resolver:
tmsh create net dns-resolver resolver-for-irules answer-default-zones no forward-zones add { . { nameservers add { 192.88.99.1:53 } } }
2. Use an iRule procedure similar to this to perform PTR lookups for IPv4 addresses:
proc resolv_ptr_v4 { addr_v4 } {
    # Convert $addr_v4 into its constituent bytes
    set ret [scan $addr_v4 {%d.%d.%d.%d} a b c d]
    if { $ret != 4 } {
        return
    }
    # Perform a PTR lookup on the IP address $addr_v4, and return the first answer
    set ret [RESOLVER::name_lookup "/Common/resolver-for-irules" "$d.$c.$b.$a.in-addr.arpa" PTR]
    set ret [lindex [DNSMSG::section $ret answer] 0]
    if { $ret eq "" } {
        # log local0.warn "DNS PTR lookup for $addr_v4 failed."
        return
    }
    # Last element in '1.1.1.10.in-addr.arpa. 600 IN PTR otters.example.com'
    return [lindex $ret end]
}
-- In an iRule, instead of:
RESOLV::lookup @192.88.9.1 $ipv4_addr
Use:
call resolv_ptr_v4 $ipv4_addr
930393-1 : IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration
Links to More Info: BT930393
Component: TMOS
Symptoms:
-- IPsec tunnel does not start.
-- Remote IPsec networks unavailable.
Conditions:
-- Using IKEv1 and one of the following:
+ Performing an upgrade.
+ IPsec tunnel reconfiguration generally involving a change to, or addition of, a traffic-selector.
Impact:
IPsec tunnel is down permanently.
Workaround:
-- Reconfigure or delete and re-create the traffic selectors associated with the IPsec tunnel that does not start.
Special Notes:
-- This occurs rarely and does not happen spontaneously; it requires an intentional change (reconfiguration or upgrade).
-- A BIG-IP reboot or a restart of tmipsecd does not resolve this condition.
-- This symptom might also occur due to a genuine misconfiguration.
-- After major version upgrades, default ciphers can change; double-check the encryption and authentication ciphers for the tunnel.
929429-9 : Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed
Links to More Info: BT929429
Component: Local Traffic Manager
Symptoms:
When you create an Oracle or SQL (mssql, mysql, or postgresql) database monitor and add a pool member to it, high CPU usage occurs every time the OpenSSL libraries are loaded for a new connection.
Conditions:
-- Create an Oracle or SQL database LTM monitor.
-- Add a pool member to the Oracle or SQL database monitor created.
-- Platform FIPS is licensed.
Impact:
High CPU usage due to the loading of libraries whenever a new connection is created.
Workaround:
None.
929173-5 : Watchdog reset due to CPU stall detected by rcu_sched
Links to More Info: BT929173
Component: TMOS
Symptoms:
rcu_sched detects a CPU stall, which can cause a vCMP host reboot. The device reboots without a core and records "Host Watchdog timeout."
Typically there are logs in kern.log similar to:
err kernel: : [526684.876928] INFO: rcu_sched detected stalls on CPUs/tasks: ...
Conditions:
Host undergoing a watchdog reset in a vCMP environment.
Impact:
CPU RCU stalls and host watchdog reboots
928997-4 : Less XML memory allocated during ASM startup
Links to More Info: BT928997
Component: Application Security Manager
Symptoms:
Smaller total_xml_memory is selected during ASM startup.
For example, platforms with 32GiB or more RAM should give ASM 1GiB of XML memory, but they get only 450MiB. Platforms with 16GiB should give ASM 450MiB, but they get only 300MiB.
Conditions:
Platforms with 16GiB, 32GiB, or more RAM
Impact:
Less XML memory allocated
Workaround:
Use the following ASM internal parameter to increase the XML memory size:
additional_xml_memory_in_mb
For more details, refer to K10803: https://support.f5.com/csp/article/K10803.
928445-7 : HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2
Links to More Info: BT928445
Component: Local Traffic Manager
Symptoms:
HTTPS monitor state is down when the server_ssl profile cipher string has the value 'TLSv1_2'.
-- The configured cipher string TLSv1_2/TLSv1_1 is rejected by OpenSSL.
Conditions:
-- Pool member is attached with HTTPS monitor.
-- Monitor is configured with an SSL profile.
-- The configured server_ssl profile has cipher string as DEFAULT:!TLSv1_2.
Impact:
Pool status is down.
Workaround:
-- Enable 'in-tmm' monitoring.
-- Use SSL options available in the server SSL profile to disable TLSv1_2 or TLSv1_1 instead of cipher string.
-- Use the same cipher string with cipher group / cipher rule that is attached to the SSL profile.
926425-6 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
Links to More Info: BT926425
Component: Advanced Firewall Manager
Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection continue to be unsupported until hardware SYN cookies are disabled.
Conditions:
SYN Cookie activated on Neuron-capable platforms:
+ VIPRION B4450N blade
+ BIG-IP iSeries devices (ix800) except the i850, ix2800, and ix4800:
-- BIG-IP i5800 Series
-- BIG-IP i7800 Series
-- BIG-IP i11800 Series
-- BIG-IP i15800 Series
Impact:
A SYN attack successfully causes hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not deactivate immediately.
Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options are not taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.
Workaround:
You can use any of the following to clear the HSB issue:
-- Restart neurond.
-- Restart TMM.
-- Reboot the device.
926085-3 : In WebUI node or port monitor test is not possible, but it works in TMSH
Links to More Info: BT926085
Component: Local Traffic Manager
Symptoms:
When attempting to test a newly created Pool Member monitor, the Node Address field is disabled and you cannot enter a node address. This prevents you from using the Test operation to test this type of monitor in the WebUI.
Conditions:
-- Create a new Pool Member monitor (not a Node Address monitor). For example, HTTP, HTTPS, FTP, TCP, or Gateway ICMP.
-- With the monitor configuration displayed in the WebUI, click the Test tab.
-- View the Address field, and try to run the test.
Impact:
The Address field is disabled, with *.* in the field. You cannot enter a node address. The test fails with the following message:
invalid monitor destination of *.*:80.
invalid monitor destination of *.*:443. (:port used to test)
Workaround:
Run either of the following TMSH commands:
-- tmsh run ltm monitor <type> <name> destination <IP address>:<port>
-- tmsh modify ltm monitor <type> <name> destination *:*
For example, for HTTP:
-- tmsh run ltm monitor http my_http destination <IP address>:<port>
-- tmsh modify ltm monitor http my_http destination *:*
For example, for HTTPS:
-- tmsh run ltm monitor https my_https destination <IP address>:<port>
-- tmsh modify ltm monitor https my_https destination *:*
925469-4 : SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo
Links to More Info: BT925469
Component: TMOS
Symptoms:
When using the Certificate Order Manager to request a new Multi-Domain certificate from the Sectigo Certificate Authority (CA), the request the BIG-IP sends is missing the 'subjectAltName' field.
Conditions:
-- Certificate Order Manager is configured to send requests to the Comodo/Sectigo CA.
-- Configure a new key with Subject Alternative Name (SAN).
Impact:
The BIG-IP system sends a request to the Sectigo CA that is missing the 'subjectAltName' field. That makes Certificate Order Manager not suitable for requesting Multi-Domain certificates.
Workaround:
There is no workaround other than not using Certificate Order Manager for Multi-Domain certificates.
924589-6 : PEM ephemeral listeners with source-address-translation may not count subscriber data
Links to More Info: BT924589
Component: Policy Enforcement Manager
Symptoms:
When a PEM profile is associated with a protocol that can create dynamic server-side listeners (such as FTP), and source-address-translation is also enabled on the virtual server, traffic on that flow (for example ftp-data) is not associated with the subscriber, and is therefore not counted or categorized.
Conditions:
-- Listener configured with PEM and FTP profiles
-- Some form of source address translation is enabled on the listener (for example, SNAT, Automap, SNAT Pool)
Impact:
Inaccurate subscriber traffic reporting and classification.
Workaround:
None.
923821-2 : Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack
Links to More Info: BT923821
Component: Application Security Manager
Symptoms:
When the mitigation action is set to CSI followed by captcha for a credential stuffing attack, the captcha is not triggered even after a successful CSI challenge.
Conditions:
1) The mitigation action is set to CSI followed by captcha for credential stuffing attacks.
2) A credential stuffing attack occurs.
3) The CSI challenge succeeds.
Impact:
The captcha is not triggered, resulting in weaker mitigation of the credential stuffing attack than configured.
Workaround:
None
922737-3 : TMM crash
Links to More Info: BT922737
Component: SSL Orchestrator
Symptoms:
TMM crashes with a sigsegv while passing traffic.
Conditions:
Virtual server with a Connector profile that redirects to an internal virtual server on the same BIG-IP system.
Impact:
Traffic disrupted while tmm restarts.
921149-7 : After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy
Links to More Info: BT921149
Component: TMOS
Symptoms:
All Bandwidth Controller (BWC) stats are 0 (zero) even though traffic is passing.
Conditions:
-- A BWC policy is attached to a virtual server.
-- The virtual server with the attached BWC policy is modified.
Impact:
The system disassociates the BWC policy from the virtual server. Traffic is no longer throttled according to the policy rules.
Workaround:
To reattach the policy, detach the Bandwidth Controller policy from the virtual server, and then reapply it.
915141-6 : Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'
Links to More Info: BT915141
Component: TMOS
Symptoms:
Availability status of virtual server can be left 'available' even if the corresponding pool's availability becomes 'unknown'.
Conditions:
-- Pool member is configured as an FQDN node.
-- You set the monitor to 'none' on the pool.
Impact:
Inconsistent availability status of pool and virtual server.
Workaround:
Set the FQDN node to 'force offline', and then 'enable'. This triggers virtual server's status updates and syncs to pool.
912293-6 : Persistence might not work properly on virtual servers that utilize address lists
Links to More Info: BT912293
Component: Local Traffic Manager
Symptoms:
-- Connections to the virtual server might hang.
-- Increased tmm CPU utilization.
Conditions:
-- A virtual server is configured with a traffic-matching-criteria that utilizes a source-address-list and/or destination-address-list.
-- The virtual server uses one of the following persistence types:
+ Source Address (but not hash-algorithm carp)
+ Destination Address (but not hash-algorithm carp)
+ Universal
+ Cookie (only cookie hash)
+ Host
+ SSL session
+ SIP
+ Hash (but not hash-algorithm carp)
Impact:
-- High tmm CPU utilization.
-- Stalled connections.
Workaround:
Enable match-across-virtuals in the persistence profile.
Note: Enabling match-across-virtuals might affect the behavior of other virtual servers in the configuration that utilize persistence.
908453-6 : Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly
Links to More Info: BT908453
Component: TMOS
Symptoms:
When a trunk is configured with a name longer than 32 characters on a vCMP host, guests update the working-mbr-count for the trunk incorrectly when another trunk on the host changes. This might result in vCMP guests failing over unexpectedly.
Conditions:
-- Trunk configured with a name longer than 32 characters on vCMP host.
-- Trunk made available to guests for high availability (HA) Group scoring.
-- At least one other trunk configured on vCMP host.
-- Interface state changes in any other trunk.
Impact:
The vCMP guests may fail over unexpectedly.
Workaround:
Do not use trunk names longer than 32 characters.
904661-5 : Mellanox NIC speeds may be reported incorrectly on Virtual Edition
Links to More Info: BT904661
Component: TMOS
Symptoms:
Speeds for Mellanox NICs on BIG-IP Virtual Edition may be reported incorrectly. The behavior varies depending on what driver is in use:
- Speeds are always reported as 10G when the mlxvf5 driver is used, regardless of the actual speed of the interface.
- Speeds are reported as either 10G or 40G when the xnet driver is used. This is accurate unless the actual NIC speed is greater than 40G, in which case it is still reported as 40G.
Conditions:
-- BIG-IP Virtual Edition
-- Using a Mellanox NIC with the mlxvf5 or xnet driver
Impact:
Possibly incorrect media speed reported. (Actual speed is correct, regardless of what is displayed.)
901569-5 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.
Links to More Info: BT901569
Component: Local Traffic Manager
Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.
Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).
Impact:
Traffic that is matched against a terminating connection flow of a virtual server is not processed by the virtual server.
Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.
891333-3 : Very rarely the HSB can get into a corrupted state resulting in ARP entry in BIG-IP stuck incomplete.
Links to More Info: K32545132, BT891333
Component: TMOS
Symptoms:
Comparing the ARP response captured on the originator with the BIG-IP shows a single bit is flipped in the MAC address.
The incomplete ARP entry can produce secondary symptoms with network connectivity problems reflected in the status. For example: Config Sync, health monitor(s), etc.
Wireshark and tshark can report this as "unknown ARP opcode" (the opcode in the corrupted response is not 2) and "duplicate use of <IP> detected" (one IP is seen with two different MAC addresses: the correct one and the one with the flipped bit).
Conditions:
This can occur on BIG-IP hardware platforms containing a high-speed bridge (HSB).
Impact:
Network connectivity problems on some traffic passing through the affected HSB. Could be reflected in the status of Config Sync or more health monitors down on one member of high availability (HA) pair.
Workaround:
Reboot the affected device.
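The following Python script is an added example (not F5 code) that reproduces the capture analysis described above on constructed data: it decodes an Ethernet/IPv4 ARP body, checks that the opcode is a valid request or reply, and reports which bits of the sender MAC differ between the reply captured on the originating host and the reply seen by the BIG-IP system. The sample payloads, MAC addresses and IP addresses are made up for the example; in practice you would feed it the ARP bodies extracted from the two captures.

```python
import struct

# Constructed sample ARP payloads (the 28-byte ARP body after the Ethernet
# header), not taken from a real capture: the same reply as captured on the
# originating host and as seen on the BIG-IP side, with one bit flipped in
# the sender MAC (00:11:22:33:44:55 -> 00:11:22:33:44:54).
ORIGINATOR_REPLY = bytes.fromhex(
    "0001" "0800" "06" "04" "0002"
    "001122334455" "0a000005"
    "00aabbccddee" "0a000001"
)
BIGIP_REPLY = bytes.fromhex(
    "0001" "0800" "06" "04" "0002"
    "001122334454" "0a000005"
    "00aabbccddee" "0a000001"
)

ARP_OPCODES = {1: "request", 2: "reply"}


def parse_arp(payload: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP body into its fields."""
    if len(payload) < 28:
        raise ValueError("ARP body truncated")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    return {
        "opcode": opcode,
        "sender_mac": payload[8:14],
        "sender_ip": ".".join(str(b) for b in payload[14:18]),
        "target_mac": payload[18:24],
        "target_ip": ".".join(str(b) for b in payload[24:28]),
    }


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def flipped_bits(a: bytes, b: bytes) -> list:
    """Return (byte_index, bit_index) for every bit that differs between a and b."""
    diffs = []
    for i, (x, y) in enumerate(zip(a, b)):
        delta = x ^ y
        for bit in range(8):
            if delta & (1 << bit):
                diffs.append((i, bit))
    return diffs


def compare_arp_replies(originator: bytes, observed: bytes) -> dict:
    """Compare the reply as sent with the reply as received by the BIG-IP system.

    Flags a corrupted opcode (what the dissector reports as "unknown ARP opcode")
    and a sender MAC that differs by exactly one bit, the signature described
    for this issue (the same IP then appears with two MAC addresses).
    """
    src = parse_arp(originator)
    dst = parse_arp(observed)
    mac_diff = flipped_bits(src["sender_mac"], dst["sender_mac"])
    return {
        "sender_ip": dst["sender_ip"],
        "opcode_valid": dst["opcode"] in ARP_OPCODES,
        "original_mac": mac_str(src["sender_mac"]),
        "observed_mac": mac_str(dst["sender_mac"]),
        "flipped_bits": mac_diff,
        "single_bit_flip": len(mac_diff) == 1,
    }


if __name__ == "__main__":
    result = compare_arp_replies(ORIGINATOR_REPLY, BIGIP_REPLY)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A single flipped bit in the sender MAC, with an otherwise identical frame, is the pattern described for this issue; a multi-bit difference points to a different problem (for example a genuine second host answering for the same IP).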
890169-5 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
Links to More Info: BT890169
Component: Application Security Manager
Symptoms:
When a URL starts with double slashes (i.e. "http://HOST//path"), and the Bot Defense profile decides to perform a simple redirect, the request fails to load.
Conditions:
-- Bot Defense profile in blocking mode (or with "Verification and Device-ID Challenges in Transparent Mode" enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.
Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.
Workaround:
None.
889605-1 : iApp with Bot profile is unavailable if application folder includes a subpath
Links to More Info: BT889605
Component: iApp Technology
Symptoms:
iApp with Bot profile is unavailable if the application folder includes a subpath. If the subpath is not present, the iApp with Bot profile is available.
Conditions:
1) Create default "Bot Protection" or "Web Application Comprehensive Protection" with an enabled "Bot Defense" use case in WGC without a virtual server.
2) Go to "iApps >> Application Services: Applications" and refer to the created iApp.
Impact:
The iApp cannot be loaded when opened through the iApps >> Applications view in TMUI.
Workaround:
View the configuration created by Guided Configuration under the iApps >> Application Services >> Applications LX menu instead.
887265-5 : BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration★
Links to More Info: BT887265
Component: Local Traffic Manager
Symptoms:
When booting to a boot location for the first time, the system does not come on-line.
Conditions:
-- There is a large configuration.
-- VLAN failsafe is configured, and the failsafe-action is something other than failover.
-- The BIG-IP system is an appliance.
Impact:
BIG-IP processes continually restart (VLAN failsafe-action failover-restart-tm), or the BIG-IP system continually reboots (VLAN failsafe-action reboot)
Workaround:
Either disable VLAN failsafe or set the failsafe-action to failover during an upgrade.
879969-9 : FQDN node resolution fails if DNS response latency >5 seconds
Links to More Info: BT879969
Component: TMOS
Symptoms:
When resolving FQDN names for FQDN nodes/pool members, pending DNS requests are timed out after 5 seconds with no response from the DNS server.
If there is a persistent latency of 5 seconds or greater in the DNS server responses, FQDN name resolution will fail and ephemeral nodes/pool members will not be created.
Conditions:
- BIG-IP using FQDN nodes/pool members
- Persistent latency of 5 seconds or greater in the DNS server responses
Impact:
Ephemeral pool members may not be created, thus no traffic will be sent to the intended pool members.
Workaround:
Resolve any persistent latency issues that might cause delays of 5 seconds or more in DNS server responses.
878641-4 : TLS1.3 certificate request message does not contain CAs
Links to More Info: BT878641
Component: Local Traffic Manager
Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4
Conditions:
TLS1.3 and client authentication
Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected
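The following Python script is an added example (not F5 code) showing what the symptom above looks like on the wire. It builds and parses a TLS 1.3 CertificateRequest handshake message as laid out in RFC 8446 section 4.2.4 (handshake type 13, an empty certificate_request_context, the mandatory signature_algorithms extension, and the optional certificate_authorities extension, type 47) and lists the DER names the message advertises. All sample bytes, CA names and the minimal DER encoder are constructed for the example; a practitioner would normally point the parser at the CertificateRequest bytes captured from the affected virtual server (for example from the handshake dump of `openssl s_client -msg`).

```python
# Added example (not F5 code): build and parse a TLS 1.3 CertificateRequest
# handshake message (RFC 8446 section 4.2.4) to check whether it carries a
# certificate_authorities extension. All sample data is constructed inline.

HS_CERTIFICATE_REQUEST = 13       # HandshakeType.certificate_request
EXT_SIGNATURE_ALGORITHMS = 13     # ExtensionType.signature_algorithms
EXT_CERTIFICATE_AUTHORITIES = 47  # ExtensionType.certificate_authorities


def _vec(data: bytes, length_bytes: int) -> bytes:
    """TLS variable-length vector: big-endian length prefix followed by data."""
    return len(data).to_bytes(length_bytes, "big") + data


def der_cn(common_name: str) -> bytes:
    """Minimal DER Name with a single commonName (PrintableString) attribute."""
    def tlv(tag: int, content: bytes) -> bytes:
        assert len(content) < 128          # short-form length only
        return bytes([tag, len(content)]) + content
    attr = tlv(0x06, b"\x55\x04\x03") + tlv(0x13, common_name.encode("ascii"))
    return tlv(0x30, tlv(0x31, tlv(0x30, attr)))


def cn_from_der(dn: bytes) -> str:
    """Recover the commonName from a DER Name produced by der_cn()."""
    pos = 0
    for tag in (0x30, 0x31, 0x30):        # SEQUENCE > SET > SEQUENCE
        if dn[pos] != tag:
            raise ValueError("unexpected DER structure")
        pos += 2
    oid_len = dn[pos + 1]
    if dn[pos] != 0x06 or dn[pos + 2:pos + 2 + oid_len] != b"\x55\x04\x03":
        raise ValueError("first attribute is not commonName")
    pos += 2 + oid_len
    return dn[pos + 2:pos + 2 + dn[pos + 1]].decode("ascii")


def build_certificate_request(ca_names: list, include_cas: bool = True) -> bytes:
    """Encode a CertificateRequest with an empty context and the given CA DNs."""
    # ecdsa_secp256r1_sha256 and rsa_pss_rsae_sha256; the extension is mandatory.
    sig_algs = _vec(b"\x04\x03\x08\x04", 2)
    extensions = EXT_SIGNATURE_ALGORITHMS.to_bytes(2, "big") + _vec(sig_algs, 2)
    if include_cas:
        authorities = b"".join(_vec(dn, 2) for dn in ca_names)
        extensions += EXT_CERTIFICATE_AUTHORITIES.to_bytes(2, "big") + _vec(_vec(authorities, 2), 2)
    body = _vec(b"", 1) + _vec(extensions, 2)   # certificate_request_context is empty here
    return bytes([HS_CERTIFICATE_REQUEST]) + _vec(body, 3)


def parse_certificate_request(msg: bytes) -> dict:
    """Decode a CertificateRequest and list the DER names it advertises."""
    if msg[0] != HS_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    ctx_len = body[0]
    context = body[1:1 + ctx_len]
    pos = 1 + ctx_len
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    extensions = {}
    while pos < ext_end:
        ext_type = int.from_bytes(body[pos:pos + 2], "big")
        ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        extensions[ext_type] = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    authorities = []
    if EXT_CERTIFICATE_AUTHORITIES in extensions:
        data = extensions[EXT_CERTIFICATE_AUTHORITIES]
        end = 2 + int.from_bytes(data[:2], "big")
        p = 2
        while p < end:
            dn_len = int.from_bytes(data[p:p + 2], "big")
            authorities.append(data[p + 2:p + 2 + dn_len])
            p += 2 + dn_len
    return {"context": context, "extensions": extensions,
            "certificate_authorities": authorities}


if __name__ == "__main__":
    for with_cas in (True, False):
        msg = build_certificate_request([der_cn("Example Root CA")], include_cas=with_cas)
        parsed = parse_certificate_request(msg)
        names = [cn_from_der(dn) for dn in parsed["certificate_authorities"]]
        print(f"certificate_authorities present: {with_cas}, names advertised: {names}")
```

A message built with include_cas=False is what an affected BIG-IP system sends: the extension is simply absent, so a client that selects its certificate by matching the advertised issuers has nothing to match against.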
857769-2 : FastL4+HTTP or FastL4+Hash-Persistence virtual servers do not work correctly in DSR mode.
Links to More Info: BT857769
Component: Local Traffic Manager
Symptoms:
Given a long-lived TCP connection that can carry multiple client requests (for example, but not limited to, HTTP requests), the BIG-IP system fails to forward requests after the forty-eighth one.
The client will try re-transmitting the answered request, but the BIG-IP system will persist in dropping it.
Conditions:
This issue occurs when all of the following conditions are met:
1) The virtual server uses the FastL4 profile.
2) The virtual server also uses the HTTP or Hash-Persistence profiles.
3) The virtual server operates in DSR (Direct Server Return) mode (also known as N-Path).
Impact:
The BIG-IP system fails to forward traffic.
Workaround:
Do not use the HTTP or Hash-Persistence profiles with a FastL4 virtual server operating in DSR mode.
Note: It is fine to use an iRule that calls hash persistence commands (for example, "persist carp [...]") as long as the Hash-Persistence profile is not associated to the virtual server. This technique will allow you to persist on a hash based on L4 information that you can extract at CLIENT_ACCEPTED time. For example, the following iRule correctly persists a specific client socket to a pool member in a FastL4 DSR configuration:
when CLIENT_ACCEPTED {
persist carp [IP::client_addr]:[TCP::client_port]
}
851121-7 : Database monitor DBDaemon debug logging not enabled consistently
Links to More Info: BT851121
Component: Local Traffic Manager
Symptoms:
Debug logging in the database monitor daemon (DBDaemon) for database health monitors (mssql, mysql, postgresql, oracle) is enabled on a per-monitor basis.
When a ping is initiated for a particular monitor with debug logging enabled in the monitor configuration, debug logging in DBDaemon is enabled.
When a ping is initiated for a particular monitor with debug logging disabled in the monitor configuration, debug logging in DBDaemon is disabled.
When monitoring database pool members with a mix of monitors with debug logging enabled vs. disabled, the result can be that debug logging in DBDaemon is enabled and disabled at times which do not correspond to all actions related to a specific database monitor, or pool members monitored by that monitor.
In addition, debug messages logging internal DBDaemon state related to the management of the full collection of monitored objects, active threads, etc. may not be logged consistently.
Conditions:
-- Using multiple database health monitors (mssql, mysql, postgresql, oracle)
-- Enabling debug logging on one or more database health monitors, but not all
Debug logging for database health monitors is enabled by configuring the "debug" property of the monitor with a value of "yes".
Debug logging is disabled by configuring the "debug" property with a value of "no" (default).
# tmsh list ltm monitor mysql mysql_example debug
ltm monitor mysql mysql_example {
debug yes
}
Impact:
Logging of database monitor activities by DBDaemon may be inconsistent and incomplete, impeding efforts to diagnose issues related to database health monitors.
Workaround:
When attempting to diagnose database health monitor issues with DBDaemon debug logging, enable debug logging for ALL database monitors currently in use.
Once diagnostic data collection is completed, disable debug logging for all database monitors currently configured/in use.
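The following Python script is an added example (not F5 code) that automates the workaround above: it parses `tmsh list ltm monitor` output, keeps only the database monitor types (mssql, mysql, postgresql, oracle), treats a missing "debug" line as "debug no" (tmsh omits properties at their default value), and emits the tmsh modify commands needed to bring every database monitor to the same debug setting, either all enabled for data collection or all disabled afterwards. The sample tmsh output and monitor names are constructed for the example.

```python
import re

DB_MONITOR_TYPES = ("mssql", "mysql", "postgresql", "oracle")

# Constructed sample of `tmsh list ltm monitor` output (not from a real
# system). tmsh omits properties at their default value, so a database
# monitor with no "debug" line is running with debug disabled.
SAMPLE_TMSH_OUTPUT = """\
ltm monitor http http_app {
    defaults-from http
    interval 5
}
ltm monitor mysql mysql_example {
    debug yes
    defaults-from mysql
}
ltm monitor mssql mssql_prod {
    defaults-from mssql
    interval 10
}
ltm monitor oracle oracle_erp {
    debug no
    defaults-from oracle
}
"""

_HEADER = re.compile(r"^ltm monitor (\S+) (\S+) \{\s*$")
_DEBUG = re.compile(r"^\s*debug\s+(yes|no)\s*$")


def parse_db_monitors(tmsh_output: str) -> list:
    """Return [(type, name, debug_enabled)] for every database monitor in the output."""
    monitors = []
    current = None
    for line in tmsh_output.splitlines():
        header = _HEADER.match(line)
        if header:
            mon_type, name = header.groups()
            current = [mon_type, name, False] if mon_type in DB_MONITOR_TYPES else None
            continue
        if current is None:
            continue
        if line.startswith("}"):
            monitors.append(tuple(current))
            current = None
            continue
        debug = _DEBUG.match(line)
        if debug:
            current[2] = debug.group(1) == "yes"
    return monitors


def debug_commands(monitors: list, enable: bool) -> list:
    """tmsh commands that bring every database monitor to the same debug setting.

    With enable=True this is the workaround for the issue above: every database
    monitor in use gets debug yes. With enable=False it reverses the change
    once diagnostic data collection is complete.
    """
    target = "yes" if enable else "no"
    return [
        f"tmsh modify ltm monitor {mon_type} {name} debug {target}"
        for mon_type, name, debug_on in monitors
        if debug_on != enable
    ]


if __name__ == "__main__":
    found = parse_db_monitors(SAMPLE_TMSH_OUTPUT)
    print("\n".join(debug_commands(found, enable=True)))
```

Run the enable commands, collect the DBDaemon logs, then regenerate with enable=False against fresh tmsh output to turn debug logging off on every database monitor again.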
850141-3 : Possible tmm core when using Dosl7/Bot Defense profile
Links to More Info: BT850141
Component: Application Security Manager
Symptoms:
Tmm crashes.
Conditions:
-- Dosl7/Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature and requires a rDNS.
-- An asynchronous iRule is attached to the virtual server
OR:
-- Device ID feature is enabled, and the current request requires a complex Device ID generation.
-- The connection is closed before the response arrives.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
842669-7 : Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log
Links to More Info: BT842669
Component: TMOS
Symptoms:
Systemd-journald cannot handle logs with embedded newlines and writes the trailing content to /var/log/user.log, so bare ')' lines appear in /var/log/user.log. For example:
cat /var/log/user.log
[...]: Deleting file /shared/core/*.core.*
[...]: Deleting file /shared/core/*.core.*
[...] )
[...] )
Conditions:
This occurs when the system logs syslog messages containing embedded newlines, such as
- The cron process tries and fails to send an email because of output from a cron script.
- Modifying the syslog 'include' configuration
- Applying ASM policy configuration change
- GTM.debugprobelogging output from big3d
- iqsyncer mcpd message debug output (log.gtm.level=debug)
Impact:
The logging subsystem accepts syslog messages with embedded newlines, writes the first line to the appropriate file, and writes the remaining lines to /var/log/user.log.
Workaround:
View the logs using journalctl
831737-4 : Memory Leak when using Ping Access profile
Links to More Info: BT831737
Component: Access Policy Manager
Symptoms:
Memory usage by pingaccess keeps increasing when requests with an expired session cookie are sent to a virtual server with a PingAccess profile.
Conditions:
1. BIG-IP virtual server that contains PingAccess Profile.
2. Request sent with expired session cookie.
Impact:
Memory leak occurs in which ping access memory usage increases.
796065-3 : PingAccess filter can accumulate connections increasing memory use.
Links to More Info: BT796065
Component: Access Policy Manager
Symptoms:
Currently the maximum http header count value for ping access is 64. The connection to the backend is aborted if there are more than 64 headers.
Conditions:
1. Ping access is configured.
2. The HTTP header count is more than 64.
Impact:
The connection is aborted by the BIG-IP system and users are unable to access the backend.
Workaround:
None
778513-4 : APM intermittently drops log messages for per-request policies
Links to More Info: BT778513
Component: TMOS
Symptoms:
APM may intermittently drop log messages, leading to missing information on policy execution or other events.
Conditions:
Using APM per-request policies, or ACCESS::log iRule commands.
Impact:
Some logging events are not recorded, hindering troubleshooting or auditing efforts.
Workaround:
No workaround is possible. When reviewing APM logs, keep in mind that during periods of high activity (greater than 100 log messages in 1-to-2 seconds) that the system may drop some log messages.
776117-5 : BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type
Links to More Info: BT776117
Component: TMOS
Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type.
Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor.
Impact:
The BIG-IP will not use the virtio driver, using the sock (or unic, in versions prior to 14.1.0) driver instead.
775845-7 : Httpd fails to start after restarting the service using the iControl REST API
Links to More Info: BT775845
Component: TMOS
Symptoms:
After restarting httpd using the iControl REST API, httpd fails to start, even with a subsequent restart of httpd at the command line.
Similar to the following example:
config # restcurl -u admin:admin /tm/sys/service -X POST -d '{"name":"httpd", "command":"restart"}'
{
"kind": "tm:sys:service:restartstate",
"name": "httpd",
"command": "restart",
"commandResult": "Stopping httpd: [ OK ]\r\nStarting httpd: [FAILED]\r\n(98)Address already in use: AH00072: make_sock: could not bind to address n.n.n.n:n\nno listening sockets available, shutting down\nAH00015: Unable to open logs\n"
}
config # tmsh restart sys service httpd
Stopping httpd: [ OK ]
Starting httpd: [FAILED]
Conditions:
Restarting httpd service using iControl REST API.
Impact:
Httpd fails to start.
Workaround:
To recover from the failed httpd state, you can kill all instances of the httpd daemon and start httpd:
killall -9 httpd
tmsh start sys service httpd
760982-4 : An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios
Links to More Info: BT760982
Component: TMOS
Symptoms:
Soft out reset does not work for the default route.
Conditions:
-- BGP enabled
-- A route configuration change is made and 'clear ip bgp <IP-addr> soft in/out' is executed
Impact:
A default-route is not propagated in Network Layer Reachability Information (NLRI) by 'soft out' request.
Workaround:
None
760354-16 : Continual mcpd process restarts after removing big logs when /var/log is full
Links to More Info: BT760354
Component: TMOS
Symptoms:
The BIG-IP device suddenly stops passing traffic. You might see errors similar to the following:
err mcpd[15230]: 01070596:3: An unexpected failure has occurred, TAP creation failed (tmm): Permission denied - net/validation/routing.cpp, line 168, exiting...
Conditions:
This might occur when /var/log is full and then you remove big logs.
Impact:
The mcpd process restarts continuously. This occurs because tmm blocks mcpd from restarting after /var/log fills up.
Workaround:
Empty the contents of big size log files under /var/log and reboot the BIG-IP system.
If that does not resolve the problem, restart all processes (bigstart restart) or reboot the box.
755207-4 : Large packets silently dropped on VE mlxvf5 devices
Links to More Info: BT755207
Component: TMOS
Symptoms:
Jumbo frames are disabled by default for Mellanox ConnectX-4 and ConnectX-5 devices using the mlxvf5 driver (i.e., many BIG-IP Virtual Edition (VE) configurations). Packets larger than 1500 bytes are silently dropped. Only packets up to 1500 bytes are supported when jumbo frames are disabled.
Conditions:
BIG-IP VE with SR-IOV using Mellanox ConnectX-4 or ConnectX-5 NICs.
Typically this represents VE configurations running on private Cloud environments such as VMware, KVM, OpenStack, and others.
Note: You can determine your environment by running the following commands:
# tmctl -d blade tmm/device_probed
# tmctl -d blade xnet/device_probed
Configurations exhibiting this issue either:
1. report a value of 'mlxvf5' in the driver_in_use column in tmm/device_probed, and possibly report 'tmctl: xnet/device_probed: No such table.'
2. report a value of 'xnet' in the driver_in_use column in tmm/device_probed, and a value of 'mlxvf5' in the driver_in_use column in xnet/device_probed.
Impact:
Packets larger than 1500 bytes are dropped without a warning.
Workaround:
Enable jumbo frames and then restart tmm.
1. Add the following line to /config/xnet_init.tcl:
drvcfg mlxvf5 jumbo_support 1
2. Restart tmm:
bigstart restart tmm
Important: There are two possible mlxvf5 drivers. It is possible to enable jumbo frames only for the xnet-based driver.
Important: Enabling jumbo frames causes a performance loss for 1500-byte packets, but offers higher throughput at lower CPU usage for larger packets. Note that 1500 bytes is the most common size for internet packets.
739475-7 : Site-Local IPv6 Unicast Addresses support.
Links to More Info: BT739475
Component: Local Traffic Manager
Symptoms:
No reply to Neighbor Advertisement packets.
Conditions:
Using FE80::/10 addresses in network.
Impact:
Cannot use FE80::/10 addresses in the network.
Workaround:
N/A
737692-7 : Handle x520 PF DOWN/UP sequence automatically by VE
Links to More Info: BT737692
Component: TMOS
Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that is passed to the BIG-IP-VE). If an x520 device's PF is set down and then up, tmm does not recover traffic on that interface.
Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.
Impact:
VE does not process any traffic on that VF.
Workaround:
Reboot VE.
662301-10 : 'Unlicensed objects' error message appears despite there being no unlicensed config
Links to More Info: BT662301
Component: TMOS
Symptoms:
An error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.
Examination of the configuration and license shows that there are no configuration errors or unlicensed configuration objects. The device is operational.
Conditions:
The BIG-IP system is licensed and the configuration loaded.
Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.
Workaround:
On an appliance, restart mcpd by running the following command:
bigstart restart mcpd
On a VIPRION or vCMP guest running on a VIPRION, restart MCPD on all blades by running the following command:
clsh bigstart restart mcpd
Note: This causes a system to go offline while services restart. Traffic disrupted while services restart.
658943-6 : Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants
Links to More Info: BT658943
Component: TMOS
Symptoms:
During the platform migration from a physical BIG-IP system to a BIG-IP vCMP guest/F5OS Tenant, the load fails with one of the following messages:
01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.
01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.
Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest/F5OS Tenant.
Impact:
The platform migration fails and the configuration does not load.
Workaround:
You can use one of the following workarounds:
-- Remove all trunks from the source configuration prior to generation of the UCS.
-- Before loading the UCS archive onto the target BIG-IP, edit the archive and remove the trunk configuration from ./config/bigip_base.conf, and then repack the UCS.
-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.
-- K50152613
652877-8 : Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
Links to More Info: BT652877
Component: TMOS
Symptoms:
All services on one or all secondary blades in a VIPRION chassis restart, and MCPD logs errors similar to the following:
-- err mcpd[9063]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)
-- err mcpd[9063]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3:Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)... failed validation with error 17237812.
In versions prior to v11.6.0, the error is: 'Can't save/checkpoint DB object,' rather than 'Can't update_indexes/checkpoint DB object'.
Conditions:
Multi-bladed VIPRION system, where the 'if-index' value for VLANs differs between blades.
You can check the 'if-index' value by running the following command on each blade: tmsh list net vlan all if-index.
Impact:
MCPD restart on all secondary blades results in partial service outage.
Workaround:
Reactivate the license only on a system that is standby/offline.
632553-7 : DHCP: OFFER packets from server are intermittently dropped
Links to More Info: K14947100, BT632553
Component: Local Traffic Manager
Symptoms:
With a DHCP relay virtual server, OFFER packets from DHCP server are intermittently not forwarded to the client and dropped on BIG-IP system.
Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.
Impact:
Client machines joining the network do not receive DHCP OFFER messages.
Workaround:
Manually delete the serverside to force it to be recreated by the next DHCP request.
For example, if the flow to the DHCP server 10.0.66.222 is broken, issue the following tmsh command:
tmsh delete sys connection ss-server-addr 10.0.66.222 cs-server-port 67
609878-7 : Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server
Links to More Info: BT609878
Component: Advanced Firewall Manager
Symptoms:
When loose-init is set, every ACK packet can create a connection, so there is never a "Bad ACK" to drop. This behavior is by design, so be aware of the side effects before enabling this option.
Conditions:
This issue is seen when loose-init is enabled on the FastL4 profile and the system is flooded with asymmetric ACK packets (bad ACKs).
Impact:
Enabling loose initiation may make the virtual server more vulnerable to denial-of-service attacks.
Workaround:
When loose-init is set in the FastL4 profile, enable connection limits on the virtual server and an eviction policy to prevent flow-table exhaustion.
566995-5 : bgpd might crash in rare circumstances.
Links to More Info: BT566995
Component: TMOS
Symptoms:
Under unspecified conditions and in rare cases, bgpd might crash. Although bgpd restarts right away, the routing table might be impacted.
Conditions:
The conditions under which this occurs are not known.
Impact:
This might impact routing table and reachability.
Workaround:
None known.
264701-7 : The zrd exits on error from bind about .jnl file error
Links to More Info: K10066, BT264701
Component: Global Traffic Manager (DNS)
Symptoms:
The zrd process exits and cannot be restarted.
Conditions:
This issue occurs when the journal is out-of-sync with the zone.
Impact:
The zrd process cannot be restarted.
Workaround:
Ensure that no one else is making configuration changes; it is recommended to make these changes during a maintenance window.
On a working system, perform the following steps:
1. Run command # rndc freeze $z
(Do this for all nonworking zones. Do not perform the thaw until you finish copying all required files to the nonworking system.)
2. Run command # tar zcvf /tmp/named.zone.files namedb/db.[nonworking zones].
3. Run command # rndc thaw $z
On each non-working system, perform the following steps:
1. Run command # bigstart stop zrd; bigstart stop named.
2. Copy /tmp/named.zone.files from a working GTM system.
3. Run command # bigstart start named; bigstart start zrd.
Note: Before continuing, review /var/log/daemon.log for named errors, and review /var/log/gtm for zrd errors.
Repeat these steps until all previously non-working systems are working.
On a working GTM system, run the following command:
# touch /var/named/config/named.conf.
1225677-1 : Challenge Failure Reason is not functioning in ASM remote logging
Component: Application Security Manager
Symptoms:
Challenge Failure Reason is not functioning in ASM remote logging.
Conditions:
Using ASM remote logging.
Impact:
Lack of logging information in ASM remote logger.
Workaround:
None
1225061-2 : The zxfrd segfault with numerous zone transfers
Links to More Info: BT1225061
Component: Global Traffic Manager (DNS)
Symptoms:
The zxfrd process occasionally cores and enters a restart loop.
Conditions:
Numerous dns express zones are doing zone transfers at the same time.
Impact:
The zxfrd process restart-loops or cores.
Workaround:
Do not add large number of DNS express zones at the same time and also reduce the total number of DNS express zones.
1224377-1 : Policy Sync fails for a policy when default-all Address Space assigned to Network Access resource
Links to More Info: BT1224377
Component: Access Policy Manager
Symptoms:
Following error is observed during policy sync:
01b70105:3: System built-in APM resource address-space (/Common/default-all) cannot be modified.
Conditions:
Network Access resource has "default-all" address-space.
Impact:
Policy Sync failure.
Workaround:
Remove the 'default-all' address space from the network access configuration, sync the policy, then add it back on the source and destination devices.
1218813-5 : "Timeout waiting for TMM to release running semaphore" after running platform_diag
Links to More Info: BT1218813
Component: Access Policy Manager
Symptoms:
The platform_diag tool might not complete properly, leaving TMM in an inoperable state. A 'bigstart restart' is required to recover.
Conditions:
Running platform_diag tool on a platform licensed with URL filtering.
Impact:
Unable to run platform_diag tool. TMM remains inoperative.
Workaround:
Open /etc/bigstart/scripts/urldb and modify the dependency list to be:
# wait for processes we are dependent on
depend ${service} mcpd running 1 ${start_cnt}
require ${service} urldbmgrd running 1 ${start_cnt}
require ${service} tmm running 1 ${start_cnt}
Then restart urldb:
> bigstart restart urldb
1217473 : All the UDP traffic is sent to a single TMM
Component: TMOS
Symptoms:
BIG-IP dataplane's VMXNET3 driver implementation is missing the Receive Side Scaling (RSS) support for the User Datagram Protocol (UDP) available as part of the VMXNET3 version 4.
Conditions:
BIG-IP VE instance is running on a VMWare host and handling UDP traffic.
Impact:
The traffic distribution does not happen evenly across all TMMs but rather all of the UDP traffic is sent to a single TMM.
Workaround:
None
1216297-2 : TMM core occurs when disabling ASM on the request_send event
Links to More Info: BT1216297
Component: Application Security Manager
Symptoms:
When an iRule that disables ASM on the request_send event is added, TMM cores.
Conditions:
ASM is provisioned and attached to policy.
Add iRule that disables ASM and HTTP on HTTP_REQUEST_SEND event.
Impact:
TMM cores, system is down.
Workaround:
Remove the iRule, or disable ASM for all events of the URL.
1216053-5 : Regular monitors do not use options from SSL profiles
Links to More Info: BT1216053
Component: Local Traffic Manager
Symptoms:
HTTPS monitors do not use the options from the SSL profile assigned to them.
Conditions:
HTTPS monitors are assigned an SSL profile with non-default options set.
Impact:
Pool members may be incorrectly marked up or down as the incorrect SSL options are used.
1215401-3 : Under Shared Objects, some country names are not available to select in the Address List
Component: Advanced Firewall Manager
Symptoms:
Users can create a shared object list to define countries to block traffic from. On searching a name, a list will be shown from which the user can choose and add it to the address list.
There is a limit of only 8 entries in the drop-down menu to choose from.
Some countries are not shown in this list due to the ordering of entries returned from the database.
Conditions:
DOS is enabled
Impact:
As some countries are not available to select, they cannot be included in the Address List to block traffic.
Workaround:
Instead of the country (which is not available to select), all the regions within the country can be added to the block list. This is cumbersome and error-prone, because you must know which of the country's regions are configurable on the BIG-IP system.
1213469-6 : MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP dropped
Links to More Info: BT1213469
Component: Service Provider
Symptoms:
The BIG-IP system does not translate the IP addresses in the SDP or Via headers to the listener IP for an outbound call, which causes the 200 OK response to be dropped.
Conditions:
In SIP ALG, INVITE request with FQDN Route header.
Impact:
Media pinholes are not created for INVITE.
Workaround:
In the SIP_REQUEST event, a specific Route header can be removed and then inserted again in the SIP_REQUEST_SEND event before the request is sent out. For example:
when SIP_REQUEST {
set pd_route_hdr_count [SIP::header count Route]
set pd_route_unset 0
set pd_route [SIP::header Route]
if {[SIP::method] == "INVITE" && ($pd_route_hdr_count equals 1) && $pd_route contains "sip:total.acc.nl;lr" } then {
SIP::header remove "Route"
set pd_route_unset 1
}
}
when SIP_REQUEST_SEND {
if {[SIP::method] == "INVITE" && ($pd_route_unset == 1)} then {
SIP::header insert "Route" $pd_route
}
}
1212081-1 : The zxfrd segfault and restart loop due to incorrect packet processing
Links to More Info: BT1212081
Component: Global Traffic Manager (DNS)
Symptoms:
The zxfrd daemon is in a restart loop and cores.
Conditions:
During zone transfer processing, zxfrd cores while processing packets.
Impact:
DNS Express does not work properly.
Workaround:
None
1211437-3 : When mobile cookie is too long, Anti-Bot SDK is failing
Component: Application Security Manager
Symptoms:
When the mobile (TS_72) cookie is longer than 511, BIG-IP truncates it and it cannot be parsed.
Conditions:
- Bot Defense profile is attached to virtual server, with Mobile SDK enabled.
- Application name is long (causing the cookie to be long).
Impact:
The Anti-Bot SDK fails, and clients cannot be handled as mobile clients.
Workaround:
None
1211341-5 : Failed to delete custom monitor after dissociating from virtual server
Component: Global Traffic Manager (DNS)
Symptoms:
After a custom monitor is dissociated from a virtual server, it cannot be deleted.
Conditions:
- Dissociate the custom monitor from virtual server
- Delete the custom monitor
Impact:
Unable to delete custom monitor.
Workaround:
None
1211297-2 : Handling DoS profiles created dynamically using iRule and L7Policy
Component: Anomaly Detection Services
Symptoms:
Persistent connections carrying HTTP requests whose DoS policy may switch dynamically (through an iRule or L7 policy) can cause a TMM crash.
Conditions:
A request arrives at BIG-IP and is waiting to be served (it is delayed by an iRule). If the DoS profile is unbound from the virtual server during that time and a dynamic DoS profile change decision is made, the request can be incorrectly associated with a context that has already been freed.
Impact:
In a few scenarios, when the DoS policy is changed during the lifetime of a connection, TMM might crash.
Workaround:
None
1211021-5 : Enforcement does not happen for entries in new and modified IPI feed lists due to lock issues
Component: Advanced Firewall Manager
Symptoms:
Entries added or updated in IP Intelligence (IPI) feed lists are not enforced. This occurs when threads in Dynamic White or Black Daemon (DWBLD) module are in deadlock.
Conditions:
- IPI license is enabled.
- Feed lists and policies are configured.
Impact:
Enforcement of entries in new and updated IPI feed lists does not happen.
Workaround:
Check for the "Empty items" message in /var/log/dwbld.log. If the same message is seen more than 100 times in a row, the threads are deadlocked, and you can recover by restarting the DWBLD module:
bigstart restart dwbld
1210569-2 : User defined signature rule disappears when using high ASCII in rule
Links to More Info: BT1210569
Component: Application Security Manager
Symptoms:
WebUI display is empty.
Conditions:
The configured rule contains a high ASCII (greater than 127) value.
Impact:
Unable to see the rule in webUI.
Workaround:
Use the following steps:
1. Navigate to Security > Options > Application Security > Attack Signatures.
2. Create a new signature in Advanced Edit Mode. After setting it, confirm the setting value with the browser developer tool.
3. Add it to the signature set (and confirm that the signature is actually detected).
4. Remove the old signatures from signature set.
1210469-2 : TMM can crash when processing AXFR query for DNSX zone
Links to More Info: BT1210469
Component: Local Traffic Manager
Symptoms:
TMM crashes with SIGABRT, and multiple "Clock advanced by" log messages are seen.
Conditions:
A client sends an AXFR query to a virtual server or wide IP listener that has DNSX enabled in its DNS profile and has a large number of DNSX zones with a large number of resource records.
Impact:
TMM cores and runs slowly, with "Clock advanced by" messages.
Workaround:
Disable zone transfer for the DNS profile associated with the virtual server.
1210053-2 : The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error
Links to More Info: BT1210053
Component: Application Security Manager
Symptoms:
For a Leaked Credential server error, there is an internal parameter that controls whether a Leaked Credentials violation is raised:
cred_stuffing_fail_open (by default, the violation is not raised)
Changing the internal parameter value does not trigger the violation.
Conditions:
- ASM is provisioned.
- WAF Policy is attached to virtual server with Credential Stuffing enabled.
- Internal Parameter cred_stuffing_fail_open is set to 0.
- A server error (or timeout) occurred during leaked credential check.
Impact:
Leaked Credential violation is not raised.
Workaround:
None
1209961-1 : While disabling Web Application in scope through webUI, 'Mobile Identifier - Request Headers' list is set to null
Component: Bot Defense
Symptoms:
When both Mobile and Web applications are in scope for Bot Defense profile, while disabling the Web Application through webUI, the 'Mobile Identifier - Request Headers' list is deleted.
Conditions:
- Both Web and Mobile application types are initially in scope, and the Web Application type is then disabled through the webUI.
Impact:
The 'Mobile Identifier - Request Headers' list is deleted.
Workaround:
Disable or enable Web Application type through TMSH.
1209589-6 : BFD multihop does not work with ECMP routes
Links to More Info: BT1209589
Component: TMOS
Symptoms:
BFD multihop does not work with ECMP routes. The TMMs are unable to agree on session ownership and drop the session after 30 seconds.
Conditions:
On a multi-TMM system, configure a BFD multihop peer that is reachable over an ECMP route.
Impact:
BFD multihop does not work with ECMP routes, and the BFD session is dropped every 30 seconds.
Workaround:
None
1209409-4 : Address lists with thousands of addresses can cause MCPD to become unresponsive and use 100% CPU
Links to More Info: BT1209409
Component: Advanced Firewall Manager
Symptoms:
If there are thousands of addresses in an address list, validating the addresses can take an extended time. While MCPD is validating the addresses it uses nearly 100% of the CPU. During this time, other daemons might time out their connection with MCPD and/or restart.
Conditions:
- Thousands of addresses in an address list.
Impact:
- Longer load /sys configuration time, including on upgrade.
- Longer configuration sync time; a full configuration sync is more prone to cause this issue.
- Modifications made through the webUI take longer and might time out.
Depending on how long MCPD spends validating the addresses, other daemons, including TMM, might time out their connection to MCPD and/or restart.
Workaround:
None
1207381-4 : PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored
Links to More Info: BT1207381
Component: Policy Enforcement Manager
Symptoms:
In the following example, a PEM policy rule flow filter matches traffic from any source address and any port to any destination address and port 81 (the port number is an example):
Source Address   Source Port   VLAN   Destination Address   Destination Port
0.0.0.0/0        0             ANY    0.0.0.0/0             81
The rule is then updated through the GUI or CLI to match traffic from any source address and any port to any destination address and any port:
Source Address   Source Port   VLAN   Destination Address   Destination Port
0.0.0.0/0        0             ANY    0.0.0.0/0             0
The updated rule is correctly saved into the configuration, as shown by the GUI and the CLI, but the new flow filter does not filter the traffic as expected.
The flow filter actually being applied is still the one from the previous version of the policy rule (destination port 81 in the example).
Conditions:
An existing PEM policy rule flow filter is updated through the GUI or CLI, selecting source port '0' ('any') and/or destination port '0' ('any').
Impact:
The updated flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule.
Workaround:
- Restart TMM to make the updated flow filter effective.
or
- Remove the flow filter altogether instead of replacing it with a filter like '0.0.0.0/0:0 --> 0.0.0.0/0:0'. The intended result is the same: the rule catches all traffic.
or
- Create a new additional rule with port number 0 and place it at a higher precedence (under the same policy). For example, if the rule with precedence 10 allows flows for port 80, instead of modifying that rule, create a new rule with precedence 9 that allows flows for port "0", and then delete the old rule.
1205509-1 : Region cache fails to update appropriately after referenced region update
Links to More Info: BT1205509
Component: Global Traffic Manager (DNS)
Symptoms:
A GSLB region object containing records that reference other GSLB regions fails to update its cache when the referenced regions are updated.
Conditions:
- GSLB region object containing records which reference other GSLB regions.
- Region cache was not updated correctly after referenced region updates.
Impact:
DNS query resolution fails to return correct results.
Workaround:
Instead of creating two regions for "not regions", use one region and create the following topology records:
gtm topology ldns: not region /Common/_usr_gslbRegion_internalNet server: pool /Common/_usr_gslbPool_alpha {
order 2
}
gtm topology ldns: not region /Common/_usr_gslbRegion_internalNet server: pool /Common/_usr_gslbPool_bravo {
order 1
...
}
1205501-3 : The iRule command SSL::profile can select server SSL profile with outdated configuration
Links to More Info: BT1205501
Component: Local Traffic Manager
Symptoms:
Under some circumstances, a server SSL profile selected by an iRule can send a previously configured certificate to the peer.
Conditions:
The iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made to the profile.
Impact:
The TLS handshake may use an outdated certificate that does not match the current configuration, potentially leading to handshake failures.
Workaround:
Terminate all traffic running on the virtual servers that are using the iRule command for the update to take effect.
or
Do not make changes to a profile that is actively being used by the iRule command.
1205061-1 : DNSSEC keys removed from the configuration before expiration date when iQuery connection goes down
Links to More Info: BT1205061
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC keys removed from the configuration before expiration date.
Conditions:
In a GTM sync group, if the iQuery connection goes down, the DNSSEC keys are removed from the configuration before their expiration date on the DNS device whose gtm.peerinfolocalid is greater than zero.
Impact:
Removing a KSK from the configuration before its expiration date can cause an outage if the user has not updated the DS record.
Workaround:
None
1205045-5 : WMI monitor does not put pool members into an offline/unchecked state when BIG-IP receives HTTP responses other than 200
Links to More Info: BT1205045
Component: Local Traffic Manager
Symptoms:
With no credentials, the WMI monitor status still displays "UP".
Conditions:
With no credentials or with stale/expired credentials, the WMI monitor status displays "UP".
Impact:
The user is misinformed about the status of the WMI monitor.
Workaround:
None
1200985-1 : While disabling Mobile Application type through WebUI, 'Mobile Identifier - Request Headers' list is getting set to null
Component: Bot Defense
Symptoms:
While disabling Mobile Application type through WebUI, the 'Mobile Identifier - Request Headers' list is deleted.
Conditions:
- Disabling and enabling Mobile Application type through WebUI.
Impact:
The 'Mobile Identifier - Request Headers' list is deleted.
Workaround:
Disable or enable Mobile Application type through TMSH.
1200929-3 : GTM configuration objects larger than 16384 bytes can cause the GTM sync process to hang
Links to More Info: BT1200929
Component: Global Traffic Manager (DNS)
Symptoms:
If GTM objects larger than 16384 bytes are created, then the GTM sync process will not complete. In addition, the gtm_add process (which requests a GTM sync for all objects) will not complete.
Following is the symptom for gtm_add:
After "Retrieving remote GTM configuration...", the process will pause for 300 seconds (5 minutes), and then exit, with a message "Syncer failed to retrieve configuration".
For a normal GTM sync, where gtm_add is not being used, the symptom is that the synchronisation of configuration changes is not working.
Conditions:
The presence of any MCPD object in the GTM configuration (/config/bigip_gtm.conf) which is larger than 16384 bytes, for example a large GTM rule.
Note: The GTM iRules are distinct from LTM iRules. Only GTM objects, such as GTM rules (applied to wideIPs) are relevant to this issue.
Impact:
Unable to complete GTM sync, unable to add a new GTM into the sync group.
Workaround:
Reduce the size of the problematic object to lower than 16384 bytes. For example, if the issue is with a GTM iRule, then try removing comments, blank lines, or unnecessary log statements that do not affect the functionality of the rule.
1196537-4 : BD process crashes when you use SMTP security profile
Links to More Info: BT1196537
Component: Application Security Manager
Symptoms:
The BD process may crash when an SMTP security profile is attached to a virtual server, and the SMTP request is sent to the same virtual server.
Conditions:
- SMTP security profile is attached to VS
- SMTP request is sent to VS
Impact:
Intermittent BD crash
Workaround:
N/A
1196477-4 : Request timeout in restnoded
Links to More Info: BT1196477
Component: Device Management
Symptoms:
The following exception can be observed in the restnoded log:
Request timeout., stack=Error: [RestOperationNetworkHandler] request timeout.
At ClientRequest. <anonymous> (/usr/share/rest/node/src/infrastructure/restOperationNetworkHandler.js:195:19)
Conditions:
When BIG-IP is loaded with a heavy configuration.
Impact:
SSL Orchestrator deployment will not be successful.
Workaround:
1. Remount /usr read-write:
   mount -o remount,rw /usr
2. In getDefaultTimeout : function() at /usr/share/rest/node/src/infrastructure/restHelper.js, replace 60000 with the required timeout.
3. Restart restnoded:
   bigstart restart restnoded
4. Remount /usr with its default options:
   mount -o remount /usr
1196401-1 : Restarting TMM does not restart APM Daemon
Component: Access Policy Manager
Symptoms:
Due to the asynchronous nature of TMM threads and APM plugin channel threads, a core can be triggered when TMM has exited while the APM Daemon (APMD) is still running with the earlier TMM plugin handlers.
Conditions:
TMM restarts while APM still has the old TMPLUGIN handle (which eventually becomes invalid).
Impact:
APMD might core.
Workaround:
Restart APM whenever TMM is restarted.
1196173-1 : Bot Defense profile 'API Hostname - Web' configuration is hidden in case of Advanced/Premium service level
Component: Bot Defense
Symptoms:
The Bot Defense (BD) profile 'API Hostname - Web' configuration is hidden in case of Advanced/Premium service level.
Conditions:
- BD profile is configured from webUI
- Advanced/Premium service level is configured
Impact:
The configuration field 'API Hostname - Web' is unavailable in webUI.
Workaround:
Configure 'API Hostname - Web' using TMSH.
1195377-1 : Getting Service Indicator log for disallowed RSA-1024 crypto algorithm
Component: TMOS
Symptoms:
A disallowed algorithm is logged as approved. An "approved" log entry must not be written for disallowed algorithms when a FIPS license is installed on the platform.
Conditions:
- A FIPS license is installed on the platform.
- An RSA-1024 key is created.
Impact:
Creating keys for approved algorithms only
Workaround:
Change log statements or do not create a key for disallowed algorithms.
1194409-1 : Dropped messages seen in auditforwarder logging
Links to More Info: BT1194409
Component: TMOS
Symptoms:
Dropped message "255 State: PendingSend" is seen.
Conditions:
- Radius is configured.
- Audit forwarder is enabled.
Impact:
Although RADIUS functionality is not affected, dropped messages are seen, which is a false alarm.
Workaround:
None
1194173-1 : BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value
Component: Application Security Manager
Symptoms:
Attack signature check is not run on normalised parameter value.
Conditions:
- A parameter with its location configured as a cookie is present in the parameters list.
- The request contains the explicit parameter with a URL-encoded base64 padding value.
Impact:
- Attack signature not detected.
Workaround:
None
1191349-1 : The dns_cache_derived_stat show corrupted values.
Links to More Info: BT1191349
Component: Global Traffic Manager (DNS)
Symptoms:
In a few scenarios, attributes of dns_cache_derived_stat show corrupted values; for example, server_max_wait_response shows 18446744073709551615.
Conditions:
Checking the tmctl stats for dns_cache_derived_stat.
Impact:
Might create confusion for users.
Workaround:
None
1191137-4 : WebUI crashes when the localized form data fails to match the expectations
Links to More Info: BT1191137
Component: TMOS
Symptoms:
On a Chinese-localized BIG-IP, when the multicast rate limit field is checked (enabled) and updated, the webUI crashes.
Conditions:
On the Chinese BIG-IP:
- Navigate to the System Tab > Configuration.
- In Configuration, select Local Traffic > General.
- In Multicast Section, enable Maximum Multicast Rate Checkbox and click on Update.
Impact:
The webUI of a Chinese-localized BIG-IP crashes.
Workaround:
None
1190777-1 : Unable to add a device to a device trust when the BigDB variable icontrol.basic_auth is set to disable on target device
Component: TMOS
Symptoms:
When the DB variable "icontrol.basic_auth" is set to "disable" on a device, that device cannot be added to a device trust.
The system from which an administrator is attempting to add the new device will log an error:
err devmgmtd[5541]: 015a0000:3: getDeviceInfo failed: iControl authorization failed
Conditions:
DB variable "icontrol.basic_auth" is set to disable
Impact:
Unable to add a device to a device trust.
Workaround:
On the device being added to the trust:
1. Enable basic auth for iControl
tmsh modify /sys db icontrol.basic_auth value enable
2. Restart httpd on the device being added.
bigstart restart httpd
3. Add the device to the trust.
4. If you want to mitigate ID1143073 (https://support.f5.com/csp/article/K94221585), disable basic authentication again:
tmsh modify /sys db icontrol.basic_auth value disable
bigstart restart httpd
The DB variable is synchronized when you add the new device to a sync/failover device group, so check each device in the device group.
Use the following command to check whether it is disabled:
# tmsh list /sys db icontrol.basic_auth
sys db icontrol.basic_auth {
value "disable"
}
If any device has basic auth enabled, disable it and restart httpd on all devices in the device group.
1190365-2 : OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly
Links to More Info: BT1190365
Component: Application Security Manager
Symptoms:
The method used by Bot Defense to serialize an OpenAPI object configured with "style:form", "explode:true", and "type:object" is not functioning as expected.
Conditions:
Repeated occurrences of parameter names in the query string with "type:object/explode:true/style:form" configured OpenAPI file.
Impact:
The violation "JSON data does not comply with JSON schema" is raised due to the repeated parameters from the query string with "array" configuration.
Workaround:
None
1189877-5 : The option /dev/random is deprecated in rndc-confgen with the latest BIND 9.16
Component: Global Traffic Manager (DNS)
Symptoms:
The option /dev/random is deprecated from the rndc-confgen after the BIND upgrade.
The keygen.sysinit script uses rndc-confgen with the deprecated /dev/random option, which causes creation of the rndc.key file to fail.
The ZRD daemon waits for rndc.key; because the key creation failed, the daemon waits indefinitely and stays in a down state.
Conditions:
Upgrade the BIND package from 9.11 to 9.16.
Impact:
The ZRD daemon is down until rndc.key is created.
Workaround:
Create the key manually without the deprecated option by running the following commands:
bigstart stop zrd
rm -f /config/rndc.key
/usr/sbin/rndc-confgen -t /var/named -a -c /config/rndc.key
ln -sf /var/named/config/rndc.key /config/rndc.key
chown -f named:named /var/named/config/rndc.key
bigstart start zrd
1189865-1 : "Cookie not RFC-compliant" violation missing the "Description" in the event logs
Links to More Info: BT1189865
Component: Application Security Manager
Symptoms:
When a request is blocked due to the "Cookie not RFC-compliant" violation, the description field in the request log details is shown as "N/A" instead of the actual description (for example "Invalid equal sign preceding cookie name" or "Invalid space in cookie name").
Conditions:
A request is blocked due to the "Cookie not RFC-compliant" violation, and you look at the request log details.
Impact:
The description is empty, so you cannot tell what the problem with the request is.
1189761 : Multiple APM sessions are created after login into the Citrix webtop through a workspace in Linux Client
Links to More Info: BT1189761
Component: Access Policy Manager
Symptoms:
Only one APM session should be created, but multiple sessions are created when users log in to Citrix Workspace on a Linux client.
Conditions:
1. Create the Citrix VDI configuration through the iApp.
2. Log in to the webtop through Citrix Workspace on a Linux client.
3. Multiple (2) APM sessions are observed on the BIG-IP.
Impact:
Multiple APM sessions are created when users log in to Citrix Workspace on a Linux client.
Workaround:
None
1189513-5 : SIP media flow pinholes are not created if the SDP MIME multipart body parts lack the content-length header
Links to More Info: BT1189513
Component: Service Provider
Symptoms:
The SIP MRF fails to extract the SDP data and does not create media flow pinholes if the SDP Multipurpose Internet Mail Extensions (MIME) multipart body is generated without a content-length header.
Conditions:
An INVITE message contains a MIME multipart payload whose body parts lack the content-length header.
Impact:
Media flow pinholes are not created.
Workaround:
None
1188417-1 : SelfTest/Integrity test failure detected, triggering reboot action
Links to More Info: BT1188417
Component: Access Policy Manager
Symptoms:
The device reboots unexpectedly because the OpenSSL DRBG Continuous RNG test failed, which led to a SelfTest/Integrity test failure that triggers the reboot action.
Following is an example:
Oct 27 13:23:41 <hostname> err websso.7[8608]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
Oct 27 13:23:41 <hostname> err fips_monitor[18947]: 01da0011:3: SelfTest/Integrity test failure detected, triggering reboot action
Conditions:
- WebSSO configured
Impact:
BIG-IP reboots unexpectedly.
Workaround:
None
1186925-5 : When FUA in CCA-i, PEM does not send CCR-u for other rating-groups
Links to More Info: BT1186925
Component: Policy Enforcement Manager
Symptoms:
When a Final Unit Action (FUA) is received in CCA-i, traffic for that rating group is immediately blocked.
However, PEM no longer sends CCR-u for the other rating groups, which causes the traffic of all other rating groups to pass through.
If the FUA is received in CCA-u, everything works as expected.
Conditions:
An FUA is received in CCA-i.
Impact:
PEM receives the FUA redirect first and ignores further requests.
Workaround:
Use an iRule to remove the FUA from the CCA-i.
1186789-1 : DNSSEC keys stored on an internal FIPS card do not work after upgrading to versions >= 16.x
Links to More Info: BT1186789
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC signatures are not generated after the upgrade.
Conditions:
DNSSEC key stored on FIPS card;
and
Upgrade to versions >= 16.x.
Impact:
DNSSEC signing will not work.
Workaround:
Edit bigip_gtm.conf and append a hex character to each existing key generation handle so that it is 32 hex characters long, then run these commands:
# tmsh load sys config gtm-only
# bigstart restart gtmd
1186401-1 : Using REST API to change policy signature settings changes all the signatures.
Links to More Info: BT1186401
Component: Application Security Manager
Symptoms:
When you use iControl REST to modify the signatures associated with a policy, the modifications are applied to all the signatures.
Conditions:
-- Create a policy named 'test'.
-- Associate a signature set such as "SQL Injection Signatures" with the policy.
For example, remove the "Generic Detection Signatures (High/Medium Accuracy)" set.
-- Look at the low-risk signatures associated with the policy.
Command:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' | jq . | head
-- Turn off staging for these signatures.
Commands:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": false }' -X PATCH | jq . | head
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": true }' -X PATCH | jq . | head
-- The "totalItems" value shows that 187 signatures were changed.
Impact:
The user was unable to leverage the REST API to make the desired changes to the ASM signature policy.
Workaround:
Add 'inPolicy eq true' to the filter.
Command:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low+and+inPolicy+eq+true' -d '{ "performStaging": false }' -X PATCH | jq . | head
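As an added example (not F5's code and not part of this release note), the following Python mirrors the workaround: it builds the same $filter with 'inPolicy eq true' appended and, before patching, issues a GET with the identical filter and refuses to PATCH when the match count exceeds a caller-supplied ceiling. FakeSession, its response shape ("totalItems" in the JSON body) and the sample signature list are constructed assumptions standing in for a BIG-IP; any requests-style session can be passed instead.

```python
"""Scope-checked PATCH of ASM signature settings over iControl REST.
Added example, not F5 code: mirrors the ID 1186401 workaround (append
'inPolicy eq true' to $filter) and adds a GET-then-count guard."""
from types import SimpleNamespace
from urllib.parse import parse_qs, urlsplit


class ScopeError(RuntimeError):
    """Raised when the filter would touch more signatures than intended."""


def signature_filter(risk, in_policy_only=True):
    """Build the $filter expression used by the curl commands in the note."""
    expr = f"signature/risk eq {risk}"
    if in_policy_only:
        expr += " and inPolicy eq true"
    return expr


def signatures_url(host, policy_id, flt):
    """Same URL shape as the release note, with '+' standing in for spaces."""
    return (f"https://{host}/mgmt/tm/asm/policies/{policy_id}/signatures"
            f"?$expand=signatureReference&$filter={flt.replace(' ', '+')}")


def set_staging(session, host, policy_id, risk, perform_staging, max_items):
    """GET first, check totalItems, then PATCH with the identical filter.

    `session` is any object with requests-style get(url) and patch(url, json=)
    returning objects that expose .json(). Returns the number of signatures
    the PATCH touched.
    """
    flt = signature_filter(risk, in_policy_only=True)
    url = signatures_url(host, policy_id, flt)
    total = session.get(url).json()["totalItems"]
    if total > max_items:
        raise ScopeError(f"filter matches {total} signatures, limit {max_items}")
    session.patch(url, json={"performStaging": perform_staging})
    return total


class FakeSession:
    """Offline stand-in for a BIG-IP (response shape is an assumption): it
    applies the $filter to an in-memory list of constructed signatures."""

    def __init__(self, signatures):
        self.signatures = signatures

    @staticmethod
    def _matches(sig, flt):
        # Handles the clause kinds the note uses: 'signature/risk eq X' and
        # 'inPolicy eq true', joined by 'and'. Unknown fields are ignored.
        for clause in flt.split(" and "):
            field, op, value = clause.split(" ")
            if op != "eq":
                raise ValueError(f"unsupported operator {op}")
            if field == "signature/risk" and sig["risk"] != value:
                return False
            if field == "inPolicy" and sig["inPolicy"] != (value == "true"):
                return False
        return True

    def _select(self, url):
        # parse_qs decodes the '+' separators back into spaces.
        flt = parse_qs(urlsplit(url).query)["$filter"][0]
        return [s for s in self.signatures if self._matches(s, flt)]

    def get(self, url):
        hits = self._select(url)
        return SimpleNamespace(json=lambda: {"totalItems": len(hits)})

    def patch(self, url, json):
        hits = self._select(url)
        for sig in hits:
            sig.update(json)
        return SimpleNamespace(json=lambda: {"totalItems": len(hits)})


def sample_signatures():
    """Constructed sample data: three low-risk signatures, two in the policy."""
    return [
        {"id": 1, "risk": "low", "inPolicy": True, "performStaging": True},
        {"id": 2, "risk": "low", "inPolicy": True, "performStaging": True},
        {"id": 3, "risk": "low", "inPolicy": False, "performStaging": True},
        {"id": 4, "risk": "medium", "inPolicy": True, "performStaging": True},
        {"id": 5, "risk": "high", "inPolicy": False, "performStaging": True},
    ]


if __name__ == "__main__":
    s = FakeSession(sample_signatures())
    host, policy = "localhost", "MrLpFzRHNarvj_zuAOD0fw"
    broad = signatures_url(host, policy, signature_filter("low", False))
    print("risk-only filter matches:", s.get(broad).json()["totalItems"])  # 3
    print("patched with inPolicy guard:", set_staging(s, host, policy, "low", False, 10))  # 2
```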
1186249-1 : TMM crashes on reject rule
Links to More Info: BT1186249
Component: Local Traffic Manager
Symptoms:
TMM crashes when the configuration has an iRule that contains a reject in HTTP_RESPONSE.
Conditions:
The crash happens when this rule is processed after a client has disconnected.
Impact:
TMM crashes every time this condition occurs.
Workaround:
If possible, avoid using reject, or use HTTP::disable before the reject.
1185929-1 : Under rare circumstances, the TCL interpreter can crash TMM after a long time
Links to More Info: BT1185929
Component: Local Traffic Manager
Symptoms:
While using iRules with suspending commands, under rare circumstances, the TCL interpreter can crash TMM after a long time.
Conditions:
While using iRules with suspending commands, under rare circumstances, the TCL interpreter can crash TMM after a long time.
Impact:
TMM crashes.
Workaround:
None
1185689-1 : In Bot Defense, TCP RST is sent if the complete body is not received in client request
Component: Bot Defense
Symptoms:
Client request's connection can get reset with reason "SAAS: not received complete body".
Conditions:
- A Bot Defense profile is configured with a protected endpoint, and a client request is sent to the protected endpoint without the complete body.
Impact:
Client request's connection resets with reason "SAAS: not received complete body".
Workaround:
None
1185605-4 : The iCall EventTriggeredHandler in non-common partition break after scriptd daemon restart
Links to More Info: BT1185605
Component: TMOS
Symptoms:
After the scriptd daemon is restarted, the handler information becomes none/unknown in the "show sys icall handler" output for the non-Common partition.
Conditions:
1. Create triggered handler in non-common partition.
2. Restart the scriptd daemon or upgrade the device.
Impact:
The iCall Event Triggered Handler in non-common partition is not working after device upgrade from 15.1.2.1 to 15.1.5.1.
Workaround:
Configure iCall in the Common partition.
1185257-5 : BGP confederations do not support 4-byte ASNs
Links to More Info: BT1185257
Component: TMOS
Symptoms:
The BGP confederations do not support 4-byte AS numbers. Only 2-byte ASNs are supported.
Conditions:
Using BGP confederations.
Impact:
Unable to configure 4-byte AS number under BGP confederation.
Workaround:
None
1185133-1 : ILX streaming plugins limited to MCP OIDs less than 10 million
Links to More Info: BT1185133
Component: Local Traffic Manager
Symptoms:
When trying to get started with iRules LX, every script attempted results in the following error:
"Sep 16 11:16:26 pid[6958] streaming tm_register failed"
Conditions:
The MCP configuration (MCP OIDs) goes beyond 10 million.
Impact:
Unable to run iRules LX streaming plugins.
Workaround:
The following commands force MCPD to load the configuration from the text file with an empty database, so the OID counter is reset to 0:
bigstart stop
rm -f /var/db/mcpdb*
bigstart start
1184841-1 : Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API
Component: Application Security Manager
Symptoms:
Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API.
Conditions:
- ASM-Sync enabled
- Auto-Sync enabled
- Updating URL through REST API
Impact:
Configuration will be de-synced.
Workaround:
Use TMUI to update configuration.
1184653 : TMSH help text for TCP profiles should be updated for timeout attributes
Component: TMOS
Symptoms:
The webUI and TMSH help text are not consistent for the TCP profile attributes fin-wait-timeout, fin-wait-2-timeout, and close-wait-timeout. The values should be updated to match the webUI help text.
Conditions:
- LTM license is installed.
- Execute the following command:
tmsh help ltm profile tcp
Impact:
Same behavior is observed for both TMSH and webUI but help text is misleading.
Workaround:
None
1184629-1 : Validate content length with respect to the SIP header offset instead of the parser offset
Component: Service Provider
Symptoms:
The SIP parser validates the content length of the SIP message with respect to the parser offset instead of the actual SIP header offset. Validating the content length against the parser offset is inaccurate.
Conditions:
The SIP message has a content length greater than zero and carries a body.
Impact:
The SIP parser is calculating the SIP message body size inaccurately.
Workaround:
None
1184153-1 : TMM crashes when you use the rateshaper with packetfilter enabled
Links to More Info: BT1184153
Component: Local Traffic Manager
Symptoms:
TMM might crash when you use the packet filter with the packetfilter.established option enabled and a rate-class is applied via a packet-filter rule.
Conditions:
- packet-filter with packetfilter.established option enabled.
AND
- rate-class is applied via packet-filter rule.
Impact:
TMM crash/failover.
Workaround:
Do not apply rate-class via packetfilter or disable the packetfilter.established option.
1183877-3 : CGNAT related links are unavailable in Statistics section
Links to More Info: BT1183877
Component: Carrier-Grade NAT
Symptoms:
Following webUI links are unavailable:
Statistics >> Analytics >> LSN Pools
Statistics >> Module Statistics >> Carrier Grade Nat
Conditions:
CGNAT is enabled and provisioned.
Impact:
CGNAT related statistical pages cannot be accessed from Statistics section.
Workaround:
None
1183581-1 : Encoded URLs are not normalised for protected endpoint check for Advanced/Premium service level for both Web and Mobile requests
Links to More Info: BT1183581
Component: Bot Defense
Symptoms:
Client requests with an encoded URL are not normalised for the protected endpoint check at the Advanced/Premium service level, for both Web and Mobile requests. This may cause these requests not to be treated as protected requests.
Conditions:
- In the BD profile, Advanced/Premium is set as the service level
- Client request with encoded URL
Impact:
Requests with encoded URL may not be treated as protected requests.
Workaround:
None
1182353-1 : DNS cache consumes more memory because of the accumulated mesh_states
Links to More Info: BT1182353
Component: Global Traffic Manager (DNS)
Symptoms:
DNS cache consumes more memory and the mesh_states are accumulated quickly.
Conditions:
A mix of queries with the RD flag set and the CD flag either set or unset.
Impact:
TMM runs out of memory.
1182305-3 : Descriptions requested for IPS IDs
Links to More Info: BT1182305
Component: Protocol Inspection
Symptoms:
Some IPS signature inspection IDs do not have a complete description.
Conditions:
Navigate to Security > Protocol Inspection and create a profile for any of the services like HTTP, DNS, or FTP and check the inspection IDs mentioned in the description.
Impact:
No functional impact.
Workaround:
None
1181757-5 : BGPD assert when sending an update due to cq_wbuf mishandling
Links to More Info: BT1181757
Component: TMOS
Symptoms:
BGPD might trip an assert when sending an update due to buffer space mishandling.
Conditions:
No straightforward way to reproduce it. It requires a specific update layout to get triggered.
At a minimum you need 2 BGP peers (the more the better) sending at least 800 prefixes each (need to fill around 4096 bytes when sending a withdrawn update - 5 bytes/prefix + headers).
Also, send at least 800 prefixes towards these peers. Adding as-path prepending and/or communities when sending these routes towards remote peers will greatly increase the chances of hitting the problem.
Impact:
BGPD may, rarely, crash or core.
Workaround:
None
1181613-2 : IPsec IKEv2: BIG-IP version 16.1.0 introduced RFC5996 non-compliance in IKE SA delete
Links to More Info: BT1181613
Component: TMOS
Symptoms:
After the deletion of an IKE SA, the child IPsec SAs will not be deleted.
Conditions:
-- IKEv2 IPsec tunnels
-- Tunnels use Route Domains.
-- An IPsec SA is deleted.
Impact:
The BIG-IP believes it still has valid IPsec SAs to use, while the remote peer does not. In this case, if the BIG-IP is normally the initiator, the tunnel will be unusable until the lifetime expires on the existing IPsec SAs.
1178221-4 : In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT
Links to More Info: BT1178221
Component: TMOS
Symptoms:
When a retransmit happens and the other side is not reachable, the BIG-IP logs "err packet length does not match field of ikev2 header" followed by "ERR dropping unordered message".
Conditions:
A tunnel is established between the initiator and the responder.
The responder is able to send a DPD request but does not receive a response.
Impact:
Wrong information logged.
DPD response packet corruption.
Workaround:
None
1174085-2 : spmdb_session_hash_entry_delete releases the hash's reference
Links to More Info: BT1174085
Component: Policy Enforcement Manager
Symptoms:
Multiple references access and try to modify the same entry.
Conditions:
Failover from active to standby occurs while the connection is stalled.
Impact:
Illegal access of the memory.
Workaround:
None
1174033-1 : The UPDATE EVENT is triggered with faulty session_info and resulting in core
Links to More Info: BT1174033
Component: Policy Enforcement Manager
Symptoms:
The UPDATE EVENT requires proper initialization of the session_info, which in turn is used to set the Tcl pcb's cmdctx. With a properly defined cmdctx, the sess_data is populated successfully. Without proper initialization of the session_info, the cmdctx carries incorrect values, resulting in a core when populating the sess_data.
Conditions:
Enable the Global UPDATE-EVENT option and log some session attributes as part of the UPDATE EVENT.
Impact:
Results in a core.
Workaround:
None
1173669-4 : Unable to reach backend server with Per Request policy and Per Session together
Component: Access Policy Manager
Symptoms:
The backend pool is not reachable.
Conditions:
An OAuth deployment that uses a Per-Request policy together with a Per-Session policy.
Impact:
Backend Pool is not reachable.
Workaround:
None
1173493-3 : Bot signature staging timestamp corrupted after modifying the profile
Links to More Info: BT1173493
Component: Application Security Manager
Symptoms:
Bot signature timestamp is not accurate.
Conditions:
Have a bot signature "A" in staging, record the timestamp.
Using webUI, set another bot signature "B" to be in staging and click Save.
The time stamp on "A" is updated and shows the year 1970 in webUI.
Impact:
It is not possible to verify since when the signature has been in staging.
Workaround:
Use TMSH, instead of webUI, to update the profile.
1173441-4 : The 'tmsh save sys config' call is being triggered when REST Authentication tokens (X-F5-Auth-Token) are deleted or expired
Component: TMOS
Symptoms:
The 'tmsh save sys config' call is being triggered when REST authentication tokens (X-F5-Auth-Token) are deleted or expired.
Conditions:
The REST authentication tokens (X-F5-Auth-Token) are deleted or expired.
Impact:
There is no functional impact. However, on BIG-IP systems with a very large configuration, a 'tmsh save sys config' call takes a long time and thus impacts performance.
Workaround:
None
1169141-4 : Bash tab-completion of '~' to '\~'
Links to More Info: BT1169141
Component: TMOS
Symptoms:
With the fix for the bash vulnerability CVE-2012-6711, bash tab completion of ~ auto-completes it to \~, so the home directories under ~ are not listed.
In earlier versions without the fix:
# cd ~
~adm/ ~daemon/ ~lp/ ~nobody/
With the fix for the CVE:
# cd \~ (even though we press cd ~, it is auto completing to cd \~)
No suggestions are listed.
Conditions:
This issue is seen on the versions which have fix for Bug 830361 (https://cdn.f5.com/product/bugtracker/ID830361.html).
Impact:
Tab-completion of user home directories (~username) in bash does not work.
Workaround:
Do not attempt to tab-complete user home directories (e.g. ~root), and instead type out the path completely.
1168137-4 : PEM Classification Auto-Update for month is working as hourly
Component: Traffic Classification Engine
Symptoms:
After PEM classification signature auto-update is configured as monthly, it runs hourly instead.
If the update schedule is set to daily or weekly, the latest IM package is downloaded according to that schedule. When it is set to monthly, however, the update runs hourly.
Conditions:
Automatic updates for classification signatures are configured and enabled, and the update schedule is set to monthly.
Impact:
Classification updates do not run on a monthly basis.
Workaround:
None
1167985-1 : Network Access resource settings validation errors
Links to More Info: BT1167985
Component: Access Policy Manager
Symptoms:
When trying to add "0.0.0.0/1" under the IPV4 LAN Address Space in a Network Access resource, the UI throws the following error:
"Invalid IP or Hostname"
When trying to add a DNS Exclude Address Space entry starting with an underscore (such as "_ldap._tcp.dc._msdcs.test.lan"), the UI throws the following error:
01b7005b:3: APM Network Access (/Common/test) DNS name (_ldap._tcp.dc._msdcs.test.lan) is not a valid domain name
Conditions:
Use a Network Access resource in split tunneling mode.
Add "0.0.0.0/1" under the IPV4 LAN Address Space
Add DNS Exclude Address Space starting with an underscore
Impact:
Administrators could not correctly configure some network access resource settings.
1167941-4 : CGNAT SIP ALG INVITE loops between BIG-IP and Server
Component: Service Provider
Symptoms:
On an inbound call on the ephemeral listener, if the To header of the INVITE message is not registered but the From header is registered, the INVITE is sent out on the ephemeral listener. This can cause a loop if the server sends the INVITE back to the BIG-IP again.
Conditions:
It occurs with inbound calls.
Impact:
It could lead to a performance issue if the loop continues.
Workaround:
Either step 1 or step 2 can be used as a workaround, depending on the use case.
1) If the From and To headers are the same, a 400 Bad Request response is returned.
Also, the packet is discarded when the destination address has not been translated (the INVITE is about to be sent back to the address it was received on).
ltm rule sip_in_rule {
    when SIP_REQUEST_SEND {
        # Discard the INVITE if it is about to be sent back to the address it was
        # received on (destination not translated). localAddr is only known once
        # SIP_REQUEST has run for this flow, so guard the variable lookup.
        if {[info exists localAddr] && [SIP::method] == "INVITE" && [IP::addr [IP::remote_addr] equals $localAddr]} {
            SIP::discard
        }
    }
    when SIP_REQUEST {
        # Remember the local address the request arrived on for the send-side check.
        set localAddr [IP::local_addr]
        # Compare the From and To headers up to the first ';' parameter.
        set from [substr [SIP::header from] 0 ";"]
        set to [substr [SIP::header to] 0 ";"]
        if {[SIP::method] == "INVITE" && $from equals $to} {
            SIP::respond 400 "Bad Request"
        }
    }
}
(tmos)# modify ltm virtual vs_alg_sip_private { rules { sip_in_rule } }
2) The following iRule drops all inbound calls.
ltm rule sip_drop_rule {
    when MR_INGRESS {
        # Drop every message that arrives over a transport whose name contains "_$".
        if { [MR::transport] contains "_$" } {
            MR::message drop
        }
    }
}
(tmos)# modify ltm virtual vs_alg_sip_private { rules { sip_drop_rule } }
1167889-4 : PEM classification signature scheduled updates do not complete
Component: Traffic Classification Engine
Symptoms:
After PEM classification signature updates are configured to run at a defined interval, the updates may not actually occur.
Via tmsh:
ltm classification auto-update settings { }
Via the GUI:
Traffic Intelligence -> Applications -> Signature Update -> Automatic Update Settings
In the /var/log/ltm log, the following message may be seen:
mcpd[xxxx]: 01070827:3: User login disallowed: User (guest) is not an administrator, does not have a UID of zero, and has not been assigned a role on a partition.
Conditions:
Automatic updates for classification signatures are configured and enabled.
Impact:
The classification updates do not occur.
Workaround:
Run the classification update manually.
1166937-2 : The path_match is missing in RCL path when path_match string is "Any String"
Links to More Info: BT1166937
Component: Access Policy Manager
Symptoms:
The capital letter "A" should be generated at the end of the RCL when "Any String" is selected in the RCL builder in the webUI, but it is missing.
Conditions:
- Go to rewrite profile and create a new rewrite profile.
- Enable split tunneling in the webUI.
- Go to RCL builder and select "Any String" and leave the path empty.
- Click Add On.
- Update the page.
Impact:
The capital letter "A" is not appended at the end of the RCL list when "Any String" is selected for the Path Match field of the RCL builder.
Workaround:
None
1166481-4 : The vip-targeting-vip fastL4 may core
Links to More Info: BT1166481
Component: Local Traffic Manager
Symptoms:
The TMM cores or VIP does not behave as expected.
Conditions:
- fastL4 virtual
- iRule uses virtual command to redirect flows to a second fastL4 virtual
- first virtual configuration is changed before a flow times out
Impact:
Configuration data is freed but continues to be used by the flow, so the configuration appears to be corrupted, causing cores or unexpected behavior.
Workaround:
Ensure that there are no active flows for the virtual being changed.
1166449-1 : APM - NTLM authentication stops working if any DC FQDN in the configured DC list is not resolvable
Links to More Info: BT1166449
Component: Access Policy Manager
Symptoms:
NTLM authentication will stop working.
Conditions:
Any DC FQDN in the configured NTLM Auth Config DC list is not resolvable during one of the following scenarios:
- Create/modify the NTLM Auth Configuration
- Restart the ECA/NTLM service
- Restart, power cycle, or upgrade
- Active/standby switchover
Impact:
NTLM authentications targeted towards this NTLM Auth Config will start to fail.
Workaround:
Remove the non-resolvable DC FQDN from the DC list of the NTLM Auth configuration.
1166329-1 : The mcpd process fails on secondary blades, if the predefined classification applications are updated.
Links to More Info: BT1166329
Component: TMOS
Symptoms:
If a user installs and deploys a classification update (classification-update-*.im) the predefined classification applications are changed to "user modified".
This change causes the mcpd process to fail and restart on secondary blades during startup.
Conditions:
- Multi-slot VIPRION or vCMP guest
- PEM provisioned
- Classification applications updated either with tmsh load sys config merge or by using the Signature Update option in the Traffic Intelligence tab from the GUI or tmsh
Impact:
No impact
Workaround:
None
1162221-1 : Probing decision will skip local GTM upon reboot if net interface is not brought up soon enough
Links to More Info: BT1162221
Component: Global Traffic Manager (DNS)
Symptoms:
Resources will be marked timed out.
Conditions:
iQuery connection between local gtmd and big3d is not established before probing decision is made.
Impact:
Resources are marked DOWN unexpectedly.
Workaround:
Modify max-synchronous-monitor-requests to a new value which will trigger probing decision re-evaluation.
1162081-7 : Upgrade the bind package to fix security vulnerabilities
Component: Global Traffic Manager (DNS)
Symptoms:
Upgrade the bind package to fix the following security vulnerabilities:
- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178
Conditions:
Upgrade the bind package to fix the following security vulnerabilities:
- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178
Impact:
Upgrade the bind package to fix the following security vulnerabilities:
- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178
Workaround:
None
1161965-2 : File descriptor(fd) and shared memory leak in wr_urldbd
Links to More Info: BT1161965
Component: Traffic Classification Engine
Symptoms:
When updating the customdb, fd and shared memory leaks were observed in wr_urldbd.
Conditions:
The issue happens when a urldb feed list is modified multiple times in a loop.
Impact:
Updating customdb will not work.
Workaround:
None
1161913 : Upgrade from 15.1.8 or 15.1.8.1 to 16.x or 17.x fails, and leaves device INOPERATIVE★
Links to More Info: BT1161913
Component: TMOS
Symptoms:
Loading configuration process fails after an upgrade from 15.1.8 or 15.1.8.1 to any release 16.0 or above.
The system posts errors similar to the following:
-- crit tmsh[16188]: 01420001:2: Can't load keyword definition (vlan.dag_adjustment) : framework/SchemaCmd.cpp, line 825
-- crit tmsh[25644]: 01420001:2: Can't load keyword definition (vlan.nti) : framework/SchemaCmd.cpp, line 825
-- Can't find matched schema tag for association's attribute fw_zone_log_profile.pzname during loading cli version syntax: 15.1.8
-- Can't find matched schema tag for association's attribute fw_protected_zone.pzname during loading cli version syntax: 15.1.8
-- Unexpected Error: "Can't load keyword definition (vlan.dag_adjustment)"
-- fatal: (Can't load keyword definition (vlan.nti)) (framework/SchemaCmd.cpp, line 825), exiting...
-- emerg load_config_files[16186]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Loading schema version: 15.1.8
-- err mcpd[10702]: 01070422:3: Base configuration load failed.
Conditions:
Upgrade from one of the following releases:
-- v15.1.8 or later in the v15.1.x branch.
to any of the following releases:
-- v16.0 through v16.1.3.3
-- v17.0 through v17.0.0.1
Impact:
After upgrade, config does not load. The system hangs at the base configuration load failure status. The system is inoperative.
Workaround:
It is not possible to avoid a config load failure when attempting the upgrade or restoring a UCS archive from v15.1.8 or v15.1.8.1 on one of the listed versions. However, as long as the system is not using the ZBDDOS AFM functionality, it is possible to load the configuration after the upgrade via a manual workaround:
1. While the system is inoperative, log into the system as root or an administrative user and launch bash.
2. Copy and paste the following series of commands and run them in bash:
### BEGIN COMMANDS
(shopt -s nullglob; sed -E -i.workaround.bak -e '/dag-adjustment /d' /config/bigip_base.conf /config/partitions/*/bigip_base.conf)
sed -E -i -e '/^KEYWORD dag-adjustment/d' -e '/^KEYWORD nti/d' /var/libdata/tmsh/syntax/15.1.8*/auto_schema_data_net_cli.dat
for dir in /var/libdata/tmsh/syntax/15.1.8*; do
    mv "$dir"/auto_schema_data_security_cli.dat{,.workaround.bak}
    awk '
        /^<REF_CMD fw-protected-zone / { refcmd=1; depth=1; next }
        /^<CMD fw-protected-zone/ { cmd=1; depth=1; next }
        /^<ASSOCIATION.*fw-protected-zone/ { depth=depth+1; next }
        /^>/ {
            if (refcmd || cmd) {
                if (!--depth) {
                    refcmd = 0;
                    cmd = 0;
                }
                next;
            }
        }
        /.?/ {
            if (refcmd || cmd) next
            print
        }' < "$dir"/auto_schema_data_security_cli.dat.workaround.bak > "$dir"/auto_schema_data_security_cli.dat
    rm "$dir"/auto_schema_data_security_cli.dat.workaround.bak
done
### END COMMANDS
3. Load the configuration again:
tmsh load sys config
4. If the config loads successfully, save it once:
tmsh save sys config
1161241-6 : BIND default behavior changed from 9.11 to 9.16
Component: Global Traffic Manager (DNS)
Symptoms:
The default behavior of the BIND minimal-responses and dnssec-validation options changed in BIND 9.16, which leaves existing configurations and test cases with a different expected behavior.
Conditions:
Upgrade BIND package from version 9.11.36 to 9.16.27.
Impact:
Behavior change for minimal-responses and dnssec-validation.
Workaround:
None
1159569-3 : Persistence cache records may accumulate over time
Links to More Info: BT1159569
Component: Local Traffic Manager
Symptoms:
The persistence cache records accumulate over time if the expiration process does not work reliably. The 'persist' memory type grows over time when multiple TMMs are sharing the records.
Conditions:
- Non-cookie persistence is configured.
- The system runs multiple TMMs.
- Traffic that activates persistence is occurring.
Impact:
Memory pressure eventually impacts servicing of traffic in multiple ways. Aggressive mode sweeper runs and terminates active connections. TMM may restart. Traffic is disrupted while TMM restarts.
Workaround:
None
1159397-3 : High memory utilization when a blade goes offline results in a core
Links to More Info: BT1159397
Component: Policy Enforcement Manager
Symptoms:
TMM memory utilization continues to increase after a blade goes offline.
Conditions:
A blade goes offline.
Impact:
The TMM memory utilization will finally cause out-of-memory errors or cores and TMM processes will restart. The service will be interrupted.
Workaround:
None
1156889-4 : TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions
Links to More Info: BT1156889
Component: Application Security Manager
Symptoms:
When using bot-defense profile with a browser verification and performing redirect actions, there is a memory leak in TMM.
Conditions:
- The bot-defense profile with "Verify After Access" or "Verify Before Access" browser verification is configured.
- Surfing using a browser, during grace period (5 Minutes after config change) to a non-qualified URL, or configuring "Validate Upon Request" in "Cross Domain Requests" configuration, and configuring A and B as "Related Site Domains".
- Surfing using a browser from Domain A to Domain B.
Impact:
Degraded performance, potential eventual out-of-memory.
Workaround:
None
1156697-4 : Translucent VLAN groups may pass some packets without changing the locally administered bit
Links to More Info: BT1156697
Component: Local Traffic Manager
Symptoms:
Translucent VLAN groups may pass some packets without changing the locally administered bit.
Conditions:
The destination MAC address of the ingress packet does not match the nexthop.
Impact:
Connections may fail; packet captures show the packets egressing the VLAN group with the locally administered bit set.
Workaround:
None
1156149-2 : Early responses on standby may cause TMM to crash
Links to More Info: BT1156149
Component: Service Provider
Symptoms:
TMM cores when an early response interacts with the retransmit mechanism; this has also happened during a failover event.
Conditions:
The response to a request message arrives on the standby unit before the request itself.
Impact:
Causes a failover while TMM is restarting.
Workaround:
None
1156105-1 : Proxy Exclusion List is not configurable if VLAN group and route-domain are in non default partition
Links to More Info: BT1156105
Component: Local Traffic Manager
Symptoms:
Unable to add an IP address to the Proxy Exclusion List of a VLAN group outside /Common.
Conditions:
- A route domain is created in a non-default partition and set as that partition's default-route-domain:
#tmsh create auth partition part5
#tmsh create net route-domain /part5/rd5 id 5
#tmsh modify auth partition part5 default-route-domain 5
Impact:
The following command fails:
tmsh modify net vlan-group /part5/RD5-VLAN-GRP proxy-excludes add { 10.10.20.196 }
Workaround:
- Create the route domain in /Common instead of in the partition. That is, instead of:
#tmsh create net route-domain /part5/rd5 id 5
use:
#tmsh create net route-domain rd5 id 5
- Alternatively, manually edit the bigip.conf file in the partition, add the IP address, and then reload the config.
1155733-3 : NULL bytes are clipped from the end of buffer
Component: TMOS
Symptoms:
In the logs, the key length is less than the actual key length.
Conditions:
- Establish an IPsec tunnel.
- Check the logs.
Impact:
Incomplete information in the logs.
Workaround:
None
1155393-3 : Failure to remove chunk headers from chunked response with Rewrite/HTML profile and compression
Links to More Info: BT1155393
Component: Local Traffic Manager
Symptoms:
The BIG-IP fails to remove chunk headers when compressing a chunked response from a pool member.
The chunk headers are compressed and delivered to the client as part of the payload.
Conditions:
-- Version with the fix for ID902377
-- Rewrite/HTML profile
-- Compression profile
-- Chunked response from pool member (With "Transfer-Encoding: Chunked" header)
-- HTTP response eligible for compression
Impact:
Chunk header and terminating 0 length chunk are compressed and delivered to the client as part of the payload, resulting in broken application functionality.
Workaround:
Remove the compression profile, or modify the compression profile to ensure the response in question is no longer eligible for compression.
1154725-5 : Custom or predefined method is not changing the behavior while changing from GET to POST method
Component: Application Security Manager
Symptoms:
Changing a user-defined method from GET to POST does not change the behavior; the behavior changes only after the user-defined method is deleted and added back again.
Conditions:
Configure flows to URLs of Act as Method.
Impact:
Flow enforcement will not match the expected method.
Workaround:
Delete the custom method and recreate it with the required GET or POST method.
1154685-2 : Error log "Database error (13)" seen during the bootup
Links to More Info: BT1154685
Component: TMOS
Symptoms:
Database error (13) is logged in /var/log/ltm during bootup if a VLAN is configured on the device.
Following is an example:
Log: err mcpd[]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:private_mac_addr_freelist status:13 - EdbCfgObj.cpp, line 127.
Conditions:
-- A VLAN is configured.
Impact:
It is a cosmetic error and observed only once during the bootup.
Workaround:
None
1154381-5 : The tmrouted might crash when management route subnet is received over a dynamic routing protocol
Links to More Info: BT1154381
Component: TMOS
Symptoms:
The tmrouted might crash when management route subnet is received over a dynamic routing protocol.
Conditions:
- Management route subnet is received over a dynamic routing protocol.
- Multi-bladed VIPRION.
- Blade failover or IP address change occurs.
Impact:
Dynamic routes are lost during tmrouted restart.
Workaround:
Do not advertise a management subnet over a dynamic routing protocol towards the BIG-IP. Use a route-map to suppress the incoming update.
1153865-5 : Restjavad OutOfMemoryError errors and restarts after upgrade★
Links to More Info: BT1153865
Component: TMOS
Symptoms:
After upgrade to an affected version, restjavad restarts intermittently or frequently, and/or may use high CPU.
The restjavad logs, /var/log/restjavad.X.log, may report the following errors:
java.lang.OutOfMemoryError: Java heap space
restjavad may instead, or as well, run many full garbage collection cycles one after another, causing high CPU. This will be shown by frequent logs with [FullGC] in /var/log/restjavad-gc.log.X.current
Conditions:
- Update to affected version: 14.1.5.1-, 15.1.7-, 16.1.3.1-, 17.0.0.1- or later versions.
- Value of sys db restjavad.useextramb is true.
- Value of sys db provision.restjavad.extramb is 192 or lower than previous restjavad heap size.
- Use of REST API calls that need a lot of memory. Heavy users of REST API may be very affected such as SSLO.
Impact:
There may be problems in TMUI with certain pages or tabs, such as the network map with a very large configuration, or SSLO or iLX related tabs.
Other services that use the REST API, internal and external to BIG-IP, may suffer low performance or service instability.
Workaround:
Before upgrade: if you set sys db restjavad.useextramb to false before installing the new version, restjavad will have more memory (the default 384MB) after the upgrade.
tmsh modify sys db restjavad.useextramb value false
If you restart restjavad, you can check whether that value works before the upgrade. If you do not restart, it takes effect after the reboot.
If there are no more issues after the update, leave that setting at false. Otherwise set it back to true (no restart needed) and increase provision.restjavad.extramb as described in the After upgrade section below.
After upgrade:
Set sys db provision.restjavad.extramb to an appropriate value and restart restjavad.
Run the following command:
tmsh modify sys db provision.restjavad.extramb value X
bigstart restart restjavad
Iterate as necessary.
The value of X is derived by using one of the following formulae:
- When updating from versions before 14.1.4 and 15.1.3, to affected versions, a value that preserves the maximum previous restjavad heap size is:
192MB + 80% of MIN(provision.extramb|2500)
the minimum possible heap size was:
192MB + 20% of MIN(provision.extramb|2500)
The actual restjavad heap size would be between those extremes. SSLO systems would typically need the maximum.
- When updating from 14.1.4-14.1.5, from 15.1.3-15.1.6.1 or from 16.0.x to affected versions:
384MB + 80% of MIN(provision.extramb|2500)
- When updating from 16.1.0-16.1.3 or from 17.0.0.0 to affected versions:
384MB + 90% of MIN(provision.extramb|4000)
1153853-5 : Revision of default value for provision.restjavad.extramb to avoid OOM errors in restjavad
Links to More Info: BT1153853
Component: TMOS
Symptoms:
- restjavad may be out memory as determined from restjavad logs, /var/log/restjavad.X.log, showing 'java.lang.OutOfMemoryError'. This may lead to frequent restjavad restarts and high CPU.
- restjavad may instead, or as well, run many full garbage collection cycles one after another, causing high CPU. This will be shown by frequent logs with [FullGC] in /var/log/restjavad-gc.log.X.current
Conditions:
- Update to affected version: 14.1.5.1-, 15.1.7-, 16.1.3.1-, 17.0.0.1- or later versions.
- Value of sys db restjavad.useextramb is true.
- Value of sys db provision.restjavad.extramb is 192 or lower than previous restjavad heap size.
- Use of REST API calls that need a lot of memory. Heavy users of REST API may be very affected such as SSLO.
Impact:
There may be problems in TMUI with certain pages or tabs, such as the network map with a very large configuration, or SSLO or iLX related tabs.
Other services that use the REST API, internal and external to BIG-IP, may suffer low performance or service instability.
Workaround:
Before upgrade: if you set sys db restjavad.useextramb to false before installing the new version, restjavad will have more memory (the default 384MB) after the upgrade.
tmsh modify sys db restjavad.useextramb value false
If you restart restjavad, you can check whether that value works before the upgrade. If you do not restart, it takes effect after the reboot.
If there are no more issues after the update, leave that setting at false. Otherwise set it back to true (no restart needed) and increase provision.restjavad.extramb as described in the After upgrade section below.
After upgrade:
Set sys db provision.restjavad.extramb to an appropriate value and restart restjavad.
Run the following command:
tmsh modify sys db provision.restjavad.extramb value X
bigstart restart restjavad
Iterate as necessary.
The value of X is derived by using one of the following formulae:
- When updating from versions before 14.1.4 and 15.1.3, to affected versions, a value that preserves the maximum previous restjavad heap size is:
192MB + 80% of MIN(provision.extramb|2500)
the minimum possible heap size was:
192MB + 20% of MIN(provision.extramb|2500)
The actual restjavad heap size would be between those extremes. SSLO systems would typically need the maximum.
- When updating from 14.1.4-14.1.5, from 15.1.3-15.1.6.1 or from 16.0.x to affected versions:
384MB + 80% of MIN(provision.extramb|2500)
- When updating from 16.1.0-16.1.3 or from 17.0.0.0 to affected versions:
384MB + 90% of MIN(provision.extramb|4000)
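The formula selection in the workaround above (and the identical one for 1153865-5) depends on the source version branch and a cap on provision.extramb. The following helper, added here as an example and not F5 code, encodes those formulae; version boundaries are taken from the text, and any source version outside the listed branches is rejected rather than guessed.

```python
"""Starting value for provision.restjavad.extramb after an upgrade (added example).

Encodes the workaround formulae for IDs 1153865-5 / 1153853-5. Source versions
that the release note does not list (including the affected versions themselves)
raise ValueError instead of being approximated.
"""
from __future__ import annotations


def _vt(version: str) -> tuple[int, ...]:
    """'15.1.6.1' -> (15, 1, 6, 1); pad to four fields so '14.1.4' == '14.1.4.0'."""
    parts = [int(p) for p in version.split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def upgrade_formula(from_version: str) -> tuple[int, int, int, int]:
    """Return (base_mb, max_pct, min_pct, cap_mb) for the given source version.

    base_mb + max_pct% of MIN(provision.extramb, cap_mb) preserves the previous
    maximum heap; min_pct gives the previous minimum (only differs on the oldest
    branch, where the heap was 20%-80% of extramb).
    """
    v = _vt(from_version)
    branch = v[:2]
    if branch == (14, 1):
        if v < (14, 1, 4, 0):
            return (192, 80, 20, 2500)
        if v <= (14, 1, 5, 0):              # 14.1.4 - 14.1.5; 14.1.5.1+ is affected
            return (384, 80, 80, 2500)
    elif branch == (15, 1):
        if v < (15, 1, 3, 0):
            return (192, 80, 20, 2500)
        if v <= (15, 1, 6, 1):              # 15.1.3 - 15.1.6.1; 15.1.7+ is affected
            return (384, 80, 80, 2500)
    elif branch == (16, 0):                 # any 16.0.x
        return (384, 80, 80, 2500)
    elif branch == (16, 1):
        if v <= (16, 1, 3, 0):              # 16.1.0 - 16.1.3; 16.1.3.1+ is affected
            return (384, 90, 90, 4000)
    elif v == (17, 0, 0, 0):                # only 17.0.0.0; 17.0.0.1+ is affected
        return (384, 90, 90, 4000)
    raise ValueError(
        f"{from_version} is not a listed pre-fix source version "
        "(it may already be an affected version)"
    )


def recommended_extramb(from_version: str, provision_extramb: int,
                        preserve_maximum: bool = True) -> int:
    """Value X for 'tmsh modify sys db provision.restjavad.extramb value X'.

    preserve_maximum=False returns the lower end of the old heap range; the
    note says SSLO systems typically need the maximum, so that is the default.
    """
    base, max_pct, min_pct, cap = upgrade_formula(from_version)
    pct = max_pct if preserve_maximum else min_pct
    return base + min(provision_extramb, cap) * pct // 100


def workaround_commands(from_version: str, provision_extramb: int) -> list[str]:
    """The two commands from the 'After upgrade' step with X filled in."""
    x = recommended_extramb(from_version, provision_extramb)
    return [f"tmsh modify sys db provision.restjavad.extramb value {x}",
            "bigstart restart restjavad"]


if __name__ == "__main__":
    # Constructed sample: a 15.1.2 system that had provision.extramb set to 3000.
    for line in workaround_commands("15.1.2", 3000):
        print(line)
```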
1148065-1 : HTTP::header exists and value iRule commands will not return successful even if the header is present
Links to More Info: BT1148065
Component: Local Traffic Manager
Symptoms:
Virtual servers configured with the fastHTTP profile always have the HTTP::header exists and HTTP::header value iRule commands return "not found", even if the header is present.
Conditions:
A virtual server configured with fastHTTP, and an iRule that makes use of either the HTTP::header exists or value commands.
Impact:
The iRules may not perform as expected when the HTTP header is already present, as HTTP::header exists and value will not find it.
Workaround:
None
1148009-1 : Cannot sync an ASM logging profile on a local-only VIP
Links to More Info: BT1148009
Component: Application Security Manager
Symptoms:
If an ASM profile, such as a logging profile is applied to a virtual that is local-only, then the state changes to "Changes Pending" but configuration sync breaks.
Conditions:
- ASM provisioned
- high availability (HA) pair
- ASM profile, such as a logging profile is applied to a virtual that is local-only.
Impact:
The state changes to "Changes Pending" but configuration sync breaks.
Workaround:
None
1147621-1 : AD Query "Do not change password" does not take effect when an RSA Auth agent is used
Links to More Info: BT1147621
Component: Access Policy Manager
Symptoms:
When RSA Auth is used along with AD Query, the Negotiate logon page checkbox "Do not change password" does not work as expected.
Even though "Do not change password" is checked, the AD Query receives the F5_challenge POST parameter with the earlier RSA Auth agent OTP content, and the PSO criteria are not met.
So when the user clicks "Logon", the page states 'The domain password change operation failed. Your new password must be more complex to meet domain password complexity requirements' and prompts for the "New password" and "Verify password" fields again.
Conditions:
RSA Auth with OTP along with AD query agent with the negotiate logon page.
Impact:
User experience: even though "Do not change password" is checked, the user is prompted as if they had entered new logon credentials.
Workaround:
If you click on "logon" again in the Negotiate page, it goes to the webtop (next agent) with the previous logon or last logon credentials.
1146377-1 : FastHTTP profiles do not insert HTTP headers triggered by iRules
Links to More Info: BT1146377
Component: Local Traffic Manager
Symptoms:
Virtual servers configured with the FastHTTP profile will not insert HTTP headers even when triggered by iRules.
Conditions:
A virtual server configured with FastHTTP, and an iRule that would insert an HTTP header.
Impact:
The expected headers will not be inserted on packets sent to servers.
Workaround:
None
1146241-1 : FastL4 virtual server may egress packets with unexpected and erratic TTL values
Links to More Info: BT1146241
Component: Local Traffic Manager
Symptoms:
A FastL4 virtual server may egress (either towards the client or the server) IP packets with unexpected and erratic TTL values. The same also applies to IPv6, where the TTL field is known as Hop Limit.
Conditions:
- The BIG-IP system is a Virtual Edition (VE).
- Large Receive Offload (LRO) is enabled on the system (which it is by default) and is operating in software mode. You can determine whether LRO is enabled by inspecting the tm.tcplargereceiveoffload DB key, and whether it is operating in software mode by querying the tcp_lro tmstat table (tmctl -d blade tcp_lro). If the table exists, LRO is operating in software mode.
- The FastL4 profile is configured to decrement the TTL (this is the default mode).
- The virtual server uses mismatched IP versions on each side of the proxy (for example, an IPv6 client and an IPv4 server).
Impact:
Depending on the actual TTL values sent out on the wire (which can be random, anywhere within the allowed range for the field), traffic can be dropped by routers on the way to the packet's destination.
This happens if there are more routers (hops) on the path to the packet's destination than the value specified in the TTL field.
Ultimately, this leads to retransmissions and possibly application failures.
Workaround:
You can work around this issue by doing either of the following things:
- Disable LRO on the BIG-IP system by setting DB key tm.tcplargereceiveoffload to disable.
- Use a TTL mode for the FastL4 profile other than decrement (for example, use proxy or set).
1146017-4 : WebUI does not display an error when no parent rewrite profile is assigned to a user-defined rewrite profile
Component: Access Policy Manager
Symptoms:
The WebUI does not show an error when the parent profile field is empty.
Conditions:
1) Navigate to Access > Connectivity/VPN > Portal Access > Rewrite.
2) Enter the details, but do not assign a parent rewrite profile.
3) Click Create.
Impact:
No WebUI error is shown even though no parent profile is assigned to the user-defined rewrite profile.
Workaround:
Enter a value in the parent profile field and click Create.
1145797-1 : In BD profile, query segment in the client request URI is not ignored for protect endpoint match
Component: Bot Defense
Symptoms:
In a Bot Defense (BD) profile, the query segment of the client request URI is not ignored when matching protected endpoints.
This applies to both Web and Mobile endpoints, and to both Standard and Advanced/Premium service levels.
Conditions:
- BD profile is configured with protected endpoints.
Impact:
The query segment is not ignored when matching client requests to protected endpoints, so requests containing a query segment fail to match and are not considered for bot detection.
Workaround:
None
1145749-5 : Locally defined BIG-IP users can be lost during a failed config-sync
Links to More Info: BT1145749
Component: TMOS
Symptoms:
If a configuration sync to a BIG-IP device fails, for example due to an MCPD validation error, locally defined users on the receiving BIG-IP device may be lost.
This issue applies to locally-defined users (for accessing the management UI or CLI), but does not affect the built-in "admin" or "root" logins.
The users will still be present in /config/bigip_user.conf, but will be missing from /etc/passwd and /etc/shadow, which prevents them from being able to log in to the device.
Messages similar to the following may be seen in /var/log/secure when those users attempt to log in to the BIG-IP device:
"User 'exampleuser' (fallback: false) - not authenticated: User not known to the underlying authentication module"
Conditions:
- A third (or subsequent) BIG-IP device is added to an existing sync group.
- The config-sync operation fails to load the new configuration, for example, because it is performed in the wrong direction, and the new empty device tries to overwrite and remove configuration from the existing ones, which is blocked by non-shared object references.
Impact:
Locally defined users on the receiving BIG-IP device are removed.
Workaround:
Log in as admin or root, and manually reset the passwords on the affected local user accounts. This repopulates the users into the UNIX passwd and shadow files.
1144845-5 : GARPs from a newly active unit may be bridged for a brief time while the peer chassis transitions to standby
Links to More Info: BT1144845
Component: Local Traffic Manager
Symptoms:
When a VIPRION chassis goes into Standby, there is a brief period during which all the blades transition. If GARPs are sent from the newly Active device during this time, they may be bridged.
Conditions:
VIPRION, multiple blades, VLAN groups.
Impact:
Switches / routers may have incorrect ARP information after a failover.
Workaround:
Use the proxy exclude list to exclude all virtual addresses.
1144729-5 : PVA stats may be incorrect when PVA offloaded flows have their nexthops changed to a different VLAN
Links to More Info: BT1144729
Component: TMOS
Symptoms:
The PVA stats and corresponding service graph may be inaccurate if there are multiple routes to a destination and those routes are on different VLANs.
Conditions:
Multiple routes to a destination exist on different VLANs, and a flow changes from one route to another.
Impact:
PVA stats or service graph may show significantly higher numbers than expected.
Workaround:
Disable PVA acceleration for the affected traffic.
Alternatively, create an LTM fastl4 profile with other-pva-offload-direction set to server-to-client-only.
1144497-1 : Base64 encoded metachars are not detected on HTTP headers
Component: Application Security Manager
Symptoms:
Base64-encoded illegal metacharacters in HTTP headers are not detected.
Conditions:
No specific condition.
Impact:
False negative: illegal characters are not detected and the request is not blocked.
Workaround:
None
1144477-2 : IKE_SA_INIT uses src port 500 and dst port 4500 after IKE SA deleted
Links to More Info: BT1144477
Component: TMOS
Symptoms:
After an IKE SA is deleted, the new IPsec tunnel IKE_SA_INIT exchange uses source port 500 and destination port 4500, but the destination port should be 500.
Conditions:
This issue is observed after deleting the IKE SA from tmsh.
Impact:
Interoperability issue; the tunnel will not be established with other devices.
Workaround:
None
1144329-5 : Traffic Intel does not classify Microsoft app properly
Links to More Info: BT1144329
Component: Traffic Classification Engine
Symptoms:
Some Microsoft Teams URLs are marked uncategorized, or categorized as SSL and HTTP2, by Traffic Intelligence categorization.
Conditions:
Geolocation-based traffic is not classified.
Impact:
Incorrect classification of the Microsoft application.
Workaround:
None
1144117-4 : "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands
Links to More Info: BT1144117
Component: Local Traffic Manager
Symptoms:
The "More data required" TCL error may occur and the connection may be terminated prematurely when using the 'HTTP::payload' or 'HTTP::payload length' commands.
Conditions:
Using the 'HTTP::payload' or 'HTTP::payload length' TCL commands.
Impact:
Some HTTP transactions might fail.
Workaround:
Do not use the 'HTTP::payload' or 'HTTP::payload length' TCL commands.
1143985-1 : TMUI options to configure Nameserver Minimum RTT are unavailable in DNS Cache and Net Resolver
Component: Global Traffic Manager (DNS)
Symptoms:
The webUI field to configure the option NameServer Minimum RTT in DNS Cache and/or Net resolver is unavailable.
Conditions:
- The DNS Cache is configured and used in a DNS profile associated with a GTM listener.
or
- A DNS Resolver is used.
Impact:
The features provided by the option NameServer Minimum RTT cannot be managed through TMUI.
Workaround:
Use TMSH to configure the options.
1143833-3 : ILX (iRules LX) may corrupt tmstat (profile statistics) memory
Links to More Info: BT1143833
Component: Local Traffic Manager
Symptoms:
iRules LX does not show statistics after changes are made in the workspace and the plugin is reloaded.
Conditions:
-- Using iRules LX
Impact:
iRules LX does not show statistics after changes are made in the workspace and the plugin is reloaded.
Workaround:
None
1143809-2 : Unable to modify SNMP monitors from webUI
Links to More Info: BT1143809
Component: TMOS
Symptoms:
While attempting to modify Interval, Timeout, and other SNMP monitor parameters, the following error is displayed:
Error: 'an error occurred while trying to process your request'
Conditions:
Modifying SNMP monitor parameters from the webGUI.
Impact:
Unable to modify any SNMP monitors from webUI.
Workaround:
Modify the SNMP monitors from TMSH using the following command:
tmsh modify ltm monitor snmp-dca <monitor-name> cpu-coefficient <value>
1142445-5 : Multicast handling on wildcard virtual servers leads to TMM memory leak
Links to More Info: BT1142445
Component: TMOS
Symptoms:
Multicast handling on wildcard virtual servers leads to TMM memory leak.
Conditions:
- Multicast license
- Multicast is enabled on a route-domain (ip multicast-routing)
- Wildcard virtual server matching multicast address space.
Impact:
TMM memory usage increasing over time.
Workaround:
None.
1142225-1 : Regular and In-TMM HTTPS monitors advertise different cipher suites when the SSL profile is set to None
Links to More Info: BT1142225
Component: Local Traffic Manager
Symptoms:
The HTTPS monitors advertise different cipher suites if the SSL profile setting is set to None, irrespective of whether the in-TMM monitoring is enabled.
Conditions:
The HTTPS monitor(s) use the default SSL profile of "None".
Impact:
Pool members may be marked down when switching between regular and in-TMM monitoring due to differing cipher suites.
Workaround:
Assign an SSL profile to HTTPS monitors.
1142153-1 : DNS Resource Records for Wide IPs are potentially misleading when creating or deleting a large number of Wide IPs
Links to More Info: BT1142153
Component: Global Traffic Manager (DNS)
Symptoms:
BIND records do not match configured Wide IPs and pools.
Conditions:
The BIG-IP is a member of a DNS/GTM sync group and "synchronize-zone-files" is enabled.
Impact:
Resources that are down in GTM do not receive appropriate answers from BIND, and clutter builds up in the BIND database over time.
Workaround:
None
1141853-3 : SIP MRF ALG can lead to a TMM core
Links to More Info: BT1141853
Component: Service Provider
Symptoms:
SIP MRF ALG can lead to a TMM core
Conditions:
SIP MRF ALG in use
Impact:
TMM core
Workaround:
None
1141845-5 : RULE_INIT with a call that contains an extra colon character (:) will crash BIG-IP.
Links to More Info: BT1141845
Component: Local Traffic Manager
Symptoms:
If a RULE_INIT contains an extra colon character (:), for example:
when RULE_INIT {
    catch { call sv::hsl:open "/Common/publisher-syslog_server_pool" }
}
it crashes instead of reporting the error.
In this example, the extra : before 'open' is an error. Instead of logging the error, the tmm process crashes.
Conditions:
RULE_INIT contains more than 2 colon characters (:) on a rule.
Impact:
The tmm process crashes.
Workaround:
Avoid creating a RULE_INIT containing a third colon character (:).
1141665-1 : Significant slowness in policy creation following Threat Campaign LU installation
Component: Application Security Manager
Symptoms:
Significant and consistent slowness in policy creation in the Layered Policies suites in BVT (asmdp).
Conditions:
The slowness is triggered by installing a Threat Campaign LU.
Impact:
Slow policy creation when a Threat Campaign LU is installed.
Workaround:
None
1141213-1 : Peer is aborting the connection when PEM client runs diameter traffic over SCTP
Links to More Info: BT1141213
Component: TMOS
Symptoms:
PEM initiates the connection with a successful CER/CEA exchange, but every time diameter traffic is sent from the PEM client over SCTP, the connection is aborted by the peer and a new connection is opened.
Conditions:
Configure PEM as a Gx diameter endpoint and let PEM connect to the MRF Diameter virtual server.
Impact:
MRF resets the PEM connection.
Workaround:
None
1138101-1 : Tunnel connections might not come up when using pool routes
Links to More Info: BT1138101
Component: Local Traffic Manager
Symptoms:
When using a pool route with the service-down action set to drop or reset, tunnel flows might not work properly after the pool route gateway goes down and comes back up.
Conditions:
- Tunnel flow using a pool route for nexthop resolution.
- Pool route with service-action-down set to drop or reset.
- Pool is marked down and then up.
Impact:
Traffic no longer goes through tunnel.
Workaround:
Do not use the service-action-down feature.
1137993-1 : Violation is not triggered on specific configuration
Links to More Info: BT1137993
Component: Application Security Manager
Symptoms:
The HTTP compliance violation is not triggered for unparsable requests in a specific scenario.
Conditions:
A microservice is configured in the security policy.
Impact:
Specific violation is not triggered. A possible false negative.
Workaround:
An iRule workaround is possible that checks the length of the URL and issues a custom violation.
1137717-1 : There are no dynconfd logs during early initialization
Links to More Info: BT1137717
Component: Local Traffic Manager
Symptoms:
Regardless of the log level set, the initial dynconfd log entries are not displayed.
Setting the dynconfd log level (through a DB variable or the /service/dynconfd/debug touch file) will not capture the early logging during startup.
Conditions:
This occurs when using FQDN nodes or pool members on affected BIG-IP versions.
Impact:
Missing some informational logging from dynconfd during startup.
Workaround:
None
1137485-1 : Gtmd produces excessive logging and may also crash (SIGSEGV) repeatedly
Links to More Info: BT1137485
Component: Global Traffic Manager (DNS)
Symptoms:
1. An excessive number of log lines are seen in /var/log/gtm, indicating a state change even though no state change has occurred (e.g., blue --> blue, green --> green), for example:
/var/log/gtm:
alert gtmd[13612]: 011a6006:1: SNMP_TRAP: virtual server ltm1 (ip:port=192.168.0.1:0) (Server /Common/vs1) state change blue --> blue ()
2. If, on an affected version, the GTM configuration contains virtual servers with a depends-on clause, the gtmd process can exit abnormally ("crash") and produce a gtmd core file. The process restarts immediately and automatically, but may then exit and restart again every few seconds or minutes, and continues to do this indefinitely.
In /var/log/user.log, many messages similar to the following may be seen:
notice logger[26789]: Started writing core file: /var/core/gtmd.bld0.0.6.core.gz for PID 26739
notice logger[26800]: Finished writing 35032053 bytes for core file: /var/core/gtmd.bld0.0.6.core.gz for PID 26739
Conditions:
- For the excessive logging issue: a GTM server object exists with one or more virtual servers configured under it.
- For the gtmd crash issue: one or more virtual servers under a GTM server object have a depends-on clause referring to another virtual server.
Impact:
- A flood of SNMP trap logs is seen.
- The gtmd process exits abnormally, bringing down the iQuery connection and potentially impacting GTM monitoring.
1137269-5 : MCPD fails to reply if a request is proxied to another daemon and the connection to that daemon closes
Links to More Info: BT1137269
Component: TMOS
Symptoms:
MCPD does not reply to the request if the publisher's connection closes or fails. In this case, when bcm56xxd is restarted, the perceivable signs of failure are:
- The snmpwalk failing with a timeout and
- The "MCPD query response exceeding" log messages.
Conditions:
1) Configure SNMP on the BIG-IP to run snmpwalk locally on the BIG-IP.
2) From the first session on the BIG-IP, run snmpwalk in a while loop:
while true; do date; snmpwalk -v2c -c public 127.0.0.1 sysDot1dbaseStat; sleep 2; done
Sample output:
Sat Aug 21 00:57:23 PDT 2021
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatResetStats.0 = INTEGER: 0
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatMacAddr.0 = STRING: 0:23:e9:e3:8b:41
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatNumPorts.0 = INTEGER: 12
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatType.0 = INTEGER: transparentonly(2)
3) From a second session on the BIG-IP, restart bcm56xxd:
bigstart restart bcm56xxd
4) The snmpwalk continually reports the following:
Timeout: No Response from 127.0.0.1
And snmpd will continually log "MCPD query response exceeding" every 30 seconds in /var/log/ltm.
Impact:
SNMP stops responding to queries after an upgrade.
Workaround:
Restart SNMP.
1137217-1 : DNS profile fails to set TC flag for responses containing RRSIG algorithm 13
Links to More Info: BT1137217
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express sends a malformed response when the UDP size limit is set to 512.
Conditions:
When the UDP size limit is set to exactly 512 and a zone is signed with algorithm 13 (ECDSA Curve P-256 with SHA-256), DNS Express responds with a malformed packet.
Impact:
Malformed DNS Express responses are received when the UDP size limit is set to exactly 512 and a zone is signed with algorithm 13.
Workaround:
None
1137133-3 : Stats rate is showing incorrect data for broadcast, multicast and arp flood vectors
Component: Advanced Firewall Manager
Symptoms:
On the tenant side, stats_rate is almost double.
Conditions:
The appliance has two ATSEs.
AFM is enabled and licensed, and broadcast or multicast packets are sent.
Impact:
Stats_rate is shown as double the sent traffic rate.
If a vector is configured and traffic is passing at a higher rate than the mitigation value, stats_rate and int_drops_rate are shown as double the data rate.
Workaround:
None
1136921-5 : BGP might delay route updates after failover
Links to More Info: BT1136921
Component: TMOS
Symptoms:
BGP might delay route updates after failover.
Conditions:
- BGP is configured on a High Availability (HA) pair of BIG-IP devices.
- BGP is redistributing kernel routes.
- Failover occurs.
Impact:
New active unit might delay route advertisement up to 15 sec.
New standby unit might delay route withdrawal up to 15 sec.
Workaround:
None
1136837-5 : TMM crash in BFD code due to incorrect timer initialization
Links to More Info: BT1136837
Component: TMOS
Symptoms:
TMM crashes in BFD code due to incorrect timer initialization.
Conditions:
- BFD configured
- Multi-bladed system
- One of the blades experiences a failure.
Impact:
Crash or core.
Workaround:
None.
1136833-3 : Unparseable request content subviolation override cannot be configured on microservices
Links to More Info: BT1136833
Component: Application Security Manager
Symptoms:
A configuration option is missing for the unparseable request content subviolation override.
Conditions:
The option is missing in the UI and REST.
Impact:
It is not possible to configure an override for this subviolation on a microservice.
Workaround:
An iRule can be used to mitigate this condition. The specific iRule differs according to the use case; the following is an example (pseudo-code):
when ASM_REQUEST_DONE {
    # Only act on requests matched to the affected microservice
    if { [ASM::microservice] eq "/foo/*a/" } {
        # Replace X with the maximum acceptable URI length for this microservice
        if { [string length [HTTP::uri]] > X } {
            # trigger ASM custom violation (use the custom violation name defined in the policy)
            ASM::raise <custom-violation-name>
        }
    }
}
1136781-1 : Incorrect parsing of 'bfd notification' CLI in IMI Shell (imish)
Links to More Info: BT1136781
Component: TMOS
Symptoms:
-- Cannot load a file containing 'bfd notifications enable'.
-- After restarting the Advanced Shell services or rebooting, the 'bfd notifications enable' command is missing in the show running-config.
Conditions:
-- In imish, configure "bfd notification enable".
-- Reboot, or run TMSH restart sys service tmrouted.
-- "bfd notification enable" is not present in show running-config.
Impact:
The bfd notification CLI setting cannot be restored and does not survive a restart.
Workaround:
None
1136429-5 : Closing of unrelated MCPD connection causes an errant reply to an in-progress transaction or request group
Links to More Info: BT1136429
Component: TMOS
Symptoms:
MCPD can send an unexpected result response message (belonging to another request group) to the request group currently being processed, in the middle of a transaction.
Conditions:
While MCPD is processing multiple request groups.
Impact:
MCPD closes the connection of the current request group, and the subscriber of that request group never gets the requested data.
Workaround:
Restart the subscriber daemon.
1136013-6 : The tmrouted generates core with double free or corruption
Links to More Info: BT1136013
Component: TMOS
Symptoms:
A tmrouted core is generated.
Conditions:
The system is a multi-blade system.
Impact:
The tmrouted core is generated. There are no other known impacts.
Workaround:
None
1135961-6 : The tmrouted generates core with double free or corruption
Links to More Info: BT1135961
Component: TMOS
Symptoms:
A tmrouted core is generated.
Conditions:
The system is a multi-blade system.
Impact:
A tmrouted core is generated. There are no other known impacts.
Workaround:
None
1135393-2 : The pfmand support is not available on i15820-DF (D120)
Links to More Info: BT1135393
Component: TMOS
Symptoms:
The vCMP host is not running pfmand, while the vCMP guest is running it. The guest logs the following error:
"pfmand[5334]: 01660005:4: No connection to hypervisor."
Conditions:
On the vCMP guest, the pfmand service is running and logging the following error:
"pfmand[5334]: 01660005:4: No connection to hypervisor."
Impact:
No functional impact, as the device is still processing crypto and compression traffic on the Nitrox5 device, but pfmand is not able to monitor the Nitrox5 device.
Workaround:
None
1135313-5 : Pool member current connection counts are incremented and not decremented
Links to More Info: BT1135313
Component: Local Traffic Manager
Symptoms:
With a certain configuration the connection counts on a gateway pool may increment and not be decremented.
Conditions:
- A gateway pool with more than one member.
- Autolasthop disabled.
- A pool monitor with a TCP monitor where the pool member responds to the TCP handshake with data. Common services that do this are SSH, SMTP, and FTP.
Impact:
The connection counts are inflated.
Workaround:
- Configure autolasthop.
- Configure a receive string on the TCP monitor.
1135073-4 : IPS signature update webUI warning message "An active subscription is required to access certain inspections" is always enabled
Component: Protocol Inspection
Symptoms:
The following warning message is displayed in the BIG-IP webUI under Security ›› Protocol Security: Inspection Updates:
"An active subscription is required to access certain inspections"
Conditions:
If the BIG-IP has AFM and IPS subscription licenses, this warning message should not be displayed on the webUI.
Impact:
There is no impact if the AFM and IPS subscription licenses are installed on the BIG-IP. All IPS signatures and compliance checks work as usual.
Workaround:
None
1134509-5 : TMM crash in BFD code when peers from ipv4 and ipv6 families are in use.
Links to More Info: BT1134509
Component: TMOS
Symptoms:
TMM crashes in BFD code when peers from ipv4 and ipv6 families are in use.
Conditions:
- BFD configured
- Mixed IPv4 and IPv6 peers.
Impact:
Crash or core
Workaround:
None.
1134441-3 : Inactive policy synced to peer results in ASM being removed from the virtual server, only for sync-only DG
Links to More Info: BT1134441
Component: Application Security Manager
Symptoms:
An ASM policy is suddenly detached from a virtual server and deactivated.
Conditions:
-- sync-only device group.
-- ASM sync enabled.
-- A policy is used on device ASM-A (attached to virtual server/device group).
-- The same policy is not used on device ASM-B (not attached to virtual server/device group).
Impact:
Inactive policy is synced to the peer, resulting in ASM being unassigned from the Virtual Server.
Workaround:
To prevent Policy Sweeper from deactivating any ASM policy, create a non-functioning device group and attach the unused ASM policies to that device group.
1134301-4 : IPsec interface mode may stop sending packets over tunnel after configuration update
Links to More Info: BT1134301
Component: TMOS
Symptoms:
An interface mode IPsec policy handles traffic through a route-domain to send over the IPsec tunnel. When the traffic-selector is updated, the static default route for the route-domain no longer works. Even if the tunnel is functional, traffic is not sent over it.
Conditions:
- IPsec tunnel with ipsec-policy in interface mode.
- Static routes pointing to the IPsec interface.
- Tunnel configuration updated.
Other unknown conditions could trigger the behavior, but updating the tunnel configuration is a confirmed condition.
Impact:
The tunnel is functional but the BIG-IP does not send packets into it. No ESP packets related to that tunnel will be seen leaving the BIG-IP.
Workaround:
There are two similar workaround options when the issue is observed:
Option 1: Delete the route to the remote network that points to the IPsec interface and create the route again.
Option 2: Alternatively, leave the existing route in place and create a similar, more specific route that points to the same IPsec interface. The issue should be resolved immediately, and the new route can then be deleted.
1134257-1 : TMM cores when pingaccess profile is modified multiple times and configuration is loaded
Links to More Info: BT1134257
Component: Local Traffic Manager
Symptoms:
TMM cores.
Conditions:
- The APM pingaccess profile is configured.
- Before configuration load, modify the pingaccess profile multiple times.
Impact:
TMM cores.
Workaround:
None
1134057-5 : BGP routes not advertised after graceful restart
Links to More Info: BT1134057
Component: TMOS
Symptoms:
BGP routes are not advertised after a graceful restart.
Conditions:
BGP is configured with graceful restart.
Impact:
BGP routes are not advertised after a graceful restart.
Workaround:
None
1133997-2 : Duplicate user-defined Signature Set based on untagged signatures is created upon policy import
Links to More Info: BT1133997
Component: Application Security Manager
Symptoms:
A duplicate user-defined Signature Set is created upon policy import when the Set has a filter using untagged signatures.
Conditions:
A policy using a user-defined Signature Set with a filter using untagged signatures is exported.
Impact:
A duplicate user-defined Signature Set is created upon policy import.
Workaround:
Modify the policy to use the original Signature Set, and then delete the duplicated Signature Set.
1133881-1 : Errors in attaching port lists to virtual server when TMC is used with same sources
Links to More Info: BT1133881
Component: Local Traffic Manager
Symptoms:
When creating a virtual server that has traffic matching criteria identical to another virtual server, but uses a source address defined the same as that configured in the TMC object, attaching the port list fails with an error similar to the following:
01b90011:3: Virtual Server /Common/vs2-443's Traffic Matching Criteria /Common/vs2-443_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs1-443 destination address, source address, service port.
Conditions:
- Port lists are used.
- The first virtual server uses a wildcard source, for example, 0.0.0.0/0.
- The second virtual server uses an identical destination, protocol, and port, with the same source address configured in TMC object.
Impact:
Inability to use port lists to configure the virtual server.
Workaround:
None
1133625-1 : The HTTP2 protocol does not work when SSL persistence and session tickets are enabled
Links to More Info: BT1133625
Component: Local Traffic Manager
Symptoms:
The connection is dropped when SSL persistence is enabled together with session tickets and the HTTP2 protocol.
Conditions:
SSL persistence is enabled together with session tickets and the HTTP2 protocol.
Impact:
The connection is dropped.
Workaround:
-- Disable SSL persistence, OR
-- Disable session tickets.
1133557-1 : Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name
Links to More Info: BT1133557
Component: Local Traffic Manager
Symptoms:
When the BIG-IP (dynconfd process) queries a DNS server, the dynconfd log messages do not identify which server the request is sent to. When more than one DNS server is used and there is a problem communicating with one of them, it might be difficult for the system admin to identify the problematic DNS server.
Conditions:
This occurs when using FQDN nodes or pool members on affected BIG-IP versions.
Impact:
There are no show commands or logs displaying which DNS server is currently being used to resolve an LTM node using FQDN. Problems with communication between the BIG-IP and the DNS server(s) may be more difficult to diagnose without this information.
Workaround:
You can confirm which DNS server is being queried by monitoring DNS query traffic between the BIG-IP and DNS server(s).
1132981-3 : Standby not persisting manually added session tracking records
Links to More Info: BT1132981
Component: Application Security Manager
Symptoms:
Session tracking records with an Infinite Block-All period have an expiration time on the Standby unit after sync.
Conditions:
ASM provisioned
Session Tracking enabled
Session tracking records with an Infinite Block-All period are added.
Impact:
Infinite session tracking records are removed from standby ASMs.
Workaround:
Use an auto-sync DG (instead of manual sync).
After changing the configuration in the UI at Security->Application Security: Sessions and Logins: Session Tracking, you must "Apply Policy" and wait for the DG status to become In-Sync before adding new data points in the UI at Security->Reporting: Application: Session Tracking Status.
1132957-2 : Modifying an IPsec tunnel's tunnel object may result in a TMM core
Links to More Info: BT1132957
Component: TMOS
Symptoms:
Changing the configuration of an IPsec interface mode tunnel may result in a TMM core.
Conditions:
- IPsec with ipsec-policy in interface mode.
- Configuration is changed for that tunnel.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Before reconfiguring an IPsec interface mode tunnel, disable the ike-peer associated with the tunnel.
1132949-5 : GUI reported error when changing password after mgmt port was changed
Links to More Info: BT1132949
Component: TMOS
Symptoms:
The GUI reports an error, but the password is changed successfully anyway:
An error has occurred while trying to process your request.
Conditions:
This issue is seen when an SSL port change is made, followed by a password change for a given user.
Impact:
The BIG-IP system is unable to provide the following functionality:
1. Gossip Framework : REST high availability (HA) sync framework will not work.
2. Licensing via BIG-IQ
3. selfLinks will be wrong
4. iAppLX, SSL Orchestrator, Access Guided Configuration, and AS3 will be affected, as these modules depend on Gossip.
Workaround:
This issue is seen only when the SSL port is something other than 443 (the default SSL port).
To work around this, keep 443 as the SSL port.
1132925-2 : Bot defense does not work with DNS Resolvers configured under non-zero route domains
Links to More Info: BT1132925
Component: Application Security Manager
Symptoms:
When a DNS Resolver is configured under a non-zero route domain, the bot defense does not use the DNS resolver to perform DNS queries, resulting in some bots not being detected.
Conditions:
DNS Resolver is configured under non-zero route domain.
Impact:
Some bots are not detected by bot defense mechanism.
Workaround:
Configure DNS Resolver under route domain 0.
1132765-5 : Virtual server matching might fail in rare cases when using virtual server chaining.
Links to More Info: BT1132765
Component: Local Traffic Manager
Symptoms:
When using virtual server chaining (for example, the iRule 'virtual' command sending traffic to another virtual server explicitly), a small percentage of packets might be dropped.
Conditions:
- Virtual server chaining.
- Virtual servers have the vlan_enabled feature configured.
- DatagramLB or idle-timeout = 0 configured on protocol profile.
- High packet rate of incoming traffic.
Impact:
Some packets fail to match a virtual server and get dropped.
Workaround:
- Remove vlan_enabled feature
- OR remove DatagramLB / set idle-timeout > 0 on the protocol profile.
1132741-1 : TMM core when the HTML parser scans an endless HTML tag larger than 50MB
Links to More Info: BT1132741
Component: Application Security Manager
Symptoms:
TMM core, with "clock advanced by X ticks" messages logged
Conditions:
- DoS Application or Bot Defense profile assigned to a virtual server
- Single Page Application or Validate After Access enabled.
- 50MB response with a huge HTML tag length.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Exclude html parser for url in question.
tmsh modify sys db dosl7.parse_html_excluded_urls value <url>
1132705-4 : Failed on insert entry to DCC.ACCOUNT_LOGIN_OBJECT_ATTRIBUTES
Links to More Info: BT1132705
Component: Application Security Manager
Symptoms:
When importing two policies that have the same URL object configured, adding the URL parameter to one of the policies causes apply policy to fail.
Conditions:
1. Both policies use the same URL parameter.
2. The parameter types differ (for example, one is http and the other is https).
Impact:
Apply policy fails.
Workaround:
Change the name of one of the policies.
1132449-3 : Incomplete or missing IPv6 IPI database results in connection reset and/or high TMM CPU usage
Links to More Info: BT1132449
Component: Advanced Firewall Manager
Symptoms:
The following IPv4 database load message is present in /var/log/ltm:
015c0010:5: Initial load of IPv4 Reputation database has been completed
Note the absence of:
015c0010:5: Initial load of IPv6 Reputation database has been completed
Some scenarios would result in elevated TMM CPU utilization, for example, when using IPI in global policy.
Conditions:
Failure to download IPv6 database from localdb-ipv6-daily.brightcloud.com.
Impact:
Any of the following:
- TCL error results when IPI is used in an iRule resulting in connection being reset.
- When using IPI in global policy, increased TMM CPU utilization may occur which leads to idle enforcer being triggered, TMM clock advanced messages appearing in LTM logs, or TMM restarting without core when MCPD is unable to communicate with TMM.
Workaround:
Ensure that BIG-IP is able to communicate with BrightCloud servers, including localdb-ipv6-daily.brightcloud.com. See K03011490.
1132405-5 : TMM does not process BFD echo pkts with src.addr == dst.addr
Links to More Info: BT1132405
Component: Local Traffic Manager
Symptoms:
TMM does not process BFD echo pkts with src.addr == dst.addr.
Conditions:
- BFD echo packets arrive with a source address equal to the destination address.
Impact:
TMM does not process BFD echo pkts with src.addr == dst.addr.
Workaround:
None
1128689-1 : Performance improvement in signature engine
Links to More Info: BT1128689
Component: Application Security Manager
Symptoms:
The signature engine in BD uses more CPU cycles than it actually needs to complete the task.
Conditions:
ASM provisioned and in use
Impact:
Slower system performance
High CPU utilization with BD
Workaround:
For header-based signatures that appear at the top in ACY_PERF, header exclusions can be added only on explicit headers. This should decrease CPU usage.
1128629-3 : Neurond crash observed during live install through test script
Links to More Info: BT1128629
Component: TMOS
Symptoms:
Neurond core is observed during live install followed by FPGA firmware upgrade through the test script.
Conditions:
Live install through the test script
Impact:
No functional impact
Workaround:
None
1128505-1 : HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy
Links to More Info: BT1128505
Component: Local Traffic Manager
Symptoms:
The ORBIT framework added HUDEVT_ACCEPTED handling through hud_orbit_accepted_handling, which allows the release of HUDEVT_ACCEPTED to move from the filter to ORBIT; HTTP adopted this new feature.
When HTTP is disabled, HTTP explicitly disables HUDEVT_ACCEPTED handling when going into passthru, and subsequently enabling HTTP does not restore this handling. If this sequence happens before the first HTTP request, HUDEVT_ACCEPTED is released prematurely up the chain, so the server-side connection may be established before the first request is processed. Attempts to manipulate the LB criteria at that point may fail because the criteria are locked, which can result in the connection being reset with an "Address in use" reset cause.
Conditions:
-- HTTP Virtual server
-- HTTP::disable is called from CLIENT_ACCEPTED and HTTP is subsequently re-enabled in CLIENTSSL_HANDSHAKE before the first request arrives at HTTP
Impact:
Connection is reset with "Address in use" reset cause.
Workaround:
None
1128429-6 : Rebooting one or more blades at different times may cause traffic imbalance, resulting in high CPU
Links to More Info: BT1128429
Component: Carrier-Grade NAT
Symptoms:
One or more TMMs are consuming more CPU cycles than the other TMMs. The increased CPU usage is caused by a significant number of internal TMM traffic redirections.
Conditions:
- LSN pools enabled.
- The sp-dag configured on the client-side and server-side VLANs (cmp-hash src-ip and cmp-hash dst-ip respectively).
Impact:
Increased TMM CPU usage on one or more TMMs.
Workaround:
- Set up a High Availability (HA) pair of VIPRIONs and make the active VIPRION cluster standby before doing any operation that involves the rebooting, insertion, or removal of one or more blades.
Or if the VIPRION is a stand-alone cluster:
- Stop all external traffic to the VIPRION before rebooting, inserting, or removing one or more blades.
- Restart or reboot all the blades at the same time from the primary, using the following "clsh" command:
"clsh reboot volume <NEW_VOLUME>" or "clsh bigstart restart".
1128405-4 : DNS overall Request/Second counter can be inaccurate
Links to More Info: BT1128405
Component: Global Traffic Manager (DNS)
Symptoms:
The output of "tmsh show ltm profile dns" (which shows overall stats for all DNS profiles) can indicate an inaccurate value for the "Request/Second" counter.
The counters for individual DNS profiles will have accurate values.
Conditions:
A DNS profile is associated with a virtual server, and then later removed (or switched to use another DNS profile).
Impact:
The overall view showing statistics for DNS Requests/Second is inaccurate.
Workaround:
Reset the profile stats, although this will only be effective until the next time a DNS profile is removed from a virtual server.
1128169-2 : TMM core when IPsec tunnel object is reconfigured
Links to More Info: BT1128169
Component: TMOS
Symptoms:
TMM may core when a "tunnel tunnels" object related to an IPsec interface is reconfigured.
For example, a command that changes the IP address of the object may lead to a core:
# tmsh modify net tunnels tunnel my-ipsec-tunnel remote-address 1.2.3.4
Conditions:
-- IPsec IKEv1 or IKEv2.
-- Tunnel is in "interface" mode.
-- Tunnel object is reconfigured while the tunnel is up.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure the tunnel is down before reconfiguring it.
-- Set the IKE-Peer config state to disabled.
-- Delete an established IKE SA and IPsec SA related to that peer.
For example:
# tmsh modify net ipsec ike-peer <Name> state disabled
# tmsh delete net ipsec ike-sa peer-ip <IP>
# tmsh delete net ipsec ipsec-sa dst-addr <IP>
"Name" is the specific name given to the ike-peer config object.
"IP" is the address configured to use for the remote peer.
Then make the desired changes and enable the IKE-Peer.
# tmsh modify net ipsec ike-peer <name> state enabled
1127881-1 : Deprecate sysClientsslStatFullyHwAcceleratedConns, sysClientsslStatPartiallyHwAcceleratedConns and sysClientsslStatNonHwAcceleratedConns
Links to More Info: BT1127881
Component: TMOS
Symptoms:
SSL hardware acceleration MIBs that are meant to be deprecated are still in use.
Conditions:
Running snmpwalk for these MIBs shows they are still active:
# snmpwalk -c public localhost -v2c F5-BIGIP-SYSTEM-MIB::sysClientsslStatFullyHwAcceleratedConns
F5-BIGIP-SYSTEM-MIB::sysClientsslStatFullyHwAcceleratedConns.0 = Counter64: 0
# snmpwalk -c public localhost -v2c F5-BIGIP-SYSTEM-MIB::sysClientsslStatPartiallyHwAcceleratedConns
F5-BIGIP-SYSTEM-MIB::sysClientsslStatPartiallyHwAcceleratedConns.0 = Counter64: 0
# snmpwalk -c public localhost -v2c F5-BIGIP-SYSTEM-MIB::sysClientsslStatNonHwAcceleratedConns
F5-BIGIP-SYSTEM-MIB::sysClientsslStatNonHwAcceleratedConns.0 = Counter64: 0
Impact:
SSL MIB not up-to-date
Workaround:
None
1127809-1 : Due to incorrect URI parsing, the system does not extract the expected domain name
Component: Application Security Manager
Symptoms:
The system will fail to send webhook requests to the server.
Conditions:
Add webhook to the policy and execute Apply policy on BIG-IP.
Impact:
Webhook requests will fail
1127805-1 : Server.crt containing "<" will cause frequent reconnects between local gtmd and big3d
Links to More Info: BT1127805
Component: Global Traffic Manager (DNS)
Symptoms:
Resources flap, frequent reconnects occur between the local gtmd and big3d.
Logs similar to this:
Jul 15 22:56:32 GSLB2 warning gtmd[11773]: 011ae023:4: XML parsing error not well-formed (invalid token) at line 483
Jul 15 05:36:54 GSLB2 notice gtmd[6917]: 011ae01a:5: SSL handshake complete to 10.10.10.10
Jul 15 05:37LB2 notice gtmd[6917]: 011ae01a:5: SSL handshake complete to 10.10.10.10
Jul 15 05:37:24 GSLB2 notice gtmd[6917]: 011ae01a:5: SSL handshake complete to 10.10.10.10
Jul 15 05:37:34 GSLB2 notice gtmd[6917]: 011ae01a:5: SSL handshake complete to 10.10.10.10
Conditions:
Server.crt containing "<"
Impact:
-- GTMs frequently leave/join the GTM sync group
-- Resources are marked up and down.
Workaround:
1. On each GTM, run bigip_add for all defined BIG-IP servers.
Or
2. Remove "<" from the server.crt file.
1127445-4 : Performance degradation after Bug ID 1019853
Links to More Info: BT1127445
Component: Performance
Symptoms:
Performance degradation is observed with BD in TPS in the versions that have the fix for Bug ID 1019853.
Conditions:
Versions that have the fix for Bug ID 1019853.
Impact:
Lower TPS performance with BD.
Workaround:
None
1127241-5 : AS3 tenants don't sync reliably in GTM sync groups.
Links to More Info: BT1127241
Component: Global Traffic Manager (DNS)
Symptoms:
GTM AS3 tenants do not sync across GTM sync groups when using AS3 declarations.
Conditions:
-- GTM sync group.
-- Remove tenant in GTM1.
-- Sync does not happen and the tenant remains in GTM2.
Impact:
GTM sync fails to sync the AS3 tenants.
Workaround:
None
1127169-2 : The BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG
Links to More Info: BT1127169
Component: TMOS
Symptoms:
There is a possibility that BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG.
Conditions:
- BIG-IP versions 16.1.3 and above.
- FIPS 140-3 license is installed on BIG-IP or it is a FullBoxFIPS device.
- Establish multiple SSL/TLS connections.
Impact:
The BIG-IP device reboots randomly.
Workaround:
None
1127117-2 : High Memory consumption for NAT translations of NAPT/PBA End Point Independent modes
Links to More Info: BT1127117
Component: Advanced Firewall Manager
Symptoms:
Memory consumption increases with the number of connections.
Conditions:
1. Configure LSN Pool in CGNAT with Persistence mode with Address and Port.
OR
1. Configure AFM NAT source Translations with DPAT and PBA with End Point Independent Mode
Impact:
Memory keeps increasing and eventually might reach 100% utilization.
Sample comparison:
Connection Count | Memory usage on 14.x | Memory usage on 15+ |
30M | ~3GB | ~30GB |
Workaround:
-- Increase the available RAM if possible
OR
-- Reduce the connection timeout interval
OR
-- Try using other options like Address Pooling Paired Mode in PBA
1126841-4 : HTTP::enable can rarely cause cores
Links to More Info: BT1126841
Component: Local Traffic Manager
Symptoms:
The TMM crashes with seg fault.
Conditions:
- SSL profile used.
- The iRule that uses HTTP::enable.
Impact:
The TMM restarts causing traffic interruption.
Workaround:
None
1126805-4 : TMM CPU usage statistics may show a lower than expected value on Virtual Edition
Links to More Info: BT1126805
Component: TMOS
Symptoms:
The self-reported CPU statistics of TMM may show a usage value that is lower than the expected number. Some TMM threads may show lower CPU usage than others even if the threads are processing the same amount of traffic. When this issue occurs, a high number of idle polls are observed in the tmm_stat table for the affected TMM.
Conditions:
Virtual Edition
Impact:
TMM CPU stats may not be accurate.
1126409-2 : BD process crash
Component: Application Security Manager
Symptoms:
BD process restarts with a core file.
Conditions:
Unknown
Impact:
The unit goes offline for a short period of time.
Workaround:
None
1126329-1 : SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT★
Links to More Info: BT1126329
Component: Local Traffic Manager
Symptoms:
SSL Orchestrator sends a TLS client hello instead of the expected HTTP CONNECT, leading to a failure in the client environment after an upgrade.
Conditions:
SSL Orchestrator in explicit proxy mode with proxy chaining enabled
Impact:
The exit proxy gives an HTTP 5xx error in response to the unexpected TLS Client Hello.
Workaround:
None
1126181-1 : ZebOS "no log syslog" configuration is not surviving reboot
Links to More Info: BT1126181
Component: TMOS
Symptoms:
The ZebOS "log syslog" or "no log syslog" setting does not survive a reboot, regardless of which operation the user performed. It always reverts to the default setting, which is enabled.
Conditions:
-- Configure 'no log syslog' in ZebOS.
-- Perform reboot or upgrade.
Impact:
If syslog logging has been disabled using 'no log syslog' and ZebOS is then restarted (for example, by rebooting or upgrading the BIG-IP), syslog logging reverts to the default setting, which is enabled.
Workaround:
None
1125733-5 : Wrong server-side window scale used in hardware SYN cookie mode
Links to More Info: BT1125733
Component: TMOS
Symptoms:
The client enables Window Scale in the first SYN packet with a specific factor value, but the BIG-IP system disables Window Scale in its SYN/ACK response.
Instead of treating the Window Scale TCP option as disabled on both peers, TMM honors the Window Scale presented by the client in the first SYN, whereas the client assumes Window Scale is disabled. This causes the BIG-IP to send data payload bytes exceeding the client's window size.
Conditions:
The following conditions must be met in order to match this issue:
- Client and server enable the timestamp TCP option.
- Client enables the Window Scale TCP option.
- SYN Cookie HW is activated in BIG-IP.
Impact:
This can cause performance issues because some packets could need to be retransmitted.
In rare cases where the client TCP stack is configured to abort the connection when it receives a window overflow, the connection will be reset (RST) by the client.
Workaround:
The preferred workaround is changing to Software SYN Cookie mode.
1125561-1 : Add nameserver-min-rtt (infra-cache-min-rtt) feature support for DNS validating resolver cache
Component: Global Traffic Manager (DNS)
Symptoms:
- A DNS Validating resolver returns SERVFAIL responses to clients, despite the BIG-IP system receiving a valid (albeit delayed) response from upstream servers.
- When this happens, the BIG-IP system rejects the responses from the upstream servers with the following ICMP error:
Destination unreachable - Port unreachable.
- If the db key dnscacheresolver.loglevel is set to debug5, the following error message is visible in the /var/log/ltm file when this issue occurs:
debug tmm[13147]: DNScache: request example.com. has exceeded the maximum number of glue fetches 17 to a single delegation point
Conditions:
This issue occurs when the following conditions are met:
- A DNS Validating resolver is in use on the BIG-IP system.
- The aforementioned object is configured with a forward-zone that uses multiple servers to perform resolutions.
- The RTT of the servers fluctuates. For example, the servers are generally fast to reply for most domains, but take extra time to reply for a given domain.
- 'Randomize Query Character Case' is enabled in the DNS Validating resolver.
- If the requests for the domain take a long time to resolve, BIG-IP may reply with SERVFAIL.
Impact:
Clients of the BIG-IP DNS Validating Resolver are not returned an answer. As a result, application failures may occur.
Workaround:
You can work around this issue by changing 'Randomize Query Character Case' to 'No' in the DNS Validating resolver settings.
1125381-1 : Extraneous warnings recorded when using only intermediate certificates
Links to More Info: BT1125381
Component: Local Traffic Manager
Symptoms:
When client authentication is enabled on the client SSL profile but the trusted-ca file includes only an intermediate certificate and no root CA certificate to build the whole certificate chain, the TLS connection is made as expected, but an error message is still reported.
Conditions:
The trusted-ca bundle includes only an intermediate certificate and no root CA certificate.
Impact:
Although the TLS handshake succeeds without any issue and the connection is processed, as expected, a confusing warning is reported.
Workaround:
Because the connection is made, you can safely ignore this message.
Note: This issue does not occur if the root CA cert is also configured in the CA-cert bundle.
1125161-3 : Wideip fails to display or delete in the Link Controller GUI.
Links to More Info: BT1125161
Component: Global Traffic Manager (DNS)
Symptoms:
Attempting to display (i.e. click on) a WideIP in the Link Controller GUI returns an error similar to the following example:
General error: Error parsing value of "null" of type "gtm_qtype_t" in statement [SELECT SINGLE *, gtm_pool.name as pool_name FROM gtm_wideip, gtm_pool WHERE (name = '/Common/example.com' AND type = '1' AND pool_name = 'null' AND pool_type = 'null')]
Attempting to delete a Wideip in the Link Controller GUI returns an error similar to the following example (and the delete operation fails):
01020036:3: The requested Pool (A /Common/example.com) was not found.
Conditions:
-- Link Controller system.
-- The Wideip in question has no associated Pool. This is likely the result of improperly creating the Wideip via the tmsh utility, or upgrading the system from an earlier version which caused your configuration to be automatically fixed up (such as creating distinct A and AAAA Wideips from an earlier unique Wideip entry).
Impact:
The GUI cannot be used to display or delete the Wideip.
Workaround:
Link Controller, unlike GTM, does not expose the concept of Pools. Link Controller only exposes WideIPs and Virtual Servers. Pools exist, but are managed automatically by the system on your behalf.
If a WideIP is created using the GUI, the WideIP is assigned a Pool of the same type and name automatically. This also happens if you initially decide to assign no Virtual Servers to the WideIP (and things work as intended in the BIG-IP GUI).
However, the tmsh utility is not aligned with this Link Controller requirement, and allows you to create WideIPs with no associated Pool.
If you have experienced this issue:
1) Delete the affected WideIP using the tmsh utility.
2a) Going forward, use the GUI to define more Link Controller WideIPs.
2b) Alternatively, if you must use the tmsh utility to do so, ensure each WideIP you create is assigned an identically named Pool of the same type, even if initially you decide to place no Virtual Servers in the Pool. For example, define something like the following:
gtm pool a /Common/example.com { }
gtm wideip a /Common/example.com {
    pools {
        /Common/example.com {
            order 0
        }
    }
}
1124733-2 : Unnecessary internal traffic is observed on the internal tmm_bp vlan
Component: TMOS
Symptoms:
Unnecessary internal traffic can be observed on the internal tmm_bp vlan. It is a UDP broadcast on 62965 port.
Conditions:
Always
Impact:
Unnecessary traffic that does not disrupt normal operation.
Workaround:
None
1124217-5 : Big3d cores on CTCPSocket::TCPReceive and connector
Links to More Info: BT1124217
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d crashes.
Conditions:
Big3d keeps restarting and coring on a GTM with a large number of monitors configured.
Impact:
Segmentation fault and big3d restarts.
Workaround:
None
1124209-4 : Duplicate key objects when renewing certificate using pkcs12 bundle
Links to More Info: BT1124209
Component: TMOS
Symptoms:
Duplicate key objects are getting created while renewing the certificate using the pkcs12 bundle command.
Conditions:
The certificate and key pair are already present on the device and the pkcs12 command is executed to renew them.
Impact:
1) If the certificate and key pair are attached to a profile, certificate renewal fails.
2) Duplicate key objects are created.
Workaround:
Delete the existing cert and key pair, and then execute the pkcs12 bundle command.
1124085-5 : iRules command [info hostname] does not reflect modified hostname
Links to More Info: BT1124085
Component: Local Traffic Manager
Symptoms:
Result from [info hostname] iRules command does not change after modifying system hostname.
Conditions:
- iRules [info hostname] command is being used.
- System hostname is modified.
Impact:
iRules command [info hostname] might reflect incorrect/old hostname
Workaround:
Use $static::tcl_platform(machine) instead of [info hostname]
1123885-1 : A specific type of software installation may fail to carry forward the management port's default gateway.
Links to More Info: BT1123885
Component: TMOS
Symptoms:
After performing a specific type of software installation, the unit returns on-line without the management port's default gateway.
Conditions:
-- A software installation that does not carry forward the entirety of the BIG-IP system's configuration is performed. For example, this is achieved by running "image2disk --format=volumes <...>", or by using the live-install subsystem after disabling the liveinstall.saveconfig and liveinstall.moveconfig db keys. This type of installation, however, does carry forward the management port's configuration (IP address, subnet mask, and default gateway).
-- In addition to the default gateway, the management port is configured with additional static routes (for example, to a log server, dns server, etc.).
-- When mcpd is queried for the management routes, the default gateway is not the first entry in mcpd's reply (this is something outside of your control that entirely depends on the name of the objects and how the config was loaded).
Impact:
On Virtual Edition systems, this issue coupled with the removal of autolasthop from the management port means you will not be able to connect to the BIG-IP system's management port from non-directly connected clients after the installation.
On all systems, this issue means the BIG-IP system will not be able to initiate connections to non-directly connected systems over the management port after the installation.
Note: If the system is configured for dual-stack (IPv4 and IPv6) this issue can affect either (or both) stack.
Workaround:
After the issue has occurred, you can connect to the affected BIG-IP system by means of serial console or video console and apply the default gateway again.
If you are trying to prevent this issue, you can remove all management routes except the default one before performing this type of installation.
1123189-3 : De-Provisioning AFM does not disable SYN-ACK cookie generation
Links to More Info: BT1123189
Component: Advanced Firewall Manager
Symptoms:
De-provisioning AFM does not disable TCP-SYNACK-FLOOD cookie generation when the 'suspicious' mode is enabled.
Conditions:
TCP-SYNACK-FLOOD cookies with 'suspicious' mode enabled are not disabled when the AFM license is de-provisioned.
Impact:
SYN-ACK cookie generation continues even after the AFM module is de-provisioned.
Workaround:
None
1123169-2 : Error saving an iRule when calling a procedure from HTML_TAG_MATCHED event
Links to More Info: BT1123169
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system tries to save an iRule that calls a procedure from HTML_TAG_MATCHED event, an error occurs.
Conditions:
-- configure an iRule with event HTML_TAG_MATCHED
-- The event calls a procedure
Impact:
A TCL error is thrown: Rule checker ::tclCheck::checkScript did not complete: can't read "BIGIP::ltmEventCategoryHierarchy(CLIENTSIDE)": no such element in array
Workaround:
None
1123153-4 : "Such URL does not exist in policy" error in the GUI
Component: Application Security Manager
Symptoms:
Unable to create a parameter under Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs ›› URL Parameters
Conditions:
When the policy setting "Differentiate between HTTP/WS and HTTPS/WSS URLs" is set to "Disabled".
Impact:
User is unable to create a Parameter with a URL.
Workaround:
N/A
1123149-1 : Sys-icheck fail for /etc/security/opasswd
Links to More Info: BT1123149
Component: TMOS
Symptoms:
In Common Criteria mode, when password-memory is set to > 0 and a user is created and logs in from the CLI, the system integrity check fails.
An error message may be logged: "ERROR: S.5...... c /etc/security/opasswd (no backup)"
Conditions:
--- common criteria mode enabled
--- password-memory set to > 0 in password-policy configuration
--- create a new user and login first time using CLI
--- run sys-icheck
Impact:
System integrity check failure when common criteria mode is enabled
Workaround:
None
1122497-3 : Rapid response not functioning after configuration changes
Links to More Info: BT1122497
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Rapid Response is not functioning and stats are not present and/or not changing as requests are being sent to the virtual server.
Conditions:
- DNS Rapid Response is set on the virtual.
- Rapid response is toggled off and back on in the DNS profile.
Impact:
DNS rapid response remains disabled.
Workaround:
Restarting services will allow rapid-response to begin functioning again.
1122473-5 : TMM panic while initializing URL DB
Component: Access Policy Manager
Symptoms:
TMM panics because of a race condition that prevents TMM from accessing files related to the URL database.
Conditions:
While the BIG-IP system is rebooting, if an infrequent timing delay occurs, one or more files related to the URL database may be created in the wrong order of sequence.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None. Repeated attempts at rebooting may eventually succeed.
1122377-1 : If-Modified-Since always returns 304 response if there is no last-modified header in the server response
Links to More Info: BT1122377
Component: Local Traffic Manager
Symptoms:
Requests sent with an If-Modified-Since header always return a 304 Not Modified response
Conditions:
The Last Modified header is not included in the origin server response headers.
Impact:
When the Last-Modified header is not present in the response, its default value (Thu, 01 Jan 1970 00:00:00 GMT) is used and 304 Not Modified is sent to the client.
Workaround:
Add the Last-Modified header to the response headers using an iRule such as the following:
when HTTP_RESPONSE priority 1 {
    # Only add the header when the origin server did not supply one,
    # so an existing Last-Modified value is not duplicated
    if { ![HTTP::header exists Last-Modified] } {
        set time [clock format [clock seconds] -gmt 1 -format "%a, %d %b %Y %H:%M:%S %Z"]
        HTTP::header insert Last-Modified $time
        log local0.debug "Inserting Last-Modified header as $time"
    }
}
1122153-5 : Zonerunner GUI displaying incorrect error string "RRSig Covers Unsupported Record Type"
Links to More Info: BT1122153
Component: Global Traffic Manager (DNS)
Symptoms:
Zonerunner is displaying incorrect error information when it is unable to parse the value.
Conditions:
Zonerunner displays such errors when it is unable to parse the value when displaying records.
Impact:
The error message suggests it is a DNSSEC issue (RRSig) and is misleading.
Workaround:
None
1122021-4 : Killall command might create corrupted core files
Links to More Info: BT1122021
Component: TMOS
Symptoms:
When killing multiple processes via the 'killall' command, a single corrupted core file is created.
Conditions:
- using killall command
- killing multiple processes
Impact:
Corrupted core file is created.
Workaround:
Kill single specific processes instead
1121937-5 : ZoneRunner GUI is unable to display CAA records with "Property Value" set to ";"
Links to More Info: BT1121937
Component: Global Traffic Manager (DNS)
Symptoms:
If you try to view CAA record in ZoneRunner with "Property Value" set to ";", then "RRSig Covers Unsupported Record Type<none>:1: <none>:1: expected a string" message is displayed in GUI.
Conditions:
- Navigate to DNS :: Zones :: ZoneRunner :: Resource Record List :: Search All Records.
- Click on record of type CAA where the "Property Value" is set to ";".
Impact:
Unable to view or update CAA records through GUI where the "Property Value" is set to ";".
Workaround:
Manually edit or view the BIND configuration from the command line.
1121517-1 : Interrupts on Hyper-V are pinned on CPU 0
Links to More Info: BT1121517
Component: TMOS
Symptoms:
CPU 0 utilization is higher relative to other CPUs.
Conditions:
BIG-IP is deployed on a Hyper-V platform.
Impact:
Performance is degraded.
1121349-1 : CPM NFA may stall due to lack of other state transition
Links to More Info: BT1121349
Component: Local Traffic Manager
Symptoms:
The CPM NFA string state machines may stall due to missing data.
Conditions:
-- HTTP virtual server with LTM policy and iRule
Impact:
LTM policy rule does not trigger on HTTP URI path condition
Workaround:
Change rule from "HTTP URI path contains" to "HTTP URI full string contains"
1121169-4 : Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use
Links to More Info: BT1121169
Component: TMOS
Symptoms:
On systems where ID1004833 has been fixed, the resizing instructions for /appdata from K74200262 no longer work.
Conditions:
When jitterentropy-rngd is started by systemd, which is the default state of the BIG-IP.
Impact:
A filesystem resize operation may fail with the following error:
# lvreduce --resizefs --size -40G /dev/mapper/vg--db--sda-dat.appdata
Do you want to unmount "/appdata"? [Y|n] y
fsck from util-linux 2.23.2
/dev/mapper/vg--db--sda-dat.appdata is in use.
e2fsck: Cannot continue, aborting.
resize2fs 1.42.9 (28-Dec-2013)
resize2fs: Device or resource busy while trying to open /dev/mapper/vg--db--sda-dat.appdata
Couldn't find valid filesystem superblock.
fsadm: Resize ext3 failed
fsadm failed: 1
Filesystem resize failed.
Workaround:
Unmount /appdata and restart the jitterentropy-rngd, and then retry the resize operation.
1120685-1 : Unable to update the password in the CLI when password-memory is set to > 0
Links to More Info: BT1120685
Component: TMOS
Symptoms:
A BIG-IP system with password-memory enabled will fail to update the user password in the first login using the CLI
Conditions:
Password-memory set to > 0 in password-policy configuration
Impact:
Not able to update the user password in the first login using the CLI.
Workaround:
Create the user using the GUI and log in from the GUI.
1120529-2 : Illegal internal request in multipart batch request
Links to More Info: BT1120529
Component: Application Security Manager
Symptoms:
The request parser for inner requests does not tolerate a bare linefeed, which results in an HTTP Protocol Compliance violation with the following details.
HTTP Validation Bad multipart parameters parsing
Details Illegal internal request in multipart batch request
Conditions:
- multipart/batch(ing) request
- inner requests use LF for end-of-line marker, instead of canonical marker CRLF
Impact:
Request gets blocked
Workaround:
None
1120433-1 : Removed gtmd and big3d daemon from the FIPS-compliant list
Links to More Info: BT1120433
Component: TMOS
Symptoms:
The gtmd is not able to establish a secure connection to big3d due to failure in handshake because no common ciphers were found between big3d and gtmd in FIPS mode.
Conditions:
-- BIG-IP versions 16.1.3 and above
-- FIPS 140-3 license is installed on BIG-IP or it is a FullBoxFIPS device.
-- Connections are established between big3d and gtmd in FIPS mode.
Impact:
SSL handshakes fail between big3d and gtmd because no common ciphers are present.
Workaround:
None
1120345-7 : Running tmsh load sys config verify can trigger high availability (HA) failover
Links to More Info: BT1120345
Component: TMOS
Symptoms:
Running tmsh 'load sys config verify' on a config that contains both a high availability (HA) group and a traffic group referencing that HA group triggers an HA fault and failover.
Conditions:
- Running 2 BIG-IP systems in a high availability (HA) pair
- Run tmsh 'load sys config verify' on a config with the following conditions:
- Config to be verified contains an HA group
- Config to be verified also contains a traffic group referencing the HA group
Impact:
HA fault and failover. The HA pair enters a degraded state.
Workaround:
No workaround currently known, but the failover fault can be cleared by running tmsh 'load sys config' on the system that had 'load sys config verify' run on it.
1117305-7 : The non-existent URI /api returns a different error response with and without correct Basic Authorization credentials
Links to More Info: BT1117305
Component: TMOS
Symptoms:
The /api returns 401 when incorrect Basic Authorization credentials are supplied.
The /api returns 404 when correct Basic Authorization credentials are supplied.
Conditions:
This occurs irrespective of whether the DB variable "httpd.basic_auth" is set to enable or disable.
Impact:
There is no functional impact. However, all other non-existent URIs return a 302 redirect to the TMUI login page irrespective of whether the Basic Authorization credentials are correct, and /api should invariably exhibit the same behavior.
Workaround:
None
1117297-2 : Wr_urldbd continuously crashes and restarts★
Links to More Info: BT1117297
Component: Traffic Classification Engine
Symptoms:
malloc fails while wr_urldbd is starting.
Conditions:
Reproduced intermittently when rebooting to a new version or after restarting wr_urldbd.
Impact:
Wr_urldbd crashes.
Workaround:
-- Stop wr_urldbd to stabilize the system: bigstart stop wr_urldbd
-- Update the customdb (i.e., delete or add custom URLs) on the backend server
-- Start wr_urldbd to download and load the new DB: bigstart start wr_urldbd
1117245-1 : Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file
Links to More Info: BT1117245
Component: Application Security Manager
Symptoms:
Only the following message appears in the /var/log/tomcat/liveupdate.log file. No other log messages are written, which removes the ability to troubleshoot LiveUpdate:
liveupdate.script file is corrupted, live update repository initialized with default schema
The following error is emitted in /var/log/tomcat/catalina.out during tomcat startup:
java.io.FileNotFoundException: /usr/share/tomcat/logs/liveupdate.log (Permission denied)
Conditions:
You are running a version that includes the fix for ID907025. For more information, see https://cdn.f5.com/product/bugtracker/ID907025.html
Impact:
Loss of troubleshooting capability with LiveUpdate.
Workaround:
chown tomcat:tomcat /var/log/tomcat/liveupdate.log
bigstart restart tomcat
1116941-2 : Need larger Content-Length value supported for SIP
Component: Service Provider
Symptoms:
SIP MRF sends error 413 when the content_length value in the SIP message is greater than 65535 (0xFFFF).
Conditions:
The SIP content_length is greater than 65535 (0xFFFF) on a SIP MRF configuration.
Impact:
SIP messages with a content_length greater than 65535 cannot be processed by the BIG-IP system because of the hard-coded constraint on the SIP content_length.
Workaround:
None
1116845-3 : Interfaces using the xnet driver are not assigned a MAC address
Links to More Info: BT1116845
Component: TMOS
Symptoms:
Interfaces on BIG-IP Virtual Edition that are capable of 100 Gb are unusable when the default xnet driver is used.
The following validation error is present in /var/log/ltm:
"01071ab7:3: 'not-supported' is an invalid forward-error-correction setting for Interface"
The interfaces do not report a MAC address in either of:
- tmsh list /net interfaces
- tmsh show /sys mac
Conditions:
BIG-IP Virtual Edition where the interfaces report a 100 Gb max speed and the xnet driver is used.
Impact:
Interfaces are not assigned a MAC address and are therefore unusable.
Workaround:
Force the interface(s) to use a driver other than xnet.
To apply the workaround, you need 1) the available drivers and 2) the PCI ID of the interfaces.
The available drivers are reported by this tmctl command:
# tmctl -d blade tmm/device_probed
pci_bdf pseudo_name type available_drivers driver_in_use
------------ ----------- --------- -------------------- -------------
0000:00:03.0 F5DEV_PCI mlxvf5, xnet, sock,
0000:00:05.0 1.1 F5DEV_PCI mlxvf5, xnet, sock, xnet
0000:00:06.0 1.2 F5DEV_PCI mlxvf5, xnet, sock, xnet
The PCI ID is reported by the lspci -nnvvv command. In this example, the PCI ID is 15b3:101a:
# lspci -nnvvv | grep -i ethernet
00:03.0 Ethernet controller [0200]: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function] [15b3:101a]
00:05.0 Ethernet controller [0200]: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function] [15b3:101a]
00:06.0 Ethernet controller [0200]: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function] [15b3:101a]
To force the use of a different driver, modify /config/tmm_init.tcl by adding a line such as:
device driver vendor_dev 15b3:101a mlxvf5
where the last two values on that line are the PCI ID and the driver name.
1116513-4 : Route-domains should not be allowed on name server addresses via the GUI.
Links to More Info: BT1116513
Component: Global Traffic Manager (DNS)
Symptoms:
Route domains are allowed on the nameserver address when configuring it via the GUI.
Conditions:
Create a DNS resolver via the GUI and include a route domain in the nameserver IP address.
For example, navigate to Network > DNS Resolvers > DNS Resolver List; a DNS resolver nameserver address can be created with a route domain.
Impact:
Inconsistency between the GUI and TMSH for the DNS resolver nameserver address.
Workaround:
None
1115041-2 : BIG-IP does not forward the response received after GOAWAY to the client.
Links to More Info: BT1115041
Component: Local Traffic Manager
Symptoms:
After receiving a GOAWAY from the server followed by data on the same stream, the BIG-IP system does not forward that data to the client but rather sends RESET_STREAM.
Conditions:
1. Configure an NGINX server to handle two streams per connection
2. Virtual server with http2 profile
3. Send more than two requests on the same connection
Impact:
The client does not get a proper response.
Workaround:
None
1114253-5 : Weighted static routes do not recover from BFD link failures
Links to More Info: BT1114253
Component: TMOS
Symptoms:
If a BFD link fails and recovers, the weighted static route that should be preferred does not populate back into the routing table.
Conditions:
Weighted static routes with BFD configured. This is an example of the affected configuration:
ip route 0.0.0.0/0 10.8.8.4 100
ip route 0.0.0.0/0 10.8.8.34 200
ip static 0.0.0.0/0 10.8.8.4 fall-over bfd
ip static 0.0.0.0/0 10.8.8.34 fall-over bfd
After the BFD session to 10.8.8.4 fails and recovers, the default route still points to 10.8.8.34.
Impact:
Incorrect route nexthop.
Workaround:
Re-add route config statements.
1114137-5 : LibUV library for latest bind 9.16
Component: TMOS
Symptoms:
The latest bind software requires the latest libuv for performance improvements and to support new protocol layers (for example, DNS over TLS).
Conditions:
The latest bind software requires the latest libuv for performance improvements and to support new protocol layers (for example, DNS over TLS).
Impact:
None
Workaround:
None
1114089-1 : Frequent SIGSEGV TMM crash/core in AFM FQDN | fw_iptbl_fqdn_ctx_check
Links to More Info: BT1114089
Component: Advanced Firewall Manager
Symptoms:
TMM crash or core
Conditions:
Two FQDNs associated with BIG-IP firewall rules resolve to the same IP address in the DNS server at any point in time.
Impact:
1. One of the FW rules may not work.
2. TMM crash or core.
Workaround:
Use IP addresses instead of FQDNs in such firewall rules.
1113961-2 : BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China
Links to More Info: K43391532, BT1113961
Component: TMOS
Symptoms:
BIG-IP 16.1.3 VE with FIPS 140-3 may fail to start in AWS-China
Conditions:
Running BIG-IP 16.1.3 VE with FIPS 140-3 in the AWS China region.
Impact:
BIG-IP 16.1.3 VE with FIPS 140-3 may fail to start in AWS-China
Workaround:
Upgrade to 16.1.3.1 when it is available.
1113881-1 : Headers without a space after the colon trigger an HTTP RFC violation
Component: Application Security Manager
Symptoms:
An "Unparsable request content" violation is detected for valid headers without a space after the header name's ':'.
Conditions:
Any header without a space between the ':' and the header value triggers "Unparsable request content".
Impact:
Requests that should pass are blocked by the ASM enforcer.
Workaround:
The client has to send headers with a space after the ':'.
1113753-1 : Signatures might not be detected when using truncated multipart requests
Component: Application Security Manager
Symptoms:
In special cases, when sending long requests that include a multipart section, signatures that should be detected in the multipart body might not be detected.
Conditions:
1. WAF-policy is attached to virtual server.
2. Signatures are enabled in the WAF policy.
3. Signatures contain special characters, such as ;"=\n
4. Request is longer than the value in max_raw_request_len.
5. Sending a multipart request.
Impact:
Signature is not detected.
Workaround:
None
1113549-2 : System boots into an inoperative state after installing engineering hotfix with FIPS140-2/140-3 License★
Links to More Info: BT1113549
Component: Local Traffic Manager
Symptoms:
The BIG-IP system persistently starts up in an inoperative state after installing an engineering hotfix, with a console error similar to:
*** FIPS or Common Criteria power-up self-test failure.
*** This system has been placed in an error state.
*** To recover return to the grub menu and select another volume
*** or reinstall the system.
***
*** On many devices pressing the escape key followed by the (
*** key will bring up a menu which allows the system to be restarted.
Power-up self-test failures: <number>
Unmounting file systems
System halting.
Conditions:
- First boot after installing an engineering hotfix.
- FIPS 140-2 or FIPS 140-3 license.
Impact:
You are unable to boot the BIG-IP system into an operational state after applying an engineering hotfix, and you are required to boot to a known good volume.
For more information, see K52534643: Overview of the Platform FIPS BIG-IP system :: https://support.f5.com/csp/article/K52534643
Workaround:
None
1113333-4 : Change ArcSight Threat Campaign key names to be camelCase
Component: Application Security Manager
Symptoms:
The threat_campaign_names and staged_threat_campaign_names keys do not follow the format of the other key names. These key names are changed to camelCase (threatCampaignNames and stagedThreatCampaignNames).
Conditions:
ArcSight is in use with ASM remote logging.
Impact:
Inconsistent key name formatting.
Workaround:
None
1113181-1 : Self-IP allows no traffic following a modification from "Allow Custom (Include Default)" to "Allow Custom".
Links to More Info: BT1113181
Component: Local Traffic Manager
Symptoms:
Although a Self-IP address appears configured correctly (for example, when this is inspected using the WebUI or the tmsh utility), the Self-IP address does not allow through any traffic. Effectively, the Self-IP address behaves as if it was set to "Allow None".
Conditions:
The port-lockdown setting of the Self-IP address was recently modified from "Allow Custom (Include Default)" to "Allow Custom".
Impact:
The Self-IP does not allow through any traffic, whereas it should allow through the traffic in your custom list of ports and protocols.
Workaround:
You can work around this issue by temporarily setting the affected Self-IP to "Allow None" and then again to "Allow Custom", specifying your desired custom list of ports and protocols.
1113161-1 : After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets★
Links to More Info: BT1113161
Component: Application Security Manager
Symptoms:
The Learning and Blocking Settings page does not load.
Conditions:
Some policies are using factory sets which were deleted in later versions, and an upgrade was performed.
Impact:
When trying to open the "Security ›› Application Security : Policy Building : Learning and Blocking Settings" page, the GUI is stuck in the 'loading' state.
Workaround:
Run this mysql command on the BIG-IP system to fix the database; it removes all unreferenced policy sets from the system:
mysql -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password(user => q{root})'` -e "delete from PLC.PL_POLICY_NEGSIG_SETS where set_id not in (SELECT set_id from PLC.NEGSIG_SETS);"
1112805-5 : ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4
Links to More Info: BT1112805
Component: Application Security Manager
Symptoms:
The key used for the ip_address_intelligence field is mapped to an IPv6 Address in the latest CEF standard.
Conditions:
-- IP Intelligence is enabled.
-- An ArcSight remote logger is configured.
-- An HTTP transaction is carried out from a malicious source IP address.
Impact:
The ip_address_intelligence field value is not populated in the ArcSight remote log.
Workaround:
None
1112745-1 : System CPU Usage detailed graph is not accessible on Cerebrus+
Links to More Info: BT1112745
Component: Local Traffic Manager
Symptoms:
When accessing the detailed CPU usage graph in performance reports, the error "Error trying to access the database." is displayed because the CPU graph name is truncated.
Conditions:
On a single blade with more than 17 TMMs, this error is seen.
Impact:
The detailed graph for system CPU usage is not accessible.
Workaround:
No workaround
1112537-1 : LTM/GTM config instantiated in a certain way can cause an LTM/GTM monitor to fail to delete.
Links to More Info: BT1112537
Component: TMOS
Symptoms:
Upon attempting to delete a LTM or GTM monitor, the system returns an error similar to the following example, even though the monitor being deleted is no longer in use anywhere:
01070083:3: Monitor /Common/my-tcp is in use.
Conditions:
-- The configuration was loaded from file (for example, as restoring a UCS archive would do).
-- A BIG-IP Administrator deletes all objects using the monitor, and then attempts to delete the monitor itself.
Impact:
LTM or GTM monitor no longer in use anywhere cannot be deleted from the configuration.
Workaround:
Run one of the following sets of commands (depending on the affected module) and then try to delete the monitor again:
For LTM:
tmsh save sys config
tmsh load sys config
For GTM:
tmsh save sys config gtm-only
tmsh load sys config gtm-only
1112385-4 : Traffic classes match when they shouldn't
Links to More Info: BT1112385
Component: Local Traffic Manager
Symptoms:
Traffic classes may match when they should not.
Conditions:
* Fix for ID1074505 is present (without that fix this bug is hidden).
* Traffic class uses none (or equivalently all 0s) for source-address.
Impact:
Traffic is not categorized properly.
Workaround:
Specify a source address, e.g.
ltm traffic-class /Common/blah {
source-address 1.1.1.1
source-mask none
...
}
Note that because the mask is none this won't have any effect (other than working around this bug).
1112349-5 : FIPS Card Cannot Initialize
Links to More Info: BT1112349
Component: Local Traffic Manager
Symptoms:
Initializing a FIPS card containing the FIPS firmware CNN35XX-NFBE-FW-1.1-02 for the first time may produce the error below, and the card cannot be initialized:
Enter new Security Officer password (min. 0, max. 0 characters):
ERROR: Too long input (max.: 0 characters)
ERROR: Failed to read password
ERROR: INITIALIZATION FAILED!
Conditions:
First-time initialization, using the "tmsh run util fips-util -f init" command, of a new device that contains the FIPS firmware CNN35XX-NFBE-FW-1.1-02.
Impact:
The FIPS card cannot be used for FIPS key traffic and cannot be re-initialized.
Workaround:
None
1112205-1 : HTTP/2 may garble responses if the client-side stream aborts while response headers are on the wire
Links to More Info: BT1112205
Component: Local Traffic Manager
Symptoms:
If the client-side stream aborts while response headers are on the wire, the subsequent requests may receive a garbled response.
Conditions:
- HTTP2 profile is used on both client and server side.
- The client terminates the stream while the response has not yet reached the BIG-IP system.
Impact:
The client receives a garbled response.
Workaround:
None
1112137-1 : In Bot Defense profile, the SSE API timeout value is not considered for mobile requests
Component: Bot Defense
Symptoms:
Distributed Cloud API timeout is not considered for Mobile endpoint requests.
Conditions:
- Bot Defense profile configured with mobile endpoints.
- Distributed Cloud API timeout value is configured.
- Requests to a mobile endpoint are sent from the client, which triggers an API request to the SSE, but the response is not received within the configured timeout.
Impact:
Distributed Cloud API timeout is not considered for Mobile endpoint requests.
Workaround:
None
1112109-5 : Unable to retrieve SCP files using WinSCP or relative path name
Links to More Info: BT1112109
Component: TMOS
Symptoms:
When you attempt to retrieve a file with WinSCP, you receive an error dialog and the session is terminated:
"SCP Protocol error: Invalid control record (r; elative addresses not allowed)
Copying files from the remote side failed."
If you attempt to transfer a file by a relative path with a command-line utility, the transfer fails with the message:
"relative addresses not allowed"
Conditions:
-- Running a BIG-IP version with the fix for ID 915981
-- Using WinSCP set to use SCP protocol to retrieve files from a BIG-IP system.
-- Using a relative remote path to transfer a file with the command line SCP utility.
Impact:
Cannot use WinSCP to retrieve files such as packet captures, log archives, or other diagnostic data from the BIG-IP system.
Workaround:
Use a command line SCP tool that allows specifying an absolute path for the source and/or destination file (a path that starts with a forward slash /), when the source and/or destination locations are a BIG-IP device.
You may use WinSCP in SFTP mode if the user ID is permitted to do so.
1111793-1 : New HTTP RFC Compliance check for incorrect newline separators between request line and first header
Links to More Info: BT1111793
Component: Application Security Manager
Symptoms:
ASM does not enforce incoming HTTP requests where the request line and the first header are separated with a line feed ('\n').
Conditions:
Any HTTP request with a bare line feed (rather than CRLF) at the end of the request line is not enforced.
Impact:
Invalid requests might pass through ASM enforcement.
Workaround:
None
1111629-5 : Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors
Links to More Info: BT1111629
Component: TMOS
Symptoms:
After logging in to the GUI, you may observe messages like the following in /var/log/httpd/httpd_errors:
warning httpd[7698]: [auth_pam:warn] [pid 7698] [client 10.6.4.2:61221] AUTHCACHE Error processing cookie AFQ6MCL2VWASB6NZTAWGQLFFWY - Failed Read: User, referer:
Conditions:
- Using token authentication for REST calls
- Logging in to the GUI
Impact:
- Increased log space usage
Workaround:
None
1111473-5 : "Invalid monitor rule instance identifier" error after sync with FQDN nodes
Links to More Info: BT1111473
Component: Local Traffic Manager
Symptoms:
The following log messages may be observed in /var/log/ltm:
bigip1 err mcpd[4783]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 29.
This may also result in some monitors stuck in "checking" state.
Conditions:
-- FQDN nodes exist in the configuration.
-- A full config sync occurs.
-- The device contains the fix for ID1017513.
-- Occurs regardless of whether bigd or in-TMM monitoring is used.
Impact:
Some monitor statuses may not be correctly reported. Some monitors may be stuck in "checking" state.
Workaround:
Force the mcpd process to reload the BIG-IP configuration: K13030.
1111421-4 : TMSH/GUI fails to display IPsec SAs info
Links to More Info: BT1111421
Component: TMOS
Symptoms:
IPsec SAs are not visible in the GUI/TMSH in tunnel/interface mode:
GUI: network -> ipsec -> diagnostic -> traffic-selectors -> security association details shows no SAs.
The 'tmsh show net ipsec ipsec-sa traffic-selector ts' command shows no SA.
Conditions:
-- Configure IPsec in tunnel/interface mode.
-- Create the tunnel.
-- Check the ipsec-sa.
Impact:
You are unable to see the ipsec-sa in the GUI/TMSH.
Workaround:
None
1111361-4 : Refreshing DNS wide IP pool statistics returns an error
Links to More Info: BT1111361
Component: Global Traffic Manager (DNS)
Symptoms:
Refreshing the wide IP pool statistics results in the error message 'An error has occurred while trying to process your request'.
Conditions:
Go to "Statistics > Module Statistics > DNS > GSLB > Wide IPs > Statistic Pools", and click "Refresh".
Impact:
No results are returned, and the error message 'An error has occurred while trying to process your request' is displayed.
Workaround:
N/A.
1111189-1 : Listing errors in tmsh and installation failures when the configuration includes an AVR scheduled-report.
Links to More Info: BT1111189
Component: Application Visibility and Reporting
Symptoms:
-- The tmsh utility may return an error when listing analytics configuration.
-- TMOS installations may fail and return an error.
-- Saving new UCS archives may fail and return an error.
In all cases, the error is similar to the following example:
TSocket::open() getaddrinfo() <Host: 127.3.0.2
Port: 9090>Name or service not known
std exception: (Could not resolve host for client socket.), exiting...
Conditions:
-- Multi-blade VIPRION system (either metal or in the form of a vCMP guest).
-- AVR is provisioned.
-- At least one AVR scheduled-report is present in the configuration.
-- An action such as listing the config, saving a UCS archive, performing a TMOS installation, etc. is performed on a secondary blade.
Impact:
The operation you were attempting fails and an error is returned.
Workaround:
The only workaround consists of removing all AVR scheduled-reports, performing the intended task, and then re-defining the AVR scheduled-reports as necessary. This is disruptive and may not be suitable for your site. If you require an Engineering Hotfix for this issue, contact F5 Support.
1110949-3 : Updating certKeyChain of parent SSL profile using iControl does not change the cert and key outside certKeyChain of the child profile
Links to More Info: BT1110949
Component: Local Traffic Manager
Symptoms:
Invalid config after iControl call: the certificate and key of the child profile do not change as expected.
Conditions:
1. The SSL profile inherits its defaults from a parent profile.
2. iControl REST is used to change the certKeyChain of the parent profile.
3. The issue is not seen after the first call, but from the second call on it is always reproducible.
Impact:
1. The child profile has an incorrect configuration.
2. The older certificate/key cannot be deleted, as they are still in use in the child profile.
Workaround:
You can use the currently deprecated iControl call, specifying key and cert instead of certKeyChain, as follows:
curl -k -u admin:admin -H "Content-Type: application/json" -X PATCH https://10.155.75.246/mgmt/tm/ltm/profile/client-ssl/parent.example.com -d '{"key":"/Common/default.key","cert":"/Common/default.crt"}'
1110893-5 : Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy
Links to More Info: BT1110893
Component: TMOS
Symptoms:
Some sections of the BIG-IP GUI fail to load properly and may report "An error occurred:". Additionally, iControl REST calls may fail with a 401 Unauthorized error.
Conditions:
-- The BIG-IP GUI or iControl REST is accessed behind a proxy that includes an X-Forwarded-For header.
-- The "httpd.matchclient" BigDB key is set to true (this is the default).
Impact:
Some portions of the GUI are broken, and iControl REST calls may fail.
Workaround:
Disable the "httpd.matchclient" DB key:
tmsh modify sys db httpd.matchclient value false
bigstart restart httpd
1110813-4 : Improve MPTCP retransmission handling while aborting
Component: Local Traffic Manager
Symptoms:
- MPTCP enabled TCP connection is aborting.
- TMM cores.
Conditions:
- MPTCP is enabled.
- MPTCP enabled TCP connection is aborting.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable MPTCP option in the TCP profile.
1110689-1 : Fail to reset INSL statistics
Component: Bot Defense
Symptoms:
Resetting the INSL statistics below fails, both on profile init and from TMSH:
- tot_requests_instl_endpoints_matched
- tot_requests_instl_served
Conditions:
- Bot Defense profile is configured.
- Interstitial endpoint is configured.
Impact:
The statistics below can display higher numbers than expected:
- tot_requests_instl_endpoints_matched
- tot_requests_instl_served
Workaround:
None
1110485-4 : SSL handshake failures with invalid profile error
Links to More Info: BT1110485
Component: Local Traffic Manager
Symptoms:
1. TMM reports SSL handshake failures with the reason "hud_ssl_handler:1208: alert(40) invalid profile unknown on VIP".
2. Certificate read errors appear in the ltm log: "reading: Unknown error."
Conditions:
-- The certificates associated with the SSL profile are corrupted by modifying/adding/deleting them, either manually or via Venafi.
-- There are frequent unintentional certificate updates.
Impact:
-- The BIG-IP system is not able to process the traffic.
-- All traffic to particular virtual servers fails
Workaround:
1. Correct the certificates which are corrupted and make them valid.
2. Detach/remove the corresponding SSL profile from all virtual servers to which it is applied.
3. In the GUI open the virtual server and click on update and make sure there are no errors shown on the screen.
4. Re-apply the SSL profile to the virtual server.
1110281-1 : Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable
Links to More Info: BT1110281
Component: Application Security Manager
Symptoms:
Non-HTTP traffic is not forwarded to the backend server.
Conditions:
- ASM provisioned
- Behavioral DoS profile assigned to a virtual server
- DOSL7::disable and HTTP::disable are applied in the iRule's when CLIENT_ACCEPTED {} event
Impact:
Web applications that use non-HTTP traffic are broken.
Workaround:
Instead of using DOSL7::disable, redirect non-HTTP traffic to a non-HTTP aware virtual server using the iRule command virtual <virtual_server_name>.
1110241-1 : in-tmm http(s) monitor accumulates unchecked memory
Links to More Info: BT1110241
Component: In-tmm monitors
Symptoms:
Connflows grow larger than expected or desired.
Conditions:
-- in-TMM monitors are enabled
-- http(s) monitors are configured
-- Pool members continue spooling chunked data
Impact:
If an http(s) server does not close its connection to the BIG-IP system and continues spooling chunked data, the connflow remains and memory accumulates unchecked.
Workaround:
Three possible workarounds:
1. Fix the server.
2. Periodically reboot the server.
3. Use BigD LTM monitors.
1110205-3 : SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown
Links to More Info: BT1110205
Component: Local Traffic Manager
Symptoms:
If a virtual server has an iRule performing SSL payload processing in CLIENTSSL_DATA, TMM fails to process or forward an ingress TCP FIN from a client, leaving the connection in a zombie state until it eventually idles out.
Conditions:
The issue occurs only when SSL::collect is used in CLIENTSSL_DATA, for example:
when CLIENTSSL_DATA {
log local0. "."
SSL::release
SSL::collect
}
Impact:
Unexpected growth in the number of connections idling on a virtual server leads to memory pressure.
Workaround:
None
1109953-5 : TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry
Links to More Info: BT1109953
Component: Local Traffic Manager
Symptoms:
A very long entry (exceeding the maximum length allowed by internet standards) in a data-group used for the SSL Forward Proxy Bypass/Intercept hostname list may cause TMM to crash.
Conditions:
All of the below conditions have to be met:
-- A virtual server uses an SSL profile.
-- This SSL profile has Forward Proxy enabled.
-- The SSL profile has Forward Proxy Bypass enabled.
-- The SSL profile uses Hostname Bypass and/or Hostname Intercept data-group.
-- Any of the data-groups contains entries longer than 255 characters.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Make sure all entries in the data-group used for the intercept/bypass hostname list do not exceed 255 characters. According to RFC 1035 section 2.3.4, longer hostnames are not valid.
1109833-2 : HTTP2 monitors not sending request
Links to More Info: BT1109833
Component: Local Traffic Manager
Symptoms:
HTTP2 monitors do not send monitor traffic, incorrectly marking pool members down.
Conditions:
HTTP2 monitor configured.
Impact:
Pool members marked down erroneously.
Workaround:
Use a different monitor type, if possible.
1108681-5 : PEM queries with filters return error message when a blade is offline
Links to More Info: BT1108681
Component: Policy Enforcement Manager
Symptoms:
Attempting to retrieve subscriber session data for a specific subscriber returns the following error: "Data Input Error: ERROR: 'query_view' query reply did not contain a result object."
Conditions:
One of the blades is disabled, and the pem sessiondb query contains a filter, for example subscriber-id or session-ip.
Impact:
Cosmetic error, no impact.
Workaround:
Enable the disabled blades, or send a pem sessiondb query without filters.
1108657-2 : No notification about disabled "Virus detected" violation in case of enabling "Anti-Virus Protection"
Component: Application Security Manager
Symptoms:
If the "Virus detected" violation is disabled, there is no notification about it after enabling "Anti-Virus Protection".
Conditions:
1. In the Security ›› Application Security : Policy Building : Learning and Blocking Settings screen, for the Virus Detected violation, leave at least one of the Learn, Alarm, or Block checkboxes empty.
2. In the Security ›› Application Security : Security Policies : Policies List ›› <selected_policy> screen, check Scan HTTP Uploads (in the Anti-Virus Protection field).
3. No warning is shown.
Impact:
No warning is shown to the user indicating that the related violation settings (Learn, Alarm, or Block) are switched off.
Workaround:
None
1108557-5 : DNS NOTIFY with TSIG is failing due to unmatched TSIG name
Links to More Info: BT1108557
Component: Global Traffic Manager (DNS)
Symptoms:
DNS NOTIFY messages are ignored.
Conditions:
The TSIG key on the secondary has the same algorithm and secret as the primary's, but one or more characters in its name differ in case.
Impact:
Failure to update the zone in a timely fashion.
Workaround:
Remove the offending TSIG on the secondary and re-create it with case matching the primary server.
1108237-1 : Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM.
Links to More Info: BT1108237
Component: Global Traffic Manager (DNS)
Symptoms:
It is possible for monitor probes to a certain destination to be owned by no GTM device in the sync-group. As a result, no monitoring of the destination will be performed, and the monitored object will be incorrectly marked down with reason "no reply from big3d: timed out".
Conditions:
-- GTM sync-group with multiple GTM devices (including a sync-group that contains only a single GTM server with more than one GTM device in it).
-- Monitors specifying an explicit destination to connect to (e.g. with the property "destination 192.168.1.1:*").
-- The destination of a monitored object (e.g. the IP address of the gtm server) is different from the destination explicitly defined in a monitor assigned to the object.
-- The two mismatching destination values are assigned to different GTM devices in the sync-group for monitoring.
Impact:
Monitored GTM objects may have an incorrect status.
Workaround:
None
1108109-5 : APM policy sync fails when access policy contains customization images★
Links to More Info: BT1108109
Component: Access Policy Manager
Symptoms:
APM policy sync fails after an upgrade. Mcpd logs an error
err mcpd[6405]: 01b70117:3: local_path (/tmp/psync_local_file) starts with invalid directory. Valid directories are /var/config/rest/, /var/tmp/, /shared/tmp/.
Conditions:
APM access policy contains a custom image file
Impact:
APM policy sync fails.
Workaround:
None
1107605-2 : TMM crash reported with specific policy settings
Links to More Info: BT1107605
Component: Local Traffic Manager
Symptoms:
TMM crashes when an HTTPS request is made for a non-existent document.
Conditions:
1) Virtual server with HTTP Profile
2) LTM Policy with "shutdown connection" for 400/404 response codes
3) Request for non-existent document
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove the policy and use an iRule with the same conditions as in the policy.
1107565-1 : SSL Persistence behavior change for TLS1.3 connection between v16.1.0 and v16.1.2.2
Links to More Info: BT1107565
Component: Local Traffic Manager
Symptoms:
The BIG-IP system resets TLS 1.3 connections when the client-hello contains a session-ID.
Conditions:
-- Virtual server has ssl persistence enabled
-- TLS 1.3 is used
-- The client-hello message contains a session-ID.
Impact:
Traffic that uses TLS 1.3 with SSL persistence is disrupted.
Workaround:
None
1107549-1 : In-TMM TCP monitor memory leak
Links to More Info: BT1107549
Component: In-tmm monitors
Symptoms:
TMM memory use grows unbounded; aggressive sweeper is engaged
Conditions:
-- In-TMM TCP monitors are enabled
Impact:
TCP peer ingress accumulates over time. Over an extended period, the aggressive sweeper begins freeing memory.
Workaround:
1. Rebooting the BIG-IP system after making the change is one potential remedy.
2. Use regular LTM monitors.
1107453-1 : Performance drop observed in some Ramcache::HTTP tests on BIG-IP i10800 platform
Links to More Info: BT1107453
Component: Local Traffic Manager
Symptoms:
Drop in TPS of around 6.5% observed for Ramcache::HTTP tests.
Conditions:
- BIG-IP i10800 l7-performance-fpga platform
- 5KB file size with 1 Request Per Connection
- 5KB file size with 100 Request Per Connection
Virtual server with the following profiles:
1. http
2. tcp profile with nagle disabled
3. web acceleration profile with the following attributes:
- cache-max-age 36000
- cache-object-max-size 1500001
- cache-object-min-size 1
Impact:
Delay in client side response during peak traffic flow due to lowered throughput.
Workaround:
None
1107041-1 : The header ISTL-INFINITE-LOOP might get forwarded to origin server
Component: Bot Defense
Symptoms:
The internal header ISTL-INFINITE-LOOP is forwarded to the origin server.
Conditions:
- Bot Defense profile is in use.
- Interstitial endpoint is configured.
Impact:
The origin server receives the internal 'ISTL-INFINITE-LOOP' header.
Workaround:
None
1106937-4 : ASM may skip signature matching
Component: Application Security Manager
Symptoms:
Under certain conditions ASM skips signature matching.
Conditions:
The Authorization header type is Bearer, and one of the following applies:
- The JWT token in the input has fewer or more than 3 parts.
- Base64 decoding of the JWT token fails.
Impact:
Signature matching gets skipped.
Workaround:
None
1106897-1 : Broken link under Cryptographic Failure section in OWASP page
Component: Application Security Manager
Symptoms:
The link for Mask Credit Card Numbers in Request Log is broken.
Conditions:
1. Navigate to Security ›› Overview : OWASP Compliance page.
2. Click on a policy which has an OWASP score.
3. Under A2 Cryptographic Failures category, find the Mask Credit Card Numbers field in Request Log.
4. Click the FULFILLED/NOT FULFILLED link.
The link does not load the requested page.
Impact:
The user does not have easy access to the policy details page from the OWASP page.
Workaround:
Navigate to Security ›› Application Security : Security Policies : Policies List ›› <policy_name> page and find the entry of Mask Credit Card Numbers in Request Log.
1106757-4 : Horizon VDI clients are intermittently disconnected
Component: Access Policy Manager
Symptoms:
VMware Horizon Clients experience intermittent freezes and disconnects as the mapping between blast UUID and session id in CLIENT_CLOSED function is maintained only for 20 seconds.
Conditions:
-- VMware VDI is configured via an iApp
-- The connection to the virtual server is lost for more than 20 seconds
Impact:
VMware Horizon Clients experience freezes and disconnects intermittently.
Workaround:
None
1106673-4 : Tmm crash with FastL4 virtual servers and CMP disabled
Links to More Info: BT1106673
Component: Local Traffic Manager
Symptoms:
With CMP disabled, all traffic is forwarded to one TMM thread. A crash occurs when these flows are torn down.
Conditions:
The following is configured on a virtual server:
-- A fastL4 profile
-- CMP is disabled
-- An IPS firewall policy
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Enable CMP on the virtual server.
tmsh modify ltm virtual <virtual_server_name> cmp-enabled yes
1106489-1 : GRO/LRO is disabled in environments using the TMM raw socket "sock" driver.
Links to More Info: BT1106489
Component: TMOS
Symptoms:
GRO/LRO packets are not received: "tmctl -d blade tmm/ndal_rx_stats" shows "0" in "lro". The linux host has GRO disabled: "ethtool -k eth1 | grep generic-receive-offload" shows "off".
Conditions:
-- BIG-IP is deployed in a Hyper-V environment.
-- Any environment such that "tmctl -d blade tmm/device_probed" displays "sock" in "driver_in_use".
Impact:
Performance is degraded.
Workaround:
Manually enable GRO on the device: ethtool -K eth1 gro on
Check that it's enabled with: ethtool -k eth1 | grep generic-receive-offload
1106337-1 : Unable to add tenant ID greater than 12 characters in Bot Defense profile
Component: Bot Defense
Symptoms:
The tenant ID field in the Bot Defense profile is limited to 12 characters; if the user provides more than 12 characters, an error is displayed stating that the field is limited to 12 characters in length.
The tenant ID length should be a minimum of 16 characters and a maximum of 64 characters in the Bot Defense profile. For compatibility, the minimum length has been set to 12 characters, which is valid for both the F5CS portal and F5XC.
Conditions:
- Configuring Bot Defense profile.
Impact:
The user cannot configure the tenant ID successfully, so the Bot Defense profile configuration does not succeed.
Workaround:
None
1106273-4 : "duplicate priming" assert in IPSECALG
Links to More Info: BT1106273
Component: Advanced Firewall Manager
Symptoms:
This is a specific issue with a complicated firewall/NAT/IPsec scenario. When changes are applied to a firewall policy in transparent mode, IPSECALG triggers a "duplicate priming" assert.
Conditions:
An IPsec session is established from a device whose source IP has a firewall policy (transparent mode). As soon as traffic passes over the new IPsec tunnel, the clash in the rules results in a tmm core.
Impact:
TMM asserts with "duplicate priming" assert.
Traffic disrupted while tmm restarts.
Workaround:
None
1105969-4 : Gratuitous ARP not issued for non-floating self-IP on clicking "Update" via the GUI
Links to More Info: BT1105969
Component: Local Traffic Manager
Symptoms:
A gratuitous ARP (GARP) is not issued as per K15858.
Conditions:
After the BIG-IP system is fully started and interfaces are online, select the non-floating self IP address in the Configuration utility and then select Update (without making any changes).
Impact:
You cannot force non-floating self-IPs to send a gratuitous ARP post-boot.
Workaround:
None
1105901-1 : Tmm crash while doing high-speed logging
Links to More Info: BT1105901
Component: TMOS
Symptoms:
Tmm crashes
Conditions:
-- High-speed logging is configured
-- Network instability occurs with the logging pool members
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1105757 : Creating CSR with invalid parameters for basic-constraints, tmsh does not generate meaningful errors
Links to More Info: BT1105757
Component: TMOS
Symptoms:
A similar error as below is observed:
Key management library returned bad status: -45, No Error
Conditions:
Always observed.
Impact:
The error thrown is not meaningful hence it is difficult to identify the invalid parameters.
Workaround:
N/A
1105485 : Emulated Interaction Events occur when using Bot Defense Profile and Datasafe keylogger protection feature
Links to More Info: BT1105485
Component: Application Security Manager
Symptoms:
Datasafe keylogger protection feature causes the Bot Defense profile to detect untrusted events.
Conditions:
-- Bot Defense profile is attached to a virtual server
-- Datasafe profile is attached to the virtual server, with keylogger protection feature enabled.
Impact:
Legitimate users are getting mitigated.
Workaround:
Modify bigDB:
tmsh modify sys db botdefense.cshui_checked_trusted_events value "mousedown, mouseup, mousemove, touchstart, touchmove, touchend"
1105341-1 : Decode_application_payload can break exponent notation in JSON
Links to More Info: BT1105341
Component: Application Security Manager
Symptoms:
With decode_application_payload set to 1, the single pass of decoding prior to JSON parsing converts the "+" character of a positive exponent to " " (a space). This results in Malformed numeric value violations.
Conditions:
Positive exponents with decode_application_payload set to 1.
Impact:
Malformed JSON violations
Workaround:
Disable decode_application_payload by setting it to 0.
1104553-3 : HTTP_REJECT processing can lead to zombie SPAWN flows piling up
Links to More Info: BT1104553
Component: Local Traffic Manager
Symptoms:
In a specific sequence of events, when Tcl attempts to execute a non-existent event, it follows a path that causes the SPAWN flow to become a zombie. These zombie flows pile up over time and show up on the monitoring system.
Conditions:
-- http2, client-ssl, optimized-caching filters on the virtual server
-- HTTP::respond iRule with LB_FAILED event and set of iRules like HTTP_REQUEST, HTTP_RESPONSE, CLIENTSSL_HANDSHAKE, CACHE_RESPONSE, ASM_REQUEST_BLOCKING
-- send http2 request through the virtual server
Impact:
Clients may not be able to connect to the virtual server after a point in time.
1104381-1 : Incorrect value for "sed-api-host" is sent to Distributed Cloud with API call
Component: Bot Defense
Symptoms:
Incorrect Value of "sed-api-host:" is sent to Distributed Cloud in requests to "ibd-ebus.fastcache.net/api/v1/decision".
Conditions:
- A virtual server with a Bot Defense profile attached is in use.
Impact:
Incorrect sed-host-ip value is received at Distributed Cloud.
Workaround:
None
1104037-1 : Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire
Links to More Info: BT1104037
Component: SSL Orchestrator
Symptoms:
Tmm crashes.
Conditions:
Changing "connection.vlankeyed" from enabled to disabled on a system configured for L2 wire
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Keep "connection.vlankeyed" enabled
1103953-2 : SSMTP errors in logs every 20 minutes
Links to More Info: BT1103953
Component: TMOS
Symptoms:
An error is logged every 20 minutes to /var/log/maillog
err sSMTP[9797]: Unable to connect to "localhost" port 25.
err sSMTP[9797]: Cannot open localhost:25
The symptoms are similar to what you see in https://support.f5.com/csp/article/K60914243, but the solution in that article does not help: K60914243 covers 15.x, while the current issue occurs on 16.x.
Conditions:
This occurs if one of the following happens:
1. You have manually deleted the restjavad or restnoded log files with the following commands:
rm /var/log/restjavad*
rm /var/log/restnoded*
2. One of the restjavad/restnoded log files is small and cannot rotate (rotation fails). This happens when the file size does not exceed the default "max-file-size".
Impact:
Log rotation for restjavad/restnoded will be stuck. You may see system emails about sSMTP errors every 20 minutes.
Workaround:
This issue subsides if you manually create the missing file for the stuck log.
1. Open a command terminal
2. Run # ls -l /var/log/restnoded*
3. If you find that restnoded1.log is missing, manually create it:
# touch /var/log/restnoded/restnoded1.log
4. Run # ls -l /var/log/restjavad*.log
5. If you find that restjavad.1.log is missing, manually create it:
# touch /var/log/restjavad.1.log
1103833-1 : Tmm core with SIGSEGV in gtmpoolmbr_UpdateStringProc
Links to More Info: BT1103833
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm cored with SIGSEGV.
Conditions:
-- iRule pool command with member which is determined at run-time
-- A pool member is used for the iRule
-- The previous pool member is deleted and then re-created using the same name
-- That pool member is picked again for the next iRule event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use the string command on the pool member variable, like this:
pool dnspool member [string trim $pool_member]
1103617-5 : 'Reset on Timeout' setting might be ignored when fastl4 is used with another profile.
Links to More Info: BT1103617
Component: Local Traffic Manager
Symptoms:
'Reset on Timeout' setting might be ignored when Fastl4 profile is configured along with some other profile.
Conditions:
Fastl4 profile is configured along with some other profile (for example IPS).
Impact:
Traffic might be reset unexpectedly.
Workaround:
None
1103117-1 : iAppLX extension using express with httpserver script leaves lingering client-side flow on HTTP requests.
Links to More Info: BT1103117
Component: Local Traffic Manager
Symptoms:
While using an iAppLX extension using express with simple HTTP server script, tmsh show sys conn shows a lingering client-side flow that is eventually expired by the sweeper.
Conditions:
Virtual server with an iAppLX extension using express with a simple httpserver script such as the following:
app.use(express.static('public'));
var plugin = new f5.ILXPlugin();
plugin.startHttpServer(app);
Impact:
The connection table (tmsh show sys conn) shows a lingering client-side flow that is eventually expired by the sweeper.
Workaround:
None
1102849-4 : Less-privileged users (guest, operator, etc) are unable to run top level commands
Links to More Info: BT1102849
Component: TMOS
Symptoms:
Less privileged users are no longer able to run top-level commands such as "show running-config recursive". Executing this command from TMOS results in an error:
Unexpected Error: Can't display all items, can't get object count from mcpd
and mcpd throws error:
result_message "01070823:3: Read Access Denied: user (test) type (Abort Ending Agent)"
Conditions:
User account with a role of guest, operator, or any role other than admin.
Impact:
You are unable to show the running config, or use list or list sys commands.
Workaround:
Log on with an account that has admin access.
1102429-1 : iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases.
Links to More Info: BT1102429
Component: Local Traffic Manager
Symptoms:
Invoking the iRule command 'reject' under the iRule event 'FLOW_INIT' may, in some cases, fail to send out the intended reject packet (i.e. TCP reset or ICMP port unreachable).
Conditions:
The issue occurs when the BIG-IP system does not have a route back to the client, and should instead deliver the reject packet by means of autolasthop.
Impact:
The connection is actually removed from the BIG-IP system's connection table and correctly does not progress. However, the lack of a reject packet could make the client retransmit its initial packet or insist on opening more connections.
1102301-1 : Content profiles created for types other than video and image allowing executable
Component: Application Security Manager
Symptoms:
When creating an "API Security" policy, the "Disallow File Upload of Executables" options are disabled for content types other than video/* or image/*.
Conditions:
Create "API Security" policy with binary content URL.
Impact:
Incorrect violation is raised.
Workaround:
None
1101741-1 : Virtual server with default pool down and iRule pool up will flap for a second during a full config-sync.
Links to More Info: BT1101741
Component: TMOS
Symptoms:
During a full manual config-sync, a virtual server with a default pool which is down and an iRule pool which is up will flap for a second on the receiving unit.
For instance:
Apr 22 13:52:31 bigip-ntr-b.local notice mcpd[7733]: 01071682:5: SNMP_TRAP: Virtual /Common/my_vs has become unavailable
Apr 22 13:52:31 bigip-ntr-b.local notice mcpd[7733]: 010719e7:5: Virtual Address /Common/10.0.0.71 general status changed from GREEN to RED.
Apr 22 13:52:31 bigip-ntr-b.local notice mcpd[7733]: 010719e8:5: Virtual Address /Common/10.0.0.71 monitor status changed from UP to DOWN.
<...>
Apr 22 13:52:32 bigip-ntr-b.local notice mcpd[7733]: 01071681:5: SNMP_TRAP: Virtual /Common/my_vs has become available
Apr 22 13:52:35 bigip-ntr-b.local notice mcpd[7733]: 010719e7:5: Virtual Address /Common/10.0.0.71 general status changed from RED to GREEN.
Apr 22 13:52:35 bigip-ntr-b.local notice mcpd[7733]: 010719e8:5: Virtual Address /Common/10.0.0.71 monitor status changed from DOWN to UP.
Conditions:
-- device-group configured for full manual sync
-- virtual server with default pool up and iRule pool down
-- a config sync is initiated
Impact:
There is no impact to application traffic during the flapping, as the virtual server continues to function correctly even when the unit receiving the config-sync is the Active one.
However, the logs (and the ensuing SNMP traps) may be confusing to BIG-IP Administrators and/or network operators monitoring alarms from the system.
Workaround:
You can work around this issue by configuring the device-group for incremental config-sync instead (either manual or automatic).
1101697-3 : TLS1.3 connection failure with 0-RTT and Hello Retry Request (HRR).
Links to More Info: BT1101697
Component: Local Traffic Manager
Symptoms:
Connection failure.
Conditions:
This condition can occur when:
- 0-RTT is enabled.
- The TLS 1.3 session goes through a Hello Retry Request (HRR).
Impact:
Connection failure.
Workaround:
Disable the 0-RTT.
1101453-7 : MCPD SIGABRT and core happened while deleting GTM pool member
Links to More Info: BT1101453
Component: TMOS
Symptoms:
Mcpd crashes while deleting a pool member.
Conditions:
-- Huge GTM configuration
-- One pool member is referenced by 1000 wide IPs
Impact:
Traffic disrupted while mcpd restarts.
Workaround:
None
1101369-5 : MQTT connection stats are not updated properly
Component: Local Traffic Manager
Symptoms:
Negative values can be seen in current connections.
Conditions:
This issue can be seen when the 'CONNECT' message is dropped by iRule or when the first message received is not 'CONNECT.'
Impact:
MQTT profile stats are not incremented correctly with CONNECT message.
Workaround:
NA
1101321-2 : APM log files are flooded after a client connection fails.
Links to More Info: BT1101321
Component: Access Policy Manager
Symptoms:
Once a client connection fails, the /var/log/apm log files are flooded with repeated error messages like "queue.cpp func: "printx()" line: 359 Msg: Queued fd"
Conditions:
When the client connection fails, for example, when the client connection is no longer valid, the log files are flooded with all queued connections which are available at that point of time.
Impact:
The continuous error messages in the log files may cause high CPU issues.
Workaround:
N/A
1101181-4 : HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server
Links to More Info: BT1101181
Component: Local Traffic Manager
Symptoms:
The BIG-IP forwards HTTP request headers to pool member, but does not forward the request body. This results in a connection stall, and the connection eventually timing out and failing.
Conditions:
-- Virtual server with HTTP/2 full proxy configured (HTTP MRF router is enabled, and HTTP/2 profile present on virtual server).
-- Virtual server has request-logging profile assigned.
-- Serverside connection uses HTTP/2.
-- Client sends a request that includes a payload body (e.g. a POST).
Impact:
HTTP transaction fails; traffic does not pass.
Workaround:
Remove the request-logging profile.
1100721-1 : IPv6 link-local floating self-IP breaks IPv6 query to BIND
Links to More Info: BT1100721
Component: Local Traffic Manager
Symptoms:
An IPv6 link-local floating self-IP breaks IPv6 queries to BIND.
Conditions:
1. Create a DNS record in BIND.
2. Create an IPv6 floating self-IP (for example, 2002::139) and place it into traffic-group-1.
3. Create an IPv6 DNS listener using the newly created self-IP (2002::139).
So far a DNS query should be answered properly by BIND and TMM.
4. Create a dummy IPv6 floating self-IP using a link-local IP (for example, fe80::4ff:0:0:202) and place it into traffic-group-1.
Now, the DNS query from outside will be timed out.
Impact:
DNS requests will get timed out.
Workaround:
None
1100669-2 : Brute force captcha loop
Links to More Info: BT1100669
Component: Application Security Manager
Symptoms:
Captchas for a user who failed to log in after several attempts continue even after a successful login.
Conditions:
-- A user fails to log in after several attempts.
-- The mitigation is captcha mitigation.
Impact:
If the user eventually provides the correct password, the user will be able to log in.
Workaround:
None
1100609-1 : Length Mismatch in DNS/DHCP IPv6 address in logs and pcap
Links to More Info: BT1100609
Component: TMOS
Symptoms:
The wrong length is shown in logs for DNS/DHCP IPv6 addresses.
Conditions:
-- DNS/DHCP IPv6 configured in IKE-PEER configuration.
-- The tunnel is established.
Impact:
The length is reported incorrectly in the logs. It is reported as 15 when it should be reported as 16.
Workaround:
None
1100549-4 : "Resource Administrator" role cannot change ACL order
Links to More Info: BT1100549
Component: Access Policy Manager
Symptoms:
You encounter a 'No Access' error when trying to change ACL order
Conditions:
You are logged in with a Resource Administrator role.
Impact:
You are unable to change the ACL order
Workaround:
None
1100409-5 : Valid connections may fail while a virtual server is in SYN cookie mode.
Component: TMOS
Symptoms:
Some of the valid connections to a TCP virtual server may fail while the virtual server is in SYN cookie mode due to an attack.
Conditions:
-- BIG-IP i4x00 platform.
-- TCP virtual server under SYN flood attack.
Impact:
Failed connections, service degradation.
Workaround:
Disabling SYN cookie in the TCP or fastL4 profile is a possible workaround, but that would leave the virtual server open to SYN flood attacks.
1100393-1 : Multiple Referer header raise false positive evasion violation
Links to More Info: BT1100393
Component: Application Security Manager
Symptoms:
When multiple Referer headers contain a backslash character ('\') in the query string portion, the 'IIS backslashes' evasion technique violation is raised.
Conditions:
- 'Url Normalization' is turned on and 'Evasion Techniques Violations' is enabled.
- Multiple Referer headers contain a backslash character ('\') in the query string part.
Impact:
False positive evasion technique violation is raised for Referer header.
Workaround:
In the HTTP Header Properties screen, turn off the 'Url Normalization' on the 'Normalization Settings' section of the 'referer' property.
1100321-4 : MCPD memory leak
Links to More Info: BT1100321
Component: TMOS
Symptoms:
Viewing virtual server firewall policy rules leaks some memory in MCPD.
Conditions:
- BIG-IP AFM is provisioned
- Virtual server firewall policy rules are viewed, e.g. by running one of the following commands:
tmsh show ltm virtual fw-enforced-policy-rules
tmsh show ltm virtual fw-staged-policy-rules
Impact:
A memory leak occurs when the command is run.
Workaround:
None
1100249-1 : SNAT with FLOW_INIT firewall rule may core TMM due to wrong type of underlying flow structure
Links to More Info: BT1100249
Component: Local Traffic Manager
Symptoms:
Tmm crashes with SIGSEGV while passing firewall traffic.
Conditions:
-- SNAT + firewall rule
-- FLOW_INIT used in an iRule
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1100197-1 : GTM sends wrong commit_id originator for iqsyncer to do gtm group sync
Links to More Info: BT1100197
Component: Global Traffic Manager (DNS)
Symptoms:
GTM sends wrong commit_id originator for iqsyncer to do gtm group sync, which converts an incremental sync into a full sync.
Conditions:
Frequent GTM group syncs.
Impact:
Unnecessary GTM full sync.
Workaround:
None
1099545-1 : Tmm may core when PEM virtual with a simple policy and iRule is being used
Links to More Info: BT1099545
Component: Local Traffic Manager
Symptoms:
Tmm cores with SIGSEGV.
Conditions:
-- PEM virtual with a simple policy and iRule attached.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1099373-3 : Virtual Servers may reply with a three-way handshake when disabled or when processing iRules
Links to More Info: BT1099373
Component: Local Traffic Manager
Symptoms:
Virtual servers may complete a three-way handshake before resetting a connection when they are disabled or when iRules process traffic for disabled virtual servers.
Conditions:
-- Virtual Server with a pool assigned
-- Pool is disabled administratively
Impact:
When a virtual server is marked as disabled and a client attempts to connect to it, tmm normally sends a reset in response to the first SYN packet. However, if you then administratively disable the pool (disabled pool members, not forced offline), tmm completes the three-way handshake before sending resets. Additionally, when in this state, iRules still run and can pass traffic to pools if the iRule is configured to do so, even though the virtual server status is disabled.
Workaround:
Avoid marking pools disabled or use forced offline for virtual servers that you want to administratively disable.
1099229-5 : SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present
Links to More Info: BT1099229
Component: Local Traffic Manager
Symptoms:
-- A connection to the virtual server hangs from the client device.
-- A memory leak occurs in tmm
Conditions:
-- Virtual server has an L7 policy configured.
-- Virtual server has iRules configured.
Impact:
-- Clients are unable to connect to the virtual server.
-- A memory leak occurs.
Workaround:
Remove the L7 policy or the iRules from the virtual server configuration.
1099193-1 : Incorrect configuration for "Auto detect" parameter is shown after switching from other data types
Component: Application Security Manager
Symptoms:
The Configuration shown in the GUI for the "Auto detect" Parameter value type is incorrect after certain steps are performed.
Conditions:
1. Create a default policy
2. Create a new Parameter with "User-input value" as the Parameter Value Type and "File Upload" as the Data Type.
3. Save the settings above, and go back to the newly created Parameter's settings.
4. Change its Parameter Value Type to "Auto detect".
Impact:
You either see unrelated fields, e.g. "Disallow File Upload of Executables" or missing tabs, like Value Meta Characters.
Workaround:
You can save a configuration with "User-input value" as a Parameter Value type, and "Alpha-Numeric" as Data Type, and then set "Auto detect" as Parameter Value Type.
1098837-4 : Configuration failure due to the DB validation exception happening in the ips_inspection_sig and ips_inspection_compl tables
Links to More Info: BT1098837
Component: Protocol Inspection
Symptoms:
During the upgrade, a configuration error occurs with the reason "DB validation exception" and a unique constraint violation in the tables ips_inspection_sig and ips_inspection_compl.
Conditions:
During the upgrade of the device, there should not be a configuration error with a DB exception message.
Impact:
Some of the signatures and compliances will not load into the MCPD database tables ips_inspection_sig and ips_inspection_compl respectively.
Workaround:
Store the details of the signatures and compliances in a file and run the following command:
tmsh load sys config merge filename
1098609-2 : BD crash on specific scenario
Component: Application Security Manager
Symptoms:
BD crashes while passing traffic.
Conditions:
Specific request criteria that occur while there is a configuration change.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
1097193-4 : Unable to SCP files using WinSCP or relative path name
Links to More Info: BT1097193
Component: TMOS
Symptoms:
When attempting to retrieve a file with WinSCP, you receive an error dialog and the session will be terminated:
"SCP Protocol error: Invalid control record (r; elative addresses not allowed)
Copying files from remote side failed."
If attempting to transfer a file by relative path with a command line utility the transfer will fail with the message:
"relative addresses not allowed"
Conditions:
-- Running BIG-IP version with fix for ID 915981
-- Using WinSCP set to use SCP protocol to retrieve files from a BIG-IP system.
-- Using a relative remote path to transfer a file with command line scp utility.
Impact:
No longer able to use WinSCP to retrieve files such as packet captures, log archives, or other diagnostic data from the BIG-IP system.
Workaround:
Use a command line SCP tool that allows specifying an absolute path for the source and/or destination file (a path that starts with a forward slash /), when the source and/or destination locations are a BIG-IP device.
If the user ID is permitted to do so, you may use WinSCP in SFTP mode.
1096893-3 : TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection
Links to More Info: BT1096893
Component: Local Traffic Manager
Symptoms:
When route metrics are applied by the TCP filter to a connection initiated by a syncookie, TCP sets the effective MSS for packetization, thereafter the egress_mtu will be set as per the route metrics entry, if present. The packets falling between the effective MSS and the lowered egress_mtu end up being unexpectedly IP-fragmented.
Conditions:
SYN cookies enabled and activated. A route metrics PMTU entry for the destination address that is smaller than the VLAN's egress MTU.
Impact:
Application traffic can fail or see disruption due to unexpected IP fragmentation.
Workaround:
Disable syn cookies (Reference: https://support.f5.com/csp/article/K80970950).
Alternatively, you can apply a lower static MTU to the interface.
1096461-1 : TACACS system-auth Accounting setting has no effect when set to send-to-all-servers/send-to-first-server
Links to More Info: BT1096461
Component: TMOS
Symptoms:
If the destination address is a single server, then the accounting info is sent to only the particular server.
If the destination has multiple servers, then the accounting info is sent to all servers irrespective of the setting "auth tacacs system-auth accounting"
Conditions:
Select multiple destination addresses and change the "auth tacacs system-auth accounting" to send-to-first-server, the accounting information is sent to all the destination servers.
Impact:
You are unable to use the send-to-first-server functionality.
Workaround:
None
1096317-5 : SIP msg alg zombie flows
Links to More Info: BT1096317
Component: Carrier-Grade NAT
Symptoms:
The SIP msg alg can disrupt the expiration of a connflow such that it stays alive forever.
Conditions:
SIP msg alg with suspending iRule commands attached.
Impact:
Zombie flow, which cannot be expired anymore.
Workaround:
Restart TMM.
1096165-5 : Tmm cored for accessing the pool after the gtm_add command is run
Links to More Info: BT1096165
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm can crash.
Conditions:
TMM process fails seconds after the gtm_add command is run.
Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.
Workaround:
Reduce the number of pools and the number of region records.
1095989-2 : PEM behaviour on receiving CCA with result code: 4012 and FUA on the Gy interface
Links to More Info: BT1095989
Component: Policy Enforcement Manager
Symptoms:
PEM receives a RADIUS Accounting request and sends CCRs on both the Gx and Gy interfaces. When a Gy CCA is received with Multiple-Services-Credit-Control.Result-Code 4012 (DIAMETER_CREDIT_LIMIT_REACHED) and Final-Unit-Action (Redirect), the "Redirect-Server-Address" is NOT installed on the PEM session.
Conditions:
Session quota information is passed from OCS to PCEF on the Gy interface.
Impact:
The action specified in FUI does not get applied to the session. Quota management will not work properly for the session.
1095973-4 : Config load failure when Trusted CA Bundle is missing and URL is present in the Bundle Manager
Links to More Info: BT1095973
Component: TMOS
Symptoms:
1. BIG-IP will come up but there will be a config load failure.
2. During the upgrade, config sync issues occur.
Conditions:
1. Bundle Manager contains a URL (exclude-url/include-url).
2. Trusted CA Bundle is not populated in the Bundle Manager.
Impact:
1. BIG-IP will be in "Inoperative"/"Not All Devices Synced" state
Workaround:
Add the Trusted CA Bundle (default ca-bundle.crt) to the Bundle Manager.
OR
Remove the URLs (both exclude-url and include-url) from the Bundle Manager.
1095217-2 : Peer unit incorrectly shows the pool status as unknown after merging the configuration
Links to More Info: BT1095217
Component: TMOS
Symptoms:
The peer unit incorrectly shows the state of pool members as "checking" after merging the configuration from the terminal.
Conditions:
This is encountered if 2 or more configurations are specified for an already configured pool on the peer device when using the "tmsh load sys config merge from-terminal" command.
For example:
Existing pool:
ltm pool http_pool {
    members {
        member1:http {
            address 10.82.243.131
            monitor http
        }
    }
}
tmsh load sys config merge from-terminal:
ltm pool http_pool {
    members none
}
ltm pool http_pool {
    members replace-all-with {
        member1:http {
            address 10.82.243.131
            monitor http
        }
    }
}
Impact:
Pool members are marked with a state of "Checking".
Workaround:
Define all object properties at once (in a single configuration block) instead of multiple times (in multiple configuration blocks) when merging the configuration from the terminal.
1095205-5 : config.auditing.forward.multiple db variable with value "none" does not work as expected with multiple destination addresses in audit_forwarder.
Links to More Info: BT1095205
Component: TMOS
Symptoms:
When the config.auditing.forward.multiple db variable is set to none, BIG-IP should send the logs to only one destination when multiple destination addresses are configured.
Conditions:
When configured to "none", logs are broadcast to all the destination addresses, i.e. the system behaves as in "broadcast" mode.
Impact:
End users cannot use the "none" functionality.
1095185-1 : Failed Configuration Load on Secondary Slot After Device Group Sync
Links to More Info: BT1095185
Component: Application Security Manager
Symptoms:
Configuration synchronization fails on secondary slots after the primary slot receives a full sync from a peer in a device group.
Conditions:
Bladed chassis devices are configured in an ASM-enabled device group.
Impact:
Incorrect enforcement on secondary slots.
Workaround:
None
1095145-4 : Virtual server responding with ICMP unreachable after using /Common/service
Links to More Info: BT1095145
Component: SSL Orchestrator
Symptoms:
After adding the /Common/service profile to a virtual server and then removing it, the virtual server starts dropping traffic with ICMP unreachable.
This profile is normally only needed in SSLo deployments.
Conditions:
/Common/service was attached and removed from a virtual server.
Impact:
Traffic is dropped on a virtual server.
Workaround:
Restart TMM after making the configuration change.
1095041-1 : ASM truncates cookies when a cookie name contains a space and a TS cookie is part of the cookie list.
Links to More Info: BT1095041
Component: Application Security Manager
Symptoms:
HTTP requests are truncated at the cookie and raise a violation.
Conditions:
-- Cookie list contains TS cookie
-- A cookie contains a space in the name
-- TS cookie stripping is enabled (db asm.strip_asm_cookies is set to true)
Impact:
Backend server does not receive a complete cookie.
Workaround:
Set the sys db variable asm.strip_asm_cookies to false.
1093973-8 : Tmm may core when BFD peers select a new active device.
Links to More Info: BT1093973
Component: TMOS
Symptoms:
Tmm cores.
Conditions:
-- BFD is in use
-- The active/owner BFD device changes
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1093717-5 : BGP4 SNMP traps are not working.
Links to More Info: BT1093717
Component: TMOS
Symptoms:
BGP4 SNMP traps are not working and returning snmpwalk result of "BGP4-MIB::bgp = No Such Object available on this agent at this OID" or similar errors for all OIDs under the .1.3.6.1.2.1.15 MIB.
Conditions:
--Perform any BGP related event and check for snmp traps.
--Run snmpwalk -Of -Os -v 2c -c <community_name> localhost .1.3.6.1.2.1.15
Impact:
No BGP monitoring.
Workaround:
None
1093553-5 : OSPF "default-information originate" injects a new link-state advertisement
Links to More Info: BT1093553
Component: TMOS
Symptoms:
When configured with "default-information originate", the BIG-IP system might inject a new 0.0.0.0 link-state advertisement when receiving a default route from an OSPF neighbor.
This results in two 0.0.0.0 link-state advertisements being advertised from the box.
Conditions:
"default-information originate" is configured.
Impact:
Duplicate link-state advertisements
Workaround:
None
1093545-5 : Attempts to create illegal virtual-server may lead to mcpd crash.
Links to More Info: BT1093545
Component: Local Traffic Manager
Symptoms:
Mcpd crashes after an attempt to create a virtual server with an incorrect or duplicate configuration.
Conditions:
-- One or more attempts to create a virtual server with an illegal configuration are performed (i.e. attempts to create a virtual server that shares a configuration with an existing virtual server or has an incorrect configuration)
Impact:
Mcpd crashes with __GI_abort. Traffic disrupted while mcpd restarts.
Workaround:
None
1093357-5 : PEM intra-session mirroring can lead to a crash
Links to More Info: BT1093357
Component: Policy Enforcement Manager
Symptoms:
TMM crashes while passing PEM traffic.
Conditions:
-- PEM mirroring enabled and passing traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1093313-1 : CLIENTSSL_CLIENTCERT iRule event is not triggered for TLS1.3 when the client sends an empty certificate response
Links to More Info: BT1093313
Component: TMOS
Symptoms:
When an SSL client connects to the BIG-IP system using TLS 1.3 and sends an empty certificate, the CLIENTSSL_CLIENTCERT iRule event is not triggered.
Conditions:
-- Virtual server configured on BIG-IP with SSL and iRule added
-- Client authentication for client certificates is set to "request"
-- iRule relying on CLIENTSSL_CLIENTCERT
-- A client connects to BIG-IP using the TLSv1.3 protocol without a certificate (empty certificate)
Impact:
CLIENTSSL_CLIENTCERT iRules aren't triggered.
Workaround:
None
1093061-1 : MCPD restart on secondary blade during hot-swap of another blade
Links to More Info: BT1093061
Component: Local Traffic Manager
Symptoms:
In rare instances, inserting a new blade into a VIPRION system can trigger a config error on another secondary blade due to attempting to delete the old blade's physical disk while it is still "in use":
err mcpd[7965]: 01070265:3: The physical disk (S3F3NX0J902788) cannot be deleted because it is in use by a disk bay (1).
err mcpd[7965]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070265:3: The physical disk (S3F3NX0J902788) cannot be deleted because
This causes MCPD to restart on the secondary blade due to the config error.
Conditions:
-- VIPRION system with at least 3 blades
-- Remove a blade and replace it with a different one
Impact:
-- MCPD restarts on the secondary blade other than the blade that was replaced.
The config error triggering this is due to an issue with the cluster syncing process between blades; however, the config issue is temporary, and should be resolved after mcpd restarts on the secondary blade.
Workaround:
None
1092965-1 : Disabled "Illegal Base64 value" violation is detected for a staged base64 parameter with an attack signature in the value
Component: Application Security Manager
Symptoms:
An "Illegal Base64 value" violation will be reported for a staged parameter even though Alarm/Blocking/Learning is disabled for this violation.
Conditions:
- A parameter is set to staging mode with base64 decoding.
- The Alarm/Blocking/Learning flags are disabled for the violation "Illegal Base64 value".
- The incoming request contains the defined parameter in the query string (QS) with an attack signature that is not base64 encoded in the parameter value.
Impact:
The violation "Illegal Base64 value" is reported.
Workaround:
None
1091969-4 : iRule 'virtual' command does not work for connections over virtual-wire.
Links to More Info: BT1091969
Component: Local Traffic Manager
Symptoms:
iRule 'virtual' command does not work for connections over virtual-wire.
Conditions:
- Connection over a virtual-wire.
- Redirecting traffic to another virtual-server (for example, using an iRule 'virtual' command)
Impact:
Connection stalls on the first virtual-server and never completes.
1091785-1 : DBDaemon restarts unexpectedly and/or fails to restart under heavy load
Links to More Info: BT1091785
Component: Local Traffic Manager
Symptoms:
While under heavy load, the Database monitor daemon (DBDaemon) may:
- Restart for no apparent reason
- Restart repeatedly in rapid succession
- Log the following error while attempting to restart:
java.net.BindException: Address already in use (Bind failed)
- Fail to start (remain down) after several attempts, leaving database monitors disabled and marking monitored resources Down.
Conditions:
- One or more active GTM and/or LTM database monitors are configured with short probe-timeout, interval and timeout values (for example, 2, 5, or 16 respectively).
- A large number (for example, 2,000) of GTM and/or LTM database monitor instances (combinations of above monitor and pool member) are configured.
- Active GTM and/or LTM database monitors are configured with debug yes and/or count 0.
Impact:
The DBDaemon restarts for no apparent reason.
The DBDaemon fails to start (remain down) after several attempts, leaving database monitors disabled and marking monitored resources Down.
Workaround:
The conditions that are suspected to cause these symptoms include effects of ID1025089. Measures to prevent or reduce occurrences of ID1025089 (by reducing database monitor workload) will likely also prevent or reduce occurrences of these symptoms.
If the DBDaemon fails to restart, the following steps may allow DBDaemon to restart successfully upon the next database monitor probe:
-- Check for a running instance of DBDaemon with the following command:
ps ax | grep -v grep | grep DBDaemon
-- If DBDaemon is running, this command will return a set of parameters including the numerical process ID (PID) at the beginning of the line and a command line that begins with "/usr/lib/jvm/jre/bin/java" and includes the parameter "com.f5.eav.DBDaemon", such as:
24943 ? Ssl 46:49 /usr/lib/jvm/jre/bin/java -cp /usr/lib/jvm/jre/lib/rt.jar:/usr/lib/jvm/jre/lib/charsets.jar:/usr/share/monitors/postgresql-jdbc.jar:/usr/share/monitors/DB_monitor.jar:/usr/share/monitors/log4j.jar:/usr/share/monitors/mssql-jdbc.jar:/usr/share/monitors/mysql-connector-java.jar:/usr/share/monitors/ojdbc6.jar -Xmx512m -Xms64m -XX:-UseLargePages -DLogFilePath=/var/log/DBDaemon-0.log com.f5.eav.DBDaemon 1521 24943 0
-- If a running DBDaemon process is identified, use the "kill" command to terminate the running DBDaemon process:
kill #
(where # is the DBDaemon PID from the above "ps" command)
-- Repeat the above "ps" command to confirm that the DBDaemon process has been terminated. If a new DBDaemon process has not been started (with a different PID), proceed to the next steps.
-- Check the /var/run directory for the presence of any files with names beginning with "DBDaemon", such as:
/var/run/DBDaemon-0.lock
/var/run/DBDaemon-0.pid
/var/run/DBDaemon-0.start.lock
Note: The numeric value in the above example filenames corresponds to the Route Domain of pool members monitored by database monitors. If the database monitors are only applied to pool members in the default route domain (RD 0), that value will be "0" as seen above. If database monitors are applied to pool members in a non-default route domain (RD 7, for example), the numeric value will correspond to that route domain, such as:
/var/run/DBDaemon-7.lock
/var/run/DBDaemon-7.pid
/var/run/DBDaemon-7.start.lock
-- If no DBDaemon process is running, delete any /var/run/DBDaemon* files. It is especially important to delete:
/var/run/DBDaemon-#.start.lock (indicates DBDaemon restart is in progress and that no further restart actions should be attempted)
/var/run/DBDaemon-#.pid (indicates current DBDaemon PID)
-- If the above actions do not result in DBDaemon restarting upon the next database monitor ping, then a complete BIG-IP restart will likely be required to recover from unknown conditions within the Java subsystem that may prevent successful DBDaemon operation:
bigstart restart
or:
reboot
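The recovery checks above (is a DBDaemon process running, and are there leftover /var/run/DBDaemon-* state files?) codified as an added example; this is not F5's own code. The functions read a "ps ax" listing on stdin and take the run directory as an argument so they can be exercised against constructed data; on a BIG-IP you would feed them the real ps output and /var/run.

```shell
#!/bin/sh
# Added example, not F5 code: classify DBDaemon state for the recovery steps above.
# Terminating a running process and deleting state files stay manual actions;
# this only reports what the procedure would call for.

# PIDs of running DBDaemon JVMs (first column of "ps ax" output), one per line.
# The ps listing is read from stdin; grep's own process line is filtered out.
dbdaemon_pids() {
    grep 'com\.f5\.eav\.DBDaemon' | grep -v 'grep' | awk '{ print $1 }'
}

# Route domain numbers that have DBDaemon-<rd>.{lock,pid,start.lock} files in $1.
dbdaemon_state_rds() {
    ls "$1" 2>/dev/null | sed -n 's/^DBDaemon-\([0-9][0-9]*\)\..*/\1/p' | sort -u
}

# Verdict: "running <pids>" (a process exists; stop here), "stale <rds>" (no
# process, but state files remain and should be removed), or "clean".
# $1 is the run directory (/var/run on a BIG-IP); the ps listing is on stdin.
dbdaemon_verdict() {
    pids=$(dbdaemon_pids | tr '\n' ' ')
    if [ -n "${pids% }" ]; then
        echo "running ${pids% }"
        return 0
    fi
    rds=$(dbdaemon_state_rds "$1" | tr '\n' ' ')
    if [ -n "${rds% }" ]; then
        echo "stale ${rds% }"
        return 0
    fi
    echo clean
}

# Constructed sample ps listings for an offline run (the java line is shortened
# from the one shown in the workaround; the grep line mimics "ps ax | grep").
SAMPLE_PS_RUNNING='24943 ?     Ssl   46:49 /usr/lib/jvm/jre/bin/java -cp /usr/share/monitors/DB_monitor.jar -DLogFilePath=/var/log/DBDaemon-0.log com.f5.eav.DBDaemon 1521 24943 0
 1234 pts/0  S+     0:00 grep DBDaemon'
SAMPLE_PS_NONE=' 1234 pts/0  S+     0:00 grep DBDaemon'

# Walk the three states against a temporary directory standing in for /var/run.
demo() {
    d=$(mktemp -d)
    : > "$d/DBDaemon-0.lock"; : > "$d/DBDaemon-0.pid"; : > "$d/DBDaemon-7.start.lock"
    printf '%s\n' "$SAMPLE_PS_RUNNING" | dbdaemon_verdict "$d"   # running 24943
    printf '%s\n' "$SAMPLE_PS_NONE"    | dbdaemon_verdict "$d"   # stale 0 7
    rm -f "$d"/DBDaemon-*
    printf '%s\n' "$SAMPLE_PS_NONE"    | dbdaemon_verdict "$d"   # clean
    rmdir "$d"
}

demo
```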
1091725-5 : Memory leak in IPsec
Links to More Info: BT1091725
Component: TMOS
Symptoms:
Slow memory growth of tmm over time.
This leak affects both the active and standby BIG-IPs.
Conditions:
IPsec is in use.
Security associations are being created or recreated.
Impact:
Over time, tmm may exhaust its memory causing a tmm crash.
1091565-2 : Gy CCR AVP:Requested-Service-Unit is misformatted/NULL
Links to More Info: BT1091565
Component: Policy Enforcement Manager
Symptoms:
A Diameter protocol warning is observed when the Requested-Service-Unit (RSU) is empty for CCR-I and CCR-U requests.
Conditions:
If the 'Initial Quota' is EMPTY in the policy under Policy Enforcement ›› Rating Groups, the BIG-IP system reports empty data in the Requested-Service-Unit AVP.
Impact:
In Wireshark, a protocol warning occurs.
Workaround:
None
1091509-4 : SAML Artifact resolution service fails to resolve artifacts on same IP after reboot
Links to More Info: BT1091509
Component: Access Policy Manager
Symptoms:
Unable to authenticate; the following error messages appear in the APM log:
<DATE> <HOSTNAME> err apmd[13026]: 0149021a:3: /Common/SPTesting_ap:Common:524ba34e: SAML Agent: /Common/SPTesting_ap_act_saml_auth_ag failed to process SAML artifact, error: Failed to resolve Artifact
<DATE> <HOSTNAME> err apmd[13026]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "sendSAMLArtifactResolveRq()" line: 6328 Msg: Failed to connect to artifact resolution service. Error (56): Failure when receiving data from the peer
<DATE> <HOSTNAME> err apmd[13026]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "resolveSAMLArtifact()" line: 6380 Msg: Error resolving artifact
Conditions:
- APM as SP with Artifact Resolution
- ARS service uses internal IP
- Configured serverssl profile for Artifact Resolution Service in IDP connector
Impact:
ARS will fail to resolve and users will not be able to authenticate.
Workaround:
Disable the 'serverssl-profile-name' in the IDP connector configuration.
1091021-1 : The BIG-IP system may take no fail-safe action when the bigd daemon becomes unresponsive.
Links to More Info: BT1091021
Component: Local Traffic Manager
Symptoms:
You may observe LTM monitors are malfunctioning on your system. For instance, you may notice some probes are not sent out on the network, and some monitored objects are showing the wrong status.
Conditions:
-- The bigd daemon consists of multiple processes (which you can determine by running "ps aux | grep bigd").
-- One or more of the processes (but not all of them) becomes disrupted for some reason, and stops serving heartbeats to the sod daemon.
Under these conditions, sod will not take any fail-safe action and the affected bigd processes will continue running impaired, potentially indefinitely.
Impact:
LTM monitoring is impacted.
Workaround:
If you have determined, or if you suspect, this issue is present on your system, you can resolve it by killing all bigd processes using the following command:
pgrep -f 'bigd\.[0-9]+' | xargs kill -9
However, this does not prevent the issue from manifesting again in the future if the cause for bigd's disruption occurs again.
Monitoring may become further disrupted as bigd restarts, and a failover may occur depending on your specific configuration.
1090441-4 : IKEv2: Add algorithm info to SK_ logging
Links to More Info: BT1090441
Component: TMOS
Symptoms:
Shared key logs do not contain the authentication and encryption algorithm names.
Conditions:
When the sys-db variable "ipsec.debug.logsk" is enabled, the shared keys are logged for debugging purposes, but the log entries do not contain the algorithm names.
Impact:
The encryption algorithm name is not included in the logs.
Workaround:
None
1090313-4 : Virtual server may remain in hardware SYN cookie mode longer than expected
Links to More Info: BT1090313
Component: TMOS
Symptoms:
A virtual server may remain in hardware SYN cookie mode longer than expected after the SYN flood attack has stopped. The TMSH 'show ltm virtual' command shows that the virtual server has already exited SYN cookie mode, but SYN packets are still answered from hardware for a few minutes longer.
Conditions:
The problem is a result of a race condition in TMM, so the issue might show up intermittently.
Impact:
Discrepancy between the actual SYN Cookie mode and the reported SYN Cookie mode for a short period of time after a SYN flood attack.
Workaround:
Disable hardware SYN Cookie mode.
1089853-1 : "Virtual Server" or "Bot Defense Profile" links in Request Details are not working
Component: Application Security Manager
Symptoms:
Nothing happens when you click the link for "Virtual Server" or "Bot Defense Profile" in request details on the "Security ›› Event Logs : Bot Defense : Bot Requests" page.
Conditions:
1. Go to the "Security ›› Event Logs : Bot Defense : Bot Requests" page and click a Bot Request for details.
2. If "Virtual Server" or "Bot Defense Profile" has a hyperlink, the link does not work.
Impact:
You cannot reach the related pages for Virtual Server or Bot Profile details.
Workaround:
Right-click one of the links above - and choose to open it in a new tab or new window.
1089829-4 : PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers
Links to More Info: BT1089829
Component: Policy Enforcement Manager
Symptoms:
SIGSEGV tmm cores with back trace in PEM area.
"pem_sessiondump --list" command will show session with custom attribute name as empty/NULL.
Conditions:
Setting a PEM session custom attribute value whose length is more than (1024 - attribute name length).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
In the iRule, make sure the custom attribute value size + custom attribute name length is not more than 1024.
1089101-3 : Apply Access Policy notification in UI after auto discovery
Links to More Info: BT1089101
Component: Access Policy Manager
Symptoms:
The "apply access policy" notification pops up in the GUI.
Conditions:
1. OAuth auto discovery is enabled for OAuth provider
2. The relevant access policy has macros in it.
Impact:
Traffic may fail until "apply access policy" is clicked manually
Workaround:
Access policy can be modified to not have macros in it.
1089005-5 : Dynamic routes might be missing in the kernel on secondary blades.
Links to More Info: BT1089005
Component: TMOS
Symptoms:
Dynamic routes might be missing in the kernel on secondary blades.
Conditions:
- Long VLAN names (16+ characters).
- MCPD unable to load configuration from binary database (software update/forceload was performed).
Impact:
Kernel routes are missing on secondary blades.
Workaround:
Restart tmrouted on the affected secondary blade. Note that this will also briefly affect TMM dynamic routes.
bigstart restart tmrouted
1088597-1 : TCP keepalive timer can be immediately re-scheduled in rare circumstances
Links to More Info: BT1088597
Component: Local Traffic Manager
Symptoms:
In rare circumstances, the TCP timer is rescheduled immediately because the interval used also encompasses the idle_timeout.
Conditions:
Virtual Server with:
- TCP Profile
- SSL Profile with alert timeout configured
Another way this can occur is by manually deleting connections, which effectively only sets the idle timeout to 0.
Impact:
High CPU utilization potentially leading to reduced performance.
Workaround:
Not re-enabling the alert timeout in the SSL profile should be sufficient.
1088429-5 : Kernel slab memory leak
Links to More Info: BT1088429
Component: TMOS
Symptoms:
The Linux kernel unreclaimable slab leaks kmalloc-64 (64 byte) allocations due to an issue with ext4 filesystem code.
The kmalloc-64 leaks occur when specific operations are executed on ext4 filesystems, such as copy of file with extended attribute preservation.
Red Hat has documented the issue; refer to the links below.
Note: A Red Hat account with appropriate access is required to view these pages.
Posix ACL object is leaked in setattr and fsetxattr syscalls
https://access.redhat.com/solutions/4967981
This issue is tracked by Red Hat as bug 1543020
https://bugzilla.redhat.com/show_bug.cgi?id=1543020
Conditions:
This usually happens at a small rate, such as 100MB over a year on most systems.
On some systems memory use can grow much faster; the precise file manipulations that cause this are not known at this time.
Impact:
Kernel unreclaimable slab memory grows over time. This is growth of what F5 terms host memory, and it appears as increased "other" and/or swap memory on memory graphs.
Usually the amount leaked is quite small and has no impact.
If large enough this may leave system with too little host memory and trigger typical out of memory symptoms such as:
- sluggish management by TMUI (GUI) and CLI shell
- possible invocation of oom-killer by kernel leading to termination of a process
- if severe, the system may thrash and become unstable, leading to cores and possibly a reboot.
The amount of slab usage can be tracked with the following commands executed from the advanced shell (bash).
# cat /proc/meminfo | grep ^SUnreclaim
SUnreclaim: 46364 kB
The precise use of slab memory by component can be viewed using:
/bin/slabtop --once
Note: This includes both reclaimable and unreclaimable slab use. High reclaimable slab is usually not a concern because as host memory gets filled it can be freed (reclaimed).
Look for the amount of memory in use by kmalloc-64. There will be some use even without the leak documented here. The amount can be compared with free or easily freeable host memory, a good estimate of which is given by the following command:
# cat /proc/meminfo | grep ^MemAvailable
MemAvailable: 970852 kB
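The two checks above (SUnreclaim against MemAvailable, and growth over time) as an added example; this is not F5's own code. The functions take a meminfo file as an argument so they can be run against constructed snapshots; on a BIG-IP you would point them at /proc/meminfo and a saved baseline copy. The 25 percent threshold is an assumed tuning knob, not an F5 recommendation.

```shell
#!/bin/sh
# Added example, not F5 code: track unreclaimable slab from /proc/meminfo-style files.

# Print the kB value of one /proc/meminfo field, e.g. meminfo_kb SUnreclaim /proc/meminfo
meminfo_kb() {
    awk -v key="$1:" '$1 == key { print $2; exit }' "$2"
}

# Compare SUnreclaim with MemAvailable in file $1. Prints "ok ..." (exit 0) or
# "warn ..." (exit 1) when unreclaimable slab reaches $2 percent of MemAvailable
# (assumed default 25); exit 2 if the fields are missing.
slab_check() {
    file="$1"; threshold="${2:-25}"
    sun=$(meminfo_kb SUnreclaim "$file")
    avail=$(meminfo_kb MemAvailable "$file")
    if [ -z "$sun" ] || [ -z "$avail" ] || [ "$avail" -le 0 ]; then
        echo "error missing fields in $file"
        return 2
    fi
    pct=$(( sun * 100 / avail ))
    if [ "$pct" -ge "$threshold" ]; then
        echo "warn SUnreclaim=${sun}kB MemAvailable=${avail}kB pct=${pct}"
        return 1
    fi
    echo "ok SUnreclaim=${sun}kB MemAvailable=${avail}kB pct=${pct}"
}

# Growth of SUnreclaim in kB between a baseline snapshot ($1) and a later one ($2).
# A steadily positive value across snapshots is the signature of the leak above.
slab_growth_kb() {
    base=$(meminfo_kb SUnreclaim "$1")
    now=$(meminfo_kb SUnreclaim "$2")
    echo $(( now - base ))
}

# Constructed samples: a healthy baseline (numbers taken from the output shown
# above where available) and a later snapshot with made-up leaked growth.
write_samples() {
    cat > "$1/meminfo.base" <<'EOF'
MemTotal:        8010460 kB
MemFree:          512000 kB
MemAvailable:     970852 kB
Slab:             120000 kB
SReclaimable:      73636 kB
SUnreclaim:        46364 kB
EOF
    cat > "$1/meminfo.now" <<'EOF'
MemTotal:        8010460 kB
MemFree:          201000 kB
MemAvailable:     300000 kB
Slab:             480000 kB
SReclaimable:      80000 kB
SUnreclaim:       400000 kB
EOF
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    slab_check "$d/meminfo.base" || :      # ok ... pct=4
    slab_check "$d/meminfo.now" || :       # warn ... pct=133
    echo "growth: $(slab_growth_kb "$d/meminfo.base" "$d/meminfo.now") kB"   # 353636
    rm -rf "$d"
}

demo
```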
Workaround:
None
1088389-3 : Admin should be able to define the AD Query/LDAP Query page size globally
Links to More Info: BT1088389
Component: Access Policy Manager
Symptoms:
The page size is a fixed value in LDAP and AD queries.
Earlier the value was 1000 and it was later increased to 2048; after the increase, sessions fail because the AD servers are configured with a lower value.
A configurable page size is required.
Conditions:
Because the current page size is 2048, an AD Query/LDAP Query using that value may have problems with an AD server whose configured/supported value is 1000, which is lower than 2048.
Impact:
AD/LDAP may fail due to the page-size issue.
Workaround:
None
1088173-3 : With TLS 1.3, the client certificate is stored after the handshake even if the retain-certificate parameter is disabled in the SSL profile
Links to More Info: BT1088173
Component: Local Traffic Manager
Symptoms:
Log files indicate that the client certificate is retained when it should not be.
Conditions:
TLS 1.3 is enabled and the retain-certificate parameter is disabled in the SSL profile.
Impact:
Storage of client certificates will increase memory utilization.
Workaround:
None
1088037-2 : VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers
Links to More Info: BT1088037
Component: TMOS
Symptoms:
The VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers.
Use `tmsh list/modify net vlan vlan-XYZ dag-adjustment` to view or change the settings.
The recommended and default setting is xor-5mid-xor-5low.
Conditions:
- only even port numbers are used (usually by a Linux client)
Impact:
- only even TMM threads are processing traffic
Workaround:
None
1087569-5 : Changing the max header table size according to the HTTP2 profile value may cause the stream/connection to terminate
Links to More Info: BT1087569
Component: Local Traffic Manager
Symptoms:
BIG-IP initializes HEADER_TABLE_SIZE to the profile value, so when that value exceeds 4K (the RFC default), the receiver's header table size is still at the default value. Therefore, upon receiving header indexes that have already been evicted from its smaller table, the receiver sends GOAWAY (COMPRESSION_ERROR).
Conditions:
-- HTTP2 profile used in a virtual server
-- In the HTTP2 profile, 'Header Table Size' is set to a value greater than 4096
Impact:
Stream/connection is terminated with GOAWAY (COMPRESSION_ERROR)
Workaround:
The issue can be avoided by restoring the header-table-size value to the default of 4096.
1087469-3 : iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate.
Links to More Info: BT1087469
Component: Local Traffic Manager
Symptoms:
When an SSL client connects to the BIG-IP system and sends an empty certificate, the CLIENTSSL_CLIENTCERT event is not triggered for iRules.
Conditions:
- Virtual server configured on BIG-IP with a clientssl profile
- Client authentication on the virtual server is set to "request"
- iRule relying on CLIENTSSL_CLIENTCERT
- A client connects to BIG-IP using an empty certificate
Impact:
CLIENTSSL_CLIENTCERT iRules aren't triggered.
Workaround:
None
1087217-3 : TMM crash as part of the fix made for ID912209
Links to More Info: BT1087217
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
BIG-IP versions 16.1.0 or later, which include the fix for ID912209.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1087005-1 : Application charset may be ignored when using Bot Defense Browser Verification
Links to More Info: BT1087005
Component: Application Security Manager
Symptoms:
In some cases, when using Bot Defense Browser Verification, the application <meta charset> tag may be ignored.
Conditions:
-- Bot Defense Profile is attached to a virtual server.
-- Bot Defense "Browser Verification" is configured to "Verify Before Access" or "Verify After Access"
-- Backend application uses non-standard charset.
Impact:
Random meta characters are displayed in the web page.
Workaround:
Run the command:
tmsh modify sys db dosl7.parse_html_inject_tags value "after,body"
1086517-3 : TMM may not properly exit hardware SYN cookie mode
Links to More Info: BT1086517
Component: TMOS
Symptoms:
Due to a race condition, when one TMM exits SYN cookie mode, another may immediately re-enter hardware SYN cookie mode, keeping the virtual server in SYN cookie mode and the mitigation offloaded to hardware. The SYN cookie status of the virtual server is not properly updated and will show 'not-activated'.
Conditions:
Hardware SYN cookie protection is enabled and SYN cookie mode is triggered.
Impact:
A virtual server that once entered hardware SYN cookie mode may remain in that state indefinitely. The reduced MSS size may affect performance of that virtual server.
Workaround:
Disable hardware SYN cookie either locally via the TCP or FastL4 profile, or globally by the PvaSynCookies.Enabled BigDB variable. Software SYN cookie mode is unaffected.
1086473-4 : BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake
Links to More Info: BT1086473
Component: Local Traffic Manager
Symptoms:
When a client attempts to resume the TLS session using the Session-ID in its Client Hello from a previous session, the BIG-IP agrees by using the same Session-ID in its Server Hello, but then proceeds to perform a full handshake (Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done) instead of an abbreviated handshake (Server Hello, Change Cipher Spec, Server Hello Done).
This is a violation of the TLS RFC.
Conditions:
- High availability (HA) pair of two BIG-IP units.
- LTM virtual server with a client-ssl profile.
- Mirroring enabled on the virtual server
Impact:
Client-side TLS session resumption not working.
Workaround:
Disable mirroring on the virtual server
1086393-3 : Sint Maarten and Curacao are missing in the GTM region list
Links to More Info: BT1086393
Component: TMOS
Symptoms:
Sint Maarten and Curacao are missing in the GTM region list.
Conditions:
- Create a GTM region record.
- Create a GTM region of Country Sint Maarten or Curacao.
Impact:
Cannot select Sint Maarten and Curacao from the GTM country list.
Workaround:
None
1085837-3 : Virtual server may not exit from hardware SYN cookie mode
Links to More Info: BT1085837
Component: TMOS
Symptoms:
Once a virtual server enters hardware SYN cookie mode it may not exit until a TMM restart.
Conditions:
-- On B2250 and B4450 platforms.
-- A condition triggers SYN cookie mode and then goes back to normal.
Impact:
-- Virtual servers in hardware SYN cookie mode do not receive TCP SYN packets.
-- The limited number of possible TCP MSS values may have a light performance impact.
Workaround:
Disable hardware SYN cookie mode on the affected objects.
1085805-5 : UCS restore with SSL Orchestrator deployed fails due to multiple iFiles and incorrect iFile reference.
Component: TMOS
Symptoms:
The UCS restore process with SSL Orchestrator deployment fails due to multiple iFiles. This happens because the UCS restore process does not clean up the existing iFile belonging to SSL Orchestrator. On restore, the BIG-IP system contains two iFiles, one created as a part of the UCS and the other existing iFile belonging to SSL Orchestrator.
Additionally, the path in the rest storage referencing the iFile object does not get updated.
In the bigip.conf, the iFile version does not point to the iFile that is restored as part of the UCS restore process.
To check the reference in restDB, use the following: https://<<MGMT-IP>>/mgmt/tm/sys/file/ifile/~Common~ssloF_global.app~SSL OrchestratoriFile?options=-hidden
A new bug was created (https://bugzilla.olympus.f5net.com/show_bug.cgi?id=1185001) for the iFile reference issue in the bigip.conf file; that issue is caused by the save sys config call triggered from the SSL Orchestrator code base.
Conditions:
-- UCS contains SSL Orchestrator deployment
-- iFile version number in the UCS and on the BIG-IP before restoring the UCS is different.
-- Multiple iFiles belonging to SSL Orchestrator exist after restore. This can be verified by executing the following command on the box:
ll /config/filestore/files_d/Common_d/ifile_d/ | grep SSL Orchestrator
Impact:
-- Error in the SSL Orchestrator UI.
-- You are unable to make changes through the SSL Orchestrator UI.
Workaround:
Mitigation depends on the user state.
State 1: you know that a restore will cause multiple iFiles to be created.
Before restoring the UCS file, perform the following steps:
a) Delete the iFile object using the following command. Do not create any configuration using the SSL Orchestrator UI after deleting the iFile.
tmsh delete sys application service ssloF_global.app/ssloF_global
b) Restore the UCS.
State 2: you have already tried the UCS restore and the system is in an error state.
a) When the UCS restore has left the system in an error state, use the following command to verify that there are multiple iFiles:
ll /config/filestore/files_d/Common_d/ifile_d/ | grep SSL Orchestrator
b) Use the following commands to delete the multiple iFiles:
tmsh delete sys application service ssloF_global.app/ssloF_global
rm -fr /config/filestore/files_d/Common_d/ifile_d/\:Common\:ssloF_global.app\:SSL OrchestratoriFile_*
c) Restore the UCS.
1085661-2 : Standby system saves config and changes status after sync from peer
Links to More Info: BT1085661
Component: Application Security Manager
Symptoms:
After running config sync from an Active to a Standby device, the sync status is In Sync for a short period of time.
After a while, it automatically changes to Changes Pending status.
The same symptom was reported in ID698757 and fixed in earlier versions, but it can also occur in a different scenario.
Conditions:
Create an ASM policy and let the system determine the language encoding from traffic.
Impact:
The high availability (HA) configuration goes out of SYNC.
Workaround:
To prevent the issue from happening, you can manually configure the language encoding.
1085597-2 : IKEv1 IPsec peer cannot be created in config utility (web UI)
Links to More Info: BT1085597
Component: TMOS
Symptoms:
It is not possible to configure an IKE peer using the web UI.
Conditions:
-- Configuring an IKEv1 peer
-- Using the configuration utility (web UI)
Impact:
Configuration cannot be created.
Workaround:
Use the tmsh shell to create the ike-peer config.
1084965-4 : Low visibility of attack vector
Links to More Info: BT1084965
Component: Local Traffic Manager
Symptoms:
The DoS vector FIN 'Only Set' is not triggered, causing a lack of visibility of the attack vector.
Conditions:
-- Using BIG-IP Virtual Edition
Impact:
There is reduced visibility of possible attacks on the BIG-IP.
Workaround:
Check 'drop_inv_pkt' with the tmctl table, "tmm/ndal_rx_stats".
1084901-2 : Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh
Links to More Info: BT1084901
Component: Advanced Firewall Manager
Symptoms:
You are unable to modify IPv6 + route domain entries for Network Firewall Rule Lists using the GUI.
Conditions:
-- AFM is provisioned
-- IPv6 with route domain is being used in an address list
Impact:
Unable to create/manage Firewall rule lists for IPv6 with a route domain.
Workaround:
Use tmsh to create/manage firewall rule lists for IPv6 with a route domain.
1084857-1 : ASM::support_id iRule command does not display the 20th digit
Links to More Info: BT1084857
Component: Application Security Manager
Symptoms:
ASM::support_id iRule command does not display the 20th digit.
A support ID seen in REST/TMUI that has 20 digits, e.g., 13412620314886537617, is displayed as 1341262031488653761 by the iRule command (the last digit '7' is stripped).
Conditions:
ASM::support_id iRule command
Impact:
Inability to trace request events using the support ID.
1083913-5 : Missing error check in ICAP handling
Links to More Info: BT1083913
Component: Application Security Manager
Symptoms:
bd crashes.
Conditions:
An ASM policy is configured for ICAP integration.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
1083621-5 : The virtio driver uses an incorrect packet length
Links to More Info: BT1083621
Component: Local Traffic Manager
Symptoms:
In some cases, tmm might drop network packets.
In rare circumstances, this might trigger tmm to crash.
Conditions:
BIG-IP Virtual Edition using the virtio driver. You can see this in /var/log/tmm ("indir" is zero):
notice virtio[0:5.0]: cso: 1 tso: 0 lro: 1 mrg: 1 event: 0 indir: 0 mq: 0 s: 1
Impact:
Tmm might drop packets.
In rare circumstances, this might trigger tmm to crash. Traffic disrupted while tmm restarts.
Workaround:
None
1083589-4 : Some connections are dropped on chained IPv6 to IPv4 virtual servers.
Links to More Info: BT1083589
Component: Local Traffic Manager
Symptoms:
IPv6 virtual servers targeting IPv4 virtual servers (for example, using the 'virtual' iRule command) might drop traffic coming from some clients unexpectedly.
Note: See also ID1002945 (https://cdn.f5.com/product/bugtracker/ID1002945.html), which is a closely related issue.
Conditions:
- IPv6 to IPv4 virtual server chaining.
Impact:
Traffic is dropped.
Workaround:
Apply a SNAT with an IPv4 address to the IPv6 virtual server.
1083513-3 : BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd
Links to More Info: BT1083513
Component: Application Security Manager
Symptoms:
"Challenge Failure Reason" field in a request event log shows N/A.
Conditions:
The db key has not been changed manually on the system.
Impact:
"Challenge Failure Reason" field is disabled.
Workaround:
Disable the key and re-enable, then save.
tmsh modify sys db botdefense.disable_challenge_failure_reporting value disable
tmsh modify sys db botdefense.disable_challenge_failure_reporting value enable
tmsh save sys config
1082581-3 : Apmd sees large memory growth due to CRLDP Cache handling
Component: Access Policy Manager
Symptoms:
Apmd memory keeps growing slowly over time until the OOM killer eventually terminates apmd.
Conditions:
Access policy has the crldp auth agent configured.
Impact:
Apmd is killed by the OOM killer, which impacts traffic.
Workaround:
None
1082193-4 : TMSH: Need to update the version info for SERVER_INIT in help page
Links to More Info: BT1082193
Component: TMOS
Symptoms:
The SERVER_INIT iRule event was introduced in version 14.0.0, but the tmsh help shows it as version 13.1.0.
Conditions:
-- Using tmsh to configure an iRule event
-- The BIG-IP version is 13.1.0 and you use tab complete for 'tmsh help ltm rule event SERVER_INIT'
Impact:
The tmsh help makes it appear as if SERVER_INIT is supported in version 13.1.0 when it is not.
Workaround:
None
1081649-3 : Remove the "F5 iApps and Resources" link from the iApps->Package Management
Links to More Info: BT1081649
Component: TMOS
Symptoms:
The "F5 iApps and Resources" link is being removed.
Conditions:
N/A
Impact:
The iApp page shows "F5".
Workaround:
None
1081641-5 : Remove Hyperlink to Legal Statement from Login Page
Links to More Info: BT1081641
Component: TMOS
Symptoms:
The hyperlink to the legal statement should be removed from the login page.
Conditions:
This appears on the login page of OEM-branded BIG-IP systems.
Impact:
The OEM GUI shows the F5 logo/info.
Workaround:
None
1080957-5 : TMM Seg fault while Offloading virtual server DOS attack to HW
Links to More Info: BT1080957
Component: Advanced Firewall Manager
Symptoms:
TMM crashes during virtual server DOS attack scenarios.
Conditions:
-- HSB-equipped hardware platforms.
-- An attack is detected on a configured virtual server DoS vector and the system attempts to offload it to hardware.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1080925-4 : Changed 'ssh-session-limit' value is not reflected after restarting mcpd
Links to More Info: BT1080925
Component: TMOS
Symptoms:
Change the 'ssh-session-limit' field from 'disabled' to 'enabled' and save the config. Restart mcpd and check the value of the 'ssh-session-limit' field: it still appears as 'disabled'.
Conditions:
The issue occurs when MCPD restores the configuration from its binary database file.
Impact:
Enabling and disabling "ssh-session-limit" will have an undesirable effect when creating ssh sessions, and you will not be able to edit the field.
Workaround:
None
1080613-4 : LU configurations revert to default and installations roll back to genesis files★
Links to More Info: BT1080613
Component: Application Security Manager
Symptoms:
The LiveUpdate configurations, such as 'Installation of Automatically Downloaded Updates', and the update installation history disappear and revert to default, and the installations roll back to genesis files.
Conditions:
This occurs during the first tomcat restart, after upgrading to the versions that have the fix for ID907025.
Impact:
The LiveUpdate configuration and the installation history are reverted to the default.
Workaround:
See https://support.f5.com/csp/article/K53970412.
1080569-3 : BIG-IP prematurely closes clientside HTTP1.1 connection when serverside is HTTP2 and HTTP MRF router is enabled on virtual server
Component: Local Traffic Manager
Symptoms:
When the clientside uses HTTP1.1, the serverside uses HTTP2, and the client sends two HTTP GET requests, the BIG-IP completes the first HTTP transaction and sends a FIN, even though HTTP keepalive should be in effect.
Conditions:
-- HTTP2 full proxy is configured, i.e., an HTTP profile, an HTTP2 profile, and the MRF router are enabled, as described in https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-http2-full-proxy-configuration-14-1-0/http2-full-proxy-configuring.html
-- The clientside uses HTTP1.1.
-- The serverside uses HTTP2.
-- Two subsequent GET requests are sent by the client.
Impact:
Premature TCP connection termination on the clientside.
Workaround:
Disable the MRF router (httprouter).
The drawback is that the serverside then always uses HTTP1.1, which might be undesirable if you want to leverage HTTP2.
1080297-5 : ZebOS does not show 'log syslog' in the running configuration, or store it in the startup configuration
Links to More Info: BT1080297
Component: TMOS
Symptoms:
ZebOS does not show the 'log syslog' or 'no log syslog' in the running configuration, nor is it saved to the startup configuration.
There is no way to verify if the 'log syslog' is configured or not by checking the configuration.
Conditions:
-- Configure 'log syslog'.
-- Check 'show running-config'.
Impact:
There is no way to verify if the 'log syslog' is configured or not by checking the configuration.
Workaround:
If logging to syslog is not desired, it must be re-disabled every time the ZebOS daemons are started, using 'no log syslog'.
1079985-2 : int_drops_rate shows an incorrect value
Links to More Info: BT1079985
Component: Advanced Firewall Manager
Symptoms:
int_drops_rate shows an incorrect value: it reports a cumulative value instead of an average, the same as int_drops and syncookies.hw_syncookies.
Conditions:
A tcp-halfOpen attack or similar SYN attack where SYNs are flooded into the BIG-IP system.
Impact:
It is difficult to determine the drop rate per second.
Workaround:
None
1079705-5 : Restjavad may restart repeatedly if sys db provision.extramb is high
Links to More Info: BT1079705
Component: TMOS
Symptoms:
Restjavad restarts repeatedly when it has been configured with a near-maximal heap size by using the system database variables restjavad.useextramb and provision.extramb.
Conditions:
-- Affected versions have the fix for ID 776393 (https://cdn.f5.com/product/bugtracker/ID776393.html).
-- Affected versions do not have the fix for ID 943653 (https://cdn.f5.com/product/bugtracker/ID943653.html).
-- The value of sys db restjavad.useextramb is true.
-- The value of sys db provision.extramb is higher than approximately 2450MB (slightly lower values could possibly be affected, but 2260MB and below is safe).
-- Systems with higher numbers of CPU cores (8 and above) are more likely to be affected.
Impact:
Restjavad restarts and REST API may be unavailable.
Workaround:
Lower sys db provision.extramb to a value of 2260 MB.
tmsh modify sys db provision.extramb value 2260
Note: this is service affecting and must be carried out in turn on each member of a device service cluster.
Note: this is likely to reduce the host memory available; if that is left too low, the likelihood of system issues increases. If in any doubt, use a fixed version.
1079441-4 : APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries
Links to More Info: BT1079441
Component: Access Policy Manager
Symptoms:
APMD memory can grow over a period of time.
Conditions:
-- A BIG-IP system with the patched cyrus-sasl/krb5 libraries
Impact:
APMD memory can grow over a period of time.
Workaround:
None
1078741-3 : Tmm crash
Links to More Info: BT1078741
Component: Local Traffic Manager
Symptoms:
Tmm crashes while processing an iRule while handling traffic.
Conditions:
-- HTTP virtual server
-- HTTP profile with explicit proxy having default-connect-handling allowed
-- iRule with SERVER_CONNECTED event
Impact:
Traffic disrupted while tmm restarts.
1078669-1 : iRule command "RESOLVER::name_lookup" returns null for TCP resolver with TC (truncated) flag set.
Links to More Info: BT1078669
Component: Global Traffic Manager (DNS)
Symptoms:
"RESOLVER::name_lookup" returns null for a TCP resolver with TC set.
Conditions:
The backend server returns a very large DNS response.
Impact:
The iRule command returns null when the response has the TC flag set.
Workaround:
N/A
1078065-1 : The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA.
Links to More Info: BT1078065
Component: Application Security Manager
Symptoms:
The login page shows a blocking page instead of CAPTCHA or shows the blocking page after resolving a CAPTCHA.
Make five failed login attempts (the number is configured in the brute force configuration) and you receive a blocking page.
Blocking Reason: Resource not qualified for injection.
Conditions:
The HTML response contains a page with a length greater than 32000 bytes.
Impact:
Users are blocked after failed login attempts.
Workaround:
Run tmsh modify sys db asm.cs_qualified_urls value <url value>.
1077789-5 : System might become unresponsive after upgrading.★
Links to More Info: BT1077789
Component: TMOS
Symptoms:
After upgrading, the system encounters numerous issues:
-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; only a small amount of memory is assigned to the 'host' category.
Conditions:
-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.
Exact conditions that trigger this issue are unknown and could be varied. In the environment in which it occurs, a datagroup is deleted, but an iRule still references it.
Impact:
-- System down, too busy to process traffic.
-- Difficulty logging in over SSH might require serial console access.
Workaround:
Reboot to an unaffected, pre-upgrade volume.
-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.
-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.
Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.
For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.
1077553-4 : Traffic matches the wrong virtual server after modifying the port matching configuration
Links to More Info: BT1077553
Component: Local Traffic Manager
Symptoms:
Traffic matches the wrong virtual server.
Conditions:
A virtual server configured to match any port is modified to match a specific port. Alternatively, a virtual server matching a specific port is modified to match any port.
Impact:
Traffic may be directed to the wrong backend server.
Workaround:
Restart the TMM after the config change.
1077533-4 : BIG-IP fails to restart services after mprov runs during boot.
Links to More Info: BT1077533
Component: TMOS
Symptoms:
Very occasionally, after mprov runs following a reboot, the BIG-IP may fail to start, with logs similar to the following:
bigip1 info mprov:7459:[7459]: 'admd failed to stop.'
bigip1 err mprov:7459:[7459]: 'admd failed to stop, provisioning may fail.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
...
bigip1 err mcpd[5584]: 01071392:3: Background command '/usr/bin/mprov.pl --quiet --commit asm avr host tmos ui ' failed. The command was signaled.
Conditions:
Occurs rarely after a reboot.
Impact:
The BIG-IP is unable to finish booting.
Workaround:
Reboot the BIG-IP again.
1077405-1 : Ephemeral pool members may not be created with autopopulate enabled.
Links to More Info: BT1077405
Component: TMOS
Symptoms:
Ephemeral pool members might not be added to a pool with an FQDN pool member "autopopulate enabled".
When this issue occurs:
-- Some or all of the expected Ephemeral Pool Members will not be created for the affected pool.
-- A message will be logged in the LTM log similar to the following:
err mcpd[####]: 01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (/Common/_auto_<IP address>) has autopopulate set to disabled.
(Note that the node name here is an Ephemeral Node.)
Also note that if you attempt to create an FQDN Pool Member with autopopulate enabled while the corresponding FQDN Node has autopopulate disabled, you will see a similar error message:
01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (/Common/fred) has autopopulate set to disabled.
Conditions:
This issue can occur under the following conditions:
-- Two or more FQDN Nodes have FQDN names that resolve to the same IP address(es).
-- That is, some Ephemeral Nodes have addresses resolved by more than one FQDN name defined in FQDN Nodes.
-- At least one of these FQDN Nodes has "autopopulate enabled."
-- At least one of these FQDN Nodes does not have "autopopulate enabled."
-- That is, autopopulate is disabled for one or more of these FQDN Nodes.
-- The FQDN Pool Member(s) in the affected pool(s) has "autopopulate enabled."
Impact:
The affected LTM pool(s) are not populated with expected (or any) ephemeral pool members.
Workaround:
To allow some LTM pools to use FQDN pool members with autopopulate enabled (allowing multiple ephemeral pool members to be created) while other LTM pools use FQDN pool members with autopopulate disabled (allowing only one ephemeral pool member to be created), configure the following:
-- Create all FQDN Nodes with FQDN names that might resolve to a common/overlapping set of IP addresses with "autopopulate enabled".
-- Create FQDN Pool Members with autopopulate enabled or disabled depending on the desired membership for each pool.
1077293-3 : APPIQ option still showing in BIG-IP GUI even though its functionality migrated to BIG-IQ.
Links to More Info: BT1077293
Component: TMOS
Symptoms:
AppIQ is still visible in the System :: Configuration screen.
Conditions:
Navigating to the System :: Configuration : AppIQ page.
Impact:
AppIQ appears to be provisionable, but it has been removed from the BIG-IP system.
Workaround:
N/A
1077281-1 : Import xml policy fails with "Malformed xml" error when session awareness configuration contains login pages
Links to More Info: BT1077281
Component: Application Security Manager
Symptoms:
When a policy contains an individual login page in session tracking, the exported XML policy fails to be imported back due to the error "Malformed XML: Could not resolve foreign key dependence".
Conditions:
The policy contains an individual login page in session tracking, and the policy is exported in XML format.
Impact:
Importing the policy fails with the error "Could not resolve foreign key dependence".
Workaround:
This occurs only when using the XML format, so you can use binary export/import instead.
1076909-5 : Syslog-ng truncates the hostname at the first period.
Links to More Info: BT1076909
Component: TMOS
Symptoms:
Messages that are logged to journald use the configured hostname, while syslog-ng uses the hostname (machine name) truncated at the first '.' (period). This results in inconsistent hostnames when the hostname contains a '.'; e.g., 'my.hostname' is logged as 'my' by syslog-ng and as 'my.hostname' by journald. This can make it difficult for log analysis tools to work with the log files.
Conditions:
-- Hostname contains a period.
-- Viewing log files emitted from journald and from syslog-ng.
Impact:
The full hostname is logged for system logs while logs that go directly to syslog-ng use a truncated hostname.
Workaround:
None
1076897-5 : OSPF default-information originate command options not working properly
Links to More Info: BT1076897
Component: TMOS
Symptoms:
OSPF default-information originate command options are not working properly.
Conditions:
Using OSPF default-information originate with metric/metric-type options.
Impact:
Incorrect route advertisement.
Workaround:
None
1076825-2 : "Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.
Links to More Info: BT1076825
Component: Application Security Manager
Symptoms:
"Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.
Conditions:
Upgrading to v16.1.x from earlier releases.
Impact:
Configuration of "Installation of Automatically Downloaded Updates" is lost and reverts to default.
Workaround:
Manually configure "Installation of Automatically Downloaded Updates" after the upgrade.
1076801-5 : Loaded system increases CPU usage when using CS features
Links to More Info: BT1076801
Component: TMOS
Symptoms:
When the BIG-IP system is under heavy load, datasyncd might create multiple java obfuscator processes running at the same time, which increases load even more.
Conditions:
-- CPU utilization on the BIG-IP system is high.
And one or more of the following conditions:
-- Bot Defense profile is attached to a virtual server
-- DoS profile with CS/Captcha mitigation is attached to the virtual server
-- ASM policy with brute force configuration is attached to the virtual server
Impact:
System load is increased.
Workaround:
None.
1076785-3 : Virtual server may not properly exit from hardware SYN Cookie mode
Links to More Info: BT1076785
Component: TMOS
Symptoms:
Virtual servers do not exit hardware SYN Cookie mode even after the SYN flood attack stops. The TMSH 'show ltm virtual' output shows 'full hardware' mode.
Conditions:
Selected HSB platforms where TMM is attached to multiple HSB modules. This depends on platform, BIG-IP version and selected Turboflex profile where applicable.
Impact:
The affected virtual server would not receive the TCP SYN packets until a TMM restart. The limited range of MSS values in SYN Cookie mode may slightly affect performance.
Workaround:
Disable hardware SYN Cookie mode on all virtual servers.
1076577-4 : iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg'
Links to More Info: BT1076577
Component: Local Traffic Manager
Symptoms:
The 'connect' iRule command fails to resume, causing traffic processing to halt. With 'irule_scope_msg' enabled, iRule processing proceeds in a way that 'connect' does not expect.
Conditions:
- iRule using 'connect' command
- Diameter/Generic-message 'irule_scope_msg' enabled
Impact:
Traffic processing halts (no crash).
1075905-4 : TCP connections may fail when hardware SYN Cookie is active
Links to More Info: BT1075905
Component: TMOS
Symptoms:
When an object is in hardware SYN Cookie mode, some of the valid connections are also rejected with "No flow found for ACK" reset cause.
Conditions:
VELOS and rSeries platforms.
Impact:
Service degradation.
Workaround:
Disable hardware SYN Cookie on all objects (virtual server, VLAN, etc.).
1073897-1 : TMM core due to memory corruption
Links to More Info: BT1073897
Component: Local Traffic Manager
Symptoms:
Tmm restarts.
Conditions:
Unknown
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1073677-2 : Add a db variable to enable answering DNS requests before reqInitState Ready
Links to More Info: BT1073677
Component: Global Traffic Manager (DNS)
Symptoms:
When a new GTM is added to the sync group, it takes a significant amount of time, and the newly added GTM does not become ready.
Conditions:
-- GTMs in a cluster with a large number of persist records
-- A new GTM device is added
Impact:
Clients of the BIG-IP GTM do not receive an answer, and application failures may occur.
Workaround:
None
1072377-2 : TMM crash in rare circumstances during route changes
Links to More Info: BT1072377
Component: Local Traffic Manager
Symptoms:
TMM might crash in rare circumstances when static/dynamic route changes.
Conditions:
Dynamic/static route changes.
Impact:
TMM can crash or core. Traffic processing stops during process restart.
Workaround:
None
1072165-5 : Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format
Links to More Info: BT1072165
Component: Application Security Manager
Symptoms:
The threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format.
Conditions:
ASM remote logging in ArcSight format.
Impact:
Due to the missing fields, the remote message does not include the name(s) of the threat campaign(s) that were detected.
Workaround:
Use another message format.
1070957-4 : Database monitor log file backups cannot be rotated normally.
Links to More Info: BT1070957
Component: Local Traffic Manager
Symptoms:
Debug log files used by the BIG-IP database monitor daemon (DBDaemon) do not exhibit the log-rotation behavior of other BIG-IP log files.
- The active DBDaemon log file is /var/log/DBDaemon-0.log
- DBDaemon log file size is limited to approximately 5MB. DBDaemon log files are backed up/rotated upon reaching this size.
- Exactly 9 (nine) DBDaemon log file backups are retained (/var/log/DBDaemon-0.log.[1-9])
- DBDaemon log file backups are not compressed.
- DBDaemon log file backup/rotation behavior is not user-configurable.
Conditions:
This issue applies when using BIG-IP database monitors:
-- mssql
-- mysql
-- oracle
-- postgresql
Impact:
-- DBDaemon log file backups may consume more space under /var/log than desired.
-- When troubleshooting database monitor issues, DBDaemon log file rotation may occur so rapidly that older DBDaemon events may be lost, limiting the ability to capture meaningful diagnostic data.
Workaround:
It may be possible to work around this issue by periodically archiving the DBDaemon log files, for example with a script whose core functionality is the following:
pushd /var/log;tar -czf DBDaemon_$(date +%Y%m%d%H%M).tgz DBDaemon-0.log*;popd
1070953-5 : Dnssec zone transfer could cause numerous gtm sync events.
Links to More Info: BT1070953
Component: Global Traffic Manager (DNS)
Symptoms:
A GTM syncs for zone transfers that happen on other GTMs.
Conditions:
A DNSSEC zone transfer to a client on a peer GTM in the same GTM sync group.
Impact:
Numerous GTM syncs and a possible sync storm.
Workaround:
N/A
1070833-3 : False positives on FileUpload parameters due to default signature scanning
Links to More Info: BT1070833
Component: Application Security Manager
Symptoms:
False positives on FileUpload parameters due to signature scanning being enabled by default.
Conditions:
A request containing binary content is sent in "FileUpload" type parameters.
Impact:
False positives and ineffective resource utilization.
Workaround:
Disable signature scanning on "FileUpload" parameters manually using GUI/REST.
1070789-1 : SSL fwd proxy invalidating certificate even though bundle has valid CA
Links to More Info: BT1070789
Component: Local Traffic Manager
Symptoms:
The BIG-IP system rejects SSL forward proxy connections due to expired CA certificates present in the ca-bundle, even though other, valid CA certificates exist.
Conditions:
-- Forward proxy is enabled in client and server SSL profiles.
-- A valid CA certificate is followed by an expired CA certificate in ca-bundle.
Impact:
SSL handshakes will fail.
Workaround:
Remove all invalid trusted (i.e., expired) certificates from the certificate chain and replace them with a valid trusted certificate.
1070737-3 : AFM does not detect NXDOMAIN attack at virtual context when DNS cache is activated.
Links to More Info: BT1070737
Component: Advanced Firewall Manager
Symptoms:
When the DNS cache is activated, the NXDOMAIN DoS vector does not increase for the virtual server context. As a result, an NXDOMAIN flood attack is never detected/mitigated at the virtual server context.
Note: this does not happen with other vectors, such as a DNS A query flood attack; only NXDOMAIN is affected.
Conditions:
The issue is only seen when the DNS cache is activated, and only for the NXDOMAIN DoS vector.
Impact:
An NXDOMAIN flood attack is never detected/mitigated at the virtual server context.
Workaround:
N/A
1069137-1 : Missing AWAF sync diagnostics
Links to More Info: BT1069137
Component: Application Security Manager
Symptoms:
Complex issues related to Policy Synchronization over Device Sync Groups are difficult to diagnose.
More detailed logging is needed if errors occur.
Conditions:
Device Group Sync is enabled.
Impact:
Root cause analysis is lengthy and difficult.
Workaround:
Enable debug logs in the environment:
> tmsh modify sys db log.asm.asmconfiglevel value debug
> tmsh modify sys db log.asm.asmconfigvent.level value debug
> tmsh modify sys db log.asm.asmconfigverbose.level value debug
1068673-4 : SSL forward Proxy triggers CLIENTSSL_DATA event on bypass.
Links to More Info: BT1068673
Component: Local Traffic Manager
Symptoms:
The CLIENTSSL_DATA iRule event is triggered unexpectedly during SSL forward proxy bypass.
Conditions:
This issue is seen when SSL forward proxy with bypass is enabled on the client and server SSL profiles.
Impact:
This can cause unexpected failure of existing iRules that only expect CLIENTSSL_DATA for intercepted (and decrypted) data.
Workaround:
N/A
1067821-5 : Stats allocated_used for region inside zxfrd is overflowed
Links to More Info: BT1067821
Component: Global Traffic Manager (DNS)
Symptoms:
No visible symptoms.
Conditions:
Large resource record addition and deletion for dns express zones.
Impact:
Internal zxfrd stats are incorrect.
1067589-4 : Memory leak in nsyncd
Links to More Info: BT1067589
Component: Application Security Manager
Symptoms:
The memory usage for nsyncd increases over time, forcing the device into OOM (out of memory).
Conditions:
-- High availability (HA) environment with ASM sync failover device group.
-- ASU files are being installed by Live Update.
Impact:
OOM activity causes random process restarts and disruption.
Workaround:
Restart the nsyncd daemon.
1065681-2 : Sensitive data is not masked under certain conditions.
Links to More Info: BT1065681
Component: Application Security Manager
Symptoms:
Sensitive data (or part of it) is visible in the request logs or the remote log.
Conditions:
A parameter is defined with a JSON profile, and that profile has the parse parameters flag set.
Impact:
Sensitive data is visible in the log.
Workaround:
There are two possible workarounds:
1. Make the parameter that contains the JSON a sensitive parameter.
2. In the JSON profile attached to the parameter, uncheck the parse parameters flag. A sensitive data tab is then added in the UI. In that tab, explicitly add the JSON element as a sensitive element.
1065353-2 : Disabling ciphers does not work due to the order of cipher suite.
Links to More Info: BT1065353
Component: Local Traffic Manager
Symptoms:
You are not able to disable a list of ciphers.
Conditions:
The cipher list is passed in a particular order to the 'tmm --clientciphers' command.
Impact:
Inconsistent behavior of the command "tmm --clientciphers".
Workaround:
Reorder the ciphers in the list and pass the reordered list to "tmm --clientciphers".
1065109-1 : In Bot Defense profile, tot_http_requests and tot_requests_forwarded_to_origin are not populated correctly
Links to More Info: BT1065109
Component: Bot Defense
Symptoms:
tot_http_requests in the Bot Defense profile is not populated for requests that do not match any endpoint.
tot_requests_forwarded_to_origin is not updated for requests that are allowed, for requests where the Distributed Cloud API request timed out, or when the protection pool is down.
Conditions:
Issue occurs when the following conditions are met:
1) Configure Bot Defense profile under Distributed Cloud Services.
2) Attach BD profile to Virtual Server.
3) Send requests from client.
Impact:
The tot_http_requests and tot_requests_forwarded_to_origin are not populated correctly.
Workaround:
None
1064753-5 : OSPF LSAs are dropped/rate limited incorrectly.
Links to More Info: BT1064753
Component: TMOS
Symptoms:
Some LSAs are dropped on BIG-IP with a log similar to:
"LSA is received recently".
Conditions:
Tuning OSPF min LSA arrival has no effect on some LSA handling.
Impact:
OSPF LSAs are dropped/rate limited incorrectly.
Workaround:
N/A
1063977-4 : Tmsh load sys config merge fails with "basic_string::substr" for non-existing key.
Links to More Info: BT1063977
Component: Local Traffic Manager
Symptoms:
"tmsh load sys config merge" fails with the following error.
Loading configuration...
/var/tmp/repro.txt
01070711:3: basic_string::substr
Unexpected Error: Loading configuration process failed.
Conditions:
The key referenced in the configuration of the SSL profile does not exist in the BIG-IP.
Impact:
"tmsh load sys config merge" fails which is expected, but the error is not meaningful.
Workaround:
Identify the missing SSL key used in the configuration and correct it.
1063653-3 : TMM Crash while processing traffic on virtual server.
Links to More Info: BT1063653
Component: Local Traffic Manager
Symptoms:
TMM core while processing traffic on a virtual server.
Conditions:
iRule Execution during processing HTTP response.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
1063237-6 : Stats are incorrect when the management interface is not eth0
Links to More Info: BT1063237
Component: TMOS
Symptoms:
The provision.managementeth db variable can be used to change which interface the management interface is bridged to:
https://clouddocs.f5.com/cloud/public/v1/shared/change_mgmt_nic_google.html
If this is changed to something other than eth0, the management interface stats will continue to be read from eth0 and thus be incorrect.
Conditions:
When provision.managementeth is changed to something other than eth0.
Impact:
Management interface stats are incorrect.
Workaround:
Reconfigure the management interface to use eth0
1060989-1 : Improper handling of HTTP::collect
Links to More Info: BT1060989
Component: Local Traffic Manager
Symptoms:
When a complete body has been received and a new HTTP::collect is attempted, an error occurs:
TCL error: /Common/rule_vs_server_15584 <HTTP_RESPONSE_DATA> - ERR_ARG (line 1) invoked from within "HTTP::collect 256000"
Conditions:
- HTTP Virtual server
- incremental HTTP::collect iRule
Impact:
iRule failure
Workaround:
None
1060409-5 : Behavioral DoS enable checkbox is wrong.
Links to More Info: BT1060409
Component: Anomaly Detection Services
Symptoms:
Behavioral DoS Enabled indicator is wrongly reported after configuration change, when no traffic is injected to the virtual server.
Conditions:
Behavioral DoS is enabled and then disabled when no traffic is injected to the virtual server.
Impact:
After server health is stabilized and constant, the BIG-IP system doesn't report the configuration changes.
Workaround:
Send 1-2 requests to the server and the configuration will be updated.
1060393-2 : Extended high CPU usage caused by JavaScript Obfuscator.
Links to More Info: BT1060393
Component: Fraud Protection Services
Symptoms:
The Obfuscator process (compiler.jar) consumes excessive CPU for an extended period.
Conditions:
Either of the following:
-- FPS is provisioned
-- ASM is provisioned AND one of the following is attached to the virtual server:
--+ a Bot Defense profile
--+ an ASM policy with the brute force feature enabled
--+ a DoS profile with CAPTCHA/CSI mitigation
Impact:
High CPU usage on the device.
Workaround:
None
1060369-2 : HTTP MRF Router will not change serverside load balancing method
Links to More Info: BT1060369
Component: Local Traffic Manager
Symptoms:
Selecting a different load balancing target (e.g., an iRule or Local Traffic Policy selecting a different pool/node, the "virtual" command, etc.) does not work for subsequent HTTP/1.x requests on a keep-alive connection.
Conditions:
-- "HTTP MRF Router" virtual server (virtual server has an "httprouter" profile attached)
-- Virtual server is handling HTTP/1.x traffic
Impact:
Traffic is load-balanced to incorrect destination.
Workaround:
None.
1060145-4 : Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2.
Links to More Info: BT1060145
Component: Global Traffic Manager (DNS)
Symptoms:
When secondary slot reboots and it gets the configuration from the primary blade, the secondary throws a validation error and enters into a restart loop.
The following error is logged:
Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/Common/bbt-generic-bigip 10.1.10.12 80 gtm-vs) was not found.... failed validation with error 16908342.
Conditions:
-- Change the virtual server address on the LTM (manual edit of bigip.conf and load).
-- Reboot the secondary slot.
Impact:
Mcpd enters a restart loop on the secondary slot.
Workaround:
N/A
1060021-3 : Using OneConnect profile with RESOLVER::name_lookup iRule might result in core.
Links to More Info: BT1060021
Component: Local Traffic Manager
Symptoms:
Tmm might core while using a OneConnect profile with iRule command RESOLVER::name_lookup.
Conditions:
1. A OneConnect profile is attached.
2. iRules with RESOLVER::name_lookup command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the RESOLVER::name_lookup iRule command on a virtual server that uses a OneConnect profile.
1059513-2 : Virtual servers may appear as detached from security policy when they are not.
Links to More Info: BT1059513
Component: Application Security Manager
Symptoms:
When browsing the Security >> Overview: Summary page, the virtual servers may appear as detached. The larger the number of virtual servers, the more likely you are to see all of them shown as detached from the security policy.
Conditions:
Once a certain number of virtual servers (about 20) are attached to a security policy, the virtual servers may appear as detached from any security policy.
Impact:
Virtual servers are displayed as detached from any security policy, but this is not the case.
Workaround:
None
1056941-3 : HTTPS monitor continues using cached TLS version after receiving fatal alert.
Links to More Info: BT1056941
Component: Local Traffic Manager
Symptoms:
After an HTTPS monitor completes successfully, the TLS version is cached and used for subsequent monitor probes.
If the back end server TLS version changes between monitor polls and no longer allows the cached TLS version, the back end server correctly sends a fatal alert to the BIG-IP in response to the no longer allowed TLS version.
The BIG-IP will continue to use the cached, now prohibited, version in all subsequent probes resulting in a false down resource until the cached information is cleared on the BIG-IP.
Conditions:
The ClientSSL profile on the back-end BIG-IP device's virtual server is changed so that it no longer allows the TLS version the monitor cached.
Impact:
BIG-IP continues to send prohibited TLS version and reports the member as down.
Workaround:
-- Delete and re-add pool member.
-- Change HTTPS monitor to any other monitor (including another HTTPS monitor) and then back.
-- Restart bigd with "bigstart restart bigd" - Note that this impacts all monitoring on the BIG-IP.
-- Restart BIG-IP - Note that this impacts all traffic on the BIG-IP.
1054717-4 : Incorrect Client Summary stats for transparent cache.
Links to More Info: BT1054717
Component: Global Traffic Manager (DNS)
Symptoms:
The Client Summary section in transparent cache is incorrect for transparent cache.
Conditions:
Transparent cache attached to a DNS profile.
Impact:
Efficacy of DNS Transparent cache stats reduced.
Workaround:
N/A
1053741-5 : Bigd may exit and restart abnormally without logging a reason
Links to More Info: BT1053741
Component: Local Traffic Manager
Symptoms:
Certain fatal errors may cause the bigd daemon to exit abnormally and restart to recover.
For many such fatal errors, bigd logs a message in the LTM log (/var/log/ltm) indicating the fatal error that occurred.
For some causes, no message is logged to indicate what error caused bigd to exit abnormally and restart.
Conditions:
This may occur when bigd encounters a fatal error when monitoring LTM pool members, particularly (although not exclusively) when using In-TMM monitor functionality (sys db bigd.tmm = enable).
Impact:
It may be difficult to diagnose the reason that caused bigd to exit abnormally and restart.
Workaround:
To enable logging of all fatal errors that cause bigd to exit abnormally and restart, enable bigd debug logging:
tmsh modify sys db bigd.debug value enable
With bigd debug logging enabled, bigd messages (including such fatal errors) will be logged to /var/log/bigdlog
1053589-2 : DDoS functionality cannot be configured at a Zone level
Links to More Info: BT1053589
Component: Advanced Firewall Manager
Symptoms:
DDoS functionality is supported at the global and virtual server level.
Conditions:
DDoS functionality configured on the BIG-IP system.
Impact:
Cannot enable DDoS at the Zone level.
Workaround:
N/A
1051125-2 : GTM marks virtual servers offline even when LTM virtual servers are available.
Links to More Info: BT1051125
Component: Global Traffic Manager (DNS)
Symptoms:
GTM virtual servers have a status of offline when they should be marked as available.
Conditions:
-- Sync group of two GTM devices with a large number of virtual servers (2k).
-- All the LTM virtual servers corresponding to GTM Virtual servers are available.
-- Add a third GTM into the sync group.
Impact:
GTM virtual servers are marked offline even though the corresponding LTM virtual servers are available.
1050165-2 : APM - users end up with SSO disabled for their session, admin intervention required to clear session
Links to More Info: BT1050165
Component: Access Policy Manager
Symptoms:
If a user is trying to access a webtop resource that is configured behind APM single sign-on (SSO) which has failed for some reason, then the SSO process for that user is disabled for the rest of that session's life time.
Conditions:
-- Configure Kerberos SSO
-- Configure a network resource (a user's mailbox on an Exchange server, or an IIS-based web service)
Impact:
BIG-IP Admin has to intervene to release the affected session manually.
Workaround:
None
1048989-1 : Slight correction of button titles in the Data Guard Protection Enforcement
Component: Application Security Manager
Symptoms:
A button title read as "Ignored URLs / Enforced URLs" instead of "Ignore URLs / Enforce URLs".
Conditions:
1. On the Security > Application Security > Security Policies > Policies List > <selected_policy> screen, click the Data Guard tab.
2. Look on the Data Guard Protection Enforcement (Wildcards Supported) button fields. The button title should appear as Ignore/Enforce URLs.
Impact:
The title of the button is misleading.
Workaround:
None
1048949-7 : TMM xdata leak on websocket connection with asm policy without websocket profile
Links to More Info: BT1048949
Component: Application Security Manager
Symptoms:
Excessive memory consumption, tmm core.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Websocket profile isn't attached to the virtual server
- Long lived websocket connection with messages
Impact:
Excessive memory consumption, tmm crash. Traffic disrupted while tmm restarts.
Workaround:
Attach the websocket profile to the virtual server
1048445-4 : Accept Request button is clickable for unlearnable violation illegal host name
Links to More Info: BT1048445
Component: Application Security Manager
Symptoms:
For the following violations:
- VIOL_HOSTNAME (Hostname violation)
- VIOL_HOSTNAME_MISMATCH (Hostname mismatch violation)
The Accept Request button is clickable when it should not be; it should be disabled for these violations.
Conditions:
Generate an illegal host name or hostname mismatch violation.
Impact:
Request will not be accepted even though you have elected to accept the illegal request.
Workaround:
Do not click Accept Request for hostname or hostname mismatch violations; accepting them triggers no ASM configuration change anyway.
1046917-5 : In-TMM monitors do not work after TMM crashes
Links to More Info: BT1046917
Component: In-tmm monitors
Symptoms:
After TMM crashes and restarts, in-TMM monitors do not run. Monitored pool members are down.
Conditions:
-- In-TMM monitors are enabled.
-- TMM exits abnormally, as a result of one of the following:
+ TMM crashing and restarting
+ TMM being sent a termination signal (e.g., using 'pkill' to kill TMM)
Note: This issue does not occur if TMM is restarted using 'bigstart' or 'tmsh sys service'.
Impact:
Monitored pool members are offline.
Workaround:
One of the following:
1. Do not use in-TMM monitors.
2. After TMM restarts, manually restart bigd:
tmsh restart sys service bigd
3. Add an entry to /config/user_alert.conf such as the following, so that the system restarts bigd when TMM starts up.
On an appliance or single-slot vCMP guest/tenant:
alert id1046917 "Tmm ready - links up." {
    exec command="bigstart restart bigd"
}
On a VIPRION or multi-slot vCMP guest/tenant:
alert id1046917 "Tmm ready - links up." {
    exec command="clsh --color=all bigstart restart bigd"
}
Note: This change must be made separately on each device in a ConfigSync device group.
1046469-3 : Memory leak during large attack
Links to More Info: BT1046469
Component: Anomaly Detection Services
Symptoms:
ADMD daemon memory consumption increases over several days until it causes OOM.
Conditions:
A large DoS attack occurs and is not mitigated.
Impact:
ADMD daemon will get killed and restarted. Due to the restart, the BADoS protection might be disabled for a couple of seconds.
Workaround:
To work around the issue before installing the fix, ADMD can be monitored by a script and restarted as needed. This is similar to the current behavior, but it avoids reaching OOM, which might affect other daemons.
1043009-6 : TMM dump capture for compression engine hang
Links to More Info: BT1043009
Component: Local Traffic Manager
Symptoms:
TMM crashes
Conditions:
The system detects a Nitrox hang and attempts to reset it.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Set Nitrox3.Compression.HangReset db variable to reset
1041985-4 : TMM memory utilization increases after upgrade★
Links to More Info: BT1041985
Component: Access Policy Manager
Symptoms:
TMM memory utilization increases after upgrading.
The keep-alive interval of the _tmm_apm_portal_tcp default profile is set to a value that is less than the Idle Timeout setting.
Conditions:
-- APM enabled and passing traffic
-- The configuration has a profile that uses or is derived from _tmm_apm_portal_tcp where the keep-alive interval was reduced to 60
Note that this can be encountered any time a tcp profile contains a keep-alive interval setting that is less than the idle timeout.
For more information about the relationship between keep-alive and idle time out, see K13004262: Understanding Idle Timeout and Keep Alive Interval settings in the TCP profile, available at https://support.f5.com/csp/article/K13004262
Impact:
TMM memory may increase while passing traffic.
Workaround:
Change the tcp keep alive interval to the default setting of 1800 seconds.
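The following audit script is an added example, not F5's code; it covers this issue (1041985, a tcp profile whose keep-alive interval is lower than its idle timeout) and 1048949 above (an ASM policy attached to a virtual server that has no websocket profile). It parses the brace-delimited text that `tmsh list ltm profile tcp`, `tmsh list ltm profile websocket` and `tmsh list ltm virtual` print, resolves tcp settings through the defaults-from chain, and runs here on a constructed sample dump. Assumptions: the built-in tcp profile values (idle-timeout 300, keep-alive-interval 1800), that an ASM-protected virtual server lists the websecurity profile, and that names can be compared without their /Common/ partition prefix.

```python
"""Audit a tmsh 'list' dump for 1048949 (ASM without websocket profile) and
1041985 (tcp keep-alive-interval below idle-timeout).
Added example, not F5 code; runs offline on the constructed sample below."""

# Assumed built-in values of the stock tcp profile; confirm on your system
# with 'tmsh list ltm profile tcp tcp all-properties'.
TCP_BUILTIN = {"idle-timeout": 300, "keep-alive-interval": 1800}

def parse_tmsh(text):
    """Turn tmsh's brace layout into nested dicts keyed by block header."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cur = stack[-1] if stack else root
        if line == "}":
            stack.pop()                       # IndexError on a stray '}'
        elif line.endswith("{ }"):            # empty block, e.g. 'http { }'
            cur[line[:-3].strip()] = {}
        elif line.endswith("{"):              # 'ltm virtual vs {' opens a block
            cur[line[:-1].strip()] = child = {}
            stack.append(child)
        else:                                 # 'key value' line
            key, _, value = line.partition(" ")
            cur[key] = value.strip()
    if stack:
        raise ValueError("unterminated block in tmsh output")
    return root

def _objects(conf, prefix):
    """Map object name -> body for every block whose header starts with prefix."""
    return {h[len(prefix):]: b for h, b in conf.items() if h.startswith(prefix)}

def effective_tcp_setting(profiles, name, key, depth=0):
    """Resolve a tcp setting through the defaults-from chain, then built-ins."""
    if depth > 16:
        raise ValueError("defaults-from loop at " + name)
    prof = profiles.get(name)
    if prof is None:                          # parent not in the dump
        return TCP_BUILTIN[key]
    if key in prof:
        val = prof[key]
        return float("inf") if val == "indefinite" else int(val)
    if "defaults-from" in prof:               # '/Common/tcp' -> 'tcp'
        parent = prof["defaults-from"].rsplit("/", 1)[-1]
        return effective_tcp_setting(profiles, parent, key, depth + 1)
    return TCP_BUILTIN[key]

def audit_tcp_keepalive(conf):
    """1041985: (name, keep-alive, idle) for profiles with keep-alive < idle."""
    profiles = _objects(conf, "ltm profile tcp ")
    findings = []
    for name in profiles:
        ka = effective_tcp_setting(profiles, name, "keep-alive-interval")
        idle = effective_tcp_setting(profiles, name, "idle-timeout")
        if ka < idle:
            findings.append((name, ka, idle))
    return findings

def audit_asm_without_websocket(conf):
    """1048949: virtual servers carrying ASM but no websocket profile."""
    ws_names = {"websocket"} | set(_objects(conf, "ltm profile websocket "))
    findings = []
    for vs, body in _objects(conf, "ltm virtual ").items():
        attached = {p.rsplit("/", 1)[-1] for p in body.get("profiles", {})}
        # Assumption: an attached ASM policy shows up as the websecurity profile.
        if "websecurity" in attached and not attached & ws_names:
            findings.append(vs)
    return findings

# Constructed sample dump, not taken from a real device.
SAMPLE_TMSH = """\
ltm profile tcp _tmm_apm_portal_tcp {
    idle-timeout 300
}
ltm profile tcp portal_tcp_custom {
    defaults-from /Common/_tmm_apm_portal_tcp
    keep-alive-interval 60
}
ltm profile websocket ws_custom {
    defaults-from /Common/websocket
}
ltm virtual vs_api {
    profiles {
        /Common/ASM_api_policy {
            context all
        }
        http { }
        websecurity { }
    }
}
ltm virtual vs_chat {
    profiles {
        /Common/ws_custom { }
        websecurity { }
    }
}
"""
```

On the sample, audit_tcp_keepalive flags portal_tcp_custom (keep-alive 60 inherited over an idle timeout of 300 from its parent) and audit_asm_without_websocket flags vs_api; vs_chat passes because ws_custom is a websocket profile defined in the dump.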
1041469-1 : Request Log Page: Line break in the middle of the word in the note next to Block this IP Address
Component: Application Security Manager
Symptoms:
Words may break in the middle before going to the next line.
Conditions:
1. Create Policy, for example Fundamental
2. Disable Alarm and Block flags for the "IP is blacklisted" violation in Learning and Blocking Settings
3. Apply Policy
4. Send request:
GET / HTTP/1.1
User-Agent: python-requests/2.21.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Request-Id: 003390
Host: 10.0.1.101:7000
5. open request details in Security ›› Event Logs : Application : Requests
6. click the arrow next to Source IP Address
7. Set Block this IP Address to Always
Impact:
Words at the end of a line and the beginning of the next line may seem broken. The impact is cosmetic only.
Workaround:
None
1040465-2 : Incorrect SNAT pool is selected
Links to More Info: BT1040465
Component: Local Traffic Manager
Symptoms:
An incorrect SNAT pool is selected when an SSL Forward Proxy is configured and BYPASS is enabled along with an iRule to choose the SNAT pool.
Conditions:
-- Virtual Server has SSL Forward Proxy Deployment with BYPASS enabled
-- iRule configured to decide the SNAT pool members
-- Virtual Server passes the traffic
Impact:
Traffic diverted to incorrect SNAT pool when BYPASS happens.
1040277-6 : Syslog-ng issue may cause logging to stop and possible reboot of a system
Links to More Info: BT1040277
Component: TMOS
Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to logging via syslog-ng to stop.
For software version 13.1 only, it may lead to the BIG-IP unexpectedly rebooting due to a host watchdog timeout, typically within hours to a day or two after syslog-ng hangs.
Logging stops at the time of the last 'Syslog connection broken' message in /var/log/messages before the reboot.
That message appears without a preceding 'Syslog connection established' message carrying the same timestamp immediately before it.
At this time syslog-ng typically spins, using near 100% CPU.
Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.
A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to stream of log messages by breaking connection eg by sending ICMP port unreachable to BIG-IP.
Syslog-ng will note the connection attempt and that it has broken usually in the same second, and do so every 60s when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
The final entry is a broken-connection message only, usually one minute after the last established/broken pair, in the very rare event that syslog-ng hangs.
Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.
Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable. If a remote server is not reachable remove it from the BIG-IP syslog configuration.
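The following detector is an added example, not F5's code. It applies the log signature described above to lines from /var/log/messages: it counts established/broken pairs that share a timestamp and server (the remote refusing the stream, retried every 60 s) and reports a hang marker when the last connection event is a 'broken' with no same-second 'established' before it. The log lines it runs on are constructed, modelled on the messages quoted in the release note; the filler line is invented to show that unrelated entries are ignored.

```python
"""Scan /var/log/messages lines for the syslog-ng flap-and-hang signature
described under 1040277. Added example, not F5 code."""
import re

# Matches the 'Syslog connection established/broken' lines syslog-ng writes.
CONN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ syslog-ng\[\d+\]: "
    r"Syslog connection (?P<event>established|broken); fd='\d+', "
    r"server='(?P<server>[^']+)'"
)

def connection_events(lines):
    """Extract (timestamp, event, server) tuples in log order."""
    out = []
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            out.append((m.group("ts"), m.group("event"), m.group("server")))
    return out

def analyze_syslog_ng(lines):
    """Count reconnect flaps and detect the hang marker.

    'flaps' counts established/broken pairs with the same timestamp and
    server.  'hang_at'/'hang_server' are set when the final connection event
    is a 'broken' not paired with a same-second 'established' before it, which
    the release note gives as the point at which logging stops.
    """
    events = connection_events(lines)
    flaps = 0
    for i, (ts, event, server) in enumerate(events):
        if event == "broken" and i > 0 and events[i - 1] == (ts, "established", server):
            flaps += 1
    hang_at = hang_server = None
    if events:
        ts, event, server = events[-1]
        prev = events[-2] if len(events) > 1 else None
        if event == "broken" and prev != (ts, "established", server):
            hang_at, hang_server = ts, server
    return {"flaps": flaps, "hang_at": hang_at, "hang_server": hang_server}

# Constructed sample, patterned on the messages quoted in the release note.
SAMPLE_MESSAGES = """\
Nov 25 03:12:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:12:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Nov 25 03:12:30 localhost.localdomain info logger: constructed filler line, not a syslog-ng event
Nov 25 03:13:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:13:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
""".splitlines()

if __name__ == "__main__":
    print(analyze_syslog_ng(SAMPLE_MESSAGES))
```

A flap count by itself only means the remote destination is unreachable or refusing the stream, which the workaround above addresses; treat the hang marker as a strong hint rather than proof, and confirm it by checking that syslog-ng is spinning near 100% CPU as the release note describes.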
1040153-4 : Topology region returns narrowest scope netmask without matching
Links to More Info: BT1040153
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP returns malformed packets or the narrowest scope not matching the request.
Conditions:
Mixed sub networks with different mask length.
Impact:
Malformed packets.
Workaround:
Do not put mixed subnets in one region.
1039941-4 : [WIN]Webtop offers to download f5vpn when it is already installed
Links to More Info: BT1039941
Component: Access Policy Manager
Symptoms:
A pop-up window shows up and requests to download the client component.
Conditions:
Either of these conditions can trigger it:
#1
-- Network Access configured and webtop type to "Network Access"
-- VPE configured
[Machine Info (or Anti Virus Check)] -- [Resource Assignment (NA + Webtop)]
#2
-- Network Access (auto launch) and webtop configured
-- VPE configured
[Machine Info (or Anti Virus Check)] -- [Resource Assignment (NA + Webtop)]
Impact:
End users are unable to use the browser-based VPN.
Workaround:
Any of these workarounds will work:
-- Use Internet Explorer
-- Do not configure Network Access auto launch or "Network Access" for the webtop type
-- Insert the message box between Client Inspection (Machine info, etc.) and "Resource Assignment" on the VPE
-- Ignore the message (click "Click here"), and it allows you to move on to the next step
1038117-3 : TMM SIGSEGV with BDoS attack signature
Links to More Info: BT1038117
Component: Advanced Firewall Manager
Symptoms:
TMM core dumped with segmentation fault showing the below stack. Sometimes the crash stack might be different possibly due to memory corruption caused by the stale BDoS entries in sPVA temp table.
#0 0x00007fbb0f05fa01 in __pthread_kill (threadid=?, signo=signo@entry=11) at ../nptl/sysdeps/unix/sysv/linux/pthread_kill.c:61
#1 0x0000000001587e86 in signal_handler (signum=11, info=0x400a254018f0, ctx=0x400a254017c0) at ../kern/sys.c:3837
#2 <signal handler called>
#3 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:164
#4 0x000000000156319b in spva_search_temp_table (p_arg=<synthetic pointer>, spva=0x400a25401e70) at ../base/tmm_spva.c:1827
#5 spva_dyentries_ack_nack_response (status=SPVA_STATUS_SUCCESS, spva=0x400a25401e70) at ../base/tmm_spva.c:1872
#6 spva_read (status=SPVA_STATUS_SUCCESS, spva=...) at ../base/tmm_spva.c:1560
Conditions:
BDoS enabled. The Dynamic BDoS signature created, attack detected, and signature is offloaded to hardware.
Impact:
TMM core dumped and restarted.
Workaround:
Disable BDoS.
1037877-5 : OAuth Claim display order incorrect in VPE
Links to More Info: BT1037877
Component: Access Policy Manager
Symptoms:
In the visual policy editor (VPE), it is difficult to re-order custom previously created Claims in the oAuth Authorization agent.
The following error is thrown in the developer tools screen of the client browser:
common.js?m=st&ver=15.1.2.1-0.0.10.0:902 Uncaught TypeError: Cannot read property 'row' of undefined
at Object.common_class.swap (common.js?m=st&ver=15.1.2.1-0.0.10.0:902)
at multipleObjectsSelectionCBDialogue_class.swapEntries (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263)
at HTMLAnchorElement.<anonymous> (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185)
common_class.swap @ common.js?m=st&ver=15.1.2.1-0.0.10.0:902
multipleObjectsSelectionCBDialogue_class.swapEntries @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263
(anonymous) @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185
Conditions:
-- There are at least two claims in Access :: Federation : OAuth Authorization Server : Claim
-- You are attempting to reorder the claims in the visual policy editor
Impact:
It is not possible to re-order the claims
Workaround:
None
1036613-6 : Client flow might not get offloaded to PVA in embryonic state
Links to More Info: BT1036613
Component: TMOS
Symptoms:
The client flow is not offloaded in the embryonic state, but is only offloaded once the flow transitions to the established state.
Conditions:
-- FastL4 profile configured to offload TCP connections in embryonic state (this is the default)
-- Clientside and serverside ingress traffic is handled by different TMMs
-- Running on a platform with multiple HSB modules per TMM, e.g.:
--+ BIG-IP i11600 Series
--+ BIG-IP i15600 Series
Impact:
- minor performance degradation;
- PVA traffic counters show unexpectedly high values;
1035757-5 : iRulesLX restart leaves stale files in /var/tmstat/blade/tmplugin_ilx_*
Links to More Info: BT1035757
Component: Local Traffic Manager
Symptoms:
After restarting the ilx plugin, new tmplugin_ilx_rpc_* stat files are being created, but old files are not being deleted.
Conditions:
- ilx configured
- ilx plugin restarted
Impact:
The presence of too many of these leftover files might prevent merged from rolling up stats and providing graphs and cause such errors:
err merged[8523]: 011b0900:3: TMSTAT error tmstat_remerge: Cannot allocate memory.
Workaround:
Delete stale tmplugin_ilx_* files manually
1035361-7 : Illegal cross-origin after successful CAPTCHA
Links to More Info: BT1035361
Component: Application Security Manager
Symptoms:
After enabling CAPTCHA locally on BIG-IP with brute force, after configured login attempts, CAPTCHA appears, but after bypassing the CAPTCHA successfully the user receives a support ID with cross-origin violation.
Conditions:
- brute force with CAPTCHA mitigation enforced on login page.
- cross-origin violation is enforced on the login page.
- user fails to login until CAPTCHA appears
- user inserts the CAPTCHA correctly
Impact:
- blocking page appears.
- on the event log cross-origin violation is triggered.
Workaround:
- disable cross-origin violation enforcement.
1032257-5 : Forwarded PVA offload requests fail on platforms with multiple PDE/TMM
Links to More Info: BT1032257
Component: TMOS
Symptoms:
Forwarded PVA requests use a static bigip_connection that does not have its pva_pde_info initialized, which results in offload failure on platforms that have multiple PDEs per TMM.
Conditions:
Pva_pde_info is not initialized and Forwarded PVA requests occur.
Impact:
Hardware offload does not occur.
1029373-3 : Firefox 88+ raising Suspicious browser violations with bot defense
Links to More Info: BT1029373
Component: Application Security Manager
Symptoms:
Bot Defense might block legitimate traffic arriving from Firefox version 88 or later.
Conditions:
- ASM provisioned
- bot-defense profile assigned on a virtual server
Impact:
Legal traffic is blocked
Workaround:
tmsh modify sys db botdefense.suspicious_js_score value 60
1029105-2 : Hardware SYN cookie mode state change logs bogus virtual server address
Links to More Info: BT1029105
Component: TMOS
Symptoms:
When a virtual server enters or exits hardware SYN cookie mode, a bogus IP address is logged in /var/log/ltm. For example:
Syncookie HW mode activated, server name = /Common/vs server IP = 0.0.0.3:0
Conditions:
A virtual server enters or exits hardware SYN cookie mode.
Impact:
Only the logging information is wrong, the hardware SYN cookie mode functions correctly.
Workaround:
None
1028081-2 : [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page
Links to More Info: BT1028081
Component: Access Policy Manager
Symptoms:
1. Users connecting with F5 Access from an Android device see string "function () {[native code]}" in the Logon Page Form 'Username' field.
2. This issue only affects the F5 Access embedded browser. It works fine when connecting from the same Android device using Chrome. F5 Access from iOS is also working fine.
Conditions:
Configure an access policy with modern customization that includes a Logon Page.
Impact:
The string "function () {[native code]}" appears in the Logon Page Form 'Username' field.
Workaround:
This workaround is temporary, as the changes are lost after an upgrade.
steps:
1) create a copy of the original "main.js" file
# cp /var/sam/www/webtop/public/include/js/modern/main.js /var/sam/www/webtop/public/include/js/modern/main.js.origin
2) edit the file using an editor (e.g., vi).
# vi /var/sam/www/webtop/public/include/js/modern/main.js
modify
window.externalAndroidWebHost.getWebLogonUserName to window.externalAndroidWebHost.getWebLogonUserName()
and
window.externalAndroidWebHost.getWebLogonPassword to window.externalAndroidWebHost.getWebLogonPassword()
3) Restart BIG-IP
1027481-4 : The log messages 'error: /bin/haloptns unexpected error -- 768' generated on A110 and D112 platforms
Links to More Info: BT1027481
Component: TMOS
Symptoms:
The message 'error: /bin/haloptns unexpected error -- 768' is logged by system commands, including some startup scripts and the software installation process.
Running /bin/haloptns manually displays the following output:
'Expected 32 bit OPTN field, found field "" instead.'
Conditions:
-- One of the following platforms:
- D112 (10350v-F (FIPS) or 10150s-N (NEBS))
- A110 (VIPRION B4340N (NEBS) blades)
-- The system does not use RAID.
Impact:
Excessive "error: /bin/haloptns unexpected error -- 768" error messages in log files, and command output (for example, "cpcfg").
There is no other impact, and the messages can be ignored.
Workaround:
Ignore the error messages.
1026781-4 : Standard HTTP monitor send strings have double CRLF appended
Links to More Info: BT1026781
Component: Local Traffic Manager
Symptoms:
Standard (bigd-based, not In-TMM) HTTP monitors have a double CRLF appended (\r\n\r\n) to the send string. This does not comply with RFC1945 section 5.1 which states requests must terminate with a single CRLF (\r\n). This non-compliant behavior can lead to unexpected results when probing servers.
Conditions:
Standard bigd (not In-TMM) HTTP monitors
Impact:
Servers probed by these non-RFC-compliant HTTP monitors may respond in an unexpected manner, resulting in false negative or false positive monitor results.
Workaround:
There are several workarounds:
1. If running 13.1.0 or later, switch monitoring from bigd-based to In-TMM. In-TMM monitors properly follow RFC1945 and will send only a single CRLF (\r\n)
2. Remain with bigd-based monitoring and configure probed servers to respond to double CRLF (\r\n\r\n) in a desired fashion
Depending on server configuration, a customized send string, even with the double CRLF, may still yield expected responses.
1025089-6 : Pool members marked DOWN by database monitor under heavy load and/or unstable connections
Links to More Info: BT1025089
Component: Local Traffic Manager
Symptoms:
BIG-IP database monitors (mssql, mysql, oracle, postgresql) may exhibit one of the following symptoms:
- Under heavy, sustained load, the database monitoring subsystem may become unresponsive, causing pool members to be marked DOWN and eventually causing the database monitoring daemon (DBDaemon) to restart unexpectedly.
- If the network connection to a monitored database server is unstable (experiences intermittent interruptions, drops, or latency), pool members may be marked DOWN as the result of a momentary loss of connectivity. This is more likely to occur when a database monitor is used to monitor a GTM pool member instead of an LTM pool member, due to differences between how monitors are configured for GTM versus LTM.
Conditions:
These symptoms may occur under the following conditions:
- The database monitoring subsystem may become unresponsive, and the database monitoring daemon (DBDaemon) may restart unexpectedly, if a large number of LTM or GTM pool members are being monitored by database monitors, and/or with short polling intervals ("interval" of 10 seconds or less), or when GTM pool members are monitored by database monitors with a short "probe-timeout" value (10 seconds or less).
- The GTM pool members may be marked DOWN after a single interrupted connection if they are monitored by a database monitor, configured with a short "probe-timeout" value (10 seconds or less) and "ignore-down-response" configured as "disabled" (default).
Impact:
-- High CPU utilization is observed on control plane cores.
-- The database monitoring daemon (DBDaemon) may restart unexpectedly, causing GTM or LTM pool members monitored by a database monitor to be marked DOWN temporarily.
-- GTM or LTM pool members monitored by a database monitor may be marked DOWN temporarily if the network connection to the database server is dropped or times out.
Workaround:
Perform one of the following actions:
-- Configure the database (mssql, mysql, oracle, postgresql) monitor with a "count" value of "1". This prevents the caching or reuse of network connections to the database server between probes. Thus there is no cached connection to time out or get dropped. However, the overhead of establishing the network connection to the database server will be incurred for each probe and will result in generally higher (but more consistent) CPU usage by the database monitoring daemon (DBDaemon).
-- Configure the database monitor "interval" and "timeout" values (for an LTM monitor), or the "interval", "timeout", "probe-attempts", "probe-interval" and "probe-timeout" values (for a GTM monitor) such that multiple failed monitor probes are required before the monitored member is marked DOWN, and with a minimum value of 10 seconds or greater.
Note: A restart of bigd (and consequently the DBDaemon) might be necessary to properly clear any currently stale/stuck database connections.
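A worked tmsh configuration for the two workarounds above, added here as an illustration and not taken from the page or from F5. The monitor, pool, database and credential names are assumed; the values are chosen so that every interval, timeout and probe-timeout is at or above the 10-second minimum stated above. Only count, interval, timeout, probe-attempts, probe-interval and probe-timeout are named by the workaround itself; confirm the remaining property names with tmsh help ltm monitor mysql and tmsh help gtm monitor mysql on the version in use.

```tmsh
# LTM database monitor (mysql shown; mssql, oracle and postgresql take the same
# count/interval/timeout settings). count 1 closes the connection after every
# probe, so there is no cached connection to go stale; interval 30 / timeout 91
# means three consecutive probes must fail before the member is marked DOWN.
# Monitor name, database and credentials are assumed for this example.
create ltm monitor mysql mysql_fresh_conn {
    defaults-from mysql
    count 1
    interval 30
    timeout 91
    database appdb
    username monitor_user
    password "replace-me"
}
modify ltm pool appdb_pool monitor mysql_fresh_conn

# GTM variant: probe-timeout stays above 10 seconds and probe-attempts above 1,
# so a single dropped connection no longer marks the pool member DOWN.
create gtm monitor mysql gtm_mysql_fresh_conn {
    defaults-from mysql
    count 1
    interval 30
    timeout 120
    probe-interval 10
    probe-attempts 3
    probe-timeout 15
    database appdb
    username monitor_user
    password "replace-me"
}

# Clear any connections already stuck in DBDaemon, as the note above advises.
run util bash -c "bigstart restart bigd"
```

Expect steadier but higher DBDaemon CPU usage after switching to count 1, since every probe now pays the cost of a new database connection; watch the monitor log for the member state to settle before reducing the interval again.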
1024421-4 : At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log
Links to More Info: BT1024421
Component: TMOS
Symptoms:
TMM log shows clock advancing and MPI timeout messages:
notice slot1 MPI stream: connection to node aborted for reason: TCP RST from remote system (tcp.c:5201)
notice slot1 tmm[42900]: 01010029:5: Clock advanced by 6320 ticks
Conditions:
-- pva.standby.flush DB key set to 1 (enabled). The default is 0.
-- Processing high traffic volume for some time
Impact:
Upstream switch could receive flow response from both active and standby units and cause a traffic disturbance.
1023529-4 : FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory.
Links to More Info: BT1023529
Component: Local Traffic Manager
Symptoms:
Command "tmsh show sys tmm-traffic" reports non-zero number of current connections but "tmsh show sys connection" shows nothing.
Conditions:
-- A virtual server with a FastL4 profile that has infinite timeout enabled, and an iRule containing the "after" command. Using the "-periodic" argument makes the problem more prominent.
-- Aggressive sweeper activated due to low memory conditions.
Impact:
Connections that were supposed to be removed by the aggressive sweeper but were waiting for completion of an iRule may end up in a state where they are not reported by "tmsh show sys connection". Because of this issue, these connections cannot be deleted manually using "tmsh del sys connection", but remain in memory. Their presence can be confirmed by the non-zero number of current connections shown by "tmsh show sys tmm-traffic". Because of the infinite timeout setting, they will not time out by themselves either.
Workaround:
N/A
1023229-5 : False negative on specific authentication header issue
Links to More Info: BT1023229
Component: Application Security Manager
Symptoms:
Blocking does not occur on a specific authentication header issue when a non-default internal parameter is set.
Conditions:
ignore_authorization_header_decode_failure is not set to 0
Impact:
A request with an authentication header issue can pass.
Workaround:
None
1021637-5 : In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs
Links to More Info: BT1021637
Component: Application Security Manager
Symptoms:
CSRF is sometimes enforced on URLs that do not match the CSRF URLs list
Conditions:
ASM policy with CSRF settings
Impact:
URLs that do not match the CSRF URLs list can be blocked due to CSRF violation.
Workaround:
None
1021609-5 : Improve matching of URLs with specific characters to a policy.
Links to More Info: BT1021609
Component: Application Security Manager
Symptoms:
Request with a URL containing specific characters is not matched to the correct policy.
Conditions:
URL of request contains specific percent-encoded characters.
Impact:
The request will not be matched by an expected policy rule.
Workaround:
Add an additional rule with explicit decoded characters.
1020717-5 : Policy versions cleanup process sometimes removes newer versions
Links to More Info: BT1020717
Component: Application Security Manager
Symptoms:
The policy versions cleanup process sometimes removes versions in incorrect order. Newer versions are removed while older versions are preserved.
Conditions:
"maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg" has very low value.
Impact:
Newer versions are removed.
Workaround:
Increase the value of the "maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg".
1020645-7 : When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered
Links to More Info: BT1020645
Component: Local Traffic Manager
Symptoms:
In an explicit proxy configuration when an HTTP request is sent to an HTTPS destination server via proxy, the HTTP CONNECT method is sent, but the iRule event HTTP_RESPONSE_RELEASE is not fired.
Conditions:
- Simple HTTP explicit proxy virtual server
- An HTTP request from the client is sent to an 'https://' destination server
Impact:
iRule event HTTP_RESPONSE_RELEASE does not get triggered.
Workaround:
None
1019829-4 : Configsync.copyonswitch variable is not functioning on reboot
Links to More Info: BT1019829
Component: TMOS
Symptoms:
Configsync.copyonswitch variable is not functioning properly during reboot to another partition
Conditions:
-- db variable configsync.copyonswitch modified
-- hostname is changed in global-settings
-- reboot to another partition
Impact:
The hostname will be changed back to the default hostname after reboot
1019261-4 : In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile.
Links to More Info: BT1019261
Component: In-tmm monitors
Symptoms:
HTTPS monitors with SSL profile set to None (default) will not use the default ServerSSL profile of "serverssl" when In-TMM monitoring is enabled. Instead, another internal ServerSSL profile is used which has different values from "serverssl".
Conditions:
-- In-TMM monitoring is enabled
-- HTTPS monitor(s) with SSL profile field is set to the default of "None"
Impact:
The TLS settings for the HTTPS monitor probes will not match those of the ServerSSL "serverssl" profile and may cause unexpected behavior such as utilizing TLS 1.3 (disabled by default in the "serverssl" profile) or random session IDs.
Workaround:
Specify a ServerSSL profile in every HTTPS monitor when using In-TMM monitoring.
Attaching the profile "serverssl" will result in the same behavior that SSL Profile "none" should provide, given that the "serverssl" profile should be the default.
1017557-5 : ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN
Links to More Info: BT1017557
Component: Application Security Manager
Symptoms:
ASM BD sends a reset back to the client when the backend server sends a chunked response without a proper terminating 0 chunk followed by FIN.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Backend server sends a bad chunked response
Impact:
Valid requests can be reset.
Workaround:
Any one of the following workarounds can be applied:
-- Fix the backend server behavior.
-- Fix the bad response with an iRule that appends the proper terminating 0 chunk.
-- Set the ASM internal parameter bypass_upon_load to 1:
/usr/share/ts/bin/add_del_internal update bypass_upon_load 1
1011081-4 : Connection lost to the Postgres client during the BIG-IP bootup process
Links to More Info: BT1011081
Component: TMOS
Symptoms:
During the BIG-IP boot process, mcpd loses its connection to Postgres with a FATAL "Broken Pipe" error.
Conditions:
-- BIG-IP devices are configured in high availability (HA).
-- The BIG-IP configuration has keys stored in the Postgres database.
Impact:
Mcpd loses its connection to Postgres with a FATAL "Broken Pipe" error.
1010809-4 : Connection is reset when sending a HTTP HEAD request to APM Virtual Server
Links to More Info: BT1010809
Component: Access Policy Manager
Symptoms:
Connection is reset when sending an HTTP HEAD request to an APM virtual server.
Conditions:
-- A virtual server with APM implemented
-- An HTTP HEAD request is sent to the virtual server
Impact:
Connection is reset
Workaround:
To work around this issue, implement the following iRule on the virtual server. It answers HEAD requests for "/" directly so they never reach the access policy; other methods and paths pass through unchanged:
when HTTP_REQUEST priority 500 {
    # Only HEAD to "/" is handled here; widen the path test if other paths are affected.
    if { [HTTP::method] equals "HEAD" && [HTTP::path] equals "/" } {
        HTTP::respond 404
    }
}
1009793-4 : Tmm crash when using ipsec
Component: TMOS
Symptoms:
Tmm crashes.
Conditions:
-- The sys db variable ipsec.removeredundantsa is set to enable.
-- The sys db variable ipsec.removeredundantsa.delay is set to 1.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Set the sys db variable ipsec.removeredundantsa to disable, and set the sys db variable ipsec.removeredundantsa.delay to 0.
1009337-3 : LACP trunk down due to bcm56xxd send failure
Links to More Info: BT1009337
Component: TMOS
Symptoms:
LACP reports trunk(s) down. lacpd reports trouble writing to bcm56xxd over the Unix domain socket /var/run/uds_bcm56xxd.
Conditions:
Not known at this time.
Impact:
An outage was observed.
Workaround:
Restart bcm56xxd, lacpd, and lldpd daemons.
1006449-3 : The default size of the subagent object cache possibly leading to slow snmp response time★
Links to More Info: BT1006449
Component: TMOS
Symptoms:
After upgrading from a 13.1.x release to a later release (such as 15.1.x), BIG-IP CPU utilization increases and SNMP is slow to respond.
Conditions:
SNMP client repeatedly polls BIG-IP for OIDs in multiple tables over a short period of time.
Impact:
SNMP queries take an unusually long time to return data, and BIG-IP CPU utilization is higher.
Workaround:
To the file /config/snmp/bigipTrafficMgmt.conf, add one line with the following content:
cacheObj 16
This could be accomplished by executing the following command line from bash:
# echo "cacheObj 16" >> /config/snmp/bigipTrafficMgmt.conf
After the above config file has been modified and saved, the "snmpd" daemon must be restarted, using one of two command variants:
(on a BIG-IP appliance or VE system)
# bigstart restart snmpd
(on a multi-slot VIPRION or vCMP guest)
# clsh bigstart restart snmpd
(However, this adjustment will be lost when the BIG-IP software is next upgraded.)
1004697-4 : Saving UCS files can fail if /var runs out of space
Links to More Info: BT1004697
Component: iApp Technology
Symptoms:
When saving a UCS, /var can fill up leading to UCS failure and the following log message:
err diskmonitor[1441]: 011d0004:3: Disk partition /var has only 0% free
Conditions:
-- iApps LX installed.
-- Multiple iApps LX applications.
-- A /var partition of 1.5 GB.
Impact:
UCS archives can not be created.
Workaround:
You can use either of the following workarounds:
-- Manually remove the /var/config/rest/node/tmp/BUILD and /var/config/rest/node/tmp/BUILDROOT directories.
-- Increase the size of /var/. For information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952
1003765-3 : Authorization header signature triggered even when explicitly disabled
Links to More Info: BT1003765
Component: Application Security Manager
Symptoms:
Requests with base64 encoded Authorization header with disabled signatures might result in a blocking page even though the specific signature is disabled.
Conditions:
Base64 encoded Authorization header is included in the request.
Impact:
A signature violation is detected, even though the signature is disabled.
Workaround:
None
1003377-4 : Disabling DoS TCP SYN-ACK does not clear suspicious event count option
Links to More Info: BT1003377
Component: Advanced Firewall Manager
Symptoms:
When the 'Only Count Suspicious Events' option is turned on for the TCP SYN ACK Flood vector and the vector gets disabled, TMM continues operating as if 'Only Count Suspicious Events' is still configured.
Conditions:
Disabling TCP SYN ACK Flood vector with 'Only Count Suspicious Events' enabled.
Impact:
BIG-IP system might continue altering TCP initial sequence numbers for SYN-ACK cookie validations.
Workaround:
Disable the 'Only Count Suspicious Events' option first, and then disable TCP SYN ACK Flood vector.
1002969-5 : Csyncd can consume excessive CPU time★
Links to More Info: BT1002969
Component: Local Traffic Manager
Symptoms:
Following a configuration change or software upgrade, the "csyncd" process becomes always busy, consuming excessive CPU.
Conditions:
-- occurs on a multiblade VIPRION chassis
-- may occur with or without vCMP
-- may occur after configuring F5 Telemetry Streaming, but may also occur in other circumstances
-- large numbers of files are contained in one or more of the directories being sync'ed between blades
Impact:
The overuse of CPU resources by "csyncd" may starve other control-plane processes. Handling of payload network traffic by the data plane is not directly affected.
Workaround:
To mitigate the processing load, identify which directory or directories contain excessive numbers of files being replicated between blades by "csyncd". If this replication is not absolutely needed (see below), such a directory can be removed from the set of directories being sync'ed.
For example: if there are too many files being generated in the "/run/pamcache" directory (same as "/var/run/pamcache"), remove this directory from the set being acted upon by "csyncd" by running the following commands to comment-out the associated lines in the configuration file:
# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
# clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"
# clsh "bigstart restart csyncd"
If the problem was observed soon after the installation of F5 Telemetry Streaming, the configuration can be adjusted to make csyncd ignore the related files in a subdirectory of "/var/config/rest/iapps". Run the following commands:
# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
# clsh "sed -i '/\/var\/config\/rest\/iapps/a \ \ \ \ \ \ \ \ ignore f5-telemetry' /etc/csyncd.conf"
# clsh "bigstart restart csyncd"
----
The impact of disabling replication for the pamcache folder is that in the event of a primary blade failover, the new primary blade would not be aware of the existing valid auth tokens, so the user (eg, a GUI user, or a REST script already in progress at the time of the failover) would need to authenticate again.
1000561-6 : HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side
Links to More Info: BT1000561
Component: Local Traffic Manager
Symptoms:
HTTP/2 virtual servers pass the chunk size bytes from the server-side (HTTP/1.1) to the client-side (HTTP/2) when OneConnect and request-logging profiles are applied.
This results in a malformed HTTP response.
Conditions:
-- BIG-IP configured with an HTTP/2 virtual server using OneConnect and request-logging profiles.
-- The pool member sends a chunked response.
Impact:
The HTTP response passed to the client-side includes chunk size header values when it should not, resulting in a malformed HTTP response.
Workaround:
Change HTTP response-chunking to either 'unchunk' or 'rechunk' in the HTTP profile for the virtual server.
1000069-5 : Virtual server does not create the listener
Links to More Info: BT1000069
Component: Local Traffic Manager
Symptoms:
A virtual-address is in an offline state.
Conditions:
An address-list is used on a virtual server in a non-default route domain.
Impact:
The virtual IP address remains in an offline state.
Workaround:
Using tmsh, create the traffic-matching-criteria. Specify the route domain, and attach it to the virtual server.
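The workaround as a tmsh sequence, added here as an illustration and not taken from the page or from F5. The object names, addresses, port and route domain (rd1, assumed to already exist as a net route-domain) are made up; the property names are the ones documented for ltm traffic-matching-criteria, but confirm them with tmsh help ltm traffic-matching-criteria on the version in use before relying on this.

```tmsh
# Address list of VIPs. Address lists carry no route-domain suffix; the route
# domain is supplied by the traffic-matching-criteria below. Names assumed.
create net address-list vip_addrs_rd1 addresses add { 10.1.10.100 10.1.10.101 }

# The traffic-matching-criteria binds the address list to route domain rd1,
# which is what the plain address-list-on-virtual form fails to do.
create ltm traffic-matching-criteria tmc_vips_rd1 {
    destination-address-list vip_addrs_rd1
    destination-port-inline 443
    source-address-inline 0.0.0.0
    protocol tcp
    route-domain rd1
}

# The virtual server references the criteria instead of a destination/port.
create ltm virtual vs_https_rd1 {
    traffic-matching-criteria tmc_vips_rd1
    profiles add { tcp http clientssl }
    pool pool_web_rd1
}

# Check: the virtual addresses should now show as available rather than offline.
show ltm virtual-address
```

If the virtual address still reports offline after this, confirm that the route domain named in the criteria is the one the pool members and client traffic actually use; the listener is created in that route domain, not in route domain 0.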
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/