989517-4 : Acceleration section of virtual server page not available in DHD

Links to More Info: BT989517

Component: TMOS

Symptoms:
Cannot use Advanced Menu to create a virtual server for HTTP/2 on systems with DHD licenses. This occurs because the Acceleration section is not available.

You can via TMSH then it works, but at as soon as you use the GUI to modify the virtual server, it loses the HTTP/2 configuration.

Conditions:
The Acceleration section is not visible in case 'DoS' is provisioned (available with the DHD license).

Impact:
1) You are unable to use the GUI to modify any parameters of the Acceleration table in the virtual server page.

2) Loss of configuration items if making changes via the GUI.

Workaround:
A virtual server with parameters present in the Acceleration table can still be created using TMSH. However, do not edit that virtual server in the GUI, or the Acceleration parameters will be lost.

Fix:
The Acceleration table is now visible, and there is no loss of configuration items if making changes via the GUI.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1

977153-6 : Packet with routing header IPv6 as next header in IP layer fails to be forwarded

Links to More Info: BT977153

Component: Advanced Firewall Manager

Symptoms:
BIG-IP systems fail to follow RFC 5095, which specifies the traffic should be forwarded.

Conditions:
This symptom is found when the following conditions are met:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.

Impact:
This failure in forwarding ICMP error message prevents the BIG-IP AFM product from completing certification.

Workaround:
None.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7

957637-4 : The pfmand daemon can crash when it starts.

Links to More Info: BT957637

Component: TMOS

Symptoms:
The pfmand process crashes and writes out a core file during bootup (or if the process is manually restarted by an Administrator for any reason) on certain platforms.

The crash may happen more than once, until the process finally settles and is able to start correctly.

Conditions:
-- Platforms i4000/i2000/i4800/i2800/i4600/i2600/i850.

Impact:
Network connection lost while pfmand restarts.

Workaround:
None

Fix:
The issue causing the pfmand daemon to occasionally crash has been resolved.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1

948241-5 : Count Stateful anomalies based only on Device ID

Links to More Info: BT948241

Component: Application Security Manager

Symptoms:
Currently when Device ID is enabled, the BIG-IP system counts stateful anomalies on both IP and Device ID. When a client has a proxy (without XFF), and many requests arrive with the same IP, this can cause false positives

Conditions:
- Bot Defense profile is attached to a virtual server.
- Bot Defense profile has "Browser Verification" set to "Verify After Access" or "Device ID Mode" set to "Generate After Access".

Impact:
False positives may occur in case of a proxy without XFF

Workaround:
None

Fix:
Stateful anomalies are no longer counted on IP when Device ID is enabled

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1

947333-1 : Irrelevant content profile diffs in Policy Diff

Links to More Info: BT947333

Component: Application Security Manager

Symptoms:
Defense attributes' grayed out values are shown in the policy diff even if "any" is selected

Conditions:
-- Import a policy
-- Perform a policy diff

Impact:
Policy diff showing irrelevant diffs

Workaround:
None

Fix:
Removed grayed out diffs from policy diff content profile section

Fixed Versions:
17.0.0.1, 16.1.3.1

940225-5 : Not able to add more than 6 NICs on VE running in Azure

Links to More Info: BT940225

Component: TMOS

Symptoms:
Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot.

Conditions:
-- Standard_DS4_v2 Azure instance type.
-- Mellanox ConnectX-3 ethernet controller.
-- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set.
-- Accelerated networking is enabled on two or more NICs.

Impact:
Not able to boot BIG-IP VM with 8 NICs, which should be supported for Standard_DS4_v2 instance type:
8 vCPU
28 GiB
8 Max NICs

Adding more NICs to the instance makes the device fail to boot.

Workaround:
None

Fixed Versions:
17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1

922413 : Excessive memory consumption with ntlmconnpool configured

Links to More Info: BT922413

Component: Local Traffic Manager

Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client side connections. It holds HTTP authentication headers which is no longer necessary once a client is authenticated.

Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.

Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.

Workaround:
None.

Fix:
When an NTLM Conn Pool profile is attached to a virtual server, it no longer causes memory pressure on a large number connections with NTLM authentication.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7

919357-9 : iControl REST hardening

Links to More Info: K22505850, BT919357

911585-6 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval

Links to More Info: BT911585

Component: Policy Enforcement Manager

Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.

Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)

Impact:
Session is not established.

Workaround:
None.

Fix:
Enhanced application to accept new sessions under problem conditions.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7

890917-10 : Performance may be reduced while processing SSL traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM and MCP may consume excessive resources while processing SSL traffic.

Conditions:
-- Using a virtual server with OCSP auth configured.

Impact:
High resource consumption may lead to reduced performance and eventually to a failover event.

Workaround:
None.

Fix:
TMM and MCP now process SSL traffic as expected.

Fixed Versions:
17.0.0.2, 15.1.8.1

886649-6 : Connections stall when dynamic BWC policy is changed via GUI and TMSH

Links to More Info: BT886649

Component: TMOS

Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.

Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.

Impact:
Connection does not transfer data.

Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.

Fixed Versions:
17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1

886533-4 : Icap server connection adjustments

Links to More Info: BT886533

Component: Application Security Manager

Symptoms:
Request getting to the ICAP server takes a long time to process (several seconds), which makes the whole transaction slower than expected. When testing the connection to the ICAP server itself, you determine that it is fast.

Conditions:
This happens especially with large file uploads that are mixed with smaller file uploads. The smaller uploads are waiting for the bigger upload.

Impact:
Slow responses to specific requests.

Workaround:
None.

Fix:
This release provides greater responsiveness of the internal queue to the ICAP thread.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1

832133-6 : In-TMM monitors fail to match certain binary data in the response from the server

Links to More Info: BT832133

Component: In-tmm monitors

Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system marks them DOWN.

Conditions:
This issue occurs when all of the following conditions are met:

- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).

- One or more TCP or HTTP monitors specify a receive string using HEX encoding, in order to match binary data in the server's response.

- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.

Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.

Workaround:
Either one of the following workarounds can be used:

- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.

- Do not monitor the application through a binary response (if the application allows it).

Fix:
The monitor finds the recv string and shows the pool or member as available.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7

748886-5 : Virtual server stops passing traffic after modification

Links to More Info: BT748886

Component: Local Traffic Manager

Symptoms:
A virtual server stops passing traffic after changes are made to it.

Conditions:
-- Virtual server is using a port-list or address-list
-- High availability (HA) environment with multiple traffic groups
-- A change is made to the virtual server

Impact:
Every time you make changes to the virtual server, the traffic-group for the virtual address is changed, and traffic goes down.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1

740321-5 : iControl SOAP API does not follow current best practices

Links to More Info: K50310001, BT740321

1174873-5 : The location header query string separate is converted from "?" to "%3F" breaking multi-domain

Links to More Info: BT1174873

Component: Access Policy Manager

Symptoms:
In muti-domain Single Sign-On (SSO), the location header query string separate is converted from "?" to "%3F" breaking multi-domain.

Conditions:
- Create an access policy with a redirect to login page.

Impact:
Breaking multi-domain.

Workaround:
None

Fix:
Issue is with the normalized URL function, removed the search filter parameters normalization.

Fixed Versions:
17.0.0.2, 15.1.8.1

1143073-5 : iControl SOAP vulnerability CVE-2022-41622

Links to More Info: K94221585, BT1143073

1134085-3 : Intermittent TMM core when iRule is configured with SSL persistence

Links to More Info: BT1134085

Component: Local Traffic Manager

Symptoms:
The TMM core file is observed.

Conditions:
Under certain conditions, the TMM core file is observed with iRule and SSL persistence.

Impact:
TMM core file is observed.

Workaround:
Perform either of the following tasks:

- Disable SSL persistence
- Disable iRule

Fix:
Added fix to handle cases which can lead to the TMM core file generation.

Fixed Versions:
17.0.0.2, 15.1.8.1

1128245 : Secure Vault value created as part of block restricted property does not sync to the peer after High Availability (HA) sync

Links to More Info: BT1128245

Component: TMOS

Symptoms:
Restricted storage ID is not synced to standby device.
Following is an example:

[root@bigip1ha:Standby:In Sync] config # restcurl shared/restricted-store/storage/39cf9918-dbf6-4097-8817-bfe9ae436f62
{
  "code": 404,
  "message": "shared/restricted-store/storage/39cf9918-dbf6-4097-8817-bfe9ae436f62",
  "restOperationId": 6888310,
  "errorStack": [],
  "kind": ":resterrorresponse"
}

Conditions:
The sync SSL Orchestrator iApp block configuration with restricted property through HA Migration.

Impact:
- On Standby device edit SSLO iApp block configuration and then deployment will be failed.
- Decryption of the restricted Properties on standby device will not work.

Workaround:
Use the following steps:

1. GET on shared/restricted-store/storage to find the restricted ID for the corresponding iApp template.

Following is an example:
Active:
=======
[root@bigip1:Active:In Sync] config # restcurl shared/restricted-store/storage/c6fe376d-ac88-42bd-8b57-fac96709bb17
{
  "id": "c6fe376d-ac88-42bd-8b57-fac96709bb17",
  "encryptedData": "yjKX6Pz93wGF8qgvKuleYK+AeqIy3CiemI8shZsAy9nPQlfALl0RkgerwVDKI2NRTPsb/3kllb4wJj3oUydj7pQpqh82p5zUKuFKOJWLrG7spDijeFMlR/mI40fbvjB6JShaXSKiwyZtseq1tR/FHSNnbZhRaPg7qF5EwKay+DXHKihKrblvLI8aKe/+fOKN",
  "generation": 1,
  "lastUpdateMicros": 1666691181977380,
  "kind": "shared:restricted-store:storage:restrictedstorestate",
  "selfLink": "https://localhost/mgmt/shared/restricted-store/storage/c6fe376d-ac88-42bd-8b57-fac96709bb17"
}
Standby:
========

2. Make sure storage is not synced in Standby.
Following is an example:
[root@bigip1ha:Standby:In Sync] config # restcurl shared/restricted-store/storage/c6fe376d-ac88-42bd-8b57-fac96709bb17
{
  "code": 404,
  "message": "shared/restricted-store/storage/c6fe376d-ac88-42bd-8b57-fac96709bb17",
  "restOperationId": 6888310,
  "errorStack": [],
  "kind": ":resterrorresponse"
}

[root@bigip1ha:Standby:In Sync] config # restcurl shared/restricted-store/storage/
{
  "items": [],
  "generation": 4,
  "kind": "shared:restricted-store:storage:restrictedstorecollectionstate",
  "lastUpdateMicros": 1666684046568524,
  "selfLink": "https://localhost/mgmt/shared/restricted-store/storage"
}

3. POST on shared/restricted-store/storage with "ID" and "encryptedData" details from Active machine.
Following is an example:
[root@bigip1ha:Standby:In Sync] config # restcurl shared/restricted-store/storage/ -X POST -d '{"id": "c6fe376d-ac88-42bd-8b57-fac96709bb17",
  "encryptedData": "yjKX6Pz93wGF8qgvKuleYK+AeqIy3CiemI8shZsAy9nPQlfALl0RkgerwVDKI2NRTPsb/3kllb4wJj3oUydj7pQpqh82p5zUKuFKOJWLrG7spDijeFMlR/mI40fbvjB6JShaXSKiwyZtseq1tR/FHSNnbZhRaPg7qF5EwKay+DXHKihKrblvLI8aKe/+fOKN"}'
{
  "id": "c6fe376d-ac88-42bd-8b57-fac96709bb17",
  "encryptedData": "yjKX6Pz93wGF8qgvKuleYK+AeqIy3CiemI8shZsAy9nPQlfALl0RkgerwVDKI2NRTPsb/3kllb4wJj3oUydj7pQpqh82p5zUKuFKOJWLrG7spDijeFMlR/mI40fbvjB6JShaXSKiwyZtseq1tR/FHSNnbZhRaPg7qF5EwKay+DXHKihKrblvLI8aKe/+fOKN",
  "generation": 1,
  "lastUpdateMicros": 1666692760785557,
  "kind": "shared:restricted-store:storage:restrictedstorestate",
  "selfLink": "https://localhost/mgmt/shared/restricted-store/storage/c6fe376d-ac88-42bd-8b57-fac96709bb17"
}

4. Make sure Storage created with same ID as Active in the standby.
Following is an examlpe:
[root@bigip1ha:Standby:In Sync] config # restcurl shared/restricted-store/storage/
{ "items": [
    {
      "id": "c6fe376d-ac88-42bd-8b57-fac96709bb17",
      "encryptedData": "yjKX6Pz93wGF8qgvKuleYK+AeqIy3CiemI8shZsAy9nPQlfALl0RkgerwVDKI2NRTPsb/3kllb4wJj3oUydj7pQpqh82p5zUKuFKOJWLrG7spDijeFMlR/mI40fbvjB6JShaXSKiwyZtseq1tR/FHSNnbZhRaPg7qF5EwKay+DXHKihKrblvLI8aKe/+fOKN",
      "generation": 1,
      "lastUpdateMicros": 1666692760785557,
      "kind": "shared:restricted-store:storage:restrictedstorestate",
      "selfLink": "https://localhost/mgmt/shared/restricted-store/storage/c6fe376d-ac88-42bd-8b57-fac96709bb17"
    }
  ],
  "generation": 5,
  "kind": "shared:restricted-store:storage:restrictedstorecollectionstate",
  "lastUpdateMicros": 1666692760786844,
  "selfLink": "https://localhost/mgmt/shared/restricted-store/storage"
}

5. Decrypt the restricted Properties using Block-Id and restrictedId
Following is an example:
[root@bigip1ha:Standby:In Sync] config # restcurl shared/restricted-store/crypto -X POST -d '{"operation": "DECRYPT", "salt": "3100c16e-1c9d-4aff-bdfd-780fbe14dce6", "id": "c6fe376d-ac88-42bd-8b57-fac96709bb17"}'{
  "data": {
    "list": [
      {
        "id": "T_1666691134763633",
        "type": "STRING",
        "value": "password"
      },
      {
        "id": "T_1666691134763447",
        "type": "STRING",
        "value": "password"
      }
    ]
  },
  "generation": 0,
  "lastUpdateMicros": 0
}

6. In webUI, edit the same template on standby and deploy the application. Deployment is successful and no error observed.

Fixed Versions:
17.0.0.1

1113385-5 : Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP

Links to More Info: BT1113385

Component: TMOS

Symptoms:
REST tokens which are present in /var/run/pamcache on BIG-IP are not deleted after token expiration when there are a large number of tokens.

Conditions:
When a large number of tokens are generated.

Impact:
Disk space exhausted on the BIG-IP system.

Workaround:
Try to remove token files from /var/run/pamcache manually.
# rm -f /var/run/pamcache/*

Fix:
Expired token are removed from /var/run/pamcache by the BIG-IP system.

Fixed Versions:
17.0.0.2, 15.1.8.1

1112445-1 : Fix to avoid zombie node on the chain

Component: Local Traffic Manager

Symptoms:
TMM crashing because of not removing complete nodes

Conditions:
Flush to finally remove complete nodes will avoids the TMM crash and avoids leaving zombie nodes

Impact:
Subsequent activities on the connection could lead to TMM to crash or misbehave in a variety of ways.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.0.0.2

1108181-5 : iControl REST call with token fails with 401 Unauthorized

Links to More Info: BT1108181

Component: TMOS

Symptoms:
For a short period after creating or refreshing a token, the iControl REST calls may fail with a 401 Unauthorized error and an HTML body content, or a 401 F5 Authorization Required error and a JSON body content.

When using F5 Ansible modules for BIG-IP, the modules may fail with an error "Expecting value: line 1 column 1 (char 0)".

The AS3 may return an error "AS3 API code: 401".

Conditions:
- REST call using valid token.
- Can commonly occur on the call after a token has been refreshed or a Token list has been requested.

Impact:
The iControl REST calls may temporarily fail (typically less than 1 second) after the creation or refresh of an iControl REST token.

Workaround:
After being issued a token or refreshing a token, wait a second before attempting to use it.

If this does not work, request a new token.

No workaround exists for AS3 or F5 Ansible BIG-IP modules.

Fix:
A race condition on a PAM file update has been resolved. Tokens should remain valid.

Fixed Versions:
17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1

1107437-4 : TMM may crash when enable-rapid-response is enabled on a DNS profile

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crash

Conditions:
The "enable-rapid-response" is enabled on a DNS profile. The BIG-IP is a platform that has hardware syncookie capability.

Impact:
TMM restart, unexpected failover

Workaround:
Disable rapid response or disable syncookies in the tcp profile attached to the rapid response virtual server.

Fix:
TMM no longer crashes

Fixed Versions:
17.0.0.2, 15.1.8.1

1106289-1 : TMM may leak memory when processing sideband connections.

Links to More Info: K43024307, BT1106289

1106161-1 : Securing iControlRest API for appliance mode

Links to More Info: K13325942, BT1106161

1105389-3 : Incorrect HTTP request handling may lead to resource leak

Component: Application Security Manager

Symptoms:
Under certain configurations specific HTTP requests may cause BD to waste resources and hang during the ingress process.

Conditions:
An unspecified virtual server configuration attached to an ASM policy.

Impact:
Excess resource consumption on the BIG-IP.

Traffic disruption while TMM restarts.

Workaround:
Configure high availability.

Fix:
The connection handling between the enforcer and the client after a response violation is received has been corrected.

Fixed Versions:
17.0.0.2, 15.1.8

1104493-2 : Client-side abort during server-side establishment may cause tmm to behave abnormally in HTTP MRF proxy

Links to More Info: K90024104, BT1104493

1104073-1 : Use of iRules command whereis with "isp" or "org" options may cause TCL object leak.

Links to More Info: BT1104073

Component: Local Traffic Manager

Symptoms:
When iRules command whereis is being used with "isp" or "org" options and underlying GEOIP database(s) have not been loaded,
cur_allocs for tcl memory increases over time and does not return to the prior level.

Conditions:
- iRules command whereis is used with "isp" or "org" options
- The underlying GEOIP database(s) have not been loaded

Impact:
Cur_allocs for tcl memory increases over time and does not return to the prior level.

Workaround:
Load the underlying GEOIP database(s) before using "isp" or "org" options of the iRules command whereis.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7

1103369-1 : DELETE of REST auth token does not result in deletion of the pamcache token file on a multi slot VIPRION chassis or vCMP guest

Links to More Info: BT1103369

Component: TMOS

Symptoms:
Deletion of REST tokens from cache /var/run/pamcache is not happening when the token expires or is deleted.

Conditions:
A large number of REST auth tokens get created.
Multi-slot VIPRION or Multi-slot vCMP Guest.

Impact:
The deleted token is still present in the cache.
Memory is consumed as a cache is stored in an in-memory filesystem

Workaround:
Remove the pamcache directory from the set being acted upon by "csyncd" by running the following commands in bash:

    # clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"

    # clsh "sed -i '/run＼/pamcache/,+2s/^/#/' /etc/csyncd.conf"

    # clsh "bigstart restart csyncd"

Fix:
Auth tokens in /run/pamcache are deleted as required.

Fixed Versions:
17.0.0.2, 15.1.8.1

1103233-1 : Diameter in-tmm monitor is logging disconnect events unnecessarily

Links to More Info: BT1103233

Component: Service Provider

Symptoms:
Errors are logged to /var/log/ltm:

err tmm[20104]: 01cc0006:3: Peer (<peer>) connection state has changed: disconnected

Conditions:
A diameter in-tmm monitor is configured

Impact:
Debug logs are logged at the error level.

Workaround:
None

Fix:
Log level has been changed to the debug level for the peer disconnected log.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7

1101705-1 : RSA-KEX ciphers list are removed from httpd configuration in FIPS mode since these are non-approved ciphers for FIPS 140-3 certification

Links to More Info: BT1101705

Component: TMOS

Symptoms:
- RSA-KEX ciphers list are removed from httpd configuration when FIPS mode is enabled since these are non-approved ciphers for FIPS 140-3 certification.
- Mandatory fix for FIPS 140-3 Certification.

Conditions:
- BIG-IP versions 16.1.3 and above.
- Applies to systems requiring FIPS 140-3 Certification.
- FIPS 140-3 license is installed on BIG-IP or its a FullBoxFIPS device.
- https connections are established using the RSA-KEX based ciphers

Impact:
- BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be running a FIPS 140-3 certified configuration.
- https connection using RSA KEX ciphers will not be successful when FIPS 140-3 license is installed in the device.

Workaround:
None

Fix:
Apply this fix to ensure that the system is compliant with FIPS 140-3 Certification.

Fixed Versions:
17.0.0.1, 16.1.3

1097821-1 : Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified

Links to More Info: BT1097821

Component: Access Policy Manager

Symptoms:
Creating an APM policy image file with source_path attribute fails.

Conditions:
APM provisioned

Impact:
You are unable to use the source_path attribute for creating APM customization image files.

Workaround:
Copy the image file to one of the directories of /var/config/rest/, /var/tmp/, /shared/tmp/ and use local_path instead of source_path.

E.g. create apm policy image-file test.jpg local-path /var/tmp/<file name>

Fixed Versions:
17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5

1093821-5 : TMM may behave unexpectedly while processing HTTP traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing HTTP traffic

Conditions:
- HTTP profile enabled

Impact:
TMM may crashing leading to a traffic interruption and failover event.

Fix:
TMM now processes HTTP traffic as expected.

Fixed Versions:
17.0.0.2

1093621-5 : Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP

Links to More Info: K10347453

1091761-5 : Mqtt_message memory leaks when iRules are used

Links to More Info: BT1091761

Component: Local Traffic Manager

Symptoms:
Mqtt_message memory leaks when iRules like insert_after, insert_before, and respond are used.

Conditions:
Basic mqtt virtual server with any of the below rules ->insert_after
>insert_before
>respond

Impact:
Memory leak occurs and TMM may crash

Workaround:
NA

Fix:
There is no longer a memory leak with iRules usage

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1

1091345-1 : The /root/.bash_history file is not carried forward by default during installations.

Links to More Info: BT1091345

Component: TMOS

Symptoms:
By default, the /root/.bash_history file is not included in the UCS archives. As such, this file is not rolled forward during a software installation.

Conditions:
Performing a BIG-IP software installation.

Impact:
This issue may hinder the efforts of F5 Support should the need to determine what was done prior to a software installation arise.

Workaround:
None

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1

1091249-1 : BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address.

Links to More Info: BT1091249

Component: Global Traffic Manager (DNS)

Symptoms:
As BIG-IP DNS and Link Controller systems connect with one another (or with monitored BIG-IP systems) over iQuery, you may notice:

-- Log messages that specify IPv6 translation addresses non-existent in your configuration and often meaningless (as in not pertaining to some of the more common IPv6 address spaces). For example:

debug gtmd[24229]: 011ae01e:7: Creating new socket to connect to 2001::1 (a06d:3d70:fd7f:0:109c:7000::)

-- If you restart the gtmd daemon, the IPv6 translation address mentioned above between parenthesis changes to a new, random meaningless value.

-- The GTM portion of the configuration fails to synchronize.

Conditions:
IPv6 translation addresses are in use in relevant objects.

Impact:
The logs are misleading and the GTM portion of the configuration may fail to synchronize.

Workaround:
If possible, do not use IPv6 translation addresses.

Fix:
IPv6 translation addresses now function as designed.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1

1090649-4 : PEM errors when configuring IPv6 flow filter via GUI

Links to More Info: BT1090649

Component: Policy Enforcement Manager

Symptoms:
An error occurs while configuring an IPv6 flow filter using the GUI:
0107174e:3: The source address (::) and source netmask (0.0.0.0) addresses for pem flow info filter (filter0) must be be the same type (IPv4 or IPv6).

Conditions:
Configuring an IPv6 flow filter using the GUI

Impact:
You are unable to configure the IPv6 flow filter via the GUI

Workaround:
The error does not occur when using tmsh.

Fix:
Modified the IPv6 Validation. Able to create IPV6 flow filter after the fix

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1

1090569-2 : After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV

Links to More Info: BT1090569

Component: TMOS

Symptoms:
Some SSL handshakes are fail when using the CRL certificate validator and tmm crashes.

Conditions:
-- TLS virtual server
-- The virtual server passes network traffic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed a tmm crash related to the CRL certificate validator.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1

1089849-1 : NIST SP800-90B compliance

Links to More Info: BT1089849

Component: TMOS

Symptoms:
Common Criteria and FIPS 140-3 certifications require compliance with NIST SP800-90B; this completes that compliance.

Conditions:
This applies to systems requiring Common Criteria and/or FIPS 140-3 compliance.

Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be using a Common Criteria and/or FIPS 140-3 certified configuration.

Workaround:
None

Fix:
Apply this fix to ensure that the system is compliant with NIST SP800-90B.

Fixed Versions:
17.0.0.1, 16.1.3

1087621-3 : IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload

Links to More Info: BT1087621

Component: TMOS

Symptoms:
The tunnel stops working after initially starting with no problem.

The BIG-IP will send a bad KE (Key Exchange) Payload when rekeying the IKE SA with ECP.

Conditions:
-- IKEv2
-- ECP PFS
-- Peer attempts to re-key IKE SA (CREATE_CHILD SA) over existing IKE SA.

Impact:
IPsec tunnels stop working for periods of time.

Workaround:
Do not use ECP for PFS.

Fix:
ECP will work correctly when rekeying.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1

1085729-1 : bd may crash while processing specific request

Links to More Info: K47204506, BT1085729

1084993-5 : [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching

Links to More Info: BT1084993

Component: Policy Enforcement Manager

Symptoms:
E2e id and h2h id in Re-Authorisation Answer from PEM to OCS is not matching with Re-Authorisation Request from OCS to PEM.

Conditions:
Diameter-endpoint configuration. PCEF(PEM) communicating over gy interface with OCS for quota information.

Impact:
OCS will not be able to determine for which RAR it got RAA. This is catastrophic for billing.

Workaround:
None

Fix:
There was conversion issue in PEM, fixed it.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7

1084673-1 : GTM Monitor "require M from N" status change log message does not print pool name

Links to More Info: BT1084673

Component: Global Traffic Manager (DNS)

Symptoms:
The number of probes that are succeeding is changing in between different windows in which the "N" number of probes were sent.

Conditions:
- GTM/DNS is provisioned
- A "require M from N" monitor rule is assigned to a gtm pool or an individual gtm pool member.

Impact:
The log written to provide information on the changing number of successful probes does not contain information about the pool member.

Workaround:
None

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1

1084257-1 : New HTTP RFC Compliance check for incorrect newline separators in headers

Component: Application Security Manager

Symptoms:
ASM is not enforcing incoming HTTP requests headers ending with LF('＼n')

Conditions:
Any HTTP request with LF('＼n') as the only header separator will pass ASM without enforcement

Impact:
Invalid requests according to RFC might pass through ASM enforcement

Fix:
HTTP requests with LF('＼n') as the only header separator are enforced, and "Unparsable request content" is reported

Fixed Versions:
17.0.0.1, 15.1.7

1084013-5 : TMM does not follow TCP best practices

Links to More Info: K52494562, BT1084013

1083537-1 : FIPS 140-3 Certification

Links to More Info: BT1083537

Component: TMOS

Symptoms:
For FIPS 140-3 Certification

Conditions:
This applies to systems requiring FIPS 140-3 Certification.

Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be running a FIPS 140-3 certified configuration.

Workaround:
None

Fix:
Apply this fix to ensure that the system is compliant with FIPS 140-3 Certification.

Fixed Versions:
17.0.0.1, 16.1.2.2

1082505-1 : TLS ciphersuites including RSA-KEX are non-approved ciphers for FIPS 140-3 certification

Links to More Info: BT1082505

Component: Local Traffic Manager

Symptoms:
TLS ciphersuites including RSA KEX are non-approved ciphers as per FIPS 140-3 certification standard

Conditions:
- BIG-IP versions 16.1.3 and above
- FIPS 140-3 license is installed on BIG-IP or its a FullBoxFIPS device.
- f5-fips cipher-group is associated with SSL profiles
- Connections are established using the RSA-KEX based ciphers

Impact:
SSL handshake will not be successful.

Workaround:
Create a custom cipher-group including all the required cipher strings and associate with the SSL profiles.

Fix:
For FIPS 140-3 certification, TLS ciphersuites including RSA-KEX are reported as non-approved ciphers in fips mode, also these cipher strings have been removed from the f5-fips cipher group.

Fixed Versions:
17.0.0.1, 16.1.3

1082461-1 : The enforcer cores during a call to 'ASM::raise' from an active iRule

Links to More Info: BT1082461

Component: Application Security Manager

Symptoms:
In the case of 'ASM::raise' call execution from an iRule that contains a list length greater than 100, the enforcer (bd) will core.

Conditions:
A call to 'ASM::raise' with a list length greater than 100 from an iRule.

Impact:
Traffic disrupted while bd restarts.

Workaround:
While constructing the iRule, make sure that the list passed into 'ASM::raise' contains fewer than 100 elements.

Fix:
Fixed an enforcer core.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1

1082225-6 : Tmm may core while Adding/modifying traffic-class attached to a virtual server.

Links to More Info: BT1082225

Component: Local Traffic Manager

Symptoms:
Tmm may core with 'tmm SIGSEGV' while performing addition/updating of traffic class attached to a virtual server.

Conditions:
-- Some Traffic classes have been removed from the virtual server.
-- A new traffic class is attached to the virtual server, or modification of the existing traffic class is triggered.

Impact:
Traffic disrupted while tmm restarts.
The traffic class might not be applied as expected.

Workaround:
None

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1

1080317-4 : Hostname is getting truncated on some logs that are sourced from TMM

Links to More Info: BT1080317

Component: TMOS

Symptoms:
Hostnames in the APM, IPSEC, SAAS, FW_LOG logs that are sourced from TMM are truncated.

Conditions:
The truncation occurs when the hostname contains a period (for example "my.hostname").

Impact:
Some logs contain truncated hostnames and some contain full hostnames. The inconsistent hostnames degrade the readability and therefore the usefulness of the logs.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1

1078765-5 : Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer.

Links to More Info: BT1078765

Component: Application Security Manager

Symptoms:
A BD core may occur due to enforcement of 200004390 200004389 signatures with the combination of Arcsight remote logger enabled.

Conditions:
The request must contain 200004390 200004389 signatures with the combination of Arcsight remote logger attached to the virtual server.

Impact:
The enforcer may crash.

Workaround:
Disable 200004390 200004389 signatures.

Fix:
200004390 200004389 are now signatures enforced successfully.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7

1074517-4 : Tmm may core while adding/modifying traffic-class attached to a virtual server

Links to More Info: BT1074517

Component: Local Traffic Manager

Symptoms:
Tmm may core while adding/modifying traffic-class attached to a virtual server

Conditions:
-- Traffic class is attached to a virtual server.
-- Add an existing traffic class to a virtual server.
-- Afterwards, a new traffic class is attached to the virtual server, or modification of the existing traffic class is triggered.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1

1073625-1 : Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled.

Links to More Info: BT1073625

Component: Application Security Manager

Symptoms:
ASM policy import is successful on Active unit and it syncs to standby device, but "Apply changes" is displayed on the standby device policies page.

Conditions:
1. XML policy with learning enabled imported via TMSH.
2. Autosync with incremental sync enabled on device-group with ASM sync enabled.

Impact:
The peer (standby) unit needs to have the policies applied manually even though everything is set to auto-sync

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1

1073005-5 : iControl REST use of the dig command does not follow security best practices

Component: TMOS

Symptoms:
iControl REST does not follow security best practices when invoking the 'dig' command to perform DNS lookups via the /mgmt/tm/util/dig endpoint

Conditions:
This issue only affects standard deployments. Appliance Mode deployments are not affected

Impact:
Security best practices are not followed

Fix:
iControl REST now follows best practices when performing DNS lookups via the dig endpoint

Fixed Versions:
17.0.0.2, 15.1.8.1

1071621-2 : Increase the number of supported traffic selectors

Links to More Info: BT1071621

Component: TMOS

Symptoms:
There is an imposed limit of 30 traffic selectors that can be attached to an IPsec policy / IKEv2 ike-peer.

Conditions:
-- IKEv2
-- More than 30 traffic selectors required on one IPsec policy / ike-peer.

Impact:
No more than 30 traffic selectors can be added to a single IPsec policy / ike-peer.

Workaround:
None

Fix:
The behavior of sys db ipsec.maxtrafficselectors has changed.

- Max traffic selectors associated with an ike-peer are increased from 30 to 100.

- When the sys-db variable is non-zero, the limit is enforced.

Warning: Adding hundreds or thousands of traffic-selectors to an ipsec-policy may result in slow config-load times (for example, during startup). An excessive number of traffic selectors may also slow down IPsec tunnel negotiation. The impact will depend on the BIG-IP system's provisioning and the overall configuration.

- ipsec.maxtrafficselectors can be set to "0" to indicate there is no limit.

Behavior Change:
The behavior of sys db ipsec.maxtrafficselectors has changed.

- Max traffic selectors associated with an ike-peer are increased from 30 to 100.

- When the sys-db variable is non-zero, the limit is enforced.

- ipsec.maxtrafficselectors can be set to "0" to indicate there is no limit.

Warning: Adding hundreds or thousands of traffic-selectors to an ipsec-policy may result in slow config-load times (for example, during startup). An excessive number of traffic selectors may also slow down IPsec tunnel negotiation. The impact will depend on the BIG-IP system's provisioning and the overall configuration.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1

1067105-5 : Racoon logging shows incorrect SA length.

Links to More Info: BT1067105

Component: TMOS

Symptoms:
Debug2 logs incorrect "total SA" length in racoon.log.

Conditions:
-- IKEv1 tunnels in use
-- ikedaemon in debug2 mode

Impact:
Troubleshooting is confused by misleading information about the SA payload length.

Workaround:
None. This is a cosmetic / logging issue.

Fix:
Clarified the log message to indicate what the logged length actually covers.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7

1066673-7 : BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions

Links to More Info: K55580033, BT1066673

1065917-1 : BIG-IP APM Virtual Server does not follow security best practices

Component: Access Policy Manager

Symptoms:
BIG-IP APM Virtual Server with an associated access policy does not follow security best practices when handling authenticated user traffic

Conditions:
APM Access Policy assigned to a Virtual Server
A valid, logged in user

Impact:
APM virtual server allows a malicious authenticated user to cause APM to mis-handle specific requests

Fix:
BIG-IP APM virtual server now correctly follows security best practices.

Fixed Versions:
17.0.0.2, 15.1.7

1063641-5 : NTLM library hardening

Links to More Info: K23465404, BT1063641

1063637-5 : NTLM library hardening

Links to More Info: K23465404, BT1063637

1062569-3 : HTTP/2 stream bottom filter leaks memory at teardown under certain conditions

Component: Local Traffic Manager

Symptoms:
Xhead/xdata allocations increase over time and do not return to initial levels.

Conditions:
-HTTP/2 MRF Virtual Server with client-side HTTP/2.
-HTTP/2 undisclosed clientside requests

Impact:
Memory leakage

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.0.0.2

1062493-5 : BD crash close to it's startup

Links to More Info: BT1062493

Component: Application Security Manager

Symptoms:
BD crashes shortly after startup.

Conditions:
FTP or SMTP are in use. Other causes are unknown.

Impact:
Traffic disrupted while bd restarts.

Workaround:
No workaround except removal of the FTP/SMTP protection.

Fix:
Crashes close to startup coming from SMTP or FTP were fixed.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7

1061481-4 : Denied strings were found in the /var/log/ folder after an update or reboot

Links to More Info: BT1061481

Component: TMOS

Symptoms:
Denied strings error message were found in /var/log/dmesg and /var/log/messages files after update or reboot.

For example, the string "denied" was found:[ 5.704716] type=1401 audit(1636790175.688:4): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:f5_jitter_entropy_t:s0

Conditions:
After update or reboot, check the following log files:
/var/log/dmesg and /var/log/messages.

Impact:
Error strings are observed in /var/log/dmesg and /var/log/messages.

Workaround:
None.

Fix:
No error strings are observed.

Fixed Versions:
17.0.0.1, 16.1.3

1058297-1 : Policy history values for 'max Size Of Saved Versions' and for 'min Retained Files In Dir' is reset during upgrade★

Links to More Info: BT1058297

Component: Application Security Manager

Symptoms:
The values for "minRetainedFilesInDir" and "maxSizeOfSavedVersions" in /etc/ts/tools/policy_history.cfg
 are set back to default after an upgrade.

Conditions:
-- Non-default values for "minRetainedFilesInDir" and for "maxSizeOfSavedVersions"
-- An upgrade occurs

Impact:
After upgrade, the values in the configuration file are set back to default.

Workaround:
Update the values after the upgrade is complete.

Fix:
The usage of the configuration file /etc/ts/tools/policy_history.cfg is deprecated.

New internal config items have been added:
"policy_history_min_retained_versions" and "policy_history_max_total_size"

The internal variables are preserved during the upgrade.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7

1056957-2 : An attack signature can be bypassed under some scenarios.

Links to More Info: BT1056957

Component: Application Security Manager

Symptoms:
An attack signature is not detected.

Conditions:
A specific condition.

Impact:
False negative - attack is not detected.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.0.0.1, 16.1.3.1

1042737-5 : BGP sending malformed update missing Tot-attr-len of '0.

Links to More Info: BT1042737

Component: TMOS

Symptoms:
BIG-IP might send a malformed BGP update missing Tot-attr-len of '0 when performing a soft reset out.

Conditions:
-- Multiple traffic groups configured.
-- A BGP soft reset occurs.

Impact:
BGP peering resets.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7

1040513-4 : The counter for "FTP commands" is always 0.

Links to More Info: BT1040513

Component: Application Security Manager

Symptoms:
On the FTP Statistics page, the "FTP Commands" value is always zero.

Conditions:
FTP security is applied and "FTP commands violations" is enforced.

Impact:
The FTP security does not show violations statistics regarding the FTP commands.

Workaround:
None

Fix:
"FTP commands statistics" now shows an accurate value in the UI.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1

1036057-5 : Add support for line folding in multipart parser.

Links to More Info: BT1036057

Component: Application Security Manager

Symptoms:
RFC 2616 allowed HTTP header field values to be extended over multiple lines by preceding each extra line with at least one space or horizontal tab. This was then deprecated by RFC 7230.

The multipart parser of ASM does not support the multiple line header, so these requests cause false positives.

Conditions:
Multiline header in multipart request

Impact:
False positives.

Workaround:
None

Fix:
Introduced a new ASM internal parameter: multipart_allow_multiline_header

Note: default value is 0 (disabled)
Note: enabling/disabling the feature requires asm restart that triggers the unit going offline for a short time period. If the unit is a part of a high availability (HA) cluster, failover to the other unit will occur. If it is a standalone unit, traffic disruption until the unit comes back to online.

- Enable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 1
# bigstart restart asm

- Disable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 0
# bigstart restart asm

Behavior Change:
Introduced a new ASM internal parameter: multipart_allow_multiline_header

Note: default value is 0 (disabled)
Note: enabling/disabling the feature requires asm restart that triggers the unit going offline for a short time period. If the unit is a part of a high availability (HA) cluster, failover to the other unit will occur. If it is a standalone unit, traffic disruption until the unit comes back to online.

- Enable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 1
# bigstart restart asm

- Disable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 0
# bigstart restart asm

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1

1032553-6 : Core when virtual server with destination NATing receives multicast

Component: TMOS

Symptoms:
TMM cores when the virtual server processes a multicast packet.

Conditions:
-- Virtual server that can match multicast, e.g. destination address 0.0.0.0:any and mask any.
-- LTM and AFM provisioned.
-- Virtual server is using destination NATing.
-- Virtual server uses fastL4.
-- Multicast route setup, e.g. with Zebos.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Add a virtual server to specifically match multicast without destination NATing.

Fix:
TMM does not crash.

Fixed Versions:
17.0.0.2, 15.1.8

1030133-1 : BD core on XML out of memory

Links to More Info: BT1030133

Component: Application Security Manager

Symptoms:
Missing error handling in lib xml parser.

Conditions:
XML parser going out of memory.

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
None

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1

1029689-1 : Incosnsitent username "SYSTEM" in Audit Log

Links to More Info: BT1029689

Component: Application Security Manager

Symptoms:
The Security Policy Auto Log in ASM displays the system component that triggered the event. The component name is sometimes shown as 'SYSTEM', other times shown as 'System'

Conditions:
The value is "SYSTEM" when Apply Policy was initiated locally.
The value is "System" when Apply Policy was initiated by the peer unit

Impact:
Component name inconsistency causing confusion

Workaround:
None

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7

1025261-4 : Restjavad uses more resident memory in control plane after software upgrade

Links to More Info: BT1025261

Component: TMOS

Symptoms:
The restjavad process immediately reserves more memory and the process size (as shown by RSS) increases as the starting heap size has been made to be the same as maximum heap size for performance reasons.

(Note the process name displays as 'java', but there are multiple independent Java processes on the system. The parent process of restjavad is 'runsv restjavad', and the command line arguments may have 'logging' in them.)

For restjavad with the default size, the increase is usually 200 MB-300 MB.

The increase is particularly apparent where restjavad.useextramb is set to the value 'true' and provision.extramb is set to a high value but restjavad had not required that much extra memory previously.

Conditions:
After upgrading to a BIG-IP software version with the fix for ID 776393 ( https://cdn.f5.com/product/bugtracker/ID776393.html ), where more memory has been allocated for restjavad.

Impact:
The memory Resident Set Size (RSS) of the restjavad process will be larger than needed, possibly constricting other processes in the control plane.

Workaround:
If restjavad.useextramb is set to value true you may find that if only a small amount of extra restjavad memory was required (~192 MB or less extra) that it can be set to false.

This is because the default size of restjavad has increased by 192 MB to 384MB.

Restart restjavad after the change.

Fix:
A new sys DB variable, provision.restjavad.extramb has been introduced to allow finer-grained control of restjavad memory.

It takes effect only if sys db restjavad.useextramb is true. It can be used to set restjavad heap size both above and below the default heap size of 384 MB.

Behavior Change:
A new sys DB variable, provision.restjavad.extramb has been introduced to allow finer-grained control of restjavad memory.

The variable is particularly useful when you need restjavad to be slightly bigger and also need a much larger provision.extramb without most of that being taken by restjavad.

For the variable to take effect, sys db restjavad.useextramb must be set to 'true'; otherwise, default memory values are used.

The variable sets the heap size, and defaults to and has a minimum value of 192 MB.

If the value of provision.restjavad.extramb is set above a certain cap value, the heap size will be set to the cap value. In this release, the cap value 384 MB + 80% of provision.extramb.

So with restjavad.useextramb set to 'true', you can set the restjavad heap size from 192 MB to 384 MB + 80% of provision.extramb using the provision.restjavad.extramb variable.

After changing value of provision.restjavad.extramb, restart restjavad to enable the change in memory size:

bigstart restart restjavad

Or on multi-blade systems:

clsh bigstart restart restjavad

If using a sys db restjavad.useextramb value of true and needing to restore your previous restjavad memory setting ( based on maximum heap size) please look at advice below.

Before upgrade - if you set sys db restjavad.useextramb to value false before install of new version you will have more restjavad memory, the default 384MB, after upgrade.

  tmsh modify sys db restjavad.useextramb value false

If you restart restjavad you can see if that value works before upgrade. If you don't restart then it will come into effect after reboot.

If that no longer has issues after update then leave that setting at false. Otherwise set back to true (no restart) and increase provision.restjavad.extramb as in After upgrade section below.

After upgrade:
Set sys db provision.restjavad.extramb to an appropriate value and restart restjavad.

Run the following command:

  tmsh modify sys db provision.restjavad.extramb value X
  bigstart restart restjavad

Iterate as necessary.

The value of X is derived by using one of the following formulae:

- When updating from versions before 14.1.4 and 15.1.3, to affected versions, a value that preserves the maximum previous restjavad heap size is:
  192MB + 80% of MIN(provision.extramb|2500)
the minimum possible heap size was:
  192MB + 20% of MIN(provision.extramb|2500)
The actual restjavad heap size would be between those extremes. SSLO systems would typically need a higher amount towards the maximum.

  Example 1: If provision.restjavad was 1000 MB on previous version, the possible range of restjavad heap size would have been between (20% of 1000 + 192) = 392 MB and (80% of 1000 + 192) = 992 MB.
  Example 2: If provision.extramb was 4000 MB, the possible range would be between (20 % of 2500 + 192) = 692 MB and (80% of 2500 + 192) = 2192 MB.

- When updating from 14.1.4-14.1.5, from 15.1.3-15.1.6.1 or from 16.0.x to affected versions:
  384MB + 80% of MIN(provision.extramb|2500)

  Example 3: If provision.extramb was 500 MB, the restjavad heap size on the previous version would have been 80% of 500 + 384 = 784 MB.

- When updating from 16.1.0-16.1.3 or from 17.0.0.0 to affected versions:
  384MB + 90% of MIN(provision.extramb|4000)

  Example 4: If provision.extramb was 2000 MB, the restjavad heap size on the previous version would have been 90% of 2000 + 384 = 2184 MB.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1

1024661-4 : SCTP forwarding flows based on VTAG for bigproto

Links to More Info: BT1024661

Component: TMOS

Symptoms:
Sometimes SCTP traffic is unidirectionally dropped on one link after an SCTP link down occurs.

Conditions:
-- SCTP configured and BIG-IP is passing traffic
-- A link goes down

Impact:
Flow creation on the wrong TMM and some traffic is dropped.

Workaround:
Disable SCTP flow redirection.
tmm.sctp.redirect_packets == disable

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1

1022453-5 : IPv6 fragments are dropped when packet filtering is enabled.

Links to More Info: BT1022453

Component: Local Traffic Manager

Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.

Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.

Impact:
Some or all of the fragments of an IPv6 packet are lost.

Workaround:
Disable packet filtering

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7

1014973-6 : ASM changed cookie value.

Links to More Info: BT1014973

Component: Application Security Manager

Symptoms:
ASM changes the value of a cookie going to the server.

Conditions:
Specific conditions.

Impact:
Domain cookie will reach the server with a wrong value. Can cause different malfunctions depending on the application.

Workaround:
Change the following db variable:
tmsh modify sys db asm.strip_asm_cookies (https://support.f5.com/csp/article/K30023210) value false.

There is no need to restart asm.

Add an iRule without the use of strip_asm_cookies:
https://support.f5.com/csp/article/K13693.

Fix:
Original cookies not being deleted/modified after the removing of TS cookies in ASM.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7

1014573-5 : Several large arrays/objects in JSON payload may core the enforcer

Links to More Info: BT1014573

Component: Application Security Manager

Symptoms:
Requests with JSON payload that consists of more than one object with elements, such as a couple of large arrays, may cause the enforcer to crash.

Conditions:
Each of the objects/arrays in JSON payload has to consist lesser amount of elements than defined in the "Maximum Array Length" JSON profile attribute.

Impact:
Large enough arrays may cause performance decrease, in addition, the enforcer may crash.

Workaround:
Set "Maximum Array Length" to a lower value than the requests array length.

Fix:
Added internal param "count_overall_child_elements_in_json" to control "Maximum Array/Object Elements" behaviour:
0 (default) - retain current behaviour (check max elements in each array/object separately);
1 - count overall elements in all arrays/objects.

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1

1006921-8 : iRules Hardening

Links to More Info: K80970653, BT1006921

1006157-7 : FQDN nodes not repopulated immediately after 'load sys config'

Links to More Info: BT1006157

Component: Local Traffic Manager

Symptoms:
A DNS query is not sent for configured FQDN nodes until the TTL value expires.

Conditions:
This occurs when 'load sys config' is executed.

Impact:
Name addresses do not resolve to IP addresses until the TTL expires.

Workaround:
You can use either of the following workarounds:

-- Change the default TTL value to be fewer than 300 seconds (the default value is 3600 seconds).

-- Restart dynconfd daemon:
tmsh restart sys service dynconfd

Fixed Versions:
17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1