Supplemental Document : BIG-IP 17.0.0 Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.0.0

BIG-IP Link Controller

  • 17.0.0

BIG-IP Analytics

  • 17.0.0

BIG-IP LTM

  • 17.0.0

BIG-IP PEM

  • 17.0.0

BIG-IP AFM

  • 17.0.0

BIG-IP DNS

  • 17.0.0

BIG-IP FPS

  • 17.0.0

BIG-IP ASM

  • 17.0.0
Updated Date: 05/08/2022

BIG-IP Release Information

Version: 17.0.0
Build: 22.0

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

The blue background highlights fixes


Known Issues in BIG-IP v17.0.x

Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
991421 CVE-2022-23016 K91013510, BT991421 TMM may crash while processing TLS traffic 15.1.4.1, 16.1.2
989701 CVE-2020-25212 K42355373, BT989701 CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
988549 CVE-2020-29573 K27238230, BT988549 CVE-2020-29573: glibc vulnerability 14.1.4.5, 15.1.4.1, 16.1.2
968893 CVE-2022-23014 K93526903, BT968893 TMM crash when processing APM traffic 15.1.4.1, 16.1.2
940317 CVE-2020-13692 K23157312, BT940317 CVE-2020-13692: PostgreSQL JDBC Driver vulnerability 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
830361 CVE-2012-6711 K05122252, BT830361 CVE-2012-6711 Bash Vulnerability 14.1.4.6, 15.1.5.1, 16.1.2.2
1087201 CVE-2022-0778 K31323265, BT1087201 OpenSSL Vulnerability: CVE-2022-0778 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1051305 CVE-2021-34798 K72382141 CVE-2021-34798: A NULL pointer dereference in httpd via malformed requests  
1043281 CVE-2021-3712 K19559038 OpenSSL vulnerability CVE-2021-3712  
1037181 CVE-2022-23022 K96924184, BT1037181 TMM may crash while processing HTTP traffic 16.1.2
1032405 CVE-2021-23037 K21435974, BT1032405 TMUI XSS vulnerability CVE-2021-23037 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1031269-1 CVE-2022-23020 K17514331, BT1031269 TMM may consume excessive resources when processing logging profiles 16.1.2
1030689 CVE-2022-23019 K82793463, BT1030689 TMM may consume excessive resources while processing Diameter traffic 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
1028669 CVE-2019-9948 K28622040, BT1028669 Python vulnerability: CVE-2019-9948 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1028573 CVE-2020-10878 K40508224, BT1028573 Perl vulnerability: CVE-2020-10878 14.1.4.5, 15.1.4.1, 16.1.2
1028497 CVE-2019-15903 K05295469, BT1028497 libexpat vulnerability: CVE-2019-15903 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1012365 CVE-2021-20305 K33101555, BT1012365 Nettle cryptography library vulnerability CVE-2021-20305 14.1.4.5, 15.1.4.1, 16.1.2
1007489 CVE-2022-23018 K24358905, BT1007489 TMM may crash while handling specific HTTP requests&start; 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1002565 CVE-2021-23840 K24624116, BT1002565 OpenSSL vulnerability CVE-2021-23840 14.1.4.6, 15.1.5.1, 16.1.2.2
990333 CVE-2021-23016 K75540265, BT990333 APM may return unexpected content when processing HTTP requests 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
987749 CVE-2020-10769 K62532228 CVE-2020-10769 kernel: A buffer over-read flaw was found in crypto_authenc_extractkeys in crypto/authenc.c  
981273 CVE-2021-23054 K41997459, BT981273 APM webtop hardening 13.1.5, 15.1.4
974341 CVE-2022-23026 K08402414, BT974341 REST API: File upload 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
973409 CVE-2020-1971 K42910051, BT973409 CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference 14.1.4.4, 15.1.4.1, 16.1.2
954425 CVE-2022-23031 K61112120, BT954425 Hardening of Live-Update 14.1.4.4, 15.1.4, 16.1.1
941649 CVE-2021-23043 K63163637, BT941649 Local File Inclusion Vulnerability 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
940185 CVE-2022-23023 K11742742, BT940185 icrd_child may consume excessive resources while processing REST requests 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
823877 CVE-2019-10098
CVE-2020-1927
K25126370, BT823877 CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability 14.1.4.5, 15.1.5.1, 16.1.2.2
803965 CVE-2018-20843 K51011533, BT803965 Expat Vulnerability: CVE-2018-20843 13.1.5, 14.1.4.5, 15.1.4, 16.1.2
797797 CVE-2019-11811 K01512680, BT797797 CVE-2019-11811 kernel: use-after-free in drivers 14.1.4.3, 15.1.4, 16.0.1.2, 16.1.1
1035729 CVE-2022-23021 K57111075, BT1035729 TMM may crash while processing traffic http traffic 16.1.2
1009725 CVE-2022-23030 K53442005, BT1009725 Excessive resource usage when ixlv drivers are enabled 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1008561 CVE-2022-23025 K44110411, BT1008561 In very rare condition, BIG-IP may crash when SIP ALG is deployed 13.1.5, 14.1.4.4, 15.1.4, 16.1.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
982697 2-Critical   ICMP hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1078821 2-Critical   Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit  
1050537 2-Critical BT1050537 GTM pool member with none monitor will be part of load balancing decisions. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
972933 3-Major   Self-IP hardening  
972489 3-Major   BIG-IP Appliance Mode iControl hardening 15.1.5.1
969553 3-Major BT969553 A DNS Cache (or Network DNS Resolver) returns SERVFAIL to some queries.  
948073 3-Major BT948073 Dual stack download support for IP Intelligence Database 15.1.4
911141 3-Major BT911141 GTP v1 APN is not decoded/encoded properly 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
882709 3-Major BT882709 Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors&start; 16.1.2.2
669046 3-Major BT669046 Handling large replies to MCP audit_request messages 16.1.2.2
1053589-2 3-Major BT1053589 DDoS functionality cannot be configured at a Zone level  
1049213 3-Major   A new disaggregation (DAG) mode based on TEID field in GTP-U header is introduced  
1046669 3-Major BT1046669 The audit forwarders may prematurely time out waiting for TACACS responses 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1036285 3-Major   Enforce password expiry after local user creation  
1021005-1 3-Major   IPI IPV6 traffic Reputation.  
1015133 3-Major BT1015133 Tail loss can cause TCP TLP to retransmit slowly. 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
985953 4-Minor BT985953 GRE Transparent Ethernet Bridging inner MAC overwrite 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1033837 4-Minor BT1033837 REST authentication tokens persist on reboot&start; 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1081201 1-Blocking   MCPD certification import hardening  
1070009-1 1-Blocking BT1070009 iprepd, icr_eventd and tmipsecd restarts continuously after installing FIPS 140-3 license in BIG-IP cloud platform 16.1.2.2
1050969 1-Blocking BT1050969 After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid 15.1.5.1, 16.1.2.2
1042993 1-Blocking K19272127, BT1042993 Provisioning high availability (HA) setup wizard fails to load, reports 'No Access' 13.1.5, 14.1.4.5, 15.1.4.1
1039049-3 1-Blocking BT1039049 Installing EHF on particular platforms fails with error "RPM transaction failure" 14.1.4.5, 15.1.4.1, 16.1.2
1004833-3 1-Blocking BT1004833 NIST SP800-90B compliance 14.1.4.2, 15.1.4
997313 2-Critical BT997313 Unable to create APM policies in a sync-only folder&start; 15.1.4.1, 16.1.2
995849 2-Critical BT995849 Tmm crash SIGSEGV - rcs_getsalen() in lib/rc_net.c  
976669-6 2-Critical BT976669 FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade 14.1.4.6, 15.1.5.1, 16.1.2.2
974241 2-Critical BT974241 Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades 15.1.4, 16.1.1
967905 2-Critical BT967905 Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
943109 2-Critical BT943109 Mcpd crash when bulk deleting Bot Defense profiles  
935177 2-Critical BT935177 IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm 16.1.2.2
915981 2-Critical   BIG-IP SCP hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
749332 2-Critical BT749332 Client-SSL Object's description can be updated using CLI and with REST PATCH operation 14.1.4.4, 15.1.5, 16.1.2.1
1081709 2-Critical   Tmm crash SIGSEGV - traffic_selector_update_handler  
1079817 2-Critical BT1079817 Java null pointer exception when saving UCS with iAppsLX installed&start;  
1076921 2-Critical BT1076921 Log hostname should be consistent when it contains ' . '  
1059185 2-Critical   iControl REST Hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1059165 2-Critical BT1059165 Multiple virtual server pages fail to load. 16.1.2.2
1057801 2-Critical   TMUI does not follow current best practices 14.1.4.6, 15.1.5.1, 16.1.2.2
1051561 2-Critical   iControl REST request hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1048853 2-Critical BT1048853 "IKE VBUF" memory leak debug.  
1048141 2-Critical BT1048141 Sorting pool members by 'Member' causes 'General database error' 14.1.4.6, 15.1.5.1, 16.1.2.2
1047213 2-Critical BT1047213 VPN Client to Client communication fails when clients are connected to different TMMs. 16.1.2.2
1043277 2-Critical K06520200, BT1043277 'No access' error page displays for APM policy export and apply options. 13.1.5, 14.1.4.5, 15.1.4.1
1041865 2-Critical BT1041865 Correctable machine check errors [mce] should be suppressed  
1035121 2-Critical BT1035121 Configsync syncs the node's monitor status  
1031357 2-Critical BT1031357 After reboot of standby and terminating peer, some IPsec traffic-selectors are still online 16.1.2
1029949 2-Critical BT1029949 IPsec traffic selector state may show incorrect state on high availability (HA) standby device 16.1.2
1023829-1 2-Critical BT1023829 Security->Policies in Virtual Server web page spins mcpd 100%, which later cores  
1007901 2-Critical BT1007901 Support for FIPS 140-3 Module identifier service. 16.1.2.2
1004929 2-Critical BT1004929 During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. 13.1.5, 14.1.4.5, 15.1.5
999125 3-Major BT999125 After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
998225 3-Major   TMM crash when disabling/re-enabling a blade that triggers a primary blade transition.  
998221 3-Major BT998221 Accessing pool members from configuration utility is slow with large config 14.1.4.3, 15.1.4, 16.0.1.2, 16.1.2
996001 3-Major BT996001 AVR Inspection Dashboard 'Last Month' does not show all data points 14.1.4.5, 15.1.5, 16.1.2.1
995605 3-Major BT995605 PVA accelerated traffic does not update route domain stats  
995097 3-Major BT995097 Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file.  
994305 3-Major BT994305 The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5 16.1.2.1
992813 3-Major BT992813 The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations.  
988165 3-Major BT988165 VMware CPU reservation is now enforced. 15.1.5.1, 16.1.2.2
987301 3-Major BT987301 Software install on vCMP guest via block-device may fail with error 'reason unknown'  
984585 3-Major BT984585 IP Reputation option not shown in GUI. 15.1.5.1, 16.1.2.2
982341 3-Major   iControl REST endpoint hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
968657 3-Major BT968657 Added support for IMDSv2 on AWS 15.1.5.1, 16.1.2.1
963541 3-Major BT963541 Net-snmp5.8 crash 15.1.5.1, 16.1.2.2
959985 3-Major BT959985 Update VMware hardware version templates for BIG-IP Virtual Edition (VE) from v10 to v13 in order to support VMs deployed in more versions of vSphere ESXi. 16.1.2.2
955953 3-Major BT955953 iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg'  
950149-1 3-Major   Add configuration to ccmode for compliance with the Common Criteria STIP PPM.  
948601 3-Major   File object checksum attribute is not updated when an external data-group file or external monitor file is edited from GU  
943577 3-Major BT943577 Full sync failure for traffic-matching-criteria with port list under certain conditions 14.1.4.6, 15.1.5.1, 16.1.2.2
922185 3-Major BT922185 LDAP referrals not supported for 'cert-ldap system-auth'&start; 14.1.4.5, 15.1.4.1, 16.1.2
912253 3-Major BT912253 Non-admin users cannot run show running-config or list sys 15.1.5.1, 16.1.2.2
907549 3-Major BT907549 Memory leak in BWC::Measure 15.1.0.5, 16.1.2.2
901669 3-Major BT901669 Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change. 14.1.4.6, 15.1.5.1, 16.1.2.2
896941-1 3-Major   Common Criteria ccmode script updated  
887117 3-Major BT887117 Invalid SessionDB messages are sent to Standby 15.1.4.1, 16.1.1
881085 3-Major BT881085 Intermittent auth failures with remote LDAP auth for BIG-IP managment 14.1.4.5, 15.1.4.1, 16.1.2
755976 3-Major BT755976 ZebOS might miss kernel routes after mcpd deamon restart 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
724653 3-Major BT724653 In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync.  
720610-5 3-Major BT720610 Automatic Update Check logs false 'Update Server unavailable' message on every run 13.1.3, 14.1.2.7
708991 3-Major BT708991 Newly entered password is not remembered. 16.1.2
673952 3-Major BT673952 1NIC VE in high availability (HA) device-group shows 'Changes Pending' after reboot  
1076377 3-Major BT1076377 OSPF path calculation for IA and E routes is incorrect. 16.1.2.2
1074273 3-Major   Tmm crash while bringing up a static IPSec tunnel  
1074113 3-Major BT1074113 IPsec IKEv2: Selectors incorrectly marked up after disable ike-peer 16.1.2.2
1071609 3-Major BT1071609 IPsec IKEv1: Log Key Exchange payload in racoon.log. 16.1.2.2
1066285 3-Major BT1066285 Master Key decrypt failure - decrypt failure. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1065585 3-Major BT1065585 System does not halt on on FIPS/entropy error threshold for BIG-IP Virtual Edition 16.1.2.2
1064893 3-Major BT1064893 Keymgmtd memory leak occurrs while configuring ca-bundle-manager.  
1064461 3-Major BT1064461 PIM-SM will not complete RP registration over tunnel interface when floating IP address is used. 16.1.2.2
1064357 3-Major BT1064357 execute_post_install: EPSEC: Installation of EPSEC package failed  
1062953 3-Major BT1062953 Unable to save configuration via tmsh or the GUI.  
1061797 3-Major BT1061797 Upgraded AWS CloudFormation Helper Scripts which now support IMDSv2 15.1.5.1, 16.1.2.2
1060625-2 3-Major BT1060625 Wrong INTERNAL_IP6_DNS length. 16.1.2.2
1060321 3-Major   TMM crash on reload of HTML processing rules under OOM conditions.  
1060181-4 3-Major BT1060181 SSL handshakes fail when using CRL certificate validator. 15.1.5.1
1060149 3-Major BT1060149 BIG-IP vCMP guest data-plane failure with turboflex-adc selected on the host. 16.1.2.2
1059853-1 3-Major BT1059853 Long loading configuration time after upgrade from 15.1.3.1 to 16.1.2.&start; 16.1.2.2
1057809 3-Major   Saved dashboard hardening 14.1.4.6, 15.1.5.1, 16.1.2.2
1057393 3-Major   CVE-2019-18197 libxslt vulnerability: use after free in xsltCopyText  
1057149 3-Major   CVE-2019-11068 libxslt vulnerability: xsltCheckRead and xsltCheckWrite  
1056993 3-Major   404 error is raised on GUI when clicking "App IQ." 14.1.4.6, 15.1.5.1, 16.1.2.2
1056741-1 3-Major BT1056741 ECDSA certificates signed by RSA CA are not selected based by SNI. 15.1.5.1, 16.1.2.2
1048541 3-Major BT1048541 Certificate Order Manager: renew requests to the Comodo (now Sectigo) CA are unsuccessful. 15.1.5.1, 16.1.2.2
1048137 3-Major BT1048137 IPsec IKEv1 intermittent but consistent tunnel setup failures  
1047169 3-Major BT1047169 GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1045421 3-Major K16107301, BT1045421 No Access error when performing various actions in the TMOS GUI 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1042589 3-Major BT1042589 Wrong trunk_id is associated in bcm56xxd.  
1042009 3-Major BT1042009 Mcpd fails to reply if a request is proxied to another daemon and the connection to that daemon closes 13.1.5, 14.1.4.6, 16.1.2.2
1032949-2 3-Major BT1032949 Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate. 15.1.5, 16.1.2.1
1032821 3-Major BT1032821 Syslog: invalid level/facility from /usr/libexec/smart_parse.pl  
1032737 3-Major BT1032737 IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate 15.1.4.1, 16.1.2
1032077-4 3-Major BT1032077 TACACS authentication fails with tac_author_read: short author body 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1028969 3-Major BT1028969 An unused traffic-selector can prevent an IKEv2 IPsec tunnel from working 16.1.2
1026549 3-Major BT1026549 Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd 14.1.4.5, 15.1.4.1, 16.1.2
1022757 3-Major BT1022757 Tmm core due to corrupt list of ike-sa instances for a connection 16.1.2
1022637 3-Major BT1022637 A partition other than /Common may fail to save the configuration to disk 13.1.5, 14.1.4.6, 15.1.5, 16.1.2.2
1021773 3-Major BT1021773 Mcpd core. 16.1.2
1020789 3-Major BT1020789 Cannot deploy a four-core vCMP guest if the remaining cores are in use. 13.1.5, 14.1.4.6, 16.1.2.2
1020377 3-Major BT1020377 Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon 16.1.2
1019429 3-Major BT1019429 CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated 15.1.4.1
1019357 3-Major BT1019357 Active fails to resend ipsec ikev2_message_id_sync if no response received 16.1.2.2
1018309 3-Major BT1018309 Loading config file with imish removes the last character 15.1.4.1, 16.1.1
1015645 3-Major BT1015645 IPSec SA's missing after reboot 16.1.2
1009949 3-Major BT1009949 High CPU usage when upgrading from previous version&start; 14.1.4.4, 15.1.4.1, 16.1.2
1008837 3-Major BT1008837 Control plane is sluggish when mcpd processes a query for virtual server and address statistics 14.1.4.4, 15.1.4, 16.1.2.2
1008269 3-Major BT1008269 Error: out of stack space 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1003257 3-Major BT1003257 ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1002761 3-Major BT1002761 SCTP client's INIT chunks rejected repeatedly with ABORT during re-establishment of network link after failure 15.1.4, 16.0.1.2
988533 4-Minor BT988533 GRE-encapsulated MPLS packet support 14.1.4.5, 15.1.4.1
921365 4-Minor BT921365 IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby 15.1.4, 16.1.2
889813 4-Minor BT889813 Show net bwc policy prints bytes-per-second instead of bits-per-second 14.1.4.5
742753 4-Minor BT742753 Accessing the BIG-IP system's WebUI via special proxy solutions may fail 16.1.2.2
674026 4-Minor BT674026 iSeries AOM web UI update fails to complete.&start;  
528894 4-Minor BT528894 Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition 13.1.5, 14.1.4.6, 15.1.5, 16.1.2.2
1076253 4-Minor BT1076253 IKE library memory leak  
1072237 4-Minor BT1072237 Retrieval of policy action stats causes memory leak 16.1.2.2
1071365 4-Minor   iControl SOAP WSDL hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1067617 4-Minor BT1067617 BGP default route not advertised after mid-session OPEN. 16.1.2.2
1062445 4-Minor   CVE-2021-3467: jasper-libs vulnerability: NULL pointer dereference  
1062441 4-Minor   CVE-2021-26927: jasper-libs vulnerability: Null pointer dereference in jp2_decode  
1062433 4-Minor   CVE-2021-3443: jasper-libs vulnerability: JP2 image file  
1062429 4-Minor   CVE-2021-26926: jasper-libs vulnerability: out of bounds read  
1062425 4-Minor   CVE-2016-9396: jasper-libs vulnerability: Denial of service  
1062417 4-Minor   CVE-2016-9398: jasper-libs vulnerability: denial of service via unspecified vectors  
1062409 4-Minor   CVE-2016-8886: jasper-libs vulnerability: Memory allocation failire  
1062333 4-Minor   Linux kernel vulnerability: CVE-2019-19523 16.1.2.2
1058677 4-Minor BT1058677 Not all SCTP connections are mirrored on the standby device when auto-init is enabled. 14.1.4.6, 15.1.5.1, 16.1.2.2
1057457 4-Minor   CVE-2015-9019: libxslt vulnerability: math.random()  
1057449 4-Minor   CVE-2015-7995 libxslt vulnerability: Type confusion may cause DoS  
1057445 4-Minor   CVE-2019-13118 libxslt vulnerability: uninitialized stack data  
1057441 4-Minor   CVE-2016-1683 chromium-browser vulnerability: out-of-bounds access in libxslt  
1057437 4-Minor   CVE-2019-13117 libxslt vulnerability: uninitialized read in xsltNumberFormatInsertNumbers  
1057433 4-Minor   CVE-2016-1684 chromium-browser vulnerability: integer overflow in libxslt  
1055925 4-Minor   TMM may crash while processing traffic on AWS  
1050413 4-Minor BT1050413 Drive model HGST HUS722T1TALA604 must be added to pendsect drives.xml.  
1046693 4-Minor BT1046693 TMM with BFD confgured might crash under significant memory pressure 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1045549 4-Minor BT1045549 BFD sessions remain DOWN after graceful TMM restart 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1041765 4-Minor BT1041765 Racoon may crash in rare cases 16.1.2.1
1040821 4-Minor BT1040821 Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1034617 4-Minor BT1034617 Login/Security Banner text not showing in console login. 16.1.2
1034589 4-Minor BT1034589 No warning is given when a pool or trunk that was in use by an high availability (HA) Group is deleted from the configuration. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1034329 4-Minor BT1034329 SHA-512 checksums for BIG-IP Virtual Edition (VE) images available on downloads.f5.com 16.1.2.2
1031425 4-Minor BT1031425 Provide a configuration flag to disable BGP peer-id check. 14.1.4.6, 15.1.5.1, 16.1.2.2
1030845 4-Minor BT1030845 Time change from TMSH not logged in /var/log/audit. 14.1.4.5, 15.1.4.1, 16.1.2
1030645 4-Minor BT1030645 BGP session resets during traffic-group failover 14.1.4.6, 15.1.5.1, 16.1.2.2
1024621 4-Minor BT1024621 Re-establishing BFD session might take longer than expected. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1023817 4-Minor BT1023817 Misleading "Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required." warning 15.1.5.1
1022417 4-Minor BT1022417 Ike stops with error ikev2_send_request: [WINDOW] full window 16.1.2
1011217 4-Minor BT1011217 TurboFlex Profile setting reverts to turboflex-base after upgrade&start; 16.1.2.2
1002809 4-Minor BT1002809 OSPF vertex-threshold should be at least 100 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
999901 1-Blocking   Certain LTM policies may not execute correctly after a system reboot or TMM restart. 14.1.4.6, 15.1.5.1, 16.1.2.2
1039041-1 1-Blocking BT1039041 Log Message: Clock advanced by <number> ticks 16.1.2
968929 2-Critical BT968929 TMM may crash when resetting a connection on an APM virtual server 16.1.2.2
944381 2-Critical BT944381 Dynamic CRL checking for client certificate is not working when TLS1.3 is used.  
935193-3 2-Critical BT935193 With APM and AFM provisioned, single logout ( SLO ) fails  
910213 2-Critical BT910213 LB::down iRule command is ineffective, and can lead to inconsistent pool member status 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
881809 2-Critical   serverssl profile hardening  
780857 2-Critical BT780857 HA failover network disruption when cluster management IP is not in the list of unicast addresses  
435231-1 2-Critical   Support RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral parameters  
1086677 2-Critical   TMM Crashes in xvprintf() because of NULL Flow Key  
1083989 2-Critical BT1083989 TMM may restart if abort arrives during MBLB iRule execution 16.1.2.2
1080581 2-Critical BT1080581 Virtual server creation is not allowed to have TCP, UDP and HTTP together with Client or Server SSL Profiles.&start; 15.1.5.1
1078741 2-Critical BT1078741 Tmm crash  
1075073 2-Critical   TMM Crash observed with Websocket and MQTT profile enabled  
1073841 2-Critical   URI normalization does not function as expected  
1073609 2-Critical BT1073609 Tmm may core while using reject iRule command in LB_SELECTED event.  
1071689 2-Critical BT1071689 SSL connection not immediately closed with HTTP2 connection and lingers until idle timeout  
1071593 2-Critical   TMM may crash while processing TLS traffic 16.1.2.2
1071449 2-Critical BT1071449 Statsd memory leak on platforms with license disabled processors. 16.1.2.2
1069629 2-Critical   TMM may crash while processing TLS traffic 15.1.5.1, 16.1.2.2
1067669 2-Critical BT1067669 TCP/UDP virtual servers drop all incoming traffic.  
1064649 2-Critical BT1064649 Tmm crash after upgrade.&start; 15.1.5
1064617 2-Critical BT1064617 DBDaemon process may write to monitor log file indefinitely 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1059053 2-Critical BT1059053 Tmm crash when passing traffic over some configurations with L2 virtual wire 15.1.5.1, 16.1.2.2
1055737 2-Critical   TMM may consume excessive resources while processing HTTP/2 traffic 16.1.2.2
1047581 2-Critical BT1047581 Ramcache can crash when serving files from the hot cache 16.1.2.2
1047089-1 2-Critical   TMM may terminate while processing TLS/DTLS traffic 14.1.4.6, 15.1.5, 16.1.2.2
1043805 2-Critical BT1043805 ICMP traffic over NAT does not work properly.  
1040677-1 2-Critical BT1040677 BIG-IP D120 platform reports page allocation failures in N3FIPS driver 16.1.1
1040361 2-Critical BT1040361 TMM crashes during its startup when TMC destination port list attached/deleted to virtual server. 14.1.4.5, 15.1.5, 16.1.2
1039145 2-Critical BT1039145 Tenant mirroring channel disconnects with peer and never reconnects after failover. 15.1.4
1032513 2-Critical   TMM may consume excessive resources while processing MRF traffic 16.1.2.2
1030185 2-Critical BT1030185 TMM may crash when looking up a persistence record using "persist lookup" iRule commands  
1017533 2-Critical BT1017533 Using TMC might cause virtual server vlans-enabled configuration to be ignored 14.1.4.6, 16.1.2.2
1009037 2-Critical BT1009037 Tcl resume on invalid connection flow can cause tmm crash 14.1.4.5, 15.1.4.1, 16.1.2
1000021 2-Critical   TMM may consume excessive resources while processing packet filters 14.1.4.6, 15.1.5, 16.1.2.2
999881 3-Major BT999881 Tcl command 'string first' not working if payload contains Unicode characters.  
999097 3-Major BT999097 SSL::profile may select profile with outdated configuration 14.1.4.5, 15.1.5, 16.1.2.1
995405 3-Major BT995405 After upgrade, the copied SSL vhf/vht profile prevents traffic from passing&start; 16.1.1
993981 3-Major   TMM may crash when ePVA is enabled 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
993517 3-Major BT993517 Loading an upgraded config can result in a file object error in some cases 16.1.2.2
987885 3-Major BT987885 Half-open unclean SSL termination might not close the connection properly  
987077 3-Major BT987077 TLS1.3 with client authentication handshake failure 14.1.4.6, 15.1.5.1
984897 3-Major BT984897 Some connections performing SSL mirroring are not handled correctly by the Standby unit.  
980617 3-Major BT980617 SNAT iRule is not working with HTTP/2 and HTTP Router profiles 16.1.1
976525 3-Major BT976525 Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled  
972517 3-Major   Appliance mode hardening  
967101 3-Major BT967101 When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out. 14.1.4.6, 15.1.5.1, 16.1.2.2
967093 3-Major BT967093 In SSL forward proxy when the signing CA cert and end-entity cert has a different signature algorithm, the SSL connection may fail 15.1.5
956133 3-Major BT956133 MAC address might be displayed as 'none' after upgrading.&start; 14.1.4.4, 15.1.4
955617 3-Major BT955617 Cannot modify properties of a monitor that is already in use by a pool 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
953601 3-Major BT953601 HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions 16.1.2.2
951257 3-Major   FTP active data channels are not established 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
948985-4 3-Major BT948985 Workaround to address Nitrox 3 compression engine hang  
948065 3-Major BT948065 DNS Responses egress with an incorrect source IP address.  
945357-1 3-Major   BIG-IP must be able to set CA=True when creating Certificate Signing Requests from TMSH.  
943041 3-Major   Trunk interface support added for L2wire on BIG-IP Virtual Edition  
936441 3-Major BT936441 Nitrox5 SDK driver logging messages 15.1.5.1, 16.1.2.2
934697 3-Major BT934697 Route domain not reachable (strict mode)  
915773-2 3-Major BT915773 Restart of TMM after stale interface reference 14.1.4.4, 15.1.4.1, 16.1.2
912945 3-Major BT912945 A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed 14.1.4.4, 15.1.4, 16.1.1
912517 3-Major BT912517 Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
910673 3-Major BT910673 Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM' 15.1.5.1, 16.1.2.1
902377 3-Major BT902377 HTML profile forces re-chunk even though HTML::disable 15.1.5.1, 16.1.2.2
898929 3-Major BT898929 Tmm might crash when ASM, AVR, and pool connection queuing are in use 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
883049 3-Major BT883049 Statsd can deadlock with rrdshim if an rrd file is invalid 16.1.2.2
803109 3-Major BT803109 Certain configuration may result in zombie forwarding flows 14.1.4.6, 15.1.5.1, 16.1.2.2
794385 3-Major BT794385 BGP sessions may be reset after CMP state change 15.1.5.1, 16.1.2.2
672963 3-Major BT672963 MSSQL monitor fails against databases using non-native charset 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
574762 3-Major   Forwarding flows leak when a routing update changes the egress vlan  
1079769 3-Major BT1079769 Tmm utilizing the virtio driver might crash after modifying several IPv6 virtual servers  
1078053 3-Major   TMM may consume excessive resources while processing STEAM traffic 16.1.2.2
1076573 3-Major   MQTT profile addition is different in GUI and TMSH  
1076397 3-Major   TMSH hardening  
1074505 3-Major BT1074505 Traffic classes are not attached to virtual server at TMM start  
1073973 3-Major BT1073973 Gateway HTTP/2, response payload intermittently not forwarded to client. 16.1.2.2
1073549 3-Major   TMSH hardening  
1073357 3-Major   TMM may crash while processing HTTP traffic  
1072953 3-Major BT1072953 Memory leak in traffic management interface. 16.1.2.2
1072397 3-Major   VLAN failsafe failover does not occur in three-node device group  
1071585 3-Major BT1071585 BIG-IP system does not respond to an arp from a SelfIP configured in virtual wire mode 16.1.2.2
1068561-2 3-Major BT1068561 Can't create key on the second netHSM partition. 15.1.5.1, 16.1.2.2
1068445 3-Major BT1068445 TCP duplicate acks are observed in speed tests for larger requests  
1067505 3-Major   TMM may crash while processing TLS traffic with HTTP::respond  
1065789 3-Major   TMM may send duplicated alerts while processing SSL connections 15.1.5, 16.1.2.1
1064157 3-Major BT1064157 Http_proxy_opaque_get should constrain search to local/spawn flows, not looped flows 16.1.2.2
1063453 3-Major BT1063453 FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets. 16.1.2.2
1059573 3-Major BT1059573 Variation in a case insensitive value of an operand in LTM policy may fail in some rules.  
1058469 3-Major BT1058469 Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working. 14.1.4.6, 15.1.5.1, 16.1.2.2
1056401 3-Major BT1056401 Valid clients connecting under active syncookie mode might experience latency. 15.1.5.1, 16.1.2.2
1055097 3-Major BT1055097 TCP proxy with ramcache and OneConnect can result in out-of-order events, which stalls the flow. 16.1.2.2
1053173 3-Major   Support for MQTT functionality over websockets.  
1053149 3-Major BT1053149 A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received.  
1052929 3-Major BT1052929 MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1050393 3-Major   Dynamic VLAN support in BIG-IP Virtual Edition  
1043357 3-Major BT1043357 SSL handshake may fail when using remote crypto client 14.1.4.6, 15.1.5.1, 16.1.2.2
1043017 3-Major BT1043017 Virtual-wire with standard-virtual fragmentation 14.1.4.6, 16.1.2.2
1042913-3 3-Major BT1042913 Pkcs11d CPU utilization jumps to 100% 16.1.2.2
1042509 3-Major BT1042509 On an HTTP2 gateway virtual server, TMM does not ever update the stream's window for a large POST request 16.1.2.2
1040017 3-Major BT1040017 Final ACK validation during flow accept might fail with hardware SYN Cookie  
1038629-1 3-Major BT1038629 DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
1037645 3-Major BT1037645 TMM may crash under memory pressure when using iRule 'AES::key' command  
1036873 3-Major BT1036873 Pre-shared key extension sometimes is not the last extension in ClientHello in TLS1.3  
1036169 3-Major BT1036169 VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500".  
1031777-2 3-Major BT1031777 Connection not immediately closed on ssl handshake failure  
1031609-2 3-Major BT1031609 Improve nethsm-thales-install.sh and nethsm-thales-rfs-install.sh to be compatible with Entrust Client v12.60.10 package.&start; 15.1.5.1, 16.1.2.1
1029897 3-Major K63312282, BT1029897 Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1024841 3-Major BT1024841 SSL connection mirroring with ocsp connection failure on standby 15.1.5.1, 16.1.2.2
1024225-1 3-Major BT1024225 BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request 16.1.2.2
1023365 3-Major BT1023365 SSL server response could be dropped on immediate client shutdown. 15.1.4.1, 16.1.2
1023341 3-Major   HSM hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.1
1021713 3-Major   TMM may crash when processing AFM NAT64 policy 15.1.5.1, 16.1.2
1021481 3-Major BT1021481 'http-tunnel' and 'socks-tunnel' (which are internal interfaces) should be hidden. 16.1.2
1020957 3-Major BT1020957 HTTP response may be truncated by the BIG-IP system 16.1.2
1020549 3-Major BT1020549 Server-side connections stall with zero window with OneConnect profile 16.1.2.2
1019609-2 3-Major BT1019609 No Error logging when BIG-IP device's IP address is not added in client list on netHSM.&start; 15.1.5.1, 16.1.2.1
1018577 3-Major BT1018577 SASP monitor does not mark pool member with same IP Address but different Port from another pool member 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1017721 3-Major BT1017721 WebSocket does not close cleanly when SSL enabled. 16.1.2.2
1017513 3-Major BT1017513 Config sync fails with error Invalid monitor rule instance identifier 13.1.5, 14.1.4.5, 15.1.5.1, 16.1.2.1
1016921 3-Major BT1016921 SSL Connection mirroring - session resumption does not occur on standby when the session ticket is enabled  
1016449 3-Major BT1016449 After certain configuration tasks are performed, TMM may run with stale Self IP parameters. 14.1.4.6, 15.1.5.1, 16.1.2.2
1016113 3-Major BT1016113 HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile. 15.1.4, 16.1.2
1008501 3-Major BT1008501 TMM core 14.1.4.6, 15.1.5.1, 16.1.2.2
1008017 3-Major BT1008017 Validation failure on Enforce TLS Requirements and TLS Renegotiation 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1008009 3-Major BT1008009 SSL mirroring null hs during session sync state 14.1.4.5, 15.1.5.1, 16.1.2.2
1007749 3-Major BT1007749 URI TCL parse functions fail when there are interior segments with periods and semi-colons 15.1.5, 16.1.2.1
1006781 3-Major BT1006781 Server SYN is sent on VLAN 0 when destination MAC is multicast 15.1.4.1, 16.1.2.2
1004897 3-Major BT1004897 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason 14.1.4.4, 16.1.2.2
1004689 3-Major BT1004689 TMM might crash when pool routes with recursive nexthops and reselect option are used. 16.1.2.2
997357 4-Minor BT997357 iRule command "SSL:session invalidate" not working as expected  
962177 4-Minor BT962177 Results of POLICY::names and POLICY::rules commands may be incorrect 13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2
895557 4-Minor BT895557 NTLM profile logs error when used with profiles that do redirect 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2
838305 4-Minor BT838305 BIG-IP may create multiple connections for packets that should belong to a single flow. 14.1.4.6, 15.1.5.1, 16.1.2.2
717806 4-Minor BT717806 In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1080341 4-Minor BT1080341 Changing an L2-forward virtual to any other virtual type might not update the configuration. 16.1.2.2
1075205 4-Minor BT1075205 Using TCP::close after HTTP::redirect/HTTP::respond causes HTTP response not to be delivered to the client. 16.1.2.2
1064669 4-Minor BT1064669 Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash. 15.1.5.1, 16.1.2.2
1034217 4-Minor BT1034217 Quic_update_rtt can leave ack_delay uninitialized.  
1031901 4-Minor BT1031901 In HTTP2 deployment, RST_STREAM sent to client if server in CLOSING state is picked 15.1.4.1, 16.1.2
1030533 4-Minor BT1030533 The BIG-IP system may reject valid HTTP responses from OCSP servers.  
1027805 4-Minor BT1027805 DHCP flows crossing route-domain boundaries might fail.  
1026605 4-Minor BT1026605 When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1026005 4-Minor BT1026005 BIG-IP Virtual Edition (VE) does NOT preserve the order of NICs 5-10 defined in the VMware ESXi hypervisor and NSXT platforms. 16.1.2.2
1024761 4-Minor BT1024761 HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body 15.1.5, 16.1.2.1
1018493 4-Minor BT1018493 Response code 304 from TMM Cache always closes TCP connection. 13.1.5, 14.1.4.5, 15.1.4, 16.1.2
1016441 4-Minor   RFC Enforcement Hardening 14.1.4.6, 15.1.5.1, 16.1.2.2
1016049 4-Minor BT1016049 EDNS query with CSUBNET dropped by protocol inspection 14.1.4.6, 15.1.5.1, 16.1.2.2
1005109 4-Minor BT1005109 TMM crashes when changing traffic-group on IPv6 link-local address 14.1.4.5, 15.1.5, 16.1.2.1
1002945 4-Minor BT1002945 Some connections are dropped on chained IPv6 to IPv4 virtual servers. 14.1.4.5, 15.1.4.1, 16.1.2
968581 5-Cosmetic BT968581 TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description 15.1.5.1, 16.1.2.2


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1039069 1-Blocking BT1039069 Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049.&start; 15.1.4, 16.1.1
950069 2-Critical BT950069 Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record"  
876677 2-Critical BT876677 When running the debug version of TMM, an assertion may be triggered due to an expired DNS lookup. 16.1.2.2
1077701 2-Critical BT1077701 GTM "require M from N" monitor rules do not report when the number of "up" responses change  
1066729 2-Critical   TMM may crash while processing DNS traffic 15.1.5.1, 16.1.2.2
1062513 2-Critical BT1062513 GUI returns 'no access' error message when modifying a GTM pool property. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1035853 2-Critical K41415626, BT1035853 Transparent DNS Cache can consume excessive resources. 13.1.5, 14.1.4.5, 15.1.5, 16.1.2
1030881 2-Critical BT1030881 [GTM] Upgrade failure - 01070022:3: The monitor template min was not found.&start; 16.1.2.2
1029629 2-Critical   TMM may crash while processing DNS lookups 15.1.5.1, 16.1.2
1028773 2-Critical BT1028773 Support for DNS Over TLS 16.1.2
1027657 2-Critical BT1027657 Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules. 15.1.5.1, 16.1.2.2
1011433 2-Critical BT1011433 TMM may crash under memory pressure when performing DNS resolution 16.1.2.2
1010617 2-Critical BT1010617 String operation against DNS resource records cause tmm memory corruption 15.1.5.1, 16.1.2.2
996233 3-Major   Tomcat may crash while processing TMUI requests  
993489 3-Major BT993489 GTM daemon leaks memory when reading GTM link objects 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
984749 3-Major BT984749 Discrepancy between DNS cache statistics "Client Summary" and "Client Cache."  
935249 3-Major BT935249 GTM virtual servers have the wrong status 15.1.5, 16.1.2.1
808913 3-Major BT808913 Big3d cannot log the full XML buffer data  
1084173 3-Major BT1084173 Unable to specify "no caching desired" for ephemeral DNS resolvers (i.e. RESOLV::lookup).  
1078669 3-Major   iRule command “RESOLVER::name_lookup” returns null for TCP resolver with TC (truncated) flag set.  
1076401 3-Major BT1076401 Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec. 16.1.2.2
1071301 3-Major BT1071301 GTM server does not get updated even when the virtual server status changes.  
1071233 3-Major BT1071233 GTM Pool Members may not be updated accurately when multiple identical database monitors are configured  
1064189 3-Major BT1064189 DoH proxy and server listeners from GUI with client-ssl profile and server-ssl profile set to None produces undefined warning 16.1.2.2
1046785 3-Major BT1046785 Missing GTM probes when max synchronous probes are exceeded. 13.1.5, 15.1.5.1, 16.1.2.2
1044425 3-Major   NSEC3 record improvements for NXDOMAIN 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1039553 3-Major BT1039553 Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitors 15.1.5, 16.1.2.1
1021417 3-Major BT1021417 Modifying GTM pool members with replace-all-with results in pool members with order 0 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1021061 3-Major BT1021061 Config fails to load for large config on platform with Platform FIPS license enabled 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
1020337 3-Major BT1020337 DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator 15.1.5.1, 16.1.2.2
1018613 3-Major BT1018613 Modify wideip pools with replace-all-with results pools with same order 0 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
996381 2-Critical K41503304, BT996381 ASM attack signature may not match as expected 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
993613 2-Critical BT993613 Device fails to request full sync 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
978357 2-Critical   BD crash on specific scenario  
970329 2-Critical   ASM hardening 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
965229 2-Critical BT965229 ASM Load hangs after upgrade&start; 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
912149 2-Critical BT912149 ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
884945 2-Critical BT884945 Latency reduce in case of empty parameters.  
842013 2-Critical BT842013 ASM Configuration is Lost on License Reactivation&start; 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
791669-4 2-Critical BT791669 TMM might crash when Bot Defense is configured for multiple domains 14.1.2.3, 15.1.4, 16.0.1.2
1069501 2-Critical   ASM may not match certain signatures 16.1.2.2
1069449 2-Critical   ASM attack signatures may not match cookies as expected 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1068237 2-Critical BT1068237 Some attack signatures added to policies are not used. 16.1.2.2
1036521 2-Critical BT1036521 TMM crash in certain cases 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1019853 2-Critical K30911244, BT1019853 Some signatures are not matched under specific conditions 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1017153 2-Critical BT1017153 Asmlogd suddenly deletes all request log protobuf files and records from the database. 14.1.4.5, 15.1.4.1, 16.1.2
1012701 2-Critical   BD crash on websocket traffic  
1011065 2-Critical   Certain attack signatures may not match in multipart content 15.1.4.1, 16.1.2
1011061 2-Critical   Certain attack signatures may not match in multipart content 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1000789-4 2-Critical BT1000789 ASM-related iRule keywords may not work as expected 16.1.2.2
995889 3-Major BT995889 Username/Password JSON elements of login page detected as case sensitive when the policy is configured as case insensitive  
986937 3-Major BT986937 Cannot create child policy when the signature staging setting is not equal in template and parent policy 15.1.4, 16.0.1.2, 16.1.1
984593 3-Major BT984593 BD crash 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
981069 3-Major BT981069 Reset cause: "Internal error ( requested abort (payload release error))" 15.1.4, 16.1.1
980029 3-Major   [JSON policy] signature set systems are not being exported as expected  
977897 3-Major   A rule which contains pipe is parsed successfully on BIG-IP, but BIG-IQ throws an error  
969017 3-Major   [JSON policy] Attack type filter in signature set is being exported as attackTypeReference  
965785 3-Major BT965785 Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine 14.1.4.6, 15.1.5.1, 16.1.2.2
964977 3-Major BT964977 Uncaught RangeError: Maximum call stack size exceeded  
964897 3-Major BT964897 Live Update - Indication of "Update Available" when there is no available update 14.1.4, 15.1.3, 16.0.1.2
962589 3-Major BT962589 Full Sync Requests Caused By Failed Relayed Call to delete_suggestion 14.1.4.4, 15.1.4, 16.1.1
962493 3-Major   Request is not logged  
962489 3-Major   False positive enforcement of parameters with specific configuration  
961509 3-Major BT961509 ASM blocks WebSocket frames with signature matched but Transparent policy 14.1.4.6, 15.1.5.1, 16.1.2.2
956373 3-Major BT956373 ASM sync files not cleaned up immediately after processing 14.1.4.1, 15.1.3, 16.0.1.2
951789 3-Major BT951789 Uncaught RangeError: Maximum call stack size exceeded  
951133 3-Major BT951133 Live Update does not work properly after upgrade&start; 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
950917 3-Major BT950917 Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 13.1.4.1, 14.1.4.2, 15.1.4
949293 3-Major   False-Positives in case of matrix path parameter enforcement  
947341 3-Major BT947341 MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files. 14.1.4.1, 15.1.3, 16.0.1.2, 16.1.2
932193 3-Major   Improper handling of multiple cookie headers results in security bypass  
932133 3-Major BT932133 Payloads with large number of elements in XML take a lot of time to process 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
929077 3-Major BT929077 Bot Defense allow list does not apply when using default Route Domain and XFF header 14.1.4, 15.1.3, 16.0.1.1
926845 3-Major BT926845 Inactive ASM policies are deleted upon upgrade 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
923221 3-Major BT923221 BD does not use all the CPU cores 16.1.2.2
921697 3-Major BT921697 Attack signature updates fail to install with Installation Error.&start; 14.1.4.6, 15.1.5.1, 16.1.2.1
920149 3-Major BT920149 Live Update default factory file for Server Technologies cannot be reinstalled 14.1.4.4, 15.1.4.1, 16.1.1
907025 3-Major BT907025 Live update error" 'Try to reload page' 14.1.4.5, 15.1.5, 16.1.2.1
903313 3-Major   OWASP page: File Types score in Broken Access Control category is always 0.  
888289 3-Major BT888289 Add option to skip percent characters during normalization 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1
885765 3-Major BT885765 ASMConfig Handler undergoes frequent restarts 14.1.4.5, 15.1.5, 16.1.2.1
830341 3-Major BT830341 False positives Mismatched message key on ASM TS cookie 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2.1
818889 3-Major BT818889 False positive malformed json or xml violation. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
789841 3-Major   Some specific security enhancements were added to the payload normalization.  
673272 3-Major BT673272 Search by "Signature ID is" does not return results for some signature IDs 13.1.4, 14.1.4.2, 15.1.4, 16.0.1.2
580715 3-Major BT580715 ASM is not sending 64 KB remote logs over UDP 15.1.5
1072197 3-Major   Issue with input normalization in WebSocket. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1070273 3-Major   OWASP Dashboard does not calculate Disallow DTDs in XML content profile protection properly. 16.1.2.2
1069133 3-Major BT1069133 ASMConfig memory leak. 16.1.2.2
1067285 3-Major BT1067285 Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.' 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1066829 3-Major BT1066829 Memory leak for xml/json auto-detected parameter with signature patterns. 15.1.5.1, 16.1.2.2
1064501 3-Major   BD crash on startup or first request  
1062105 3-Major BT1062105 For specific configurations (Auto-Added Signature Accuracy and Case Sensitive parent policy), child security policy fails to create.  
1061617 3-Major BT1061617 Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters". 16.1.2.2
1060933 3-Major   Issue with input normalization. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1059621 3-Major BT1059621 IP Exceptions feature and SSRF feature do not work as expected if both the entries are configured with the same IP/IPs. 16.1.2.2
1058597 3-Major BT1058597 Bd crash on first request after system recovery.  
1056365 3-Major   Bot Defense injection does not follow best SOP practice. 16.1.2.2
1052173 3-Major BT1052173 For wildcard SSRF hosts "Matched Disallowed Address" field is wrong in the SSRF violation. 16.1.2.2
1051213 3-Major BT1051213 Increase default value for violation 'Check maximum number of headers'. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1051209 3-Major   BD may not process certain HTTP payloads as expected 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1048685 3-Major BT1048685 Rare TMM crash when using Bot Defense Challenge  
1047389 3-Major BT1047389 Bot Defense challenge hardening 14.1.4.6, 15.1.5.1, 16.1.2.2
1045101 3-Major   Bd may crash while processing ASM traffic 13.1.5, 14.1.4.6, 15.1.5, 16.1.2.1
1043533 3-Major   Unable to pick up the properties of the parameters from audit reports. 15.1.5.1, 16.1.2.2
1043513 3-Major   ASM rest API endpoints to upload/import a security policy into a partition.  
1043385 3-Major BT1043385 No Signature detected If Authorization header is missing padding. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1042917 3-Major BT1042917 Using 'Full Export' of security policy should result with no diffs after importing it back to device. 16.1.2
1042605 3-Major BT1042605 ASM Critical Warnings during UCS load after upgrade to v15.1.0 or above&start; 15.1.5.1, 16.1.2.2
1042069 3-Major   Some signatures are not matched under specific conditions. 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2.1
1041757 3-Major BT1041757 Legitimate users using new versions of Chromium-based browsers might be mitigated  
1041149 3-Major BT1041149 Staging of URL does not affect apply value signatures 15.1.5.1, 16.1.2.2
1039361 3-Major BT1039361 [GraphQL] In case of more than one malformed violation, the first is reported multiple times  
1038733 3-Major BT1038733 Attack signature not detected for unsupported authorization types. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1037457 3-Major BT1037457 High CPU during specific dos mitigation 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1036305 3-Major   "Mandatory request body is missing" violation in staging but request is unexpectedly blocked  
1033017 3-Major BT1033017 Policy changes learning mode to automatic after upload and sync 16.1.2.2
1030853 3-Major BT1030853 Route domain IP exception is being treated as trusted (for learning) after being deleted 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1028493 3-Major   Live Update genesis file for Server Technologies installation fails  
1028473 3-Major BT1028473 URL sent with trailing slash might not be matched in ASM policy 16.1.2.2
1028109 3-Major BT1028109 Detected attack signature is reported with the wrong context. 16.1.2
1023993 3-Major BT1023993 Brute Force is not blocking requests, even when auth failure happens multiple times 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1022269 3-Major BT1022269 False positive RFC compliant violation 13.1.5, 14.1.4.4, 15.1.4, 16.1.2
1021521 3-Major BT1021521 JSON Schema is not enforced if OpenAPI media-type is wild card. 16.1.2.2
1019721 3-Major BT1019721 Wrong representation of JSON/XML validation files in template based (minimal) JSON policy export 16.1.2.2
1012221 3-Major BT1012221 Message: childInheritanceStatus is not compatible with parentInheritanceStatus&start; 14.1.4.6, 15.1.5.1, 16.1.2.2
1011069 3-Major BT1011069 Group/User R/W permissions should be changed for .pid and .cfg files. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1008849 3-Major BT1008849 OWASP "A4 XML External Entities (XXE)" is not reflecting the XXE signatures configuration. 15.1.5.1, 16.1.2.2
1005105 3-Major BT1005105 Requests are missing on traffic event logging 14.1.4.5, 15.1.4, 16.1.1
1004069 3-Major BT1004069 Brute force attack is detected too soon 13.1.5, 14.1.4.5, 15.1.5, 16.1.2
1000741 3-Major   Fixing issue with input normalization 14.1.4.4, 15.1.4, 16.1.1
984449 4-Minor   Unnecessary swagger validation violation may raise due to behavioral WAF parameter traps that have identical name  
974425 4-Minor BT974425 Legitimate clients using new browsers might get mitigated by Bot Defense Profile  
964925 4-Minor   Page might be broken when using Single Page Application and calling onreadystatechange() directly  
962817 4-Minor BT962817 Description field of a JSON policy overwrites policy templates description 15.1.3, 16.0.1.1
950953 4-Minor BT950953 Browser Challenges update file cannot be installed after upgrade&start;  
949781 4-Minor   Possible blocking on bad IP reputation  
941625 4-Minor BT941625 BD sometimes encounters errors related to TS cookie building 15.1.4, 16.1.1
937541 4-Minor   Wrong display of signature references in violation details  
922785 4-Minor BT922785 Live Update scheduled installation is not installing on set schedule 14.1.4, 15.1.3, 16.0.1.2
911729 4-Minor BT911729 Redundant learning suggestion to set a Maximum Length when parameter is already at that value 14.1.4.2, 15.1.4, 16.0.1.2
844045 4-Minor BT844045 ASM Response event logging for "Illegal response" violations. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
810917 4-Minor   OWASP Compliance score is shown for parent and child policies that are not applicable.  
1066377 4-Minor BT1066377 OpenAPI - Content profile is not consistent with wildcard configuration 16.1.2.2
1064025 4-Minor   OWASP Compliance screen: entities appear in plural when only single entity is detected.  
1063993 4-Minor   Typo in Session Hijacking Protection requirement in OWASP compliance screen.  
1063985 4-Minor   Typo in Review Policy Security pop-up, in OWASP Compliance screen (UnIgnore instead of Unignore).  
1050697 4-Minor   Traffic learning page counts Disabled signatures when they are ready to be enforced 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1048445 4-Minor BT1048445 Accept Request button is clickable for unlearnable violation illegal host name 16.1.2.2
1046317 4-Minor   Violation details are not populated with staged URLs for some violation types  
1039245 4-Minor   Policy Properties screen does not load and display 16.1.2.2
1038741 4-Minor BT1038741 NTLM type-1 message triggers "Unparsable request content" violation. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1037949 4-Minor   Import ASM policy fails due to no available index for user defined violation  
1035361 4-Minor BT1035361 Illegal cross-origin after successful CAPTCHA 15.1.5.1, 16.1.2.2
1034941 4-Minor BT1034941 Exporting and then re-importing "some" XML policy does not load the XML content-profile properly 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1026277 4-Minor   Apply Policy can get ignored in auto-sync setup, while importing/replacing several existing policies with policies that have Policy Builder enabled  
1021637 4-Minor BT1021637 In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs 16.1.2.2
1020717 4-Minor BT1020717 Policy versions cleanup process sometimes removes newer versions 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1016033 4-Minor BT1016033 Remote logging of WS/WSS shows date_time equal to Unix epoch start time 15.1.5
1004537 4-Minor BT1004537 Traffic Learning: Accept actions for multiple suggestions not localized 15.1.4, 16.1.2
1002385 4-Minor   Fixing issue with input normalization 14.1.4.6, 15.1.5, 16.1.2.1
959465 5-Cosmetic   Bot Defense iFrame might be seen in browsers  


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
1009093 2-Critical BT1009093 GUI widgets pages are not functioning correctly 15.1.5, 16.1.2.1
949593 3-Major BT949593 Unable to load config if AVR widgets were created under '[All]' partition&start; 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
932485 3-Major BT932485 Incorrect sum(hits_count) value in aggregate tables 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
932137 3-Major BT932137 AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
926341 3-Major BT926341 RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade&start; 13.1.5, 14.1.4.4, 15.1.4
924945 3-Major BT924945 Fail to detach HTTP profile from virtual server 15.1.3, 16.0.1.2, 16.1.1
922105 3-Major BT922105 Avrd core when connection to BIG-IQ data collection device is not available 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
913085 3-Major BT913085 Avrd core when avrd process is stopped or restarted 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1
909161 3-Major BT909161 A core file is generated upon avrd process restart or stop 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
869049 3-Major BT869049 Charts discrepancy in AVR reports 14.1.4.1, 15.1.3, 16.0.1.2
743826 3-Major BT743826 Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0) 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
1035133 3-Major BT1035133 Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
964097 4-Minor   Watchdog restart AVRD when publish interval set to 300  
948113 4-Minor BT948113 User-defined report scheduling fails 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1020705 4-Minor BT1020705 tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name 14.1.4.4, 15.1.3.1, 16.1.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1027217-2 1-Blocking BT1027217 Script errors in Network Access window using browser. 15.1.4.1, 16.1.2
1010597 1-Blocking BT1010597 Traffic disruption when virtual server is assigned to a non-default route domain&start;  
999317-5 2-Critical K03544414, BT999317 Running Diagnostics report for Edge Client on Windows does not follow best practice 15.1.3.1
987341 2-Critical   BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers.  
965837 2-Critical BT965837 When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection  
943489-1 2-Critical BT943489 OAuth crash  
1078829 2-Critical   Login as current user fails in VMware  
1073885 2-Critical   Occasional ECA plugin crashes observed during service shutdown or restart  
1072665 2-Critical   TMM crash while passing OAuth traffic  
1063261 2-Critical BT1063261 TMM crash is seen due to sso_config objects.  
1046633 2-Critical BT1046633 Rare tmm crash when sending packets to apmd fails  
1024029 2-Critical   TMM may crash when processing traffic with per-session APM Access Policy  
1006893 2-Critical BT1006893 Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core 14.1.4.5, 15.1.4.1, 16.1.2
993457 3-Major BT993457 TMM core with ACCESS::policy evaluate iRule 14.1.4.5, 15.1.4.1, 16.1.2
992073 3-Major   APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
969317 3-Major BT969317 "Restrict to Single Client IP" option is ignored for vmware VDI 14.1.4.5, 15.1.4.1, 16.1.2.1
956645 3-Major BT956645 Per-request policy execution may timeout. 14.1.4.5
947613 3-Major BT947613 APM reset after upgrade and modify of LDAP Group Lookup&start;  
858005 3-Major   When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:" 16.1.2.2
849029 3-Major BT849029 No configurable setting for maximum entries in CRLDP cache 14.1.4.4
828761 3-Major BT828761 APM OAuth - Auth Server attached iRule works inconsistently 14.1.4.5, 15.1.5, 16.1.2.1
827393 3-Major BT827393 In rare cases tmm crash is observed when using APM as RDG proxy. 13.1.5, 14.1.4.5, 15.1.5.1, 16.1.2.1
809409 3-Major   Support PKCE (Proof Key for Code Exchange) in BIG-IP APM OAuth Authorization Server.  
752077 3-Major BT752077 Kerberos replay cache leaks file descriptors  
738593 3-Major BT738593 Vmware Horizon session collaboration (shadow session) feature does not work through APM. 14.1.4.5, 15.1.5, 16.1.2.1
423519 3-Major   Bypass disabling the redirection controls configuration of APM RDP Resource. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1076753 3-Major   Not able to set RSA new pin on windows with Citrix Receiver  
1071485 3-Major BT1071485 For IP based bypass, Response Analytics sends RST.  
1064001 3-Major   POST request to a virtual server with stream profile and a access policy is aborted.  
1063345 3-Major   Urldbmgrd may crash while downloading the database.  
1053309 3-Major   Localdbmgr leaks memory while syncing data to sessiondb and mysql.  
1048913 3-Major BT1048913 APM internal virtual server leaks memory under certain conditions.  
1045229 3-Major BT1045229 APMD leaks Tcl_Objs as part of the fix made for ID 1002557 14.1.4.5, 15.1.5.1, 16.1.2.2
1044121 3-Major BT1044121 APM logon page is not rendered if db variable "ipv6.enabled" is set to false 14.1.4.5, 15.1.5.1, 16.1.2.2
1043217 3-Major   NTLM frontend auth fails with the latest Microsoft RDP client on MacOS 14.0.1 platform  
1042505 3-Major BT1042505 Session variable "session.user.agent" does not get populated for edge clients  
1039725 3-Major BT1039725 Reverse proxy traffic fails when a per-request policy is attached to a virtual server.  
1038353 3-Major   UI and Schema changes are needed to enable/disable NLA for machine tunnels during client package creation.  
1034041 3-Major   Microsoft Intune Azure AD Graph cannot cannot migrate to Microsoft Graph.  
1029413 3-Major K09131713 BIG-IP needs to support different password complexity variables for Android 10.  
1024437 3-Major BT1024437 Urldb index building fails to open index temp file  
1024101 3-Major BT1024101 SWG as a Service license improvements 16.1.1
1022625 3-Major BT1022625 Profile type 'swg-transparent' should be selected on create page when 'create-new' is selected for SwgAsService in SSL Orchestrator 16.1.1
1022493 3-Major BT1022493 Slow file descriptor leak in urldbmgrd (sockets open over time)  
1021485 3-Major BT1021485 VDI desktops and apps freeze with Vmware and Citrix intermittently 14.1.4.5, 15.1.4.1, 16.1.2
1020561 3-Major BT1020561 Session memory increases over time due to db_access_set_accessinfo can leak sresult key/data in error case 15.1.5
1018877 3-Major BT1018877 Subsession variable values mixing between sessions  
1017233 3-Major BT1017233 APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption 15.1.4.1, 16.1.2
1013729 3-Major   Changing User login password using VMware View Horizon client results in “HTTP error 500”  
1009049-10 3-Major   browser based vpn did not follow best practices while logging.&start; 14.1.4.6, 15.1.5.1, 16.1.2.2
1007677 3-Major BT1007677 Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector' 15.1.4.1, 16.1.2.1
1002413 3-Major BT1002413 Websso puts quotation marks around non-string claim type 'custom' values  
1001937 3-Major   APM configuration hardening 15.1.5.1, 16.1.2.2
1000669-5 3-Major BT1000669 Tmm memory leak 'string cache' leading to SIGFPE  
939877 4-Minor BT939877 OAuth refresh token not found 14.1.4.4, 15.1.4, 16.1.2
773853 4-Minor   Support JWE consumption in OAuth Client and Resource Server.  
1064377 4-Minor   OAuth token contents is shown in the debug logs  


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
993913 2-Critical BT993913 TMM SIGSEGV core in Message Routing Framework 14.1.4.4, 15.1.4, 16.1.1
1047053 2-Critical   TMM may consume excessive resources while processing RTSP traffic 13.1.5, 14.1.4.6, 15.1.5, 16.1.2.2
1029397 2-Critical BT1029397 Tmm may crash with SIP-ALG deployment in a particular race condition 14.1.4.6, 15.1.5, 16.1.2.2
1012721 2-Critical BT1012721 Tmm may crash with SIP-ALG deployment in a particular race condition 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.1
1007821 2-Critical BT1007821 SIP message routing may cause tmm crash 15.1.4, 16.1.1
1007113 2-Critical BT1007113 Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds 14.1.4.5, 15.1.4.1, 16.1.2
996113 3-Major BT996113 SIP messages with unbalanced escaped quotes in headers are dropped 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
957905 3-Major BT957905 SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
921441 3-Major BT921441 MR_INGRESS iRules that change diameter messages corrupt diam_msg  
805821 3-Major BT805821 GTP log message contains no useful information 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
1082885 3-Major BT1082885 MR::message route virtual asserts when configuration changes during ongoing traffic 16.1.2.2
1078721 3-Major   TMM may consume excessive resources while processing ICAP traffic 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1056933 3-Major   TMM may crash while processing SIP traffic 14.1.4.6, 15.1.5, 16.1.2.2
1039329 3-Major BT1039329 MRF per peer mode is not working in vCMP guest. 14.1.4.5, 15.1.5, 16.1.2.1
1025529 3-Major BT1025529 TMM generates core when iRule executes a nexthop command and SIP traffic is sent 14.1.4.5, 15.1.4.1, 16.1.2.1
919301 4-Minor BT919301 GTP::ie count does not work with -message option 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
913413 4-Minor BT913413 'GTP::header extension count' iRule command returns 0 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
913409 4-Minor BT913409 GTP::header extension command may abort connection due to unreasonable TCL error 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
1018285 4-Minor BT1018285 MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction 15.1.4.1, 16.1.2
1003633 4-Minor BT1003633 There might be wrong memory handling when message routing feature is used 14.1.4.5, 15.1.4.1, 16.1.2
913393 5-Cosmetic BT913393 Tmsh help page for GTP iRule contains incorrect and missing information 13.1.5, 14.1.4.4, 15.1.4, 16.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
993269 2-Critical BT993269 DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option  
964989 2-Critical BT964989 AFM DOS half-open does not handle wildcard virtual servers properly.  
1061929-1 2-Critical BT1061929 Unable to perform IPI update (through proxy) after upgrade to 15.1.4.&start; 15.1.5.1
1060833 2-Critical BT1060833 After handling a large number of connections with firewall rules that log or report translation fields or server side statistics, TMM may crash.  
1058645 2-Critical BT1058645 ipsecalg blocks Sophos ISAKMP negotiation during tunnel setup. 14.1.4.6, 15.1.5.1
1049229 2-Critical BT1049229 When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1040685-2 2-Critical BT1040685 Core file on blade slot2 after reboot (TMM SIGSEGV in pktclass_classifier)  
1033781-1 2-Critical BT1033781 IP Reputation database sync fails when DB variable iprep.protocol is set to auto-detect  
1008265 2-Critical   DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond&start; 14.1.4.6, 15.1.5.1, 16.1.2.2
992213 3-Major BT992213 Protocol Any displayed as HOPTOPT in AFM policy view 14.1.4.2, 15.1.4, 16.1.1
987637 3-Major BT987637 DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware 15.1.4
965849 3-Major BT965849 Displayed 'Route Domain ID' value is confusing if it is set to None  
964625 3-Major BT964625 Improper processing of firewall-rule metadata 16.1.2.2
959609-1 3-Major BT959609 Autodiscd daemon keeps crashing 16.1.2.2
952521 3-Major BT952521 Memory allocation error while creating an address list with a large range of IPv6 addresses&start;  
929913 3-Major BT929913 External DNS logging does not differentiate between: all src_IP, Per-SrcIP and Per-DstIP events  
929909 3-Major BT929909 TCP Packets are not dropped in IP Intelligence 15.1.5.1, 16.1.2.2
808893-4 3-Major BT808893 DNS DoS profile vectors do not function correctly&start; 14.1.4.6
1079637-2 3-Major BT1079637 Incorrect Neuron rule order 15.1.5.1
1076881 3-Major   Attack count and BA/BD stats are not updated for DNS family vectors  
1076477-3 3-Major BT1076477 AFM allows deletion of a firewall policy even if it's being used in a route domain.  
1070737 3-Major BT1070737 AFM does not detect NXDOMAIN attack at virtual context when DNS cache is activated.  
1070033-3 3-Major BT1070033 Virtual server may not fully enter hardware SYN Cookie mode. 14.1.4.6
1067405 3-Major BT1067405 TMM crash while offloading / programming bad actor connections to hardware.  
1067393 3-Major BT1067393 MCP validation - incorrect config load fail on AFM NAT rule with next-hop pool.&start; 15.1.5.1
1057061 3-Major   BIG-IP Virtual Edition + security-log-profile (HSL) performance issue with Log Translation Fields.  
1047933 3-Major BT1047933 Virtual server security policy - An error has occurred while trying to process your request  
1045065 3-Major BT1045065 Enable traffic group modification in source-translation object 15.1.4.1
1042153 3-Major   AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN.  
1037661 3-Major   The packet tester does not validate the route domain after applying the rule list when the protocol is changed from IP to any  
1020061 3-Major BT1020061 Nested address lists can increase configuration load time  
1019557 3-Major BT1019557 Bdosd does not create /var/bdosd/*.json  
1019453 3-Major BT1019453 Core generated for autodosd daemon when synchronization process is terminated 15.1.3.1
1016309 3-Major BT1016309 When two policies with the same properties are configured with geo property, the geo for the second policy is ignored. 15.1.4
1012581 3-Major BT1012581 Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered  
1012413 3-Major BT1012413 Tmm performance impact for DDoS vector on virtual server when hardware mitigation is enabled 15.1.4
1000405 3-Major BT1000405 VLAN/Tunnels not listed when creating a new rule via GUI 15.1.4, 16.1.1
1072057 4-Minor BT1072057 "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy. 14.1.4.6, 15.1.5.1, 16.1.2.2
1063681 4-Minor BT1063681 PCCD cored, SIGSEGV in pc::cfg::CMessageProcessor::modify_fqdn. 15.1.5.1
1052317 4-Minor   The BIG-IP system does not output the show security nat source-translation command.  
1033021 4-Minor BT1033021 UI: Partition does not work when clicking through security zones  


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1086897 2-Critical BT1086897 PEM subcriber lookup can fail for internet side/subscriber side new connections 16.1.2.2
946325 3-Major   PEM subscriber GUI hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
829653 3-Major BT829653 Memory leak due to session context not freed  
1081153-3 3-Major   TMM may crash while processing administrative requests  
815901 4-Minor BT815901 Add rule to the disabled pem policy is not allowed  


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
1085077 1-Blocking   TMM may crash while processing SIP-ALG traffic  
1083225 2-Critical   TMM may crash while processing SIP traffic  
1028269 2-Critical BT1028269 Device using CGNAT + subscriber discovery license shows unknown for pem_subscriber-id. 15.1.5.1, 16.1.2.2
1019613 2-Critical BT1019613 Unknown subscriber in PBA deployment may cause CPU spike 14.1.4.6, 15.1.5.1, 16.1.2.2
994985 3-Major BT994985 CGNAT GUI shows blank page when applying SIP profile 14.1.4.2, 15.1.4
1064217 3-Major BT1064217 Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T. 16.1.2.2
1023461-1 3-Major BT1023461 Multiple entries for CGNAT when PBA pools allocation is defined: for each request, a new entry is created  


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1038445 2-Critical BT1038445 During upgrade to 16.1, the previous FPS Engine live update remains active&start; 16.1.2.2
873617 3-Major BT873617 DataSafe is not available with AWAF license after BIG-IP startup or MCP restart. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1052781-1 3-Major BT1052781 JavaScript obfuscation is very slow.  


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1023437 3-Major   Buffer overflow during attack with large HTTP Headers 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
1060409 4-Minor BT1060409 Behavioral DoS enable checkbox is wrong. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
1033829-4 2-Critical BT1033829 Unable to load Traffic Classification package 14.1.4.5, 15.1.5.1, 16.1.2.2
1052153-3 3-Major BT1052153 Signature downloads for traffic classification updates via proxy fail 14.1.4.6, 15.1.5.1, 16.1.2.2
1013629 3-Major BT1013629 URLCAT: Vulnerability Scan finds many Group/User Read/Write (666/664/662) files 16.1.2
686783 4-Minor BT686783 UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters. 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
929213 3-Major BT929213 iAppLX packages not rolled forward after BIG-IP upgrade&start; 14.1.4.4, 15.1.4.1, 16.1.2
999085 4-Minor BT999085 REST endpoint registration errors in restjavad logs  


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
946185 3-Major BT946185 Unable to view iApp component due to error 'An error has occurred while trying to process your request.'&start; 14.1.4.4, 15.1.4.1, 16.1.2
1004665-1 3-Major   Secure iAppsLX Restricted Storage issues.  


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
1072733 2-Critical   Protocol Inspection IM package hardening 16.1.2.2
965853 3-Major   IM package file hardening&start; 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
964489 3-Major   Protocol Inspection IM package hardening 14.1.4.6, 15.1.5.1, 16.1.2.2
1070677-3 3-Major BT1070677 Learning phase does not take traffic into account - dropping all. 16.1.2.2
940261 4-Minor BT940261 Support IPS package downloads via HTTP proxy. 14.1.4.6, 15.1.5.1, 16.1.2.2


Guided Configuration Fixes

ID Number Severity Links to More Info Description Fixed Versions
963625-7 2-Critical   Appliance mode hardening  
959153-7 2-Critical   Appliance mode hardening  
982801-7 3-Major   AGC hardening  
982785-7 3-Major   Guided Configuration hardening  
982777-13 3-Major   APM hardening  
982769-14 3-Major   Appliance mode hardening  
982757-2 3-Major   APM Access Guided Configuration hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
982753-12 3-Major   Appliance mode hardening  
982745-14 3-Major   Appliance mode hardening  
1013569-2 3-Major   Hardening of iApps processing 15.1.4, 16.1.1
1004881-6 3-Major   Update angular, jquery, moment, axios, and lodash libraries in AGC  
1025117 4-Minor   APM Access Guided Configuration hardening  


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
944121 3-Major BT944121 Missing SNI information when using non-default domain https monitor running in TMM mode. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
854129 3-Major BT854129 SSL monitor continues to send previously configured server SSL configuration after removal 16.1.2.2


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
1079505 2-Critical   TMM may consume excessive resources while processing SSLO traffic  
1055361 2-Critical BT1055361 Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash. 15.1.5.1, 16.1.2.1
1058401 3-Major BT1058401 SSL Bypass does not work for inbound traffic 16.1.2.2
1050273 3-Major BT1050273 ERR_BOUNDS errors observed with HTTP explicit proxy service in SSL Orchestrator. 15.1.5
1048033 3-Major BT1048033 Server-speaks-first traffic might not work with SSL Orchestrator 16.1.2.2
1047377 3-Major BT1047377 "Server-speak-first" traffic might not work with SSL Orchestrator 16.1.2.2
1038669 3-Major BT1038669 Antserver keeps restarting. 15.1.5, 16.1.2
1032797 3-Major BT1032797 Tmm continuously cores when parsing custom category URLs 15.1.5, 16.1.2
1029869 3-Major BT1029869 Use of ha-sync script may cause gossip communications to fail 16.1.2.2
1029585 3-Major BT1029585 Use of ha-sync script may cause platforms in a sync-failover device group to fall out of sync 16.1.2.2
1017053 3-Major BT1017053 [SSL Orchestrator] Policy fails to complete when URL branching is configured  
1014085 3-Major   SSL Orchestrator traffic summary logs incorrectly identify decryption-status  

 

Cumulative fix details for BIG-IP v17.0.0 that are included in this release

999901 : Certain LTM policies may not execute correctly after a system reboot or TMM restart.

Component: Local Traffic Manager

Symptoms:
After a system reboot or TMM restart, LTM policies referencing an external data-group may not execute correctly, regardless of a successful matching condition.

This can cause a wide range of issues, including misrouted traffic, unshaped traffic, the bypassing of ASM, or complete traffic failure (based on the policy actions).

Note that if a virtual server references multiple LTM policies, and only some of those policies reference an external data-group, all LTM policies attached to the virtual server will be affected.

Conditions:
-- LTM policy with an external data-group configured on a virtual server.
-- System reboot or TMM restart.

Impact:
LTM policies may be unable to execute the appropriate action on a successful matching condition, leading to a wide range of traffic-impacting consequences.

Workaround:
Remove and re-add the affected policy to the desired virtual-server. Alternatively, to fix a wider number of affected virtual servers in one go, reload the system configuration by executing 'tmsh load sys config'.

Fix:
TMM now loads LTM policies with external data-groups as expected.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


999881 : Tcl command 'string first' not working if payload contains Unicode characters.

Links to More Info: BT999881

Component: Local Traffic Manager

Symptoms:
Tcl command 'string first' returns an incorrect value when Unicode characters are present in the payload.

Conditions:
-- Tcl command 'string first' is used in iRules.
-- Payload contains Unicode characters.

Impact:
Traffic processing with iRules that contains the 'string first' command might not work as expected.

Workaround:
You can use any of the following workarounds:

-- Use iRuleLX.
-- Do not use Unicode characters in the payload.
-- Use a custom Tcl proc to iterate through the string using lindex


999317-5 : Running Diagnostics report for Edge Client on Windows does not follow best practice

Links to More Info: K03544414, BT999317

Component: Access Policy Manager

Symptoms:
Running Diagnostics report for Edge Client on Windows does not follow best practice

Conditions:
Running Diagnostics report for Edge client on Windows system

Impact:
Edge client does not follow best practice

Workaround:
No workaround.

Fix:
Edge Client on Windows now follows best practice

Fixed Versions:
15.1.3.1


999125 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.

Links to More Info: BT999125

Component: TMOS

Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.

Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.

Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).

Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur.

Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:

tmsh restart sys service sod

Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.

Fix:
Redundant devices remain in the correct failover state following a management IP address change.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


999097 : SSL::profile may select profile with outdated configuration

Links to More Info: BT999097

Component: Local Traffic Manager

Symptoms:
Under some circumstances, an iRule-selected SSL profile may a send previously configured certificate to the peer.

Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.

Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.

Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.

Fix:
The system now makes sure that SSL profiles are properly reloaded after changes are made.

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1


999085 : REST endpoint registration errors in restjavad logs

Links to More Info: BT999085

Component: Device Management

Symptoms:
Errors are logged to /var/log/restjavad.0.log at the SEVERE log level:

[SEVERE]... [IcrWorker] Unable to register iControl endpoint "/xxxx/xxxx". Error: uriPath '/tm/xxxx/xxxx' already registered

Conditions:
The system reports these errors during startup of the restjavad service because of multiple registrations of the same endpoint.

Impact:
There is no functional impact and these errors can be ignored.

Workaround:
None


998225 : TMM crash when disabling/re-enabling a blade that triggers a primary blade transition.

Component: TMOS

Symptoms:
TMM crashes during the primary blade transition.

Conditions:
-- Using bidirectional forwarding detection.
-- Primary blade transition occurs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM no longer crashes on primary blade transition.


998221 : Accessing pool members from configuration utility is slow with large config

Links to More Info: BT998221

Component: TMOS

Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.

Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.

Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second,

Managing pool members from configuration utility is very slow causing performance impact.

Workaround:
None

Fix:
Optimized the GUI query used for retrieving pool members data.

Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2, 16.1.2


997357 : iRule command "SSL:session invalidate" not working as expected

Links to More Info: BT997357

Component: Local Traffic Manager

Symptoms:
The iRule command "SSL:session invalidate" allows session resumption to happen. Session resumption not supposed to occur when this iRule command is used in an iRule.

Conditions:
"SSL:session invalidate" is used in the iRule event HTTP_REQUEST

Impact:
Session resumption would happen where the iRule is used with "SSL:session invalidate" included which is not supposed to occur

Workaround:
Session resumption should be disabled in SSL profiles

Fix:
SSL::Session invalidate will now properly remove the current session information from the session cache.


997313 : Unable to create APM policies in a sync-only folder&start;

Links to More Info: BT997313

Component: TMOS

Symptoms:
Unable to configure an APM policy in a sync-only folder, or the configuration fails to load after an upgrade, with an error message similar to:

-- err mcpd[mcpd_pid]: 01070734:3: Configuration error: Invalid Devicegroup Reference. The customization_group (/Common/sync-only/example_apm_customization) requires customization_source (/Common/standard) to be syncd to the same devices

Conditions:
-- Multiple BIG-IP devices configured in a sync-only device group, but different/non-overlapping failover device groups
-- APM policy being created in a folder or partition associated with sync-only device group.

Impact:
-- Unable to create the access policy.
-- The configuration fails to load and the device remains inoperative.

Workaround:
You can use either of the following strategies to prevent the issue:

--Do not create APM policies in a sync-only folder.

--Disable MCPD device-group reference validation for the sync-only folder, e.g.:
    tmsh modify sys folder /Common/sync-only no-ref-check true
    tmsh save sys config

Fixed Versions:
15.1.4.1, 16.1.2


996381 : ASM attack signature may not match as expected

Links to More Info: K41503304, BT996381

Component: Application Security Manager

Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.

Conditions:
- Attack signature 200000128 enabled.

Impact:
Processed traffic may not match all expected attack signatures

Workaround:
N/A

Fix:
Attack signature 200000128 now matches as expected.

Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1


996233 : Tomcat may crash while processing TMUI requests

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, Tomcat may crash while processing TMUI requests.

Conditions:
- GTM provisioned
- Authenticated administrative user
- TMUI request

Impact:
Access to the TMUI disrupted while Tomcat restarts.

Workaround:
N/A

Fix:
TMUI now processes requests as expected.


996113 : SIP messages with unbalanced escaped quotes in headers are dropped

Links to More Info: BT996113

Component: Service Provider

Symptoms:
Dropped SIP messages.

Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote

Impact:
Certain SIP messages are not being passed via MRF.

Workaround:
None

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


996001 : AVR Inspection Dashboard 'Last Month' does not show all data points

Links to More Info: BT996001

Component: TMOS

Symptoms:
A daily-based report (report with resolution of one day in each data-point) can be provided to only request with up-to 30 days. A request with 31 days shows only 2 entries.

Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.

Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.

Workaround:
None

Fix:
Viewing a 'Last Month' graph now reports ~30 days worth of data, rather than a variable amount of data based on actual calendar periods.

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1


995889 : Username/Password JSON elements of login page detected as case sensitive when the policy is configured as case insensitive

Links to More Info: BT995889

Component: Application Security Manager

Symptoms:
A JSON element of a page behaves in a case-sensitive manner even if the policy is configured as case insensitive.

Conditions:
- Using JSON in a page
- Authentication type is json/ajax
- The policy is configured case-insensitive
- JSON element seen in a request has uppercase letter(s)

Impact:
Case-insensitive configuration fails to detect uppercase JSON elements in a page. This may cause, for example, brute force protection to not trigger.

Workaround:
None


995849 : Tmm crash SIGSEGV - rcs_getsalen() in lib/rc_net.c

Links to More Info: BT995849

Component: TMOS

Symptoms:
Tmm crashes while processing a large number of tunnels.

Conditions:
-- A large number of ipsec tunnels

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Memory allocation failures are handled.


995605 : PVA accelerated traffic does not update route domain stats

Links to More Info: BT995605

Component: TMOS

Symptoms:
PVA accelerated traffic does not update route domain stats

Conditions:
-- PVA accelerated traffic.
-- Viewing the route domain stats.

Impact:
The route domain stats may be inaccurate

Workaround:
Use the virtual server stats or ifc_stats instead.


995405 : After upgrade, the copied SSL vhf/vht profile prevents traffic from passing&start;

Links to More Info: BT995405

Component: Local Traffic Manager

Symptoms:
After an RPM upgrade, SSL Orchestrator traffic does not pass

Conditions:
Upgrading SSL Orchestrator via RPM

Impact:
Traffic will not pass.

Workaround:
Bigstart restart tmm

Fix:
Fixed an issue that was preventing from passing after an RPM upgrade.

Fixed Versions:
16.1.1


995097 : Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file.

Links to More Info: BT995097

Component: TMOS

Symptoms:
After reloading the configuration from a file, management-dhcp supersede options whose values contained a double quote character (") no longer contain the character.

For instance, after reloading the configuration, the following section:

# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
    supersede-options {
        domain-name {
            value { "example.com" }
        }
        domain-name-servers {
            value { 8.8.8.8 }
        }
        domain-search {
            value { "example.com" }
        }
    }
}

Becomes:

# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
    supersede-options {
        domain-name {
            value { example.com }
        }
        domain-name-servers {
            value { 8.8.8.8 }
        }
        domain-search {
            value { example.com }
        }
    }
}

This also affects the configuration file for the dhclient/dhclient6 daemons that the system automatically generates from the aforementioned config stanza.

Conditions:
This issue occurs when the following statements apply:
--- The values of management-dhcp supersede options contain double quote characters.
--- The configuration is reloaded from file.

The BIG-IP system reloads the configuration from file in the following cases:
-- When you issue the 'tmsh load sys config' command.
-- After an upgrade, as the mcpd binary database does not exist yet.
-- When troubleshooting requires removing the mcpd binary database and reloading the config from file.
-- When the system is relicensed.
-- When system provisioning changes.
-- When a UCS/SCF archive is restored.
-- When someone merges in config from file or terminal (but this is limited to the actual contents being merged in, not the entire configuration).

Impact:
The in-memory mcpd configuration relating to management-dhcp supersede options is incorrect.

The /etc/dhclient.conf file that is automatically generated contains incorrect syntax.

As a result of this, the dhclient/dhclient6 daemons fail to parse the file and run with an incomplete configuration.

Ultimately, the system does not behave as configured in regard to its management-dhcp configuration.

Workaround:
Reapply the desired management-dhcp supersede-options configuration using the tmsh utility.

For example, to restore the intended in-memory configuration shown under Symptoms, you would run within tmsh:

# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options none
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name-servers { value add { 8.8.8.8 } } }
# save sys config

On versions earlier than 15.0.0, you must also restart the dhclient/dhclient6 daemons by running:

bigstart restart dhclient dhclient6

Note that the workaround is not permanent and will be invalidated the next time the config is loaded from file again.

Fix:
The BIG-IP system user is no longer responsible for knowing which dhcp-options require quoting and which do not. This determination is now done internally by mcpd, which uses the correct syntax for each supersede-option when writing the /etc/dhclient.conf file. This means that, as the BIG-IP system user, you are not required to quote anything when manipulating management-dhcp supersede-options in tmsh.

For instance, you can enter the following command:

tmsh modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { one.example.com two.example.com } } }

And the system inserts the following instruction in the /etc/dhclient.conf file:

supersede domain-search "one.example.com", "two.example.com" ;


994985 : CGNAT GUI shows blank page when applying SIP profile

Links to More Info: BT994985

Component: Carrier-Grade NAT

Symptoms:
The virtual server properties GUI page shows blank when a SIP profile is applied to the virtual server.

Conditions:
-- Create virtual server and attach a SIP profile.
-- Navigate to virtual server properties page.

Impact:
The virtual server properties page does not display the configuration.

Workaround:
None.

Fix:
The GUI shows virtual server config page with all config values

Fixed Versions:
14.1.4.2, 15.1.4


994305 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5

Links to More Info: BT994305

Component: TMOS

Symptoms:
Features supported in newer versions of open-vm-tools are not available.

Conditions:
This issue may be seen when running in VMware environments.

Impact:
Features that require a later version of open-vm-tools are not available.

Workaround:
None.

Fix:
The version of open-vm-tools has been updated to 11.1.5.

Fixed Versions:
16.1.2.1


993981 : TMM may crash when ePVA is enabled

Component: Local Traffic Manager

Symptoms:
When ePVA is enabled on the BIG-IP system, Increased CMP redirections can cause tmm to core and report an error:
tmm SIGFPE "nexthop ref valid".

Conditions:
-- ePVA acceleration is enabled on the BIG-IP system.
-- High rate of CMP redirections.

Impact:
Traffic disrupted while TMM restarts, and systems configured as part of a high availability (HA) group may failover.

Workaround:
Disable ePVA acceleration option.

Note: Performing this procedure may increase CPU use because TCP connections are subsequently processed in software by the Traffic Management Microkernel (TMM).

Fix:
TMM now operates as expected with ePVA enabled.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


993913 : TMM SIGSEGV core in Message Routing Framework

Links to More Info: BT993913

Component: Service Provider

Symptoms:
TMM crashes on SIGSEGV.

Conditions:
This can occur while passing traffic through the message routing framework.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1


993613 : Device fails to request full sync

Links to More Info: BT993613

Component: Application Security Manager

Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs

Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.

Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- Large number of asm_config_server processes increases host memory usage

Workaround:
Halting asm_config_server on the stuck device restores the working state and request a new sync.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


993517 : Loading an upgraded config can result in a file object error in some cases

Links to More Info: BT993517

Component: Local Traffic Manager

Symptoms:
After an upgrade from a version prior to 13.1.0, when loading a configuration that has had an HTTPS monitor in it, if that configuration has not yet been saved, you may see errors like this in the LTM log:

-- 0107134a:3: File object by name (DEFAULT) is missing.

If you run 'tmsh load sys config verify' on this configuration, the system also posts the error on the screen.

Conditions:
-- Upgrading from a version prior to 13.1.0.
-- At least one HTTPS monitor that has the kEDH cipher in its cipherlist.
-- Upgrading to version 13.1.1.4 or later.
-- Loading the configuration (either automatically on startup, or manually).

Impact:
Other than the error message, there is no impact.

Workaround:
After the initial reboot, save the configuration.

Fixed Versions:
16.1.2.2


993489 : GTM daemon leaks memory when reading GTM link objects

Links to More Info: BT993489

Component: Global Traffic Manager (DNS)

Symptoms:
The gtmd process memory consumption is higher than expected.

Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.

Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.

Workaround:
None

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1


993457 : TMM core with ACCESS::policy evaluate iRule

Links to More Info: BT993457

Component: Access Policy Manager

Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.

Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.

Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


993269 : DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option

Links to More Info: BT993269

Component: Advanced Firewall Manager

Symptoms:
Using DoS timestamp cookies together with a FastL4 profile with the timestamp rewrite option enabled might lead to traffic failures.

DoS timestamp cookies might also lead to problems with traffic generated by the Linux host.

Conditions:
-- DoS timestamp cookies are enabled, and either of the following:

-- FastL4 profile with the timestamp rewrite option enabled.
-- Traffic originating from Linux host.

Impact:
Traffic is dropped due to incorrect timestamps.

Workaround:
Disable timestamp cookies on the affected VLAN.


992813 : The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations.

Links to More Info: BT992813

Component: TMOS

Symptoms:
The mcpd daemon performs validation of the request-options and supersede-options a BIG-IP administrator specifies via the tmos.sys.management-dhcp endpoint in tmsh.

As the list of dhcp-options known to mcpd is outdated, it is possible you may be returned an error when attempting to configure valid request-options or supersede-options.

For example, you may be returned the following error when attempting to supersede the domain-search option:

01071627:3: Management Dhcp resource supersede-option - Invalid dhcp option: domain-search

Conditions:
You attempt to configure a dhcp-option unknown to mcpd as part of the request-options or supersede-options properties.

Note: A common dhcp-option of which mcpd has no knowledge is domain-search. You are unlikely to experience this issue unless you are requesting or superseding this particular dhcp-option.

Impact:
You are unable to instantiate the desired management-dhcp configuration.

Workaround:
None

Fix:
The list of dhcp-options known to mcpd has been updated.


992213 : Protocol Any displayed as HOPTOPT in AFM policy view

Links to More Info: BT992213

Component: Advanced Firewall Manager

Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.

Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.

Impact:
GUI shows an incorrect value.

Workaround:
None

Fix:
GUI Shows correct value for rule protocol option.

Fixed Versions:
14.1.4.2, 15.1.4, 16.1.1


992073 : APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS

Component: Access Policy Manager

Symptoms:
End user clients frequently get a prompt to enter credentials when they should not.

Conditions:
APM Access Profile with NTLM authentication enabled.

Impact:
NTLM handshake failure causing user authentication failures.

Workaround:
N/A

Fix:
APM now processes NTLM requests as expected.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


991421 : TMM may crash while processing TLS traffic

Links to More Info: K91013510, BT991421


990333 : APM may return unexpected content when processing HTTP requests

Links to More Info: K75540265, BT990333


989701 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response

Links to More Info: K42355373, BT989701


988549 : CVE-2020-29573: glibc vulnerability

Links to More Info: K27238230, BT988549


988533 : GRE-encapsulated MPLS packet support

Links to More Info: BT988533

Component: TMOS

Symptoms:
There no facility to accept packets using GRE-encapsulated MPLS. The GUI gives only encapsulation options for IP address (0x0800) and transparent ethernet bridging (0x6558).

Conditions:
This is encountered when attempting to configure BIG-IP systems to handle GRE-encapsulated MPLS.

Impact:
Packets get dropped when they are GRE-encapsulated with MPLS.

Workaround:
None

Fix:
Encapsulated MPLS packets over GRE is now supported in a way similar to IP address and transparent ethernet bridging.

Fixed Versions:
14.1.4.5, 15.1.4.1


988165 : VMware CPU reservation is now enforced.

Links to More Info: BT988165

Component: TMOS

Symptoms:
CPU reservation is not enforced which can result in users over-subscribing their hosts.

Conditions:
BIG-IP Virtual Edition running in VMware.

Impact:
If a host is oversubscribed, performance can suffer as traffic volumes increase.

Workaround:
Manually enforce the 2GHz per core rule when provisioning VMware instances to ensure that your VMware hosts are not oversubscribed.

Fix:
The VMware CPU reservation of 2GHz per core is now enforced. The CPU reservation can be up to 100 percent of the defined virtual machine hardware. For example, if the hypervisor has 2.0 GHz cores, and the VE is set to 4 cores, you will need 4 x 2.0 GHz reserved for 8GHz (or 8000 MHz).

Fixed Versions:
15.1.5.1, 16.1.2.2


987885 : Half-open unclean SSL termination might not close the connection properly

Links to More Info: BT987885

Component: Local Traffic Manager

Symptoms:
Upon receiving TCP FIN from the client in the middle of the SSL Application Data, the BIG-IP system does not close the connection on either client- or server-side (i.e., it does not 'forward' the FIN on the server-side as it normally does) causing the connection to go stale until the timeout is reached.

Conditions:
-- TCP and SSL profiles configured on a virtual server.
-- Client terminates the connection in the middle of an SSL record.

Impact:
Connection termination does not happen. Connection remains in the connection table until idle timeout is reached.

Workaround:
None.


987749 : CVE-2020-10769 kernel: A buffer over-read flaw was found in crypto_authenc_extractkeys in crypto/authenc.c

Links to More Info: K62532228


987637 : DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware

Links to More Info: BT987637

Component: Advanced Firewall Manager

Symptoms:
BIG-IP systems mitigate traffic on all of the IP addresses in an address list when certain DoS vectors are detected on a virtual server.

Conditions:
-- BIG-IP hardware platform equipped with Neuron (BIG-IP iSeries)
-- Virtual server configured with a DoS profile
-- Flood traffic reaches the virtual server

Impact:
For Neuron-supported hardware, virtual servers with subnet destinations are not properly mitigated when flood vectors are detected.

Workaround:
None

Fixed Versions:
15.1.4


987341 : BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers.

Component: Access Policy Manager

Symptoms:
BIG-IP discovers and updates JSON Web Keys (JWK) in OpenID Connect (OIDC) deployments using a Java Runtime Environment (JRE). The JRE in BIG-IP does not support strong TLS ciphers, so the discovery/update process can fail against OIDC providers that enforce strong encryption requirements.

Conditions:
Using an OpenID Connect provider that allows only strong TLS ciphers. and using an APM configuration that validates incoming JWTs against a dynamic JWK list in Internal Validation Mode.

Impact:
This might cause discovery to fail against certain OpenID Connect auth providers that enforce strong cipher requirements. It could lead to JWT validation failure as the JWK expire and cannot be updated by BIG-IP.

Workaround:
N/A

Fix:
N/A


987301 : Software install on vCMP guest via block-device may fail with error 'reason unknown'

Links to More Info: BT987301

Component: TMOS

Symptoms:
When installing an engineering hotfix (EHF) on a vCMP guest via block-device, sometimes it fails with 'reason unknown'.

-- /var/log/liveinstall may contain an error similar to:

I/O error : Input/output error
/tmp/lind_util.voCQOs/BIGIP1610/install/fsinfo.xml:1: parser error : Document is empty

-- /var/log/kern.log may contain an error similar to:

Aug 14 14:15:54 bigip1 info kernel: attempt to access beyond end of device
Aug 14 14:15:54 bigip1 info kernel: sr0: rw=0, want=3560560, limit=312712

Conditions:
This might occur after multiple attempts to install an EHF on a vCMP guest via block-device:

 tmsh install sys software block-device-hotfix Hotfix-BIGIP-14.1.2.6.0.77.2-ENG.iso volume HD1.3

Impact:
Sometimes the EHF installation fails on the guest.

Workaround:
-- Retry the software installation.
-- If the software installation continues to fail, copy the ISO images into the vCMP guest, and use those to perform the installation.


987077 : TLS1.3 with client authentication handshake failure

Links to More Info: BT987077

Component: Local Traffic Manager

Symptoms:
SSL handshakes fail, and TLS clients send 'Bad Record MAC' errors.

Conditions:
-- LTM authentication profile using OCSP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.

Impact:
-- A handshake failure occurs.
-- Client certificate authentication may pass without checking its validity via OCSP.

Workaround:
Use TLS1.2 or use TLS1.3 without the LTM authentication profile.

Fix:
Handshake completes if using TLS1.3 with client authentication and LTM auth profile.

Fixed Versions:
14.1.4.6, 15.1.5.1


986937 : Cannot create child policy when the signature staging setting is not equal in template and parent policy

Links to More Info: BT986937

Component: Application Security Manager

Symptoms:
When trying to create a child policy, you get an error:

FAILURE: "Could not update the Policy policy1. Inherited values may not be changed."

Conditions:
-- Parent policy created with signature staging disabled.
-- Creating a new child policy with that policy as a parent.

Impact:
You are unable to create the child policy and the system presents an error.

Workaround:
Create the policy without assigning it to the parent, and then assign it to the parent policy on the Inheritance Settings page.

Fix:
The error no longer occurs on child policy creation.

Fixed Versions:
15.1.4, 16.0.1.2, 16.1.1


985953 : GRE Transparent Ethernet Bridging inner MAC overwrite

Links to More Info: BT985953

Component: TMOS

Symptoms:
Traffic not being collected by virtual server and therefore not being forwarded to the nodes.

Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.

Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.

Workaround:
None

Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


984897 : Some connections performing SSL mirroring are not handled correctly by the Standby unit.

Links to More Info: BT984897

Component: Local Traffic Manager

Symptoms:
Some of the connections performing SSL mirroring do not advance through TCP states as they should on the Standby unit.

Additionally, these connections do not get removed from the connection table of the Standby unit when the connections close. Instead, they linger on until the idle timeout expires.

Conditions:
A virtual server configured to perform SSL connection mirroring.

Impact:
Should the units fail over, some connections may not survive as expected.

Additionally, given a sufficient load and a long idle timeout, this could cause unnecessary TMM memory utilization on the Standby unit.

Workaround:
None.


984749 : Discrepancy between DNS cache statistics "Client Summary" and "Client Cache."

Links to More Info: BT984749

Component: Global Traffic Manager (DNS)

Symptoms:
"show ltm dns cache", shows difference between "Client Summary" and "Client Cache".

Conditions:
Create a resolver type DNS cache, attach to a DNS profile, and attach to a virtual server. Send queries to virtual server. Compare/review result of "show ltm dns cache."

Impact:
Client Cache Hit/Miss Statistics ratio affected.

Workaround:
N/A

Fix:
N/A


984593 : BD crash

Links to More Info: BT984593

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


984585 : IP Reputation option not shown in GUI.

Links to More Info: BT984585

Component: TMOS

Symptoms:
Cannot configure IP Reputation option from the GUI.

Conditions:
Configuring the LTM policy type 'IP Reputation' using the GUI, when the 'IP Intelligence' module is licensed in time-limited modules.

Impact:
The IP Reputation option is not shown in GUI configuration list. Cannot create LTM policies with IP Reputation.

Workaround:
Use tmsh to configure IP Reputation.

Fix:
The IP Reputation option is now shown in the GUI.

Fixed Versions:
15.1.5.1, 16.1.2.2


984449 : Unnecessary swagger validation violation may raise due to behavioral WAF parameter traps that have identical name

Component: Application Security Manager

Symptoms:
An unnecessary swagger validation violation may be raised about illegal parameters which is actually the parameter trap that was injected by ASM and failed to be ignored by the enforcer. Only one of these parameter traps will be ignored - enforcement will be avoided for it. Expected behavior is to avoid enforcement for both parameters traps.

Conditions:
Security team provide 2 traps with type parameter and with identical name but with different values. In adition one of these parameter traps was injected by ASM to the web-page.

Impact:
Unecessary swagger validation violation may raise regarding one of these parameters traps and request may be blocked, instead of ignoring swagger enforcement for both parameters traps.

Workaround:
None.

Fix:
Avoid enforcement for each of these parameters traps that share the same name and no violation appears for these parameters traps.


982801-7 : AGC hardening

Component: Guided Configuration

Symptoms:
AGC does not follow current best practices.

Conditions:
- APM is provisioned
- AGC used for Azure AD Application

Impact:
AGC does not follow current best practices.

Workaround:
N/A

Fix:
AGC now follows current best practices.


982785-7 : Guided Configuration hardening

Component: Guided Configuration

Symptoms:
Guided Configuration does not follow current best practices.

Conditions:
- ASM or APM provisioned
- Authenticated administrative user
- Advanced shell access

Impact:
Guided Configuration does not follow current best practices.

Workaround:
N/A

Fix:
Guided Configuration now follows current best practices.


982777-13 : APM hardening

Component: Guided Configuration

Symptoms:
APM does not follow current best practices.

Conditions:
- APM provisioned
- AGC in use
- Authenticated administrative user

Impact:
APM does not follow current best practices

Workaround:
N/A

Fix:
APM now follows current best practices.


982769-14 : Appliance mode hardening

Component: Guided Configuration

Symptoms:
Appliance mode license restrictions do not follow current best practices.

Conditions:
- Appliance-mode license
- Authenticated administrative user
- AGC provisioned

Impact:
Appliance mode does not follow current best practices.

Workaround:
N/A

Fix:
Appliance mode now follows current best practices.


982757-2 : APM Access Guided Configuration hardening

Component: Guided Configuration

Symptoms:
APM Guided Configuration does not follow current best practices

Conditions:
- APM provisioned
- Authenticated administrative user

Impact:
Guided Configuration does not follow current best practices.

Workaround:
N/A

Fix:
Guided Configuration now follows current best practices.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


982753-12 : Appliance mode hardening

Component: Guided Configuration

Symptoms:
Appliance mode license restrictions do not follow current best practices.

Conditions:
- Appliance-mode license
- Authenticated administrative user
- AGC provisioned

Impact:
Appliance mode does not follow current best practices.

Workaround:
N/A

Fix:
Appliance mode now follows current best practices.


982745-14 : Appliance mode hardening

Component: Guided Configuration

Symptoms:
Appliance mode license restrictions do not follow current best practices.

Conditions:
- Appliance-mode license
- Authenticated administrative user
- AGC provisioned

Impact:
Appliance mode does not follow current best practices.

Workaround:
N/A

Fix:
Appliance mode now follows current best practices.


982697 : ICMP hardening

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM does not follow current best practices for ICMP traffic.

Conditions:
- ICMP traffic
- DNS in use

Impact:
TMM does not follow current best practices.

Workaround:
N/A

Fix:
TMM now follows current best practices while processing ICMP traffic.

Behavior Change:
The change randomly adjusts the BIG-IP's ICMP rate limit to within 1/8% of the configured rate. While the average rate will remain the same, the number of ICMP packets issued second-to-second will vary randomly.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


982341 : iControl REST endpoint hardening

Component: TMOS

Symptoms:
iControl REST endpoints do not apply current best practices.

Conditions:
- Authenticated administrative user
- Request to iControl endpoint

Impact:
iControl REST endpoints do not follow current best practices.

Workaround:
N/A

Fix:
iControl REST endpoints now follow current best practices.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


981273 : APM webtop hardening

Links to More Info: K41997459, BT981273


981069 : Reset cause: "Internal error ( requested abort (payload release error))"

Links to More Info: BT981069

Component: Application Security Manager

Symptoms:
An unexpected RST occurs on inbound traffic. The RST cause shows "Internal error ( requested abort (payload release error))"

Conditions:
When all the following conditions are met:
- The system was upgraded to a version where ID910253 is fixed
- TS cookie coming from a previous version
- data guard in non blocking (masking)
- response that is not zipped and has a textual content type

Impact:
Traffic is affected.

Workaround:
Any of the following actions can resolve the issue:

1. Turn off data guard or change it to blocking.
2. Make the server reply with zipped responses (perhaps by adding the accept-encoding: gzip using an iRule).
3. Add an additional response related feature.
4. Use the following iRule in case there aren't cookie related enforcement:
when HTTP_REQUEST {
  set cookies [HTTP::cookie names]
  foreach aCookie $cookies {
    if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
      HTTP::cookie remove $aCookie
    }
  }
}

Fix:
Fixed an issue that was triggering resets on traffic.

Fixed Versions:
15.1.4, 16.1.1


980617 : SNAT iRule is not working with HTTP/2 and HTTP Router profiles

Links to More Info: BT980617

Component: Local Traffic Manager

Symptoms:
On HTTP/2 full-proxy virtual servers, the snatpool command in an iRule is accepted but the source address server-side is not changed.

Conditions:
1.) Basic HTTP profile and HTTP/2 profile is configured on BIG-IP systems
2.) iRule with snatpool <pool_name>, snat <IP> is configured

Impact:
Unable to use snatpool (and possibly snat) in iRule to control the server-side source address.

Workaround:
Configure SNAT under the virtual server configuration, rather than in an iRule.

Fixed Versions:
16.1.1


980029 : [JSON policy] signature set systems are not being exported as expected

Component: Application Security Manager

Symptoms:
System object is empty and system name is missing from JSON policy.

Conditions:
Policy with systems based signature set being exported to JSON.

Impact:
Imported policy will have wrong configuration.


978357 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crashes right after de-assigning and re-assigning a security policy to a virtual server.

Conditions:
A sequence of assigning and de-assigning a security policy to a virtual server.

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
Wait a moment before reassigning the policy. The issue will usually happen due to a script that attaches and de-attach security policy to a virtual in an exact same way way over and over again.

Fix:
ASM does not crashes over sequence of policy assignment and de-assignment to a virtual server.


977897 : A rule which contains pipe is parsed successfully on BIG-IP, but BIG-IQ throws an error

Component: Application Security Manager

Symptoms:
Rules with a pipe character are wrongly parsed differently on BIG-IQ and on BIG-IP

Conditions:
Creating rules with pipe which is parsed differently on BIG-IP and on BIG-IQ

Impact:
When trying to add a signature with this rule to BIG-IQ it fails with error:
Could not convert pipe escape in text: For input string: "7C923030300000003006"

Fix:
Now parsing pipe characters in a rule in BIG-IQ is the same as for BIG-IP and the is completed successfully in both


976669-6 : FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade

Links to More Info: BT976669

Component: TMOS

Symptoms:
After rebooting or replacing a secondary blade, the FIPS integrity check fails for other secondary blades and they fail to fully boot.

Conditions:
This can occur after rebooting or replacing a secondary blade.

Impact:
When the FIPS integrity checks fail the blades won't fully boot.

Workaround:
On the secondary blade reboot, the following critical files are deleted from other secondary blades which leads to FIPS integrity check failure:

/root/.ssh/authorized_keys
/root/.ssh/known_hosts

To mitigate, copy the missing files from the primary blade to the secondary blade.

From the primary blade, issue the following command towards the secondary blade(s).

rsync -avz -e ssh /root/.ssh/* root@<Secondary Blade>:/root/.ssh/

Fix:
Critical files are not deleted during secondary blade reboot.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


976525 : Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled

Links to More Info: BT976525

Component: Local Traffic Manager

Symptoms:
In BIG-IP v13.1.3.2 and later, there is new functionality to SNAT the traffic coming from the host system. When there are multiple routes to a destination address and transparent monitors are in use, tmm occasionally picks the wrong source IP for these connections.

Conditions:
-- The db variable snat.hosttraffic is enabled.
-- Gateway pool with multiple members.
-- Transparent monitors.

Impact:
The system chooses the wrong source IP address for the egress interface. That incorrect source IP address might cause traffic to return on the wrong VLAN.

Workaround:
Use either of the following workarounds:

-- Disable VLAN keyed connections: modify sys db connection.vlankeyed value disable

-- Upgrade to a version with a fix for ID 826905 (https://cdn.f5.com/product/bugtracker/ID826905.html) and disable snat.hosttraffic.


974425 : Legitimate clients using new browsers might get mitigated by Bot Defense Profile

Links to More Info: BT974425

Component: Application Security Manager

Symptoms:
As part of Bot Defense Profile browser verification, client capabilities are tested, and if they do not match what is expected, they are mitigated.

Some new browser versions exist that do not apply the current expected capabilities.

Conditions:
-- Bot Defense Profile is attached to a virtual server.
-- Browser Verification is set to 'verify before access' or 'verify after access'.
-- Client is using a new browser version.

Impact:
Legitimate clients are mitigated.

Workaround:
None.

Fix:
Update expected capabilities.


974341 : REST API: File upload

Links to More Info: K08402414, BT974341


974241 : Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades

Links to More Info: BT974241

Component: TMOS

Symptoms:
Mcpd exists with error similar to:

01070734:3: Configuration error: Configuration from primary failed validation: 010713cf:3: Configuration group '/Common/test1_end_deny_ag' has invalid source '/Common/standard'

Conditions:
1. VIPRION or vCMP guest with multiple blades in a cluster
2. Create a access policy with modern customization enabled

Impact:
Mcpd restarts leading to failover.

Workaround:
Use standard customization and not modern customization.

Fixed Versions:
15.1.4, 16.1.1


973409 : CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference

Links to More Info: K42910051, BT973409


972933 : Self-IP hardening

Component: Local Traffic Manager

Symptoms:
Self-IP handling for IPv6 link-local addresses does not follow current best practices.

Conditions:
Self-IP with IPv6 link-local address.

Impact:
BIG-IP does not implement current best practices for IPv6 link-local addresses.

Workaround:
Set value of tm.linklocal.allowservice to "none"

Fix:
Set Default value of tm.linklocal.allowservice to "none"

Behavior Change:
This fix will change the default value for sys db variable tm.linklocal.allowservice to "none" instead of "default"


972517 : Appliance mode hardening

Component: Local Traffic Manager

Symptoms:
Appliance mode license restrictions do not follow current best practices.

Conditions:
- Appliance-mode license
- Authenticated administrative user
- Monitors in use

Impact:
Appliance mode does not follow current best practices.

Workaround:
N/A

Fix:
Appliance mode now follows current best practices.


972489 : BIG-IP Appliance Mode iControl hardening

Component: iApp Technology

Symptoms:
When operating in Appliance mode iControl does not follow current best practices.

Conditions:
- Authenticated administrative user
- Appliance mode license
- iControl request

Impact:
Appliance mode iControl does not follow current best practices.

Workaround:
N/A

Fix:
iControl now follows current best practices while operating under and Appliance mode license.

Behavior Change:
Restjavad.disablerpmtasks with default value true and restjavad.disablepackagemanagementtasks with default value false were introduced.

When restjavad.disablerpmtasks is true, /mgmt/shared/rpm-tasks endpoint won't be accessible. Otherwise will be accessible.

When restjavad.disablepackagemanagementtasks is true, /mgmt/shared/package-management-tasks endpoint won't be accessible. Otherwise will be accessible.

Fixed Versions:
15.1.5.1


970329 : ASM hardening

Component: Application Security Manager

Symptoms:
Under certain conditions, ASM does not follow current best practices.

Conditions:
- ASM provisioned

Impact:
Attack detection is not triggered as expected

Workaround:
N/A

Fix:
Attack detection is now triggered as expected

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


969553 : A DNS Cache (or Network DNS Resolver) returns SERVFAIL to some queries.

Links to More Info: BT969553

Component: Global Traffic Manager (DNS)

Symptoms:
- A DNS Cache (or Network DNS Resolver) returns SERVFAIL responses to clients, despite the BIG-IP system receiving a good (albeit delayed) response from upstream servers.

- When this happens, the BIG-IP system rejects the responses from the upstream servers with ICMP errors (Destination unreachable - Port unreachable).

- If the db key dnscacheresolver.loglevel is set to debug5, the following error message is visible in the /var/log/ltm file when this issue occurs:

debug tmm[13147]: DNScache: request example.com. has exceeded the maximum number of glue fetches 17 to a single delegation point

- If a Network DNS Resolver is used with an HTTP Explicit Proxy profile, the symptoms can appear as "503 Service Unavailable" responses to clients due to DNS lookup failure.

Conditions:
This issue occurs when the following conditions are met:

- A DNS Cache (or Network DNS Resolver) is in use on the BIG-IP system.

- The aforementioned object is configured with a forward-zone that uses multiple servers to perform resolutions.

- The RTT of the servers fluctuates. For example, the servers are generally fast to reply for most domains, but take extra time to reply for a given domain.

- 'Randomize Query Character Case' is enabled in the DNS Cache (or Network DNS Resolver).

- If the requests for the domain take a long time to resolve, BIG-IP may reply with SERVFAIL.

Impact:
Clients of the BIG-IP DNS Cache (or Network DNS Resolver) are not returned an answer. As a result, application failures may occur.

Workaround:
You can work around this issue by changing 'Randomize Query Character Case' to 'No' in the DNS Cache (or Network DNS Resolver) settings.

Fix:
The infra-cache-min-rtt can now have a setting of unbound which sets the minimum RTT with upstream servers for both net resolver and cache resolver. Increase this value if using forwarders needing more time to do recursive name resolution. The default value is 50ms.

Behavior Change:
The infra-cache-min-rtt can now have a setting of unbound which sets the minimum RTT with upstream servers for both net resolver and cache resolver. Increase this value if using forwarders needing more time to do recursive name resolution. The default value is 50ms.


969317 : "Restrict to Single Client IP" option is ignored for vmware VDI

Links to More Info: BT969317

Component: Access Policy Manager

Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.

Conditions:
- Configure APM Webtop with vmware VDI.
- Set "Restrict to Single Client IP" option in Access Profile.
- Try to launch vmware desktop on one client. Copy the launch URI
- Try to launch vmware desktop from other client using the copied URI.

Impact:
A connection from the second client is allowed, but it should not be allowed.

Fix:
Restrict to Single Client IP is honored for VMware VDI for both PCOIP and Blast protocols.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2.1


969017 : [JSON policy] Attack type filter in signature set is being exported as attackTypeReference

Component: Application Security Manager

Symptoms:
Attack type filter in signature set is being exported as 'attackTypeReference' instead of attackType.

Conditions:
Policy with attack type based signature set is being exported to JSON.

Impact:
Imported policy will have wrong configuration.

Workaround:
Manually convert:

"attackTypeReference" : {
     "link" : "/attack-types/j0Tz_I-5yKUmvGlePjbjzA?ver=16.1.0",
     "name" : "Command Execution"
},


To:

"attackType" : {
    "name" : "Command Execution"
},


968929 : TMM may crash when resetting a connection on an APM virtual server

Links to More Info: BT968929

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
- HTTP profile without fallback host.
- iRules.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure fallback host to an HTTP profile that redirects the request to a specified location.

Fixed Versions:
16.1.2.2


968893 : TMM crash when processing APM traffic

Links to More Info: K93526903, BT968893


968657 : Added support for IMDSv2 on AWS

Links to More Info: BT968657

Component: TMOS

Symptoms:
AWS added a token-based Instance MetaData Service API (IMDSv2). Prior versions of BIG-IP Virtual Edition supported only a request/response method (IMDSv1). When the AWS API is starting with IMDSv2, you will receive the following error message:

get_dossier call on the command line fails with:
        01170003:3: halGetDossier returned error (1): Dossier generation failed.

This latest version of BIG-IP Virtual Edition now supports instances started with IMDSv2.

Conditions:
AWS instances started with IMDSv2.

Impact:
BIG-IP Virtual Edition cannot license or re-license AWS instances started with IMDSv2 and other metadata-based functionality will not function.

Fix:
With the latest version of BIG-IP VE, you can now initialize "IMDSv2 only" instances in AWS and migrate your existing instances to "IMDSv2 only" using aws-cli commands. For details, consult documentation: https://clouddocs.f5.com/cloud/public/v1/shared/aws-ha-IAM.html#check-the-metadata-service-for-iam-role
 
IMDSv2 documentation from AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html

Fixed Versions:
15.1.5.1, 16.1.2.1


968581 : TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description

Links to More Info: BT968581

Component: Local Traffic Manager

Symptoms:
The TMSH command "show /ltm profile ramcache" has a max-response option to output a number of records designated in this parameter. Due to calculation algorithm, the command may output less records than RAMCACHE stores or more records than the limit prescribes.

Conditions:
-- A virtual server is configured on BIG-IP.
-- A webacceleration profile with no web application is attached to the virtual server.
-- Traffic is sent over the virtual server with a number of unique cacheable documents that exceed a designated limit.

Impact:
Output of the command may not match to actual list of stored documents in RAMCACHE.

Fix:
Command "show /ltm /profile ramcache" respects a limit defined as "max-response" parameter.

Fixed Versions:
15.1.5.1, 16.1.2.2


967905 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash

Links to More Info: BT967905

Component: TMOS

Symptoms:
Tmm crashes.

Conditions:
-- static bwc
-- virtual to virtual chain

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the static bwc on a virtual chain.

Fix:
Fixed a tmm crash.

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2


967101 : When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out.

Links to More Info: BT967101

Component: Local Traffic Manager

Symptoms:
Gratuitous ARP (GARP) messages are dropped at the time of sending GARP because the number of links up in the trunk is 0 (which returns "error 18" ... ERR_NOT_FOUND)

Conditions:
-- Two BIG-IP systems with switchless configuration, such as i2xxx and i4xxx.
-- Bring down and up the interfaces at the same time in the trunk.

Impact:
Neighboring device arp table is not updated about the BIG-IP interface status, because no gratuitous ARP message is sent out.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


967093 : In SSL forward proxy when the signing CA cert and end-entity cert has a different signature algorithm, the SSL connection may fail

Links to More Info: BT967093

Component: Local Traffic Manager

Symptoms:
In SSL forward proxy, the client side handshake may fail with the message: fwdp lookup error.

Conditions:
The handshake failure occurs when the certificate chain consists of different key types. For example, the following cert chain may fail the handshake:

root CA (rsa) --> intermediate CA1 (rsa) --> intermediate CA2 (ec) --> end-entity cert (ec)

The signing CA which is intermediate CA2 has a key of EC type, but cert is signed by RSA signature. The end-entity cert has a key of EC type, but cert is signed by ECDSA.
In this case, the signer cert has different signature from that of the end-entity cert.

Impact:
SSL forward proxy handshake fails.

Fix:
Fixed an issue with SSL forward handshakes.

Fixed Versions:
15.1.5


965853 : IM package file hardening&start;

Component: Protocol Inspection

Symptoms:
IM package file uploads do not follow current best practices.

Conditions:
- IM package file uploaded to BIG-IP

Impact:
IM package file uploads do not follow current best practices.

Workaround:
N/A

Fix:
IM package file uploads now follow current best practices.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


965849 : Displayed 'Route Domain ID' value is confusing if it is set to None

Links to More Info: BT965849

Component: Advanced Firewall Manager

Symptoms:
The numeric value of RT_DOMAIN_NONE is 65535. Lsndb displays this value, which is confusing.

Conditions:
If the parent route domain is set to "None", lsndb displays 65535.

Impact:
No impact on functionality.

Workaround:
None

Fix:
Change while printing value of RT_DOMAIN_NONE(65535) to "None"


965837 : When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection

Links to More Info: BT965837

Component: Access Policy Manager

Symptoms:
When BIG-IP is configured with a PingAccess profile and an SSL profile is associated with both the BIG-IP virtual server and a ping access configuration, an active connection to the virtual server may lead to a TMM crash.

Conditions:
-- SSL is configured on both the BIG-IP virtual server that contains the ping access profile and ping access configuration.
-- Active connection to the BIG-IP virtual server
-- Config sync is triggered or "tmsh load sys config" is triggered

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
Fixed a TMM crash related to ping access.


965785 : Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine

Links to More Info: BT965785

Component: Application Security Manager

Symptoms:
DCC.HSL_DATA_PROFILES table on standby machine stay empty after sync process. Error for DB insert failure into table DCC.HSL_DATA_PROFILES thrown in asm_config_server.log.

Conditions:
There is no specific condition, the problem occurs rarely.

Impact:
Sync process requires an additional ASM restart

Workaround:
Restart ASM after sync process finished

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


965229 : ASM Load hangs after upgrade&start;

Links to More Info: BT965229

Component: Application Security Manager

Symptoms:
ASM upgrade hangs, and you see the following in
var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------

In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
 info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
 info tsconfig.pl[24675]: ASM initial configration script launched
 info tsconfig.pl[24675]: ASM initial configration script finished
 info asm_start[25365]: ASM config loaded
 err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------

Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade

Impact:
ASM post upgrade config load hangs and there are no logs or errors

Workaround:
None

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


964989 : AFM DOS half-open does not handle wildcard virtual servers properly.

Links to More Info: BT964989

Component: Advanced Firewall Manager

Symptoms:
AFM DOS half-open vector does not handle wildcard virtual servers properly.

Conditions:
-- Wildcard virtual-server.
-- AFM DOS half-open vector configured.
-- Attacks towards multiple destinations covered by a single virtual-server.

Impact:
- Wrong statistics reporting.
- Wrong status of syncookie protection.
- Unexpected traffic drops.

Workaround:
Split wildcard virtual server into a series of /32 virtual servers.


964977 : Uncaught RangeError: Maximum call stack size exceeded

Links to More Info: BT964977

Component: Application Security Manager

Symptoms:
Web application does not work and JavaScript error is posted in the browser console:

Uncaught RangeError: Maximum call stack size exceeded

Conditions:
-- ASM provisioned.
-- Bot or DoS application profile attached to a virtual server.
-- Single page application (SPA) enabled.

Impact:
Web application does not work as expected.

Workaround:
None

Fix:
SPA functionality has been corrected to avoid this issue.


964925 : Page might be broken when using Single Page Application and calling onreadystatechange() directly

Component: Application Security Manager

Symptoms:
A web application suddenly misfunctions or does not render.

Conditions:
Any one of the the following conditions may apply if the web application calls onreadystatechange() directly:

-- ASM Policy with `single_page_application` enabled is attached to a virtual server.
-- DoS Profile with `Single Page Application` enabled is attached to a virtual server.
-- Bot Defense Profile with `Single Page Application` is attached to a virtual server.

Impact:
A console error might appear, and the web page might break.

Workaround:
When calling onreadystatechange directly - add the xhr object it is called for (even `this`):
onreadystatechange(xhr)

Fix:
Handle direct calls for onreadystatechange.


964897 : Live Update - Indication of "Update Available" when there is no available update

Links to More Info: BT964897

Component: Application Security Manager

Symptoms:
Live Update notifies you that an update is available even though there is no available update.

Conditions:
The latest file is installed but not present on the system and the second-latest file has an 'error' status

Impact:
Live Update erroneously indicates that an update is available.

Workaround:
1. upload the latest file that is not present on the system with scp to '/var/lib/hsqldb/live-update/update-files/'
2. restart 'tomcat' service:
> bigstart restart tomcat

Fix:
Fixed an issue with Live Update notification.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2


964625 : Improper processing of firewall-rule metadata

Links to More Info: BT964625

Component: Advanced Firewall Manager

Symptoms:
The 'mcpd' process may suffer a failure and be restarted.

Conditions:
Adding very large firewall-policy rules, whether manually, or from config-sync, or from BIG-IQ.

Impact:
-- MCPD crashes, which disrupts both control-plane and data-plane processing while services restart.
-- Inability to configure firewall policy.

Workaround:
Reduce the number of firewall policy rules.

Fixed Versions:
16.1.2.2


964489 : Protocol Inspection IM package hardening

Component: Protocol Inspection

Symptoms:
Protocol Inspection IM packages do not follow current best practices.

Conditions:
- Authenticated administrative user
- Protocol Inspection IM packages uploaded to BIG-IP

Impact:
Protocol Inspection IM packages do not follow current best practices.

Workaround:
N/A

Fix:
Protocol Inspection IM packages now follows current best practices.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


964097 : Watchdog restart AVRD when publish interval set to 300

Component: Application Visibility and Reporting

Symptoms:
Changing avrd snapshot publisher to 300 after it was 30, causes to avrd reboot.

Conditions:
Changing avrd snapshot publisher to 300 after it was 30.

Impact:
AVRD gets rebooted when it shouldn't be rebooted

Fix:
Added the ability to update thread interval of (watchdog) subscribed thread.


963625-7 : Appliance mode hardening

Component: Guided Configuration

Symptoms:
Appliance mode license restrictions do not follow current best practices.

Conditions:
- Appliance-mode license
- Authenticated administrative user
- AGC provisioned

Impact:
Appliance mode does not follow current best practices.

Workaround:
N/A

Fix:
Appliance mode now follows current best practices.


963541 : Net-snmp5.8 crash

Links to More Info: BT963541

Component: TMOS

Symptoms:
Snmpd crashes.

Conditions:
This does not always occur, but it may occur after a subagent (bgpd) is disconnected.

Impact:
Snmpd crashes.

Fixed Versions:
15.1.5.1, 16.1.2.2


962817 : Description field of a JSON policy overwrites policy templates description

Links to More Info: BT962817

Component: Application Security Manager

Symptoms:
Creating a UTF-8 policy using a template for the first time creates a binary policy the system uses the next time you create a UTF-8 policy with the same template.

If the creation occurs via JSON policy import, the description field of the JSON policy overwrites the description from the template, and the next time you create a UTF-8 policy using the same template, the system uses the description from the first JSON policy.

Conditions:
Create an initial UTF-8 policy with some template using a JSON policy with a custom description.

Impact:
The next time you create a UTF-8 policy with the same template, unless you provide a description, the system uses the one from the initially created JSON policy instead the template.

Workaround:
Before creating the second policy, remove the binary file that was created from the first run. For example if the template used was Fundamental:

rm -f /ts/install/policy_templates/fundamental.bin

Fix:
The binary file now contains the correct description.

Fixed Versions:
15.1.3, 16.0.1.1


962589 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestion

Links to More Info: BT962589

Component: Application Security Manager

Symptoms:
When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur.
This can cause unexpected delays in configuration being synchronized between peers, and in the event of repeated instances in quick succession could fill the /var partition

Conditions:
1) Device Group with ASM and auto-sync enabled
2) Parent Policies with learning are in use.
3) Ignored Suggestions are deleted on the parent policy after they have 0 suggesting children left.

Impact:
ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession.
A full /var partition can lead to bd cores.

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1


962493 : Request is not logged

Component: Application Security Manager

Symptoms:
A request is not logged in the local and/or remote logs.

Conditions:
A request has evasions detected on very large parameters.

Impact:
A missing request in the log.

Workaround:
N/A


962489 : False positive enforcement of parameters with specific configuration

Component: Application Security Manager

Symptoms:
False positive parameters are being detected in the payload and enforced wrongly.

Conditions:
The URL is not defined (also not as wildcard - not defined at all) and the request has a payload.

Impact:
False positive enforcement - may lead to wrong violations and wrong blocking of requests.

Workaround:
None.


962177 : Results of POLICY::names and POLICY::rules commands may be incorrect

Links to More Info: BT962177

Component: Local Traffic Manager

Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules returns incorrect results.

Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.

Impact:
Traffic processing may not provide expected results.

Fix:
POLICY::names and POLICY::rules provide atomic results per transaction going over a same connection.

Fixed Versions:
13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2


961509 : ASM blocks WebSocket frames with signature matched but Transparent policy

Links to More Info: BT961509

Component: Application Security Manager

Symptoms:
WebSocket frames receive a close frame

Conditions:
-- ASM provisioned
-- ASM policy attached to a virtual server
-- WebSocket profile attached to a virtual server
-- ASM policy transparent mode enabled

Impact:
WebSocket frame blocked in transparent mode

Workaround:
Change signatures blocking settings to Learn = Yes, Alarm = Yes, Block = No

Fix:
WebSocket frame blocking condition now takes into account global transparent mode setting.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


959985 : Update VMware hardware version templates for BIG-IP Virtual Edition (VE) from v10 to v13 in order to support VMs deployed in more versions of vSphere ESXi.

Links to More Info: BT959985

Component: TMOS

Symptoms:
Virtual hardware version setting for BIG-IP VE VMware templates (virtualHW.version) are set to version 10 and must change to version 13, so more versions of vSphere ESXi (for example, ESXi v6.0 and later) can support deploying BIG-IP Virtual Edition.

Conditions:
Using BIG-IP Virtual Edition VMware hardware templates set to v10 running in most, later versions of VMware ESXi.

Impact:
BIG-IP Virtual Edition VMware hardware templates result in performance issues and deployment errors/failures.

Workaround:
None

Fix:
Changed the BIG-IP Virtual Edition VMware hardware template version setting (virtualHW.version) to 13 and deployed them successfully using later versions of VMware ESXi.

Fixed Versions:
16.1.2.2


959609-1 : Autodiscd daemon keeps crashing

Links to More Info: BT959609

Component: Advanced Firewall Manager

Symptoms:
Autodiscd daemon keeps crashing.

Conditions:
Issue is happening when high speed logging and auto discovery configuration are configured and send the traffic.

Impact:
Auto discovery feature is not working as expected

Workaround:
None.

Fix:
Auto discovery feature now works as expected.

Fixed Versions:
16.1.2.2


959465 : Bot Defense iFrame might be seen in browsers

Component: Application Security Manager

Symptoms:
On some cases, the Bot Defense iFrame used for inject in response might be seen in the browser.

Conditions:
-- Bot Defense profile is attached to VS.
-- Bot Defense profile has "Browser Verification" set to "Verify After Access" or "Device ID Mode" set to "Generate After Access".
-- Depends on the application pages.

Impact:
Suboptimal user experience - minor iFrame is seen at the bottom of the page.

Workaround:
None.

Fix:
Bot Defense iFrame is no longer seen in browsers.


959153-7 : Appliance mode hardening

Component: Guided Configuration

Symptoms:
Appliance mode license restrictions do not follow current best practices.

Conditions:
- Appliance-mode license
- Authenticated administrative user
- AGC provisioned

Impact:
Appliance mode does not follow current best practices.

Workaround:
N/A

Fix:
Appliance mode now follows current best practices.


957905 : SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP.

Links to More Info: BT957905

Component: Service Provider

Symptoms:
SIP Requests that don't contain a content_length header are accepted and forwarded by the BIG-IP to the server.

SIP Responses that don't contain a content_length header are accepted and forwarded to the client.

The sipmsg parser does not treats the content_length header as a required header as part of the SIP Request / Response.

Conditions:
SIP request / response without content_length header.

Impact:
RFC 6731 non compliance.

Workaround:
N/A

Fix:
BIG-IP now aborts the connection of any TCP SIP request / response that does not contain a content_length header.

content_length header is treated as optional for UDP and SCTP.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


956645 : Per-request policy execution may timeout.

Links to More Info: BT956645

Component: Access Policy Manager

Symptoms:
When attempting to access a resource that requires subsession validation, the client may receive an HTTP 503 "Service Unavailable" response, and the logs indicate that per-request policy execution time has expired.

Conditions:
Multiple connections are accessing the same subsession, triggering subsession lock contention.

Impact:
Some clients will fail to connect to their destination.

Workaround:
Add criteria to the gating criteria to enable more fine-grained subroutines to reduce subsession contention. For example, add category, or application name, to the gating criteria. In the case of API protection, consider concatenating credentials with the resource hostname (plus port).

Increase the per-request policy execution timeout value, controlled by the variable tmm.access.prp_global_timeout, to a higher value.

Fix:
Subesssion lock contention wait time is reduced. Clients will not fail to connect due to subsession lock contention.

Fixed Versions:
14.1.4.5


956373 : ASM sync files not cleaned up immediately after processing

Links to More Info: BT956373

Component: Application Security Manager

Symptoms:
Some ASM sync files remain on disk after config sync finishes. They remain until periodic clean-up tasks activate

Conditions:
-- ASM provisioned
-- BIG-IP devices are in a sync group
-- Relatively small "/var" partition

Impact:
If the files are large it may lead to "lack of disk space" problem.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


956133 : MAC address might be displayed as 'none' after upgrading.&start;

Links to More Info: BT956133

Component: Local Traffic Manager

Symptoms:
The MAC Address of a BIG-IP Virtual Edition network interface is displayed as 'none' after upgrading.

Conditions:
1. The VLAN MTU is set to less than 1280 bytes on a BIG-IP network interface.
2. Upgrade BIG-IP to 14.1.0 or above from BIG-IP versions below 14.1.0.

Impact:
Traffic disrupted when the MAC address is set to 'none'.

Workaround:
N/A

Fix:
IPv6 link-local addresses are now created with MTU greater than 1280, so this issue is resolved.

Fixed Versions:
14.1.4.4, 15.1.4


955953 : iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg'

Links to More Info: BT955953

Component: TMOS

Symptoms:
'table' command fails to resume causing processing of traffic to halt due to 'irule_scope_msg' causing iRule processing to proceed in a way that 'table' does not expect.

Conditions:
- iRule using 'table' command
- Diameter 'irule_scope_msg' enabled

Impact:
Traffic processing halts (no crash)


955617 : Cannot modify properties of a monitor that is already in use by a pool

Links to More Info: BT955617

Component: Local Traffic Manager

Symptoms:
Modifying monitor properties gives error, if it is attached to a pool with Node/Pool member instance.

0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor

Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.

Impact:
Monitor properties can't be modified if they are in use by a pool.

Workaround:
Remove monitor, modify it, and then add it back.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


954425 : Hardening of Live-Update

Links to More Info: K61112120, BT954425


953601 : HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions

Links to More Info: BT953601

Component: Local Traffic Manager

Symptoms:
HTTPS monitor marks pool member/nodes as down and they remain down until bigd is restarted or the monitor instance is removed and created again.

Conditions:
BIG-IP is configured with restrictive ciphers that are only compatible with TLS 1.2 (ECDH+AESGCM) but all of the TLS protocol versions are allowed. When HTTPS monitor TLS 1.0 handshake fails, due to incompatible ciphers with the server being monitored. It does not try TLS 1.2 version and marks pool members or nodes as down.

Impact:
HTTPS monitor shows pool members or nodes down when they are up.

Workaround:
Restart bigd or remove and add monitors.

Fix:
In case of handshake failure, BIG-IP will try TLS 1.2 version.

Fixed Versions:
16.1.2.2


952521 : Memory allocation error while creating an address list with a large range of IPv6 addresses&start;

Links to More Info: BT952521

Component: Advanced Firewall Manager

Symptoms:
When trying to create a large IPv6 address-list IP range either via the GUI, tmsh, or from loading a previously saved config, MCPd will temporarily experience memory exhaustion and report an error "01070711:3: Caught runtime exception, std::bad_alloc"

Conditions:
When adding an IPv6 address range that contains a very large number of IPs. This does not affect IPv4.

Impact:
The IP address range cannot be entered. If upgrading from a non-affected version of TMOS where an IP range of this type has been saved to the config, a std::bad_alloc error will be printed when loading the config after upgrading.

Workaround:
Use CIDR notation or multiple, smaller IP ranges.


951789 : Uncaught RangeError: Maximum call stack size exceeded

Links to More Info: BT951789

Component: Application Security Manager

Symptoms:
Web application does not work and JavaScript error is posted in the browser console:

Uncaught RangeError: Maximum call stack size exceeded

Conditions:
-- ASM provisioned.
-- Bot or DoS application profile attached to a virtual server.
-- Single page application (SPA) enabled.

Impact:
Web application does not work as expected.

Workaround:
None

Fix:
SPA functionality has been corrected to avoid this issue.


951257 : FTP active data channels are not established

Component: Local Traffic Manager

Symptoms:
Under certain conditions FTP active data channels may not be established as expected.

Conditions:
-- The FTP profile has "allow-active-mode" enabled and "port" set to a non-zero value.

Impact:
FTP transfers with active data channels are not processed as expected.

Workaround:
- Disable 'active' FTP and only use passive FTP or
- Use a custom FTP profile with port set to '0' on FTP virtual servers.

Fix:
FTP active data channels are now established as expected.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


951133 : Live Update does not work properly after upgrade&start;

Links to More Info: BT951133

Component: Application Security Manager

Symptoms:
After upgrading BIG-IP version the Live Update "Check for Update" button does not respond.

Conditions:
Upgrading from a version that did not have Live Update to a new version which includes Live Update

Impact:
Live Update can't query for new updates.

Workaround:
Restart tomcat process:
> bigstart restart tomcat

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1


950953 : Browser Challenges update file cannot be installed after upgrade&start;

Links to More Info: BT950953

Component: Application Security Manager

Symptoms:
After upgrading BIG-IP, the Browser Challenges factory default update file cannot be installed, and you see this error:

Installation error: gpg: WARNING: unsafe ownership on homedir `/usr/share/live-update/share/gpg/browser_challenges_genesis_load'gpg: encrypted with 1024-bit ELG key, ID 7C3E3CE5, created 2007-03-20 "asm_sigfile_installer"gpg: Signature made Mon Aug 2

Conditions:
The new file that comes with the installation is ready to install

Impact:
New updated cannot be installed

Workaround:
There are 2 options:
1. download a new version of the update file (if exists)
2.
   2.1 download a copy of that file from the machine to your locale machine
   2.2 rename it :
       > cp BrowserChallenges_20200722_072935.im BrowserChallenges_<CURRENT_DATE>_<CURRENT_TIME>.im
       ## the date and time are for tracking and the have to be in a specific format DATE : YYYYMMDD, TIME: HHMMSS
   2.3 upload the file and install it manually from the LiveUpdate screen.

Fix:
Modified decryption key directory to a RW file systme


950917 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034

Links to More Info: BT950917

Component: Application Security Manager

Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:

01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )

Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.

Impact:
Apply policy fails.

Workaround:
You can use any of the following workarounds:

-- Install an older signature update -SignatureFile_20200917_175034

-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.

-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs INNER JOIN (select previous_enforced_rule_md5, policy_id, count(*) as mycount from PL_POLICY_NEGSIG_SIGNATURES where previous_enforced_rule_md5 != '' group by previous_enforced_rule_md5, policy_id having mycount > 1) as multi_sigs on policy_sigs.policy_id = multi_sigs.policy_id and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5 SET policy_sigs.previous_enforced_rule_md5 = '', policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4


950149-1 : Add configuration to ccmode for compliance with the Common Criteria STIP PPM.

Component: TMOS

Symptoms:
To comply with configuration requirements for the Common Criteria STIP PPM, the ccmode script must be updated.

Conditions:
Required compliance with Common Criteria STIP PPM configuration.

Impact:
Without these updates, the BIG-IP will not be compliant with the Common Criteria STIP requirements.

Workaround:
Follow the instructions in the Common Criteria Guidance document.

Fix:
This fix added configuration elements for compliance to Common Criteria STIP PPM requirements.


950069 : Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record"

Links to More Info: BT950069

Component: Global Traffic Manager (DNS)

Symptoms:
When attempting to use zonerunner to edit a TXT record that contains a plus character, BIG-IP DNS presents the error message 'Resolver returned no such record'.

Conditions:
A TXT record exists with RDATA (the value of the TXT record) containing one or more + symbols

Impact:
Unable to edit the record.

Workaround:
Two workarounds available:

1. Use zonerunner to delete the record and then recreate it with the desired RDATA value

2. Manually edit the bind zone file (see K7032)


949781 : Possible blocking on bad IP reputation

Component: Application Security Manager

Symptoms:
Bad ip reputation as part of Bot Defense verification causes suspicious classification, and therefore mitigation, by itself.

Conditions:
-- Bot Defense profile is attached to Virtual Server.
-- Intrusive mitigation action is configured for "Suspicious Browser" class.
-- Client IP appears in bad IP reputation database.

Impact:
Clients are mitigated when they should not be.

Workaround:
Suspicious Javascript free score can be increased via a BigDB variable:

tmsh modify sys db botdefense.suspicious_jsfree_score value 60


949593 : Unable to load config if AVR widgets were created under '[All]' partition&start;

Links to More Info: BT949593

Component: Application Visibility and Reporting

Symptoms:
When upgrading to or loading saved configuration on BIG-IP software v13.0.0 or later, if the configuration contains AVR widgets created under a partition of '[All]', the config load fails.

Conditions:
This occurs if one or more AVR widgets in the configuration was created under the read-only '[All]' pseudo-partition.
This could have occurred if you were running a version of BIG-IP which did not include the fix for ID 721408.

Impact:
Upgrading to or loading an affected configuration on BIG-IP v13.x or later fails.

Workaround:
Manually edit the /config/bigip.conf configuration file and change '[All]' to 'Common':

# sed -i 's/\\\[All\]/Common/g' /config/bigip.conf
# tmsh load sys config
# tmsh save sys config

This should be done before upgrading to BIG-IP v13.x or later, or before saving configuration to be loaded later, or before loading a saved configuration from the config files.

Fix:
It is possible to successfully upgrade from or load a configuration containing one or more AVR widgets created under the read-only '\[All]' pseudo-partition or under other not existing partitions. With the current fix all partitions are changed to "Common" during upgrade.

Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2


949293 : False-Positives in case of matrix path parameter enforcement

Component: Application Security Manager

Symptoms:
Creating an Open-API ASM policy with the configuration "Handle Path Parameters" = "As Parameters" causes fault detection of parameter violations on valid matrix path parameters, which leads to false positives.

Conditions:
This can occur when an open API policy is created with the configuration "Handle Path Parameters" = "As Parameters"

Impact:
False-Positives on matrix path parameters

Workaround:
During open API policy creation, configure "Handle Path Parameters" = "As URL"

Fix:
No False-Positives on matrix path parameters.


948985-4 : Workaround to address Nitrox 3 compression engine hang

Links to More Info: BT948985

Component: Local Traffic Manager

Symptoms:
Occasionally the Nitrox3 compression engine hangs.

In /var/log/ltm:
 
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.

Conditions:
The BIG-IP system uses Nitrox 3 hardware compression chip: 5xxx, 7xxx, 12250, and B2250.

You can check if your platform has nitrox3 by running the following command:

tmctl -w 200 compress -s provider

provider
--------
bzip2
lzo
nitrox3 <--------
zlib

Impact:
The Nitrox3 hardware compression system becomes unavailable and the compression mode switches to software compression. This can lead to high CPU usage.

Workaround:
Disable HTTP compression or use software compression.


948601 : File object checksum attribute is not updated when an external data-group file or external monitor file is edited from GU

Component: TMOS

Symptoms:
SHA1 checksum attribute/property of the file object is not persisted/published/propagated to the MCP datastore/GUI.

Conditions:
This could be observed when an external data-group file or external monitor file definition is edited from GUI.
Below mentioned is the workflow where the issue can be seen/replicated,
System ›› File Management : Data Group File List >> FILE
Edit the "definition" field of the file object & click update.
1.) edit sys file data-group "filename"
2.) list sys file data-group "filename"
Aforementioned commands can be used from TMOS shell to understand the correct behavior that is expected when the same is done from GUI

Impact:
You are unable to identify whether the file object was modified by just validating/comparing the file object's metadata/schema property i.e. "checksum SHA1"

Workaround:
None


948113 : User-defined report scheduling fails

Links to More Info: BT948113

Component: Application Visibility and Reporting

Symptoms:
A scheduled report fails to be sent.

An error message with the following format may appear on /var/log/avr/monpd.log file (some parts of the error message were replaced with '.....' in here to leave only the common parts):
     DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
 Because : Unknown column ....... in 'order clause'

Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report

Impact:
Internal error for AVR report for ASM pre-defined.

Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr

Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});

The above can be achieved with the following script-line (please first backup the Client.pm file and then verify it changed it correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm

Lastly, remount /usr back to read-only:
mount -o remount,ro /usr

Fix:
Using 'sort-by' measure when building PDF (instead of the first value on measure-list)

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


948073 : Dual stack download support for IP Intelligence Database

Links to More Info: BT948073

Component: Advanced Firewall Manager

Symptoms:
IP Intelligence cannot function if the BIG-IP management IP network is strict IPv6.

Conditions:
- IP Intelligence License installed
- Management IP is configured with only IPv6 addresses.

Impact:
The BIG-IP systems configured with IPv6 management networks cannot use IP Intelligence features even though they have installed IP Intelligence licenses.

Workaround:
None

Fix:
BIG-IP can now download the IP Intelligence database over IPv4 and IPv6 management networks.

Behavior Change:
BIG-IP can now download the IP Intelligence database over IPv4 and IPv6 management networks.

Fixed Versions:
15.1.4


948065 : DNS Responses egress with an incorrect source IP address.

Links to More Info: BT948065

Component: Local Traffic Manager

Symptoms:
DNS responses over a certain size egress the BIG-IP with an incorrect source IP address set.

Conditions:
Large responses of ~2460 bytes from local BIND

Impact:
The response to the client appears to be coming from the wrong source IP address, and the request fails.

Workaround:
Change 'max-udp-size' in BIND to a smaller value reduces the size of response, which stops the fragmentation.

Note: This workaround has limitations, as some records in 'Additional Section' are truncated.


947613 : APM reset after upgrade and modify of LDAP Group Lookup&start;

Links to More Info: BT947613

Component: Access Policy Manager

Symptoms:
-- Per-Request Policy fails.
-- APM reset the connection.

Conditions:
Upgrade from 13.1.3.4 to 15.1.0.4 and modify the LDAP Group Lookup.

Impact:
APM resets the connection.

Workaround:
1. Create a new empty object with the same expression as the LDAP Group Lookup.
2. Restart the system:
bigstart restart tmm


947341 : MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files.

Links to More Info: BT947341

Component: Application Security Manager

Symptoms:
1) var/lib/mysql/mysqld.err is filled with log entries that contain:
------------
  200824 11:04:43 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:18:46 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:35:58 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
------------

2) There are a lot of PRX.REQUEST_LOG partitions, in some cases up to 1024, many of which are empty.

Conditions:
ASM/AVR provisioned

Impact:
MySQL runs out of resources when opening the file
PRX.REQUEST_LOG and an error message states the file is corrupt.

Workaround:
1. If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
   https://support.f5.com/csp/article/K14956
   https://support.f5.com/csp/article/K42497314

2. To identify the empty partitions, look into:
   mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G"

3. For every partition that is empty, manually (or via shell script) execute this sql:
   mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION <empty_partition_name>;"

   Note: <empty_partition_name> must be substituted with the partition name, for example p100001.


4. Increase 'open_files_limit' to '10000'.
--------------------------------

   In the /etc/my.cnf file:
   1. Change the value of the 'open_files_limit' parameter to 10000.
   2. Restart MySQL:
   bigstart restart mysql
--------------------------------

5. pkill asmlogd

Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.

Fix:
This release increases the default 'open_files_limit' to '10000'.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2, 16.1.2


946325 : PEM subscriber GUI hardening

Component: Policy Enforcement Manager

Symptoms:
The PEM subscriber GUI does not follow current best practices.

Conditions:
- Authenticated administrative user
- PEM GUI request

Impact:
PEM subscriber GUI does not follow current best practices.

Workaround:
N/A

Fix:
PEM subscriber GUI now follows current best practices.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


946185 : Unable to view iApp component due to error 'An error has occurred while trying to process your request.'&start;

Links to More Info: BT946185

Component: iApp Technology

Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:

An error has occurred while trying to process your request.

Conditions:
-- With or without Partitions configured.
-- Navigate to GUI iApps :: Application Services : Applications, to view a custom iApp.
-- More likely to occur after upgrade.

Impact:
Unable to view/modify iApps via GUI iApps :: Application Services : Applications screen.

Workaround:
To reconfigure the iApp, do the following:

1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List

2. Click the Application Link :: Reconfigure.

Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.

Fix:
Viewing Application Service components now reports no errors in the GUI under these conditions.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2


945357-1 : BIG-IP must be able to set CA=True when creating Certificate Signing Requests from TMSH.

Component: Local Traffic Manager

Symptoms:
A Certificate Signing Request (CSR) is generated on the BIG-IP device to be used to create a certificate. It is possible for the entity owning the just-created certificate to serve as a Certificate Authority (CA) and be able to issue certificates and private keys to other parties. However, that ability does not exist unless the certificate has the CA field set to True (by default it is set to False).

Conditions:
In the TMSH prompt on the Command Line Interface (CLI), an attempt is made to generate a Certificate Signing Request (CSR) to be used to eventually create a certificate and corresponding private key.

Impact:
Without this change, certificates and private keys generated on the BIG-IP device cannot be directly provided to certification authorities so they can be used to sign certificates they would issue to other parties.

Workaround:
This is a new facility, not provided before, and overcomes a limitation. Without this facility, existing users of the BIG-IP are not impacted at all. As such, there is no workaround applicable.

Fix:
This fix enables certificates and private keys generated on the BIG-IP device via CSR's to be directly provided to certification authorities for their use. Because the CA field is set to now True, this fix adds convenience for certification authorities.


944381 : Dynamic CRL checking for client certificate is not working when TLS1.3 is used.

Links to More Info: BT944381

Component: Local Traffic Manager

Symptoms:
In SSL reverse proxy, dynamic CRL checking for client certificate is not working when TLS 1.3 handshake is used.
The SSL handshake successfully completed even though the client certificate is revoked.

Conditions:
-- Dynamic CRL checking enabled on a client-ssl profile
-- The client-side SSL handshake uses TLS1.3.

Impact:
The handshake should fail but complete successfully

Fix:
The issue was due to Dynamic CRL revocation check has not been integrated to TLS 1.3.

After the Dynamic CRL checking is integrated to TLS 1.3, the TLS handshake will work as expected.


944121 : Missing SNI information when using non-default domain https monitor running in TMM mode.

Links to More Info: BT944121

Component: In-tmm monitors

Symptoms:
In-TMM https monitors do not send the SNI (Server Name Indication) information for non-default route domain pool members.

In-TMM monitors do not send any packet when TLS1.3 monitor is used.

Conditions:
-- SNI is configured in serverssl profile
-- serverssl profile is assigned to in-tmm https monitors
-- https monitors are monitoring pool members that are in a non-default route domain.

 - Another Condition :

TLS1.3 Monitor is used

Impact:
The TLS connection might fail in case of SNI

No SYN packet is sent in case of TLS1.3 monitor

Workaround:
N/A

Fix:
N/A

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


943577 : Full sync failure for traffic-matching-criteria with port list under certain conditions

Links to More Info: BT943577

Component: TMOS

Symptoms:
Performing a full configuration sync with traffic-matching-criteria (TMC) under specific conditions fails with errors similar to:

err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 245 6869100131892804717 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..

Conditions:
This may occur on a full-load config sync (not an incremental sync)
On the device receiving the ConfigSync:
   - a traffic-matching-criteria is attached to a virtual server
   - the traffic-matching-criteria is using a port-list
On the device sourcing the ConfigSync:
   - the same traffic-matching-criteria is attached to the same virtual server
   - the original port-list is modified (e.g. a description is changed)
   - the TMC is changed to reference a _different_ port-list

Impact:
Unable to sync configurations.

Workaround:
Copy the "net port-list" and "ltm traffic-matching-criteria" objects from the source to target system, merge them with "tmsh load sys config merge", and then perform a force-full-load-push sync from source to target.

If the BIG-IP systems are using device groups with auto-sync enabled, disable auto-sync temporarily while performing this workaround.

1. On the source system (the system whose configuration you want to sync to peer), save the configuration and extract the ltm traffic-matching-criteria and port-lists:

tmsh save sys config

(shopt -s nullglob; echo "#"; echo "# $HOSTNAME"; echo "# generated $(date +"%F %T %z")"
    cat /config{/partitions/*,}/bigip{_base,}.conf |
    awk '
        BEGIN { p=0 }
        /^(ltm traffic-matching-criteria|net port-list) / { p=1 }
        /^}/ { if (p) { p=0; print } }
        { if (p) print; }
    ' ) > /var/tmp/portlists-and-tmcs.txt

2. Copy /var/tmp/portlists-and-tmcs.txt to the target system

3. On the target system, load that file:

    tmsh load sys config replace file /var/tmp/portlists-and-tmcs.txt

3a. If loading the config file on the target system fails with the same error message seen during a ConfigSync, follow the procedure in
K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.

   tmsh save sys config
   clsh touch /service/mcpd/forceload
   clsh reboot

4. On the source system, force a full-load sync to the device-group:

    tmsh run cm config-sync force-full-load-push to-group <name of sync-group>

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


943489-1 : OAuth crash

Links to More Info: BT943489

Component: Access Policy Manager

Symptoms:
OAuth crashes during the authorization process

Conditions:
This can occur while under heavy authorization load.

Impact:
Authorization disrupted while oauth restarts

Workaround:
None

Fix:
Added the null checks while sending the sql db query to fix this issue


943109 : Mcpd crash when bulk deleting Bot Defense profiles

Links to More Info: BT943109

Component: TMOS

Symptoms:
When bulk deleting a large number of Bot Defense profiles (around 450 profiles) using TMSH, mcpd could crash.

Conditions:
This can be encountered during bulk delete of Bot Defenese profiles via tmsh.

Impact:
Crash of mcpd causing failover.

Workaround:
Delete the Bot Defense profiles in smaller batches to avoid the possible crash.

Fix:
There is no longer a crash of mcpd when deleting a large number of Bot Defense in a bulk using TMSH.


943041 : Trunk interface support added for L2wire on BIG-IP Virtual Edition

Component: Local Traffic Manager

Symptoms:
L2wire on BIG-IP Virtual Edition works with non-trunked interfaces. Trunk interfaces are not supported. Packets ingressing on a trunk are not bridged properly to the egress side.

Conditions:
Basic L2-wire on BIG-IP Virtual Edition with trunk interface.

Impact:
Trunk interfaces were not supported for L2wire deployments on BIG-IP Virtual Edition.

Workaround:
None

Fix:
Trunk Support in BIG-IP Virtual Edition L2WIRE added.


941649 : Local File Inclusion Vulnerability

Links to More Info: K63163637, BT941649


941625 : BD sometimes encounters errors related to TS cookie building

Links to More Info: BT941625

Component: Application Security Manager

Symptoms:
BD sometimes print errors related to TS cookie building when receiving ASM cookies with account_id:

-- BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040.

-- IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.

Conditions:
-- Cookie protection is enabled.
-- The BIG-IP software is upgraded from a version that was earlier than 15.1.x.

Impact:
The cookie is not built and an error is logged.

Workaround:
None.

Fixed Versions:
15.1.4, 16.1.1


940317 : CVE-2020-13692: PostgreSQL JDBC Driver vulnerability

Links to More Info: K23157312, BT940317


940261 : Support IPS package downloads via HTTP proxy.

Links to More Info: BT940261

Component: Protocol Inspection

Symptoms:
IPS package download via HTTP proxy does not work.

2021-08-31 16:59:59,793 WARNING Download file failed. Retrying.
--
The error repeats continuously.

Conditions:
-- The global db key 'sys management-proxy-config' is configured
-- An IPS download is triggered

Impact:
The IPS IM package fails to download.

Workaround:
No workaround.

Fix:
IPS package downloads can now be successfully performed through an HTTP proxy.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


940185 : icrd_child may consume excessive resources while processing REST requests

Links to More Info: K11742742, BT940185


939877 : OAuth refresh token not found

Links to More Info: BT939877

Component: Access Policy Manager

Symptoms:
When an OAuth client sends a refresh token to renew the access token, BIG-IP reports an error:

err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)

Conditions:
-- The refresh token expiration interval is longer than authcode and accesstoken.
-- The Authorization code table entry does not exist because of an internal clearing/purging operation.
-- tmm restarts or failover to standby thus losing refresh-token value from primarydb

Impact:
OAuth APM client end user fails to renew the access token even with a valid refresh token.

Workaround:
Clear/reset the Authorization code column value manually:

As a root user run below BIG-IP shell
(tmos)# list apm oauth db-instance
apm oauth db-instance oauthdb { db-name <db_name> description "Default OAuth DB." }

Copy the value corresponding to <db_name>.

Log into mysql from the bash prompt:
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw)

mysql> use <db_name>;

mysql> update master set auth_code = NULL where refresh_token='affected_refresh_token_id';

(Substitute the affected refresh token ID with affected_refresh_token_id in the previous command.)

Fix:
Do not report error if the Authorization code does not exist when a valid refresh-token/access-token exists.

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.2


937541 : Wrong display of signature references in violation details

Component: Application Security Manager

Symptoms:
The number '1' is added to the signature reference in violation details in the Request Log.

Conditions:
You click the '?' icon near signature name to view signature details and there are references for this signature

Impact:
The number 1 is shown before the link

Fix:
Signature References are shown correctly in violation details of Request Log


936441 : Nitrox5 SDK driver logging messages

Links to More Info: BT936441

Component: Local Traffic Manager

Symptoms:
The system kernel started spontaneously logging messages at an extremely high rate (~3000 per second):

Warning kernel: EMU(3)_INT: 0x0000000000000020
warning kernel: sum_sbe: 0
warning kernel: sum_dbe: 0
warning kernel: sum_wd: 0
warning kernel: sum_gi: 0
warning kernel: sum_ge: 0
warning kernel: sum_uc: 1

The above set of messages seems to be logged at about 2900-3000 times a second.

These messages continue after TMM fails its heartbeat and is killed. The system is rebooted by the host watchdog.

Conditions:
These messages are triggered by Nitrox5 driver when EMU microcode cache errors corrected by hardware.

Impact:
High rate of logging messages. The tmm heartbeat eventually fails, and tmm is restarted. Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
15.1.5.1, 16.1.2.2


935249 : GTM virtual servers have the wrong status

Links to More Info: BT935249

Component: Global Traffic Manager (DNS)

Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up).

Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.

-- The status code (for example, 200) being searched for in the response appears elsewhere than in the first line (for example, in a following header).

Impact:
The system incorrectly matches the status code in a response line which is not the Status-Line. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.

Workaround:
You can work around this issue by not performing HTTP status matching in your HTTP/HTTPS GTM monitors.

Fix:
The HTTP status code is now correctly searched only in the first line of the response.

Fixed Versions:
15.1.5, 16.1.2.1


935193-3 : With APM and AFM provisioned, single logout ( SLO ) fails

Links to More Info: BT935193

Component: Local Traffic Manager

Symptoms:
SAML Single log out (SLO) fails on BIG-IP platforms. The SAML module on the BIG-IP system reports following error messages:

-- SAML SSO: Error (12) Inflating SAML Single Logout Request
-- SAML SSO: Error (12) decoding SLO message
-- SAML SSO: Error (12) extracting SAML SLO message

Conditions:
Failures occur with Redirect SLO.

Impact:
SAML single logout does not work.

Workaround:
Use POST binding SLO requests.


935177 : IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm

Links to More Info: BT935177

Component: TMOS

Symptoms:
TMM crashes when the maximum transmission unit (MTU) or 'Use PMTU' setting is changed while passing IPsec traffic.

Conditions:
-- IPsec tunnel configured and passing traffic.
-- The MTU or 'Use PMTU' setting for the IPsec tunnel (in interface mode) is changed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not change MTU or PMTU settings for the tunnel while it is passing traffic.

The settings can be changed while passing traffic, but TMM may crash very soon after the change. If the settings are changed and TMM does not crash soon after, then it will not spontaneously crash at some later point.

Fixed Versions:
16.1.2.2


934697 : Route domain not reachable (strict mode)

Links to More Info: BT934697

Component: Local Traffic Manager

Symptoms:
Network flows are reset and errors are found in /var/log/ltm:

Route domain not reachable (strict mode).

Conditions:
This might happen in either of the following scenarios:
Scenario 1
==========
-- LTM with iRules configured.
-- The iRule directs traffic to a node that is in a route domain.

Scenario 2
==========
-- LTM with an LTM policy configured.
-- The policy directs traffic to a node that is in a route domain.

Impact:
Traffic is not sent to the node that is in a route domain.

The iRule 'node' method and/or LTM policy 'node' specification require a route_domain to be specified in order for the traffic to be sent to a node that is assigned to a route domain.

Workaround:
Specify the node along with Route domain ID.

-- For iRules, change from this:
when HTTP_REQUEST {
 node 10.10.10.10 80
}

To this (assuming route domain 1):
when HTTP_REQUEST {
 node 10.10.10.10%1 80
}


-- For LTM policies, change from this:
actions {
    0 {
        forward
        select
        node 10.2.35.20
    }
}

To this (assuming route domain 1):
actions {
    0 {
        forward
        select
        node 10.2.35.20%1
    }
}


932485 : Incorrect sum(hits_count) value in aggregate tables

Links to More Info: BT932485

Component: Application Visibility and Reporting

Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.

Conditions:
-- Insert a very large amount of data (approximately 4.5 milliard or more) to one of AVR tables.
-- Review the value of the sum(hits_count) column.

Impact:
The system reports incorrect values in AVR tables when dealing with large numbers

Workaround:
None.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2


932193 : Improper handling of multiple cookie headers results in security bypass

Component: Application Security Manager

Symptoms:
Improper handling of multiple cookies results in security bypass when certain server technologies are used. The multiple cookie headers are handled separately in ASM, but the backend server concatenates it and can lead to potential signature attacks.

Conditions:
When PHP server technology is used as backend and a specially crafted request is sent with multiple cookies header.

Impact:
Bypass of negative security enforcement and can affect certain server technologies

Fix:
Templates are modified to change the default value of 'Repeated Occurrences' for HTTP header 'cookie' to 'Disallow'.


932137 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade

Links to More Info: BT932137

Component: Application Visibility and Reporting

Symptoms:
After upgrade, AFM statistics show non-relevant data.

Conditions:
BIG-IP system upgrade
-- Leftovers files remain in /shared/avr_afm partition from other versions.

Impact:
Non-relevant data are shown in AFM statistics.

Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2


932133 : Payloads with large number of elements in XML take a lot of time to process

Links to More Info: BT932133

Component: Application Security Manager

Symptoms:
ASM experiences high CPU and latency usage while processing a large XML request.

Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.

Impact:
High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request.

Workaround:
None

Fix:
This fix includes performance improvements for large XML payloads.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2


929913 : External DNS logging does not differentiate between: all src_IP, Per-SrcIP and Per-DstIP events

Links to More Info: BT929913

Component: Advanced Firewall Manager

Symptoms:
DNS logs on LTM side do not print the all src_IP, per-srcIP, etc.

Conditions:
-- DNS logging is enabled
-- A DNS flood is detected

Impact:
Some information related to DNS attack event is missing such as src_IP, Per-SrcIP and Per-DstIP events.

Fix:
DNS now logs all src_IP, Per-SrcIP and Per-DstIP events.


929909 : TCP Packets are not dropped in IP Intelligence

Links to More Info: BT929909

Component: Advanced Firewall Manager

Symptoms:
When an IP address is added to IP Intelligence under Denial-Of_service Category at a global level, and a TCP flood with that IP address occurs, IP Intelligence does not drop those packets

Conditions:
TCP traffic on BIG-IP with IP Intelligence enabled and provisioned

Impact:
When adding an IP address to an IP Intelligence category, UDP traffic from that IP address is dropped, but TCP traffic is not dropped.

Fix:
When adding an IP address to an IP Intelligence category, both TCP and UDP traffic from that IP address is dropped.

Fixed Versions:
15.1.5.1, 16.1.2.2


929213 : iAppLX packages not rolled forward after BIG-IP upgrade&start;

Links to More Info: BT929213

Component: Device Management

Symptoms:
Certain iAppLX packages are not rolled forward after a BIG-IP upgrade or restoring a UCS file generated from an affected system, and will be unavailable for use.

1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm

Conditions:
-> Installing any of the below iAppLX packages
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm

-> Performing an upgrade

-> Trying to access the LX packages from GUI by navigating to iApps -> Package Management LX

Impact:
After upgrading or restoring a UCS file generated from an affected system, the cloud-failover, service discovery, and telemetry iAppLX apps are not available for use, and will result in 404 error, while accessing them from GUI

Workaround:
The package needs to be uninstalled and installed again for use.

Steps:
-> From GUI, Navigate to iApps -> Package Management LX
-> select the package to uninstall and click on Uninstall
-> click on Import and provide the path of package to install again

Fix:
A new database key has been added, 'sys db iapplxrpm.timeout', which allows the RPM build timeout value to be increased.

sys db iapplxrpm.timeout {
    default-value "60"
    scf-config "true"
    value "60"
    value-range "integer min:30 max:600"
}

For example:

tmsh modify sys db iapplxrpm.timeout value 300

tmsh restart sys service restjavad

Increasing the db key and restarting restjavad should not be traffic impacting.

After increasing the timeout, the RPM build process that runs during a UCS save should be successful, and the resulting UCS should include the iAppsLX packages as expected.

Note: The maximum db key value of 600 may be needed in some cases.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2


929077 : Bot Defense allow list does not apply when using default Route Domain and XFF header

Links to More Info: BT929077

Component: Application Security Manager

Symptoms:
When configuring an IP address allow list in Bot Defense Profile, using a default Route Domain, and a request with an X-Forwarded-For header the request might not be added to the allow list.

Conditions:
-- Bot Defense Profile is attached to virtual server.
-- Bot Defense Profile has an IP address allow list configured.
-- Using default Route Domain.
-- Sending a request with X-Forwarded-For header.
-- Might require heavy traffic.

Impact:
Request from an IP address that is on the allow list is blocked.

Workaround:
Allow the IP address using an iRule.

Fix:
The system now sets the correct route domain, and IP addresses on the allow list are allowed.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


926845 : Inactive ASM policies are deleted upon upgrade

Links to More Info: BT926845

Component: Application Security Manager

Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.

Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy

Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.

Workaround:
None.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


926341 : RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade&start;

Links to More Info: BT926341

Component: Application Visibility and Reporting

Symptoms:
Unusually high AVR CPU utilization occurs following an upgrade.

Conditions:
-- BIG-IP software upgrade to v13.0.x or later.
-- Running AVR.

Impact:
AVR CPU utilization can be unusually high for an unusually long period of time.

Workaround:
After upgrade manually edit /etc/avr/avrd.cfg to decrease AVR CPU usage is high by increasing the time period of real-time statistics collection. In order to do so:
1. Change value of RtIntervalSecs in /etc/avr/avrd.cfg file to 30 or 60 seconds.
2. Restart the system by running the following command at the command prompt:
bigstart restart.

When changing RtIntervalSecs please take into consideration two important limitations:
-- Value of RtIntervalSecs cannot be less than 10.
-- Value of RtIntervalSecs must be 10 on BIG-IP devices that are registered on BIG-IQ DCD nodes.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4


924945 : Fail to detach HTTP profile from virtual server

Links to More Info: BT924945

Component: Application Visibility and Reporting

Symptoms:
The virtual server might stay attached to the initial HTTP profile.

Conditions:
Attaching new HTTP profiles or just detaching an existing one.

Impact:
The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF.

Workaround:
Create new similar virtual server and attach it to the correct HTTP profile.

Fixed Versions:
15.1.3, 16.0.1.2, 16.1.1


923221 : BD does not use all the CPU cores

Links to More Info: BT923221

Component: Application Security Manager

Symptoms:
Not all CPUs are utilized. The CPUs that are not loaded are those with ID greater than 31.

Conditions:
BIG-IP software is installed on a device with more than 32 cores.

Impact:
ASM does not use all of the available CPU cores.

Workaround:
Run the following commands from bash shell.

1. # mount -o remount,rw /usr

2. Modify the following file on the BIG-IP system:
   /usr/local/share/perl5/F5/ProcessHandler.pm
   
   Important: Make a backup of the file before editing.

3. Change this:
  ALL_CPUS_AFFINITY => '0xFFFFFFFF',

   To this:
  ALL_CPUS_AFFINITY => '0xFFFFFFFFFFFF',

4. # mount -o remount,ro /usr

5. Restart the asm process:
   # bigstart restart asm.

Fixed Versions:
16.1.2.2


922785 : Live Update scheduled installation is not installing on set schedule

Links to More Info: BT922785

Component: Application Security Manager

Symptoms:
A scheduled live update does not occur at the scheduled time.

Conditions:
A scheduled installation is set for only a single day, between 00:00-00:14.

Impact:
Automated installation does not initiate

Workaround:
There are two options:
1. Install the update manually.
2. Set two consecutive days where the second day is the day with the schedule set between 00:00-00:14

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2


922185 : LDAP referrals not supported for 'cert-ldap system-auth'&start;

Links to More Info: BT922185

Component: TMOS

Symptoms:
Admin users are unable to log in.

Conditions:
-- Remote LDAP auth enabled.
-- Administrative users are authenticated with the 'cert-ldap' source.
-- The admin user tries to log in.

Impact:
The cert-ldap authentication does not work, so login fails.

Workaround:
Manually edit the /etc/nslcd.conf and set the referrals to no.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


922105 : Avrd core when connection to BIG-IQ data collection device is not available

Links to More Info: BT922105

Component: Application Visibility and Reporting

Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.

Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.

Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.

Workaround:
Attempts to connect to BIG-IQ can be disabled manually by the following command:

tmsh modify analytics global-settings use-offbox disabled

Fix:
Avrd no longer cores when the connection to the BIG-IQ data collection device is not available.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2


921697 : Attack signature updates fail to install with Installation Error.&start;

Links to More Info: BT921697

Component: Application Security Manager

Symptoms:
Installing a new Attack Signature Update (ASU) file on ASM/AWAF device that has large number of active policies can result in a failure due to memory exceptions. The following errors can be observed:

/var/log/ts/asm_config_server.log:
F5::ASMConfig::Handler::handle_error,,Code: 406 , Error message = Process size (232341504) has exceeded max size (200000000)

/var/log/asm
crit perl[19751]: 01310027:2: ASM subsystem error (apply_asm_attack_signatures ,F5::LiveUpdate::PayloadHandler::clean_fail): Fail load update files: TSocket: timed out reading 1024 bytes from n.n.n.n:9781

Conditions:
1. Adding and activating a large number of policies on a BIG-IP system configured with ASM/AWAF. It is not known exactly how many policies are required to encounter this, but it appears to be between 50 and 90 where this becomes a risk.

2. Installing a new ASU file

Impact:
The attack signature update fails.

Workaround:
Impact of workaround:
Performing this workaround requires restarting ASM, so it affects traffic processing briefly; therefore, it is recommended that you perform this during a maintenance window.

Increase 'max memory size' from the default ~200 MB (200000000) to 300 MB:

1. Take a backup of the original file.
# cp /etc/ts/tools/asm_config_server.cfg /var/tmp/asm_config_server.original.cfg

2. Add the following to the end of file /etc/ts/tools/asm_config_server.cfg:
# AsyncMaxMemorySize=314572800

3. Restart ASM.
# bigstart restart asm

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.1


921441 : MR_INGRESS iRules that change diameter messages corrupt diam_msg

Links to More Info: BT921441

Component: Service Provider

Symptoms:
-- 'DIAMETER::host origin' command may not be set correctly.

There are errors in ltm/log:
err tmm[18562]: 014c0001:3: DIAMETER: hud_diam_handle error: Not found

Conditions:
-- Virtual server is configured with a diameter profile enabled with an ingress iRule, for example:

ltm rule Diameter - iRule {
  when MR_INGRESS {
    DIAMETER:: host origin "hostname.realm.example"
  }
}

-- Traffic arrives containing CER and ULR messages.

Impact:
Using the iRule to change the host origin corrupts the diameter message.

Workaround:
None.


921365 : IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby

Links to More Info: BT921365

Component: TMOS

Symptoms:
IKE-SAs are deleted on standby BIG-IP systems after a failover.

Conditions:
-- High availability (HA) environment
-- Dead-peer detection (DPD) / liveness checks are enabled
-- An HA failover occurs

This is a timing issue and can occur intermittently during a normal failover.

Impact:
Some of the IKE-SAs are missing on the standby device. When a failover happens, IPsec traffic will be dropped for those missing SAs.

Workaround:
Set IKE DPD interval time to ZERO (i.e., disable).

Fix:
When the BIG-IP system is in standby mode, the system no longer retries sending IKE/IPSEC control messages, which prevents this issue from occurring.

Fixed Versions:
15.1.4, 16.1.2


920149 : Live Update default factory file for Server Technologies cannot be reinstalled

Links to More Info: BT920149

Component: Application Security Manager

Symptoms:
Live Update default factory file for Server Technologies cannot be reinstalled once it is no longer the currently installed update file.

Conditions:
This occurs:

-- Once another update file for Server Technologies has been installed (most likely, a newer file).
-- If the device has been upgraded from a prior release such that the currently installed Server Technologies file is from the previous release, and is not the default factory file for the current release.

Impact:
Live Update default factory file for Server Technologies cannot be reinstalled.

Workaround:
None.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.1


919301 : GTP::ie count does not work with -message option

Links to More Info: BT919301

Component: Service Provider

Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:

wrong # args: should be "-type <ie-path>"

Conditions:
Issue the 'GTP::ie count' command with -message command, for example:

GTP::ie count -message $m -type apn

Impact:
iRules fails and it could cause connection abort.

Workaround:
Swap order of argument by moving -message to the end, for example:

GTP::ie count -type apn -message $m

There is a warning message due to iRules validation, but the command works in runtime.

Fix:
'GTP::ie' count is now working with -message option.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


915981 : BIG-IP SCP hardening

Component: TMOS

Symptoms:
Under certain conditions SCP does not follow current best practices.

Conditions:
- Authenticated high-privilege user
- SCP file transfer

Impact:
BIG-IP do not follow current best practices for filesystem protection.

Workaround:
N/A

Fix:
All filesystem protections now follow best practices.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


915773-2 : Restart of TMM after stale interface reference

Links to More Info: BT915773

Component: Local Traffic Manager

Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2


913413 : 'GTP::header extension count' iRule command returns 0

Links to More Info: BT913413

Component: Service Provider

Symptoms:
The 'GTP::header extension count' iRule command always returns 0 (zero).

Conditions:
This is encountered when using 'GTP::header extension count' in an iRule.

Impact:
The command returns false information.

Workaround:
None

Fix:
'GTP::header extension count' command now returns number of header extension correctly.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


913409 : GTP::header extension command may abort connection due to unreasonable TCL error

Links to More Info: BT913409

Component: Service Provider

Symptoms:
When running "GTP::header extension" iRule command with some conditions, it may cause a TCL error and abort the connection.

Conditions:
Running "GTP::header extension" iRule command is used with some specific arguments and/or specific condition of GTP message

Impact:
TCL error log is shown and connection is aborted

Workaround:
None

Fix:
GTP::header extension command no longer abort connection due to unreasonable TCL error

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


913393 : Tmsh help page for GTP iRule contains incorrect and missing information

Links to More Info: BT913393

Component: Service Provider

Symptoms:
In the tmsh help page for the GTP iRule command, it contains incorrect and missing information for GTP::header and GTP::respond command.

Conditions:
When running "tmsh help ltm rule command GTP::header", information regarding GTP::header and GTP::respond iRule command may be incorrect or missing.

Impact:
User may not be able to use related iRule command properly.

Workaround:
None

Fix:
Tmsh help page for GTP iRule is updated

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


913085 : Avrd core when avrd process is stopped or restarted

Links to More Info: BT913085

Component: Application Visibility and Reporting

Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.

Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.

Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.

Workaround:
None.

Fix:
Avrd no longer cores when avrd process is stopped or restarted.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1


912945 : A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed

Links to More Info: BT912945

Component: Local Traffic Manager

Symptoms:
In a virtual configured with multiple client SSL profiles, the profile with ECDSA-signed cert is not selected even though its CN/SAN matching the SNI extension of ClientHello.

Conditions:
-- A virtual server with multiple client SSL profiles.
-- The SNI of,,lientHello does not match the 'server name' of any profile.
-- The cert in the profile is ECDSA-signed and its CN/SAN matches SNI extension of ClientHello.
-- That profile in is not selected.

Impact:
The incorrect client SSL profile is selected.

Workaround:
Configure the 'Server Name' option in the client SSL profile.

Fix:
Fixed an issue with client SSL profile selection.

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1


912517 : Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured

Links to More Info: BT912517

Component: Local Traffic Manager

Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.

Conditions:
-- An LTM pool or pool members is configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.

Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.

Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).

Fix:
Database monitor no longer marks pool member down if 'send' is configured but no 'receive' strings are configured.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


912253 : Non-admin users cannot run show running-config or list sys

Links to More Info: BT912253

Component: TMOS

Symptoms:
Lower-privileged users, for instance guests or operators, are unable to list the configuration in tmsh, and get an error:

Unexpected Error: Can't display all items, can't get object count from mcpd.

The list /sys or list /sys telemd commands trigger the following error:

01070823:3: Read Access Denied: user (oper) type (Telemd configuration).

Conditions:
User account with a role of guest, operator, or any role other than admin.

Impact:
You are unable to show the running config, or use list or list sys commands.

Workaround:
Logon with an account with admin access.

Fixed Versions:
15.1.5.1, 16.1.2.2


912149 : ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476'

Links to More Info: BT912149

Component: Application Security Manager

Symptoms:
The system exhibits various symptoms related to sync and control plane, and reports errors similar to the following:

/var/log/:

asm:
-- (asm_config_server.pl,F5::Cgc::Channel::send): Failed to send a message, error:15638476.

ts_debug.log:
-- |ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|(zmq_assert) Assertion failed: load.get () == 0

Conditions:
-- Two devices in a sync-failover/sync-only device group.
-- Other conditions required to reproduce this issue are under investigation.

Note: The occurrences of the Cgc::Channel message in the /var/log/ and /var/log/ts/asm_config_server logs are the most reliable indicator of this issue.

Impact:
-- Config-sync does not work, resulting in a different configuration among the devices in a sync group.

-- Security log profile changes are not propagated to other devices.

-- Portions of the GUI hang, e.g.: Security module tab, and 'security' menu under virtual server.

-- Policies with learning enabled do not generate learning suggestions.

Workaround:
Restart asm_config_server on the units in the device group.

# pkill -f asm_config_server

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


911729 : Redundant learning suggestion to set a Maximum Length when parameter is already at that value

Links to More Info: BT911729

Component: Application Security Manager

Symptoms:
Policy Builder is issuing a learning suggestion to set a specific maximum length for a parameter when that parameter already has that exact maximum length already configured.

Conditions:
-- Response learning is turned on
-- Response parameter length is less than, but close to, the currently configured maximum length limit.

Impact:
Redundant learning suggestion is issued.

Workaround:
You can either:
-- Ignore the learning suggestion (Click the Ignore button).
-- Turn off Learn from response.

Fix:
Learning suggestion is no longer issued with already configured maximum parameter length value.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


911141 : GTP v1 APN is not decoded/encoded properly

Links to More Info: BT911141

Component: Service Provider

Symptoms:
GTP v1 APN element was decoded/encoded as octetstring and Only GTP v2 APN element is decoded/encoded as DNS encoding.

Conditions:
- GTP version 1.
- APN element.

Impact:
iRules become more complex when dealing with GTP v1 APN element, as it may need to convert between octetstring and dotted style domain name value after decoding or before encoding the data.

Workaround:
Use iRules to convert between octetstring and dotted style domain name values.

Fix:
GTP version 1 APN information element is now decoded/encoded as DNS encoding.

Behavior Change:
GTP v1 apn element is now decoded/encoded using DNS-like encoding. Previously, it was decoded/encoded as octetstring.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


910673 : Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'

Links to More Info: BT910673

Component: Local Traffic Manager

Symptoms:
Thales installation script fails with error message.

ERROR: Could not reach Thales HSM "<ip>". Make sure the HSM IP address is correct and that the HSM is accessible to the BIG-IP.

Conditions:
This occurs when the ICMP ping is blocked between the BIG-IP system and netHSM.

Impact:
Thales/nCipher NetHSM client software installation fails.

Workaround:
Unblock ICMP ping between the BIG-IP system and netHSM.

Fixed Versions:
15.1.5.1, 16.1.2.1


910213 : LB::down iRule command is ineffective, and can lead to inconsistent pool member status

Links to More Info: BT910213

Component: Local Traffic Manager

Symptoms:
Use of the LB::down command in an iRule may not have the desired effect, or may result in pool members that are down for load balancing, but indicate up/available in the GUI and CLI.

Specifically, the pool member is marked down within the tmm instance executing the iRule, but the status change is not updated to mcpd, or to other tmm instances.

As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'.

Note: If [event info] is logged in the LB_FAILED event, it will indicate that the load balancing decision failed due to "connection limit"

Conditions:
Using the LB::down command in an iRule.

Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs.

If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members.

Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'.

Workaround:
- Delete and recreate affected pool members
(or) Restart tmm
(or) Restart the BIG-IP.

There is no direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


909161 : A core file is generated upon avrd process restart or stop

Links to More Info: BT909161

Component: Application Visibility and Reporting

Symptoms:
Sometime when avrd process is stopped or restarted, a core is generated.

Conditions:
Avrd process is stopped or restarted.

Impact:
Avrd creates a core file but there is no other negative impact to the system.

Workaround:
None

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


907549 : Memory leak in BWC::Measure

Links to More Info: BT907549

Component: TMOS

Symptoms:
Memory leak in BWC calculator.

Conditions:
When the HSL log publisher is attached to the BWC::Measure instance in the Bandwidth policy.

Impact:
A memory leak occurs.

Workaround:
None.

Fix:
Memory is not leaked.

Fixed Versions:
15.1.0.5, 16.1.2.2


907025 : Live update error" 'Try to reload page'

Links to More Info: BT907025

Component: Application Security Manager

Symptoms:
When trying to update Attack Signatures. the following error message is shown:

Could not communicate with system. Try to reload page.

Conditions:
Insufficient disk space to update the Attack Signature.

Impact:
Live Update unable to restore the database during startup. Device runs out of disk space, which leads to failure in writing live update hsqldb log file. The liveupdatedb.script file, which is based on the .log file, is truncated and missing necessary settings in order to initialize the live update database.

Workaround:
This following procedure restores the database to its default, initial state:

1. Remove the sigfile.tmp.* directories under /var/ts/var/tmp.

2. Delete the script:
delete /var/lib/hsqldb/live-update/liveupdatedb.script

3. Create a new script:
create new /var/lib/hsqldb/live-update/liveupdatedb.script.

4. Add the following lines to create the live update database schema and set the SA user as expected:

 CREATE SCHEMA PUBLIC AUTHORIZATION DBA
 CREATE MEMORY TABLE AVAILABILITY(ID VARCHAR(255) NOT NULL,ERRORMESSAGE VARCHAR(255),LASTCHECKDATETIME BIGINT,LASTCHECKUPDATEFILE VARCHAR(255),STATUS VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT AVAILABILITY_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE INSTALLSCHEDULE(ID VARCHAR(255) NOT NULL,APPLYATALLTIMES BOOLEAN,APPLYONALLDAYS BOOLEAN,APPLYONFRIDAYS BOOLEAN,APPLYONMONDAYS BOOLEAN,APPLYONSATURDAYS BOOLEAN,APPLYONSUNDAYS BOOLEAN,APPLYONTHURSDAYS BOOLEAN,APPLYONTUESDAYS BOOLEAN,APPLYONWEDNESDAYS BOOLEAN,ENDTIME VARCHAR(255),FREQUENCY VARCHAR(255),STARTTIME VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT INSTALLSCHEDULE_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE UPDATEFILE(ID VARCHAR(255) NOT NULL,CREATEDATETIME BIGINT,FILELOCATION VARCHAR(255),FILENAME VARCHAR(255),ISFILEAVAILABLE BOOLEAN,ISFILEMANUALLYUPLOADED BOOLEAN,ISGENESIS BOOLEAN,MD5 VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT UPDATEFILE_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE INSTALLATION(ID VARCHAR(255) NOT NULL,ADDEDENTITIESCOUNT INTEGER,DELETEDENTITIESCOUNT INTEGER,ERRORMESSAGE VARCHAR(255),LASTREADMEFILENAME VARCHAR(255),LASTUPDATEMICROS BIGINT,LOADDATETIME BIGINT,MODIFIEDENTITIESCOUNT INTEGER,README VARCHAR(500000),STATUS VARCHAR(255),"TYPE" VARCHAR(255),UPDATEFILE_ID_OID VARCHAR(255),CONSTRAINT INSTALLATION_PK PRIMARY KEY(ID),CONSTRAINT INSTALLATION_FK1 FOREIGN KEY(UPDATEFILE_ID_OID) REFERENCES UPDATEFILE(ID))
 CREATE INDEX INSTALLATION_N49 ON INSTALLATION(UPDATEFILE_ID_OID)
 CREATE MEMORY TABLE INSTALLATION_DELETEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_DELETEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_DELETEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_DELETEDENTITYLIST_N49 ON INSTALLATION_DELETEDENTITYLIST(ID_OID)
 CREATE MEMORY TABLE INSTALLATION_MODIFIEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_MODIFIEDENTITYLIST_N49 ON INSTALLATION_MODIFIEDENTITYLIST(ID_OID)
 CREATE MEMORY TABLE INSTALLATION_ADDEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_ADDEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_ADDEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_ADDEDENTITYLIST_N49 ON INSTALLATION_ADDEDENTITYLIST(ID_OID)
 CREATE USER SA PASSWORD ""
 GRANT DBA TO SA
 SET WRITE_DELAY 20
 SET SCHEMA PUBLIC

5. Restart the tomcat process:
bigstart restart tomcat

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1


903313 : OWASP page: File Types score in Broken Access Control category is always 0.

Component: Application Security Manager

Symptoms:
Under Broken Access Control category, the contribution of Disallowed File Types seems to be 0 no matter what is the number of Disallowed File Types in policy. As a result, it is not possible to reach full compliance.

Conditions:
Security Policy is configured. Not Applicable for parent or child policy.

Impact:
For any OWASP configurable policy (i.e. not parent or child policy), the policy cannot reach the maximum score for Broken Access Control category


902377 : HTML profile forces re-chunk even though HTML::disable

Links to More Info: BT902377

Component: Local Traffic Manager

Symptoms:
HTML profile performs a re-chunk even though HTML::disable has been executed in the HTTP_RESPONSE event.

Conditions:
Using HTML::disable in an HTTP_RESPONSE event.

Impact:
The HTML profile still performs a re-chunk.

Workaround:
None.

Fixed Versions:
15.1.5.1, 16.1.2.2


901669 : Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change.

Links to More Info: BT901669

Component: TMOS

Symptoms:
-- The 'tmsh show cm failover-status' command shows a status of 'Error' when the command is run on a peer of a device that underwent a management IP address change.

-- Should the sod_tg_conn_stat or sod_tg_msg_stat tmstat tables be inspected using the tmctl command, the tables show stale information in the entry_key column.

Note: Additionally, in certain cases, it is possible for failover functionality to be broken after the management IP address change, meaning devices remain stuck in an improper Active/Active or Standby/Standby state. This further aspect of the issue is tracked under ID999125. This ID tracks only the cosmetic defect.

Conditions:
-- Two or more devices in a sync-failover device-group.
-- The management IP address is changed on one of the devices.

The error appears under either of these conditions:
-- The 'tmsh show cm failover-status' is run on a peer of the device that underwent the management IP address change.
-- The sod_tg_conn_stat or sod_tg_msg_stat tmstat tables are inspected using the tmctl command.

Impact:
The 'tmsh show cm failover-status' command indicates an error.

Workaround:
You can work around this issue by running the following command on the peers of the device which underwent a management IP address change:

tmsh restart sys service sod

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


898929 : Tmm might crash when ASM, AVR, and pool connection queuing are in use

Links to More Info: BT898929

Component: Local Traffic Manager

Symptoms:
TMM crashes and generates a core file.

Conditions:
-- System is provisioned for at least ASM, AVR, and LTM.
-- An LTM pool is configured to use connection queuing.
-- The LTM pool is used on a virtual server with an analytics profile.

Impact:
Tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
Disable connection queuing on the pool.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


896941-1 : Common Criteria ccmode script updated

Component: TMOS

Symptoms:
Configuration of SSH must be done to support Common Criteria compliance. This is currently done by following instructions in the Common Criteria Guidance Document.

Conditions:
Common Criteria compliance configuration.

Impact:
This update automates the SSH configuration.

Workaround:
Continue to follow Common Criteria Guidance document instructions for SSH configuration.

Fix:
Added SSH configuration to meet Common Criteria requirements.


895557 : NTLM profile logs error when used with profiles that do redirect

Links to More Info: BT895557

Component: Local Traffic Manager

Symptoms:
As of BIG-IP version 14.1, HTTP iRule commands that inspect HTTP state after the commands HTTP::respond, HTTP::redirect, and HTTP::retry returns errors instead of returning corrupt data (https://support.f5.com/csp/article/K23237429).

When the NTLM profile is configured, it does the same through a built-in TCL rule where among several things, it tries to check if HTTP::cookie exists. If a profile like HTTP exists wherein a redirect/respond/retry is configured, it results in a TCL error informing the admin that they are accessing an invalid HTTP state.

Conditions:
-- NTLM profile is configured alongside HTTP profile
-- One of the redirect/respond/retry commands has been executed before the NTLM profile accesses the state of HTTP (for ex. HTTP::collect, HTTP::close, HTTP::cookie, etc.).

Impact:
Tcl error is seen in /var/log/ltm informing the admin that the iRule operation executed after HTTP::redirect/retry/respond is not supported.

For example -
TCL error: _plugin_rule_/Common/ntlm_default_iis <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::cookie exists [PROFILE::ntlm insert_cookie_name]"

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2


889813 : Show net bwc policy prints bytes-per-second instead of bits-per-second

Links to More Info: BT889813

Component: TMOS

Symptoms:
The 'tmsh show net bwc policy' is printing out bits-per-second in the value field, but the name field says 'bytesPerSec'.

Conditions:
Running the tmsh command:
tmsh show net bwc policy

Impact:
The stats are in bits-per-second, but the label says bytesPerSec. Although there is no functional impact, the incorrect label could cause confusion.

Workaround:
None.

Fixed Versions:
14.1.4.5


888289 : Add option to skip percent characters during normalization

Links to More Info: BT888289

Component: Application Security Manager

Symptoms:
An attack signature is not detected.

Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.

Impact:
An attack goes undetected.

Workaround:
Turn on the bad unescape violation or the metacharacter violation.

Fix:
Added an internal parameter, normalization_remove_percents. Its default is 0 (zero), meaning that the previous behavior is maintained. When enabled, the normalization of the data before running the signature removes the percent characters (as it does to high ASCII and space characters).

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1


887117 : Invalid SessionDB messages are sent to Standby

Links to More Info: BT887117

Component: TMOS

Symptoms:
SessionDB messages sent from Active to Standby are dropped due to inconsistencies detected in the message. You see logs in /var/log/ltm:

SessionDB ERROR: received invalid or corrupt HA message; dropped message.

Conditions:
-- High availability (HA) pair configuration.
-- SessionDB messages sent from Active to Standby.

Impact:
Standby drops these messages

Workaround:
None.

Fixed Versions:
15.1.4.1, 16.1.1


885765 : ASMConfig Handler undergoes frequent restarts

Links to More Info: BT885765

Component: Application Security Manager

Symptoms:
Under some settings and load the RPC handler for the tsconfd process restarts frequently.

Conditions:
When processing a large number of configuration updates.

Impact:
The RPC handler for the tsconfd process restarts frequently, causing unnecessary churn and noisy logs

Workaround:
None

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1


884945 : Latency reduce in case of empty parameters.

Links to More Info: BT884945

Component: Application Security Manager

Symptoms:
Traffic load with many empty parameters may lead to increased latency.

Conditions:
Sending requests with many empty parameters

Impact:
Traffic load with many empty parameters may cause increased latency through the BIG-IP system.

Workaround:
None

Fix:
Ignore empty parameters


883049 : Statsd can deadlock with rrdshim if an rrd file is invalid

Links to More Info: BT883049

Component: Local Traffic Manager

Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'.

You may see errors:

-- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'.

Conditions:
Truncation of a binary file in /var/rrd.

Impact:
Stats are no longer collected. Statsd and rrdshim deadlock.

Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd

Fix:
Now detecting and rectifying truncation of RRD files.

Fixed Versions:
16.1.2.2


882709 : Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors&start;

Links to More Info: BT882709

Component: TMOS

Symptoms:
Traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.

This may manifest as traffic failing after an upgrade from earlier (unaffected) software versions.

Note: This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.

This is due to an interoperability issue between RedHat Enterprise Linux (RHEL) and Microsoft Hyper-V, which seems to affect RHEL v7.3 and RHEL v7.5.

Hyper-V on Windows Server 2016 and Windows Server 2012 do not seem to identify the version of the built-in LIS correctly on Centos 7.3 or Centos 7.5 (which are built on RHEL 7.3 and RHEL 7.5 respectively).

Although there is a statement of support by Microsoft for VLAN tagging on RHEL 7.3 and 7.5 when running on Hyper-V, that functionality does not appear to work at present: Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V :: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/Supported-CentOS-and-Red-Hat-Enterprise-Linux-virtual-machines-on-Hyper-V.

Conditions:
-- BIG-IP VE is deployed on a Hyper-V hypervisor.
-- VLAN configured in BIG-IP VE with tagged interfaces, e.g.:

    net vlan external {
        interfaces {
            1.1 {
                tagged
            }
        }
        tag 4000
    }

-- At present, VLAN tagging on the v14.x and v15.x releases does not work because those releases are running on CentOS 7.3 and 7.5 respectively, which both are affected by the MS/RHEL interoperability issue.

-- BIG-IP v12.x and v13.x use a different (older) CentOS version, so VLAN tagging works without issue on those releases.

Impact:
-- The system does not prevent you from configuring tagged VLANs, even though they do not pass traffic.

-- Although upgrades complete and you can reboot into the new boot location (or you can set up on Hyper-V from scratch), traffic does not pass (into the guest) across VLANs that are tagged.

Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.

Workaround:
Essentially, there is no workaround in this release; you must reconfigure the virtual machine to use separate, untagged interfaces for each VLAN.

Note: Although this is technically a problem between Hyper-V and the built-in LIS on RHEL 7.3/7.5, this issue is being tracked internally in this bug.

Behavior Change:
In this release, traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.

This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.

Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.

Fixed Versions:
16.1.2.2


881809 : serverssl profile hardening

Component: Local Traffic Manager

Symptoms:
Under certain conditions, the serverssl profile does not follow current best practices.

Conditions:
- serverssl profile in use
- Intel QAT HW accelerator in use
- AES-GCM/AES-CCM encryption in use

Impact:
serverssl profile does not process traffic as expected, potentially leading to dropped connections.

Workaround:
Use the AES(-CBC) cipher instead of AES-GCM and AES-CCM

Fix:
The serverssl profile now follows current best practices.


881085 : Intermittent auth failures with remote LDAP auth for BIG-IP managment

Links to More Info: BT881085

Component: TMOS

Symptoms:
There are intermittent auth failures when accessing the BIG-IP administration interfaces via SSH or the GUI.

Conditions:
-- Remote LDAP auth is configured.
-- An idle timeout RST is received on the LDAP connection before the configured auth LDAP idle-timeout expires. This RST might be generated by tmm (if the connection to the LDAP server is via a defined VLAN), some other intervening device on the network, or from the LDAP server itself (depending on its connection time limit).

Impact:
There might be intermittent remote-auth failures.

Workaround:
Set the auth ldap idle-timeout to a smaller value, for example, via tmsh:
modify auth ldap system-auth idle-timeout 299

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


876677 : When running the debug version of TMM, an assertion may be triggered due to an expired DNS lookup.

Links to More Info: BT876677

Component: Global Traffic Manager (DNS)

Symptoms:
When running the debug version of TMM, if a particular DNS lookup takes more than 30 seconds, TMM may assert with a message in the /var/log/tmm file similar to the following example:

notice panic: ../modules/hudfilter/3dns/cache_resolver.c:2343: Assertion "standalone refcnt must be one" failed.

Conditions:
-- Using the debug TMM
-- Using the RESOLV::lookup iRule command
-- The DNS server targeted by the aforementioned command is pathologically slow or malfunctioning

Impact:
TMM crashes and, in redundant configurations, the unit fails over.

Workaround:
Do not use the debug TMM.

Fix:
The debug assert was removed and replaced by a debug log.

Fixed Versions:
16.1.2.2


873617 : DataSafe is not available with AWAF license after BIG-IP startup or MCP restart.

Links to More Info: BT873617

Component: Fraud Protection Services

Symptoms:
DataSafe is not available with an AWAF license.

Conditions:
-- AWAF license
-- BIG-IP startup or MCP restart

Impact:
DataSafe is not available.

Workaround:
Reset to default license.antifraud.id variable.
tmsh modify sys db license.antifraud.id reset-to-default.

Fix:
Additional DataSafe license validation during MCP startup after license information is loaded.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


869049 : Charts discrepancy in AVR reports

Links to More Info: BT869049

Component: Application Visibility and Reporting

Symptoms:
Discrepancy in AVR reports. When filtering on the 'last month' interval, a specific number of total requests per virtual server is shown. Then when filtering to the present day from a date that encompasses that month, a lower number is reported.

Conditions:
-- Number of records in database exceeds the maximum mount of data that AVR can aggregate between different table-resolutions.
-- There are metrics on the report other than the default one (hits-count).

Impact:
Stats on DB get corrupted and incorrect.

Workaround:
None.

Fix:
Aggregation store-procedure is now fixed.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


858005 : When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:"

Component: Access Policy Manager

Symptoms:
APM Access Policy evaluation failed.

Conditions:
When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces there is no configuration error but runtime evaluation results in failure with error message in /var/log/apm:
"Rule evaluation failed with error:"

Impact:
APM end user’s session cannot be established.

Workaround:
Using APM VPE remove all leading/trailing spaces from config of “IP Subnet Match” agent

Fix:
This issue is fixed by trimming spaces from IP Subnet Match agent config in VPE

Fixed Versions:
16.1.2.2


854129 : SSL monitor continues to send previously configured server SSL configuration after removal

Links to More Info: BT854129

Component: In-tmm monitors

Symptoms:
After an SSL profile has been removed from a monitor, a monitor instance continues to use settings from the previously-configured server SSL profile, such as client certificate or ciphers or supported TLS versions.

Conditions:
-- In-TMM monitors enabled.
-- SSL monitor configured with a server SSL profile.
-- Setting the monitor's 'SSL Profile' parameter to 'none'.

Impact:
The previously configured settings, such as certificate or cipher, continue to be used for monitoring pool members, which may result in unexpected health check behavior/pool member status.

Workaround:
An administrator can avoid this issue by ensuring the monitor's 'SSL Profile' parameter specifies a profile (i.e., is not 'none').

Note: In some software versions, changing a monitor's SSL profile from one profile to a different profile may not take effect. For information about this behavior, see https://cdn.f5.com/product/bugtracker/ID912425.html

Fixed Versions:
16.1.2.2


849029 : No configurable setting for maximum entries in CRLDP cache

Links to More Info: BT849029

Component: Access Policy Manager

Symptoms:
There is no setting provided to configure maximum entries the in CRLDP cache.

Conditions:
In a configuration with tens of thousands of CRLDP and hundreds of thousands or millions of certificates, certain operations might encounter an internal limit, resulting in a number of revoked certificates.

Impact:
No settings exist. Cannot set maximum entries in CRLDP cache.

Workaround:
None.

Fix:
There is now a setting for configuring maximum entries in CRLDP cache.

Fixed Versions:
14.1.4.4


844045 : ASM Response event logging for "Illegal response" violations.

Links to More Info: BT844045

Component: Application Security Manager

Symptoms:
Response log is not available when the request is legal but returns an illegal response status code.
In ASM, logging profiles allow the logging of all blocked responses. The existing response logging allows either all requests or illegal requests only which does not contain response logging data.

Conditions:
-- Response logging is enabled
-- An illegal response occurs

Impact:
Response logging does not occur.

Workaround:
N/A

Fix:
When a response has ASM response violations and response logging is enabled only for when there was a violation, ASM includes the response in the log.

Added an internal variable:
disable_illegal_response_logging -- default value 0.

If the response logging is enabled in the GUI, only the response logs are captured.
If the variable disable_illegal_response_logging is set to 1, then response logging is disabled(even if enabled in GUI).

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


842013 : ASM Configuration is Lost on License Reactivation&start;

Links to More Info: BT842013

Component: Application Security Manager

Symptoms:
After re-activating a BIG-IP license, if the configuration fails to load and reverts to a base config load, the ASM policy config contains 'default' or 'stub' policies, even after fixing the error that caused the configuration to fail to load.

Conditions:
1) A parsing error exists in the BIG-IP config such that 'tmsh load sys config verify' would fail
2) There is a license reactivation or the configuration is reloaded

Impact:
ASM policy configuration is lost and all policies are reverted to empty 'stubs'

Workaround:
In the case of license re-activation/before upgrade:

   Run the command "tmsh load sys config verify" prior to license activation on ASM units to be sure that the config will pass parsing and avoid the fallback to base configuration load.

   In a case of booting the system into the new version:

   Option 1:

      1. Using the steps in either K4423 or K8465, fix the issue that was preventing the config to load.
      2. Reload the config from the fixed UCS file using the command in K13132.

   Option 2:

      1. Roll back to the old version.
      2. Fix the issue that was preventing the config to load.
      3. Before activating the Boot Location of the new version at System >> Software Management : Boot Locations, make sure to set the option Install Configuration to Yes. see: K64400324

   Option 3: If one of the high availability (HA) units successfully upgraded, then use config-sync to push the working config to the failing unit.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


838305 : BIG-IP may create multiple connections for packets that should belong to a single flow.

Links to More Info: BT838305

Component: Local Traffic Manager

Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.

Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.

Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


830361 : CVE-2012-6711 Bash Vulnerability

Links to More Info: K05122252, BT830361


830341 : False positives Mismatched message key on ASM TS cookie

Links to More Info: BT830341

Component: Application Security Manager

Symptoms:
ASM system triggers false positives for ASM Cookie Hijacking violation with reason "Mismatched message key"

Conditions:
-- An HTTP request containing an old frame cookie with a different message key from the main ts cookie is rejected
-- The cookie is left intact

Impact:
All subsequent requests are rejected on ASM Cookie Hijacking violation

Workaround:
1. Disable "Learn Host Names" flag all policies. If the policy builder is on manual mode, they need to change it back to Auto mode, disable "Learn Host Names", then change to manual mode.

OR

2. Delete the mismatched cookie. This will cause the violations to stop occurring if the request comes from a legit endpoint

Fix:
In order to activate the changed functionality, set internal parameter ignore_cookies_msg_key to 1 and restart asm by executing following commands in CLI:
/usr/share/ts/bin/add_del_internal add ignore_cookies_msg_key 1
bigstart restart asm

Once enabled, ASM system does not trigger false positives.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2.1


829653 : Memory leak due to session context not freed

Links to More Info: BT829653

Component: Policy Enforcement Manager

Symptoms:
Memory increases slowly

Conditions:
A PEM iRule times out

Impact:
Memory could be exhausted depending on the frequency of the command timeouts


828761 : APM OAuth - Auth Server attached iRule works inconsistently

Links to More Info: BT828761

Component: Access Policy Manager

Symptoms:
The iRule attached to the OAuth Resource Server (RS) is not triggered when the traffic hits the virtual server.

Conditions:
The issue occurs during a reboot of the BIG-IP device containing an OAuth server config and an attached iRule, or when the iRule is initially assigned to the OAuth Server.

Impact:
OAuth scope check agent fails with 'HTTP error 503': as the iRule attached to the RS virtual server is not triggered.

Workaround:
For existing OAuth servers with the iRule attached, modify the iRule, for example, adding a log. This makes the iRule trigger when it is initially attached or loaded.

Fix:
The iRule is triggered when a request comes to the OAuth RS virtual server.

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1


827393 : In rare cases tmm crash is observed when using APM as RDG proxy.

Links to More Info: BT827393

Component: Access Policy Manager

Symptoms:
Tmm may crash when APM is configured as an RDG proxy to access Microsoft remote desktops and applications.

Conditions:
APM is used as RDG proxy

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Tmm does not crash when APM is configured as RDG proxy.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5.1, 16.1.2.1


823877 : CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability

Links to More Info: K25126370, BT823877


818889 : False positive malformed json or xml violation.

Links to More Info: BT818889

Component: Application Security Manager

Symptoms:
A false positive malformed XML or JSON violation occurs.

Conditions:
-- A stream profile is attached (or the http profile is set to rechunk on the request side).
-- A json/XML profile attached to the virtual.

Impact:
A false positive violation.

Workaround:
Modify the http profile to work in preserve mode for request chunking (this workaround is not possible in 16.1).

Fix:
N/A

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


815901 : Add rule to the disabled pem policy is not allowed

Links to More Info: BT815901

Component: Policy Enforcement Manager

Symptoms:
Adding rule to PEM policy is not allowed

Conditions:
A PEM policy is disabled

Impact:
You are unable to add rules to a PEM policy if it is disabled.

Fix:
Allow adding rules to disabled PEM policy


810917 : OWASP Compliance score is shown for parent and child policies that are not applicable.

Component: Application Security Manager

Symptoms:
OWASP score for a parent policy or child policy is shown as 0.
The more accurate value should be 'N/A' since these policies are not configurable for OWASP.

Conditions:
Create either child policy or parent policy. On Security ›› Application Security : Security Policies : Policies List page you will see in the OWASP Compliance score the value 0, and when going to OWASP page configuration (Security ›› Overview : OWASP Compliance) the user will see a note that the policy is not configurable for OWASP.

Impact:
When looking on the policies list, the user may get the impression that the parent or child policies can be configured to comply with OWASP.

Workaround:
Ignore OWASP Compliance score for child and parent policies.


809409 : Support PKCE (Proof Key for Code Exchange) in BIG-IP APM OAuth Authorization Server.

Component: Access Policy Manager

Symptoms:
APM does not support PKCE in the OAuth Authorization Server scenario.

Conditions:
-- APM provisioned and an APM policy is configured to use OAuth as an Authorization Server.

Impact:
PKCE is not supported.

Workaround:
N/A

Fix:
APM OAuth Authorization Server mode now supports PKCE Authorization flow defined in RFC7636.


808913 : Big3d cannot log the full XML buffer data

Links to More Info: BT808913

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d cannot log the full XML buffer data:

-- notice big3d[12212]: 012b600d:5: Probe from ::ffff:11.11.1.21:45011: len 883/buffer = <vip>.

Conditions:
The gtm.debugprobelogging variable is enabled.

Impact:
Not able to debug big3d monitoring issues efficiently.

Workaround:
None.


808893-4 : DNS DoS profile vectors do not function correctly&start;

Links to More Info: BT808893

Component: Advanced Firewall Manager

Symptoms:
Clients report that DNS TXT queries are not working. In /var/log/ltm, you see the following error:

DOS attack start was detected for vector TXT query DOS.

Conditions:
This can occur when DNS profile DoS vectors are enabled. It can be encountered after upgrading.

Impact:
DNS DoS detection and mitigation is not functioning correctly.

Workaround:
None.

Fix:
DNS DoS profile vectors are now detected correctly.

Fixed Versions:
14.1.4.6


805821 : GTP log message contains no useful information

Links to More Info: BT805821

Component: Service Provider

Symptoms:
GTP profile and GTP iRules provide no useful information in order to proceed with troubleshooting.

Conditions:
GTP profile or iRules fails to process message

Impact:
User lacks of information for troubleshooting

Workaround:
N/A

Fix:
GTP error log has been replaced with a more useful message. The new log message provides more intuitive information including the reason and, in some messages, location of data that causes the failure.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


803965 : Expat Vulnerability: CVE-2018-20843

Links to More Info: K51011533, BT803965


803109 : Certain configuration may result in zombie forwarding flows

Links to More Info: BT803109

Component: Local Traffic Manager

Symptoms:
OneConnect profile in conjunction with 'Source-port preserve-strict' or cmp-hash setting of 'dst-ip' or 'src-ip' on the server-side VLAN may result in zombie forwarding flows.

On the server-side the incoming traffic hits a different TMM from the one that handles the outgoing traffic.

Unexpected 'Inet port exhaustion' messages may be logged in the LTM log file.

Conditions:
-- OneConnect configured.

And one of the following:

-- Source-port is set to preserve-strict.
-- The cmp-hash setting on the server-side VLAN is set to 'dst-ip' or 'src-ip'.

Impact:
Zombie forwarding flows. Over time, the current allocation count grows and does not return to its prior level when traffic stops.

The current allocation can be checked with this command:
# tmctl memory_usage_stat name=connflow -s name,cur_allocs

Workaround:
You can use any of the following workarounds:

-- Remove the OneConnect profile from the Virtual Server.

-- Do not use 'source-port preserve-strict' setting on the Virtual Server.

-- Set the 'cmp-hash default' on the server-side VLAN if it is set to 'cmp-hash src-ip' or 'cmp-hash dst-ip'.

Note: After making this change, it may be necessary to run the command 'tmsh restart sys service tmm', which will clear the old flows but also impact traffic. Traffic interrupted while tmm restarts.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


797797 : CVE-2019-11811 kernel: use-after-free in drivers

Links to More Info: K01512680, BT797797


794385 : BGP sessions may be reset after CMP state change

Links to More Info: BT794385

Component: Local Traffic Manager

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, there is a small chance that ingress ACK packet of previously established BGP connection is going to be disaggregated to the new processing group(TMMs) and selected TMM is ready to process traffic, but is not ready yet to process traffic for existing connection. In this case, connection isn't processed and reset instead.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BGP peering is configured.
-- CMP state change is occurred on one of the blades.
-- BGP ingress ACK packet is disaggregated to TMM, which either wrong TMM or not ready to process the packet of already established connection

Impact:
Affected BGP peering is reset and dynamic routes learnt by the configured protocol are withdrawn, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decisions are from networks learnt by affected routing protocols when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
There is no workaround, but the issue was never seen with a configuration where CMP hash of affected VLAN is changed back to Default value.

Fix:
BGP session is no longer reset during CMP state change.

Fixed Versions:
15.1.5.1, 16.1.2.2


791669-4 : TMM might crash when Bot Defense is configured for multiple domains

Links to More Info: BT791669

Component: Application Security Manager

Symptoms:
TMM might crash and generate a core file when using a Bot Defense profile that is configured for multiple domains.

Conditions:
Bot Defense is configured with multiple 'Related Site Domains' and attached to a virtual server.

Impact:
TMM crash with core. Traffic disrupted while tmm restarts.

Workaround:
None,

Fix:
TMM no longer crashes when Bot Defense is configured for multiple domains.

Fixed Versions:
14.1.2.3, 15.1.4, 16.0.1.2


789841 : Some specific security enhancements were added to the payload normalization.

Component: Application Security Manager

Symptoms:
Some specific evasions and normalizations were missing.

Conditions:
ASM attack signatures

Impact:
Attack could go un-noticed.

Workaround:
None

Fix:
Added support for evasion enhancements.


780857 : HA failover network disruption when cluster management IP is not in the list of unicast addresses

Links to More Info: BT780857

Component: Local Traffic Manager

Symptoms:
If the cluster management IP address is not in the list of failover network unicast addresses, the blade management IP addresses in the unicast mesh will not be able to receive failover messages from peer devices.

Conditions:
-- VIPRION chassis or vCMP guest on a VIPRION chassis.
-- Per-blade management IP addresses listed in the failover network unicast mesh.
-- No cluster management IP address listed.

Impact:
The blade management IP addresses in the failover network unicast mesh stop functioning:

[root@VIP2200-R75-S5:/S1-green-P::Standby:In Sync] config # tmctl -w 200 -S sod_tg_conn_stat
entry_key local_failover_addr remote_device_name pkts_received transitions last_msg status
----------------------------- ------------------- ------------------------------ ------------- ----------- ---------- ------
10.200.75.8->10.10.10.1:1026 10.10.10.1:1026 VIP2200-R75-S8.sin.pslab.local 3249 3 1555399271 1
10.200.75.8->10.200.75.3:1026 10.200.75.3:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
10.200.75.8->10.200.75.4:1026 10.200.75.4:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--

Workaround:
You can add an explicit management IP firewall rule to allow this traffic:

tmsh modify security firewall management-ip-rules rules add { accept_udp_1026 { place-before first ip-protocol udp destination { ports add { 1026 } } action accept } }

This will add a firewall policy so port 1026 is no longer locked down, and the blade management IP addresses in the unicast mesh should begin to function properly.


773853 : Support JWE consumption in OAuth Client and Resource Server.

Component: Access Policy Manager

Symptoms:
If the Client/Resource Server receives a JWE token it will be shown as an invalid token.

Conditions:
1. BIG-IP APM deployed as OAuth Client/Resource Server.
2. Third party Authorization Servers such as Ping Federate is deployed. JWE enabled in JWT Key configuration
3. APM receives Access/ID tokens in JWE format from AS.

Impact:
The APM Client/Resource server is unable to consume the JWE token.

Workaround:
N/A

Fix:
APM OAuth Client and Resource Server now supports consumption of JWE token (which is sent by third party AS).


755976 : ZebOS might miss kernel routes after mcpd deamon restart

Links to More Info: BT755976

Component: TMOS

Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some of kernel routes (virtual addresses).

One of the most common scenario is a device reboot.

Conditions:
-- Dynamic routing is configured.
-- Virtual address is created and Route Advertisement is configured:
imish -e 'sh ip route kernel'
-- mcpd daemon is restarted or device is rebooted.

Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.

Workaround:
There are several workarounds; here are two:

-- Restart the tmrouted daemon:
bigstart restart tmrouted

-- Recreate the affected virtual address.

Fix:
The kernel route is now present in the ZebOS routing table after mcpd daemon restart.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


752077 : Kerberos replay cache leaks file descriptors

Links to More Info: BT752077

Component: Access Policy Manager

Symptoms:
APMD reports 'too many open files' error when reading HTTP requests:

-- err apmd[15293]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 113 Msg: epoll_create() failed [Too many open files].
-- err apmd[15293]: 01490000:3: ApmD.cpp func: "process_apd_request()" line: 1801 Msg: Error 3 reading/parsing response from socket 1498. strerror: Too many open files, queue size 0, time since accept

There are file descriptor dumps in /var/log/apm showing many deleted files with name krb5_RCXXXXXX:

-- err apmd[15293]: 01490264:3: 1492 (/shared/tmp/krb5_RCx8EN5y (deleted)) : cloexec, Fflags[0x8002], read-write
-- err apmd[15293]: 01490264:3: 1493 (/shared/tmp/krb5_RCnHclFz (deleted)) : cloexec, Fflags[0x8002], read-write
-- err apmd[15293]: 01490264:3: 1494 (/shared/tmp/krb5_RCKGW8ia (deleted)) : cloexec, Fflags[0x8002], read-write

Conditions:
This failure may happen if the access policy uses Kerberos authentication, Active Directory authentication, or Active Directory query. The conditions under which the Kerberos replay cache leaks is unknown.

Impact:
APM end users experience intermittent log on issues.

Workaround:
None.


749332 : Client-SSL Object's description can be updated using CLI and with REST PATCH operation

Links to More Info: BT749332

Component: TMOS

Symptoms:
REST PUT fails to update the object description when proxy-ca-cert and proxy-ca-key are not configured, and triggers an error:
SSL forward proxy RSA CA key is missing.

Conditions:
Issue is seen only with REST PUT operation, and when proxy-ca-cert and proxy-ca-key are not configured.

Impact:
REST PUT operation cannot be used to update/modify the description.

Workaround:
You can use either of the following:

-- You can use TMSH to update/modify the description, even if proxy-ca-cert and proxy-ca-key are not configured.

-- You can also use PATCH operation and send only the required field which need modification.

Fixed Versions:
14.1.4.4, 15.1.5, 16.1.2.1


743826 : Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0)

Links to More Info: BT743826

Component: Application Visibility and Reporting

Symptoms:
When a pool member is defined with port any(0), calling the GetPoolMember() function, gives an incorrect error message that the pool member was not found.

Conditions:
Pool member with port any(0)

Impact:
Wrong error message printed to avrd.log

Fix:
Added a flag that indicates whether or not to print an error message to the GetPoolMember() function.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1


742753 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail

Links to More Info: BT742753

Component: TMOS

Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.

Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:

- Remove the Referer header.

- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.

Impact:
Users cannot log on to the BIG-IP system's WebUI.

Workaround:
As a workaround, you can do any of the following things:

- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).

- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).

- Modify the proxy solution so that it inserts compatible Referer and Host headers.

Fix:
CSRF checks based on HTTP headers pre-logon have been improved.

Fixed Versions:
16.1.2.2


738593 : Vmware Horizon session collaboration (shadow session) feature does not work through APM.

Links to More Info: BT738593

Component: Access Policy Manager

Symptoms:
When the VMware virtual desktop interface (VDI) is configured, session collaboration or shadow session does not work.

Conditions:
-- VMware VDI configured and Desktop resource is accessed with native client or browser.
-- Shadow session is enabled in desktop.

Impact:
Desktop's Shadow session resource icon is not showed on webtop or native client.

Workaround:
N/A

Fix:
Users should see Desktop's shadow session icon when resources are loaded on to webtop or native client.

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1


724653 : In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync.

Links to More Info: BT724653

Component: TMOS

Symptoms:
In a device-group configuration, a BIG-IP administrator can add a non-synced object to a partition on one device, then delete that partition on a peer device, syncing the delete (this is assuming the partition is empty on the peer).

Although the config-sync operation will report as having completed successfully on both devices, and no errors will be visible in the /var/log/ltm file of either device, a number of issues can manifest at a later time.

For instance, assuming the non-synced object was a VLAN, listing all VLANs across all partitions will return the following error:

root@(bigip-ntr-d)(cfg-sync In Sync)(Active)(/)(tmos)# list net vlan recursive
01070712:3: Internal error, can't load folder or nested folder for: /test/my_vlan

And reloading the config will return the following error (as the partition has been deleted, including its flat config files):

root@(bigip-ntr-d)(cfg-sync In Sync)(Active)(/Common)(tmos)# load sys config
Loading system configuration...
  /defaults/asm_base.conf
  /defaults/config_base.conf
  /defaults/ipfix_ie_base.conf
  /defaults/ipfix_ie_f5base.conf
  /defaults/low_profile_base.conf
  /defaults/low_security_base.conf
  /defaults/policy_base.conf
  /defaults/wam_base.conf
  /defaults/analytics_base.conf
  /defaults/apm_base.conf
  /defaults/apm_saml_base.conf
  /defaults/app_template_base.conf
  /defaults/classification_base.conf
  /var/libdata/dpi/conf/classification_update.conf
  /defaults/urlcat_base.conf
  /defaults/daemon.conf
  /defaults/pem_base.conf
  /defaults/profile_base.conf
  /defaults/sandbox_base.conf
  /defaults/security_base.conf
  /defaults/urldb_base.conf
  /usr/share/monitors/base_monitors.conf
Loading configuration...
  /config/bigip_base.conf
  /config/bigip_user.conf
  /config/bigip.conf
01070523:3: No Vlan association for STP Interface Member 1.2.
Unexpected Error: Loading configuration process failed.

These are just examples, and the exact failures will depend on the type of non-synced object and its use within your configuration.

Conditions:
-- Two or more devices in a device-group configuration.
-- Using partitions that contain non-synced objects.
-- Deleting the partition on a device and syncing the changes to the other devices.

Impact:
The partition is deleted on the peer device, even though it still contains non-synced objects. A number of config issues can arise at a later time as a result of this.

Workaround:
In some cases, if you need to define non-synced objects, you can do so in partitions or folders that are associated with 'device-group none' and 'traffic-group none'. This would prevent the partition or folder from synchronizing to other devices in the first place.

Fix:
Validation has been added that will make a config-sync receiver reject the operation if this includes the deletion of a non-empty partition. In this case, the config-sync will fail and report an error message similar to the following example:

0107082a:3: All objects from local device and all HA peer devices must be removed from a partition (test) before the partition may be removed, type ID (467), text ID (60706)


720610-5 : Automatic Update Check logs false 'Update Server unavailable' message on every run

Links to More Info: BT720610

Component: TMOS

Symptoms:
The Automatic Update Check operation erroneously logs a message indicating that the Update Server is unavailable on every run, successful or not.

Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.

Impact:
Misleading 'PHONEHOME: Update Server unavailable' messages in the log file, implying that the update server is not available.

Workaround:
None.

Fix:
The Automatic Update Check operation no longer logs false messages.

Fixed Versions:
13.1.3, 14.1.2.7


717806 : In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured

Links to More Info: BT717806

Component: Local Traffic Manager

Symptoms:
Load average peaks are observed when a high number of monitors (>= 200) are configured across 'n' bigd instances.

Conditions:
When a high number of monitors are configured across 'n' bigd instances. CPU load peaks appear and disappear periodically.

Impact:
No performance impact

Workaround:
None

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


708991 : Newly entered password is not remembered.

Links to More Info: BT708991

Component: TMOS

Symptoms:
- Upon enabling password remember feature and running 'tmsh load sys config default', the password history fails to verify and save the newly entered password.
- Upon installing a BIG-IP image for the first time, the default password is not updated.

Conditions:
- Installing first time BIG-IP image.
- Resetting the configuration using 'tmsh load sys config default'.

Impact:
The password is not remembered.

Workaround:
N/A

Fix:
Corrected selinux policy script of the file /etc/security/opasswd for access permission.

Fixed Versions:
16.1.2


686783 : UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters.

Links to More Info: BT686783

Component: Traffic Classification Engine

Symptoms:
If a UrlCat custom database feed list has URLs containing a www prefix or capital letters, the URLs are not categorized when queried.

Conditions:
The UrlCat custom database feed list with URL containing www prefix or capital letters,

Impact:
Improper classification

Workaround:
Using an iRule can help classify the URL.

Fix:
Normalized the URL before putting in the custom database.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


674026 : iSeries AOM web UI update fails to complete.&start;

Links to More Info: BT674026

Component: TMOS

Symptoms:
Upon upgrading a BIG-IP version, AOM web UI updates can sometimes fail.

Conditions:
This occurs when upgrading a BIG-IP system's software version on iSeries platforms.

Impact:
After booting to a new version, the AOM web UI update fails with an error message in /var/log/ltm similar to the following:

err bmcuiupdate[20824]: Failed updated AOM web UI with return code 2

Workaround:
At the bash prompt run:

/etc/lcdui/bmcuiupdate

This triggers another upgrade attempt, and the result is logged in /var/log/ltm. This should not be service-affecting.

Fix:
AOM web UI update failures are now automatically corrected.


673952 : 1NIC VE in high availability (HA) device-group shows 'Changes Pending' after reboot

Links to More Info: BT673952

Component: TMOS

Symptoms:
When Virtual Edition (VE) is configured for 1NIC, you will see the following logs on reboot indicating that configuration has been loaded from file:

 notice tmsh[12232]: 01420002:5: AUDIT - pid=12232 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all base
 notice tmsh[12392]: 01420002:5: AUDIT - pid=12392 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all

Conditions:
- VE configured in 1NIC mode.
- Unit booted either through reboot or power on.

Impact:
This is unlikely to have any impact if the VE is in standalone mode but could result in an unexpected config if the configuration files differ.

If the VE is part of a device-group, then this will result in a commit id update and the units will show 'Changes pending'.

Workaround:
None.


673272 : Search by "Signature ID is" does not return results for some signature IDs

Links to More Info: BT673272

Component: Application Security Manager

Symptoms:
Search by "Signature ID is" does not return results for some signature IDs.

Conditions:
Request associated with signature that was previously enforced and is now in staging after the attack signature update.

Impact:
You are unable to filter requests by some signature IDs.

Fix:
Fixed an issue with searching by signature ID.

Fixed Versions:
13.1.4, 14.1.4.2, 15.1.4, 16.0.1.2


672963 : MSSQL monitor fails against databases using non-native charset

Links to More Info: BT672963

Component: Local Traffic Manager

Symptoms:
MSSQL monitor is fails against databases using non-native charset.

Conditions:
MSSQL monitor configured to monitor a database that is using non-native charset (ISO-8859-1).

Impact:
MSSQL monitoring always marks node / member down.

Workaround:
On BIG-IP v13.x and v14.0.x, you can work around this issue using the following steps:

1. Log in to the BIG-IP console into a bash prompt.

2. Run the following command:
mount -o remount,rw /usr; ln -s /usr/java-64/openjdk/lib/charsets.jar /usr/java/openjdk/lib/charsets.jar; mount -o remount,ro /usr

3. Restart bigd:
bigstart restart bigd

Fix:
MSSQL monitor can be used effectively against a database using a non-native charset.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


669046 : Handling large replies to MCP audit_request messages

Links to More Info: BT669046

Component: TMOS

Symptoms:
When receiving very large replies to MCP messages (e.g., when viewing audit logs from the GUI), MCP can run out of memory and produce a core file. This is due in part to the amount of data returned, and also due in part to memory handling.

In a production environment, fragmentation naturally occurs over the lifetime of MCP, thus increasing the odds of this happening. In addition, larger configurations cause more space to be consumed in MCPD and might more easily lead to the fragmentation, resulting in this issue.

Conditions:
Receiving very large replies to MCP messages (e.g., from audit_request messages, which occurs when you view audit logs from the GUI).

Memory usage is already high.

Impact:
Allocation of memory for viewing the audit logs fails. MCP can run out of memory and produce a core file.

Workaround:
Use tmsh/bash to view the audit logs instead of the GUI when audit logs are extremely large and memory usage is already high.

Fix:
Viewing audit logs in the GUI is now limited to 10,000 lines, so this issue no longer occurs.

Behavior Change:
The GUI is limited to viewing no more than 10,000 lines of the audit log.

You can use tmsh/bash to view audit logs larger than 10,000 lines.

Fixed Versions:
16.1.2.2


580715 : ASM is not sending 64 KB remote logs over UDP

Links to More Info: BT580715

Component: Application Security Manager

Symptoms:
REmote logs are missing. The following log messages appears in bd.log and asm.log:

ASM configuration error: event code L3350 Failed to write to remote logger vs_name_crc 1119927693 LoggingAccount.cpp:3348`remote log write FAILED res = -3 <Failed to send remote message (remote server not responding)> errno <Message too long>.

Conditions:
-- A remote logger configured for UDP.
-- Max message length of 64 KB.

Impact:
Missing logs in the remote logger.

Workaround:
You can use either of the following workarounds:

-- Change the remote logger to TCP.

-- Reduce the message length to 1 KB.

Fixed Versions:
15.1.5


574762 : Forwarding flows leak when a routing update changes the egress vlan

Component: Local Traffic Manager

Symptoms:
Forwarding flow doesn’t expire and leaks a connflow object.

Conditions:
Conditions to hit this are a route change on forwarded flows.

Impact:
Memory leak.

Workaround:
None

Fix:
Fixed a memory leak with forwarding flows.


528894 : Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition

Links to More Info: BT528894

Component: TMOS

Symptoms:
Configuration stanzas that do not belong in the files of a non-Common partition appear there. These stanzas could include, for example, 'net trunk' or 'sys ha-group' objects.

Conditions:
-- The system includes partitions other than Common.

-- Configuration in a partition other than Common is modified.

-- A Config-Sync operation not involving an overwrite takes place (it is also possible to reproduce this issue on a standalone BIG-IP system by doing a save operation like the following: "tmsh save sys config partitions { Common other }").

Impact:
/config/partitions/<partition_name>/bigip_base.conf will contain extraneous config stanzas (such as the ones mentioned in Symptoms).

/config/bigip_base.conf will no longer contain config stanzas that belong there.

Note that the impact is mostly cosmetic. An affected device will still be able to correctly load its configuration even if some config stanzas appear in the wrong flat config file.

However, Administrators performing audits of the flat config files will be perplexed as to why some stanzas are moving back and forth between partitions.

Workaround:
If you wish to restore your flat config files to their proper state after the issue has already occurred, simply run "tmsh save sys config" on the affected device.

Alternatively, to prevent the issue in the first place, you can Config-Sync using the following command "tmsh run cm config-sync force-full-load-push to-group <device-group>".

Note that neither workaround is permanent and the issue will reoccur.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5, 16.1.2.2


435231-1 : Support RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral parameters

Component: Local Traffic Manager

Symptoms:
RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) parameters are not supported.

Conditions:
This affects ciphersuites that use Diffie–Hellman key exchange.

Impact:
Support for larger FFDHE groups will be chosen if offered by the client. There is an impact to performance versus previously chosen Diffie–Hellman 1024.

Workaround:
None.

Fix:
RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) parameters are now supported.


423519 : Bypass disabling the redirection controls configuration of APM RDP Resource.

Component: Access Policy Manager

Symptoms:
User can bypass RDP resource redirection restrictions between RDP remote machine and local machine.

Conditions:
1. Create RDP resource. Disable redirection parameter.
2. Launch the resource.
3. Launch RDP Client, enable redirection parameter.

Impact:
User can bypass RDP resource restrictions.

Workaround:
NA

Fix:
User is not allowed to perform any redirection controls of the RDP resource.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1087201 : OpenSSL Vulnerability: CVE-2022-0778

Links to More Info: K31323265, BT1087201


1086897 : PEM subcriber lookup can fail for internet side/subscriber side new connections

Links to More Info: BT1086897

Component: Policy Enforcement Manager

Symptoms:
PEM subscriber lookup can fail for internet/subscriber side flow for new connections, as PEM uses the local address to look up the session, which is not the subscriber.

Conditions:
-- PEM enabled and configured
-- Subscriber session has multiple IP's
-- Each IP lands on a different TMM

Impact:
PEM subscriber lookup can fail on the internet side or subscriber side

Workaround:
None

Fix:
PEM subscriber lookup now always succeeds for internet side and subscriber side new connections,

Fixed Versions:
16.1.2.2


1086677 : TMM Crashes in xvprintf() because of NULL Flow Key

Component: Local Traffic Manager

Symptoms:
TMM crashes while passing traffic

Conditions:
This was observed during internal testing and occurred while making configuration changes while passing traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed a tmm crash.


1085077 : TMM may crash while processing SIP-ALG traffic

Component: Carrier-Grade NAT

Symptoms:
Under certain conditions TMM may crash while processing SIP-ALG traffic

Conditions:
- SIP profile enabled

Impact:
TMM crash leading to a failover event

Workaround:
N/A

Fix:
TMM now processes SIP traffic as expected.


1084173 : Unable to specify "no caching desired" for ephemeral DNS resolvers (i.e. RESOLV::lookup).

Links to More Info: BT1084173

Component: Global Traffic Manager (DNS)

Symptoms:
Each time the iRule command RESOLV::lookup is invoked with a different target IP address or internal virtual server, a unique resolver context is created.

However, for performance and memory preservation reasons, all ephemeral resolvers are backed by the same set of DNS caches.

This means that repeated identical queries to different ephemeral resolvers will always return the answer from the cache that was retrieved by the first ephemeral resolver (until the TTL of the record expires).

While this is fine in the traditional use of DNS, this may be problematic in certain specific use-cases. For example, this does not allow for per-user DNS servers to return different results for the same query. This technique could be used by an iRule to retrieve user-specific information to then spin up user-unique virtual environments.

Conditions:
Sending repeated queries for the same FQDN to different ephemeral resolvers (before the TTL expires) and expecting different results back.

Impact:
Inability to support specific use-cases in a BIG-IP iRule.

Fix:
Versions with the fix include a new DB key called dnscache.ephemeralsnocache, which defaults to "disable".

When set to "disable", the system behaves exactly as in previous releases.

When set to "enable", ephemeral resolvers spawned in an iRule by the RESOLV::lookup command no longer cache anything, thus allowing for use-cases similar to the example mentioned under Symptoms.


1083989 : TMM may restart if abort arrives during MBLB iRule execution

Links to More Info: BT1083989

Component: Local Traffic Manager

Symptoms:
"Unallocated flow while polling for rule work. Skipping." is logged in /var/log/ltm.

*or*

"flow in use" assert fails causing TMM to restart.

Conditions:
- Virtual using MBLB proxy.
- iRule with LB_SELECTED, CLIENT_CLOSED, and SERVER_CLOSED events.
- client connection is aborted while LB_SELECTED is queued for execution.

Impact:
TMM may restart unexpectedly.

Workaround:
Remove LB_SELECTED event from the iRule, if feasible.

Fix:
The MBLB proxy now correctly handles being aborted when it has iRule events queued for execution.

Fixed Versions:
16.1.2.2


1083225 : TMM may crash while processing SIP traffic

Component: Carrier-Grade NAT

Symptoms:
Under certain conditions TMM may crash while processing SIP traffic

Conditions:
- SIP profile enabled

Impact:
TMM crash leading to a failover event

Workaround:
N/A

Fix:
TMM now processes SIP traffic as expected.


1082885 : MR::message route virtual asserts when configuration changes during ongoing traffic

Links to More Info: BT1082885

Component: Service Provider

Symptoms:
MR::message route virtual causes TMM to crash / panic when the configuration changes during ongoing traffic. This is due to
an invalid validation of the TYPEIDs when mis-matched virtual servers / proxies are identified because of the configuration change.

Conditions:
A BIG-IP configuration change is made while passing traffic.

Impact:
Traffic disrupted while tmm restarts.

Fix:
With the fix, proper validation of the Proxy TYPEIDs will make the server to gracefully close the connection when PROXIES TYPEIDs mismatch is detected and a relevant error log is printed in the ltm logs as well.

Fixed Versions:
16.1.2.2


1081709 : Tmm crash SIGSEGV - traffic_selector_update_handler

Component: TMOS

Symptoms:
Tmm can crash while creating a large number of tunnels.

Conditions:
-- IPsec enabled
-- A large number of tunnels is created

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Return values are handled and ensured crash does not occur when function returns with fail


1081201 : MCPD certification import hardening

Component: TMOS

Symptoms:
Under certain conditions, MCPD does not follow current best practices for certificate import.

Conditions:
- Authenticated administrative user
- Invalid SSL certificate import request

Impact:
MCPD crash leading to a failover event.

Workaround:
N/A

Fix:
MCPD now follows current best practices for certificate import.


1081153-3 : TMM may crash while processing administrative requests

Component: Policy Enforcement Manager

Symptoms:
Under certain conditions TMM may crash while processing administrative requests

Conditions:
- Authenticated administrative user
- Administrative data request

Impact:
TMM crash leading to a failover event

Workaround:
N/A

Fix:
TMM now processes administrative requests as expected


1080581 : Virtual server creation is not allowed to have TCP, UDP and HTTP together with Client or Server SSL Profiles.&start;

Links to More Info: BT1080581

Component: Local Traffic Manager

Symptoms:
During the upgrade, the configuration load fails with an error:

err mcpd[6381]: 01070734:3: Configuration error: A virtual server (/Common/my_virtual) is not allowed to have TCP, UDP and HTTP together with Client or Server SSL Profiles.

Conditions:
-- Upgrading from an earlier version that contains a QUIC profile in a virtual server having tcp, UDP, and HTTP together
-- Upgrading to version 15.1.5 or higher

Impact:
BIG-IP will remain in inoperative state after upgrade

Fix:
QUIC protocol is allowed to use tcp and udp protocol in combination

Fixed Versions:
15.1.5.1


1080341 : Changing an L2-forward virtual to any other virtual type might not update the configuration.

Links to More Info: BT1080341

Component: Local Traffic Manager

Symptoms:
Changing an L2-forward virtual-server to any other virtual-server type might not update the saved configuration.

Conditions:
Changing an L2-forward virtual-server to any other virtual-server type.

Impact:
Traffic still behaves as if L2-forward virtual-server is configured.

Workaround:
Remove and re-create the affected virtual-server.

Fixed Versions:
16.1.2.2


1079817 : Java null pointer exception when saving UCS with iAppsLX installed&start;

Links to More Info: BT1079817

Component: TMOS

Symptoms:
When saving a UCS the resulting archive does not contain iAppLX packages. This is because the POST to /shared/iapp/build-package gets a 400 error from restjavad.

The restjavad log files will show a null pointer exception when this occurs.

Conditions:
Saving UCS file when iAppLX packages are installed.

Impact:
When saving a UCS the resulting archive does not contain iAppLX packages.

Fix:
The RPM build completes successfully.


1079769 : Tmm utilizing the virtio driver might crash after modifying several IPv6 virtual servers

Links to More Info: BT1079769

Component: Local Traffic Manager

Symptoms:
Tmm crash

There might be entries similar to the following in the tmm log:
notice virtio[0:7.0]: MAC filter[27]: 33:33:ff:00:10:01 - deleted
notice virtio[0:7.0]: MAC filter[27]: 33:33:ff:00:10:01 - added

Conditions:
-- The tmm is utilizing the virtio driver for network communications.
-- Several changes are made to IPv6 listeners. Several changes would be on the order of at least 1,900.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
A work-around would be to utilize the sock driver. However, that will not perform as well.

Fix:
A defect was fixed in the virtio driver that might trigger a tmm crash.


1079637-2 : Incorrect Neuron rule order

Links to More Info: BT1079637

Component: Advanced Firewall Manager

Symptoms:
The order of Neuron rules created for the virtual servers may be incorrect.

Conditions:
- Platforms with Neuron support (BIG-IP iSeries) configured with a Turboflex profile other than turboflex-base.

Impact:
There are several features that rely on the Neuron rules.

In case of hardware SYN Cookie a TCP virtual server may not receive the TCP SYN packets even if the virtual server is not in SYN Cookie mode.

Some sPVA feature may behave unexpectedly.

Fix:
The order of the Neuron rules is now correct.

Fixed Versions:
15.1.5.1


1079505 : TMM may consume excessive resources while processing SSLO traffic

Component: SSL Orchestrator

Symptoms:
Under certain network conditions the service connector used in SSLO can consume excessive memory.

Conditions:
- APM service connector in use. This component is used by default in SSLO.

Impact:
Excessive resource consumption, potentially leading to decreased performance or a failover event.

Workaround:
N/A

Fix:
TMM now processes SSLO traffic as expected.


1078829 : Login as current user fails in VMware

Component: Access Policy Manager

Symptoms:
In VMware if user selects login as current user option, Http 500 error is being displayed.

Conditions:
1. Create vmware login as current user with kerberous AD keytab
2. Select VMware login as current user option on native client
3. Http 500 error is displayed.

Impact:
Login as current user fails in VMware

Workaround:
NA

Fix:
VMware Login as current user should not provide any error.


1078821 : Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit

Component: TMOS

Symptoms:
TMUI (the GUI) needs to be upgraded with OpenJDK 1.8 to support TLS 1.2 AES GCM ciphers for OAuth Provider Discovery

Conditions:
BIG-IP systems using the GUI

Impact:
Deployments which use Microsoft Azure AD as OAuth IDP, will start facing issues with OAuth Provider discovery after 31st Jan 2022. Microsoft is deprecating TLS1.0/1.1 and supporting TLS1.2 AES GCM ciphers only.

Fix:
Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit

Note: This results in an increase in the size of /usr. Although not an issue on its own, cumulative increases in /var, /usr, and /root might result in installation failures on iSeries devices when multiple slots contain software versions 16.1.x or later. Depending on the combination of versions, you might not be able to install/upgrade three TMOS software volumes on your iSeries device (see K41812306: The appdata volume on BIG-IP iSeries platforms is now larger :: https://support.f5.com/csp/article/K41812306 ).

Behavior Change:
Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit

Note: This results in an increase in the size of /usr. Although not an issue on its own, cumulative increases in /var, /usr, and /root might result in installation failures on iSeries devices when multiple slots contain software versions 16.1.x or later. Depending on the combination of versions, you might not be able to install/upgrade three TMOS software volumes on your iSeries device (see K41812306: The appdata volume on BIG-IP iSeries platforms is now larger :: https://support.f5.com/csp/article/K41812306 ).


1078741 : Tmm crash

Links to More Info: BT1078741

Component: Local Traffic Manager

Symptoms:
Tmm crashes while processing an iRule while handling traffic.

Conditions:
-- HTTP virtual server
-- HTTP profile with explicit proxy having default-connect-handling allowed
-- iRule with SERVER_CONNECTED event

Impact:
Traffic disrupted while tmm restarts.

Fix:
Null check to avoid null dereference.


1078721 : TMM may consume excessive resources while processing ICAP traffic

Component: Service Provider

Symptoms:
Undisclosed ICAP traffic may cause an increase in TMM resource utilization.

Conditions:
ICAP profile enabled

Impact:
Undisclosed ICAP traffic may cause an increase in TMM resource utilization.

Workaround:
N/A

Fix:
TMM does not consume excessive resources while processing ICAP traffic.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1078669 : iRule command “RESOLVER::name_lookup” returns null for TCP resolver with TC (truncated) flag set.

Component: Global Traffic Manager (DNS)

Symptoms:
“RESOLVER::name_lookup” returns null for TCP resolver with TC set.

Conditions:
Backend server returns very large DNS response.

Impact:
iRule command does not give any response but with TC set.

Workaround:
N/A

Fix:
N/A


1078053 : TMM may consume excessive resources while processing STEAM traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may consume excessive resources while processing traffic with a STREAM profile

Conditions:
- STEAM profile enabled

Impact:
Excessive resource consumption potentially leading to reduced performance or a failover event

Workaround:
N/A

Fix:
TMM now processes STREAM traffic as expected.

Fixed Versions:
16.1.2.2


1077701 : GTM "require M from N" monitor rules do not report when the number of "up" responses change

Links to More Info: BT1077701

Component: Global Traffic Manager (DNS)

Symptoms:
The number of probes that are succeeding is changing in between different windows in which the "N" number of probes were sent.

Conditions:
- GTM/DNS is provisioned.
- A "require M from N" monitor rule is assigned to a gtm resource.

Impact:
The change in the number of successful monitor probes isn't available which is useful for troubleshooting.

Workaround:
None

Fix:
A logline is written to show the change in the number of successful probes.


1076921 : Log hostname should be consistent when it contains ' . '

Links to More Info: BT1076921

Component: TMOS

Symptoms:
Messages that are logged to journald use the configured hostname, while sylog-ng uses the hostname (machine name) and truncates it starting at the first '.' (period). This results in hostnames being inconsistent when it contains '.'; e.g., 'my.hostname' is logged as 'my' by syslog-ng, and 'my.hostname' by journald. This can make it difficult for log analysis tools to work with the log files.

Conditions:
-- Hostname contains a period.
-- Viewing log files emitted from journald and from syslog-ng.

Impact:
The full hostname is logged for system logs while logs that go directly to syslog-ng use a truncated hostname.

Workaround:
N/A

Fix:
N/A


1076881 : Attack count and BA/BD stats are not updated for DNS family vectors

Component: Advanced Firewall Manager

Symptoms:
Only one tmm increments the attack count stats and other tmms do not increment.

Conditions:
AFM is provisioned and the DNS family of vectors are configured with detection and mitigation threshold values.

Impact:
Wrong stats numbers and attack count will be observed for DNS family of vectors.

Workaround:
None

Fix:
Protocol type was initialized to dns before creating session keys for DNS vectors.


1076753 : Not able to set RSA new pin on windows with Citrix Receiver

Component: Access Policy Manager

Symptoms:
In Citrix Receivers for Windows, user is not able to change RSA PIN.

Conditions:
- Configure APM in integration/replacement mode for Citrix virtual apps and desktops with RSA auth.
- Clear PIN on the RSA server for the user.
- Go to APM with Windows Citrix Receiver and try to login.

Impact:
User is unable to change the RSA PIN.

Workaround:
NA

Fix:
User is able to change RSA new PIN.


1076573 : MQTT profile addition is different in GUI and TMSH

Component: Local Traffic Manager

Symptoms:
MQTT profile selection is not supported through GUI when HTTP is enabled. In tmsh, the MQTT profile can be added in the same virtual server and contradicting the GUI configuration.

Conditions:
Simple virtual server with HTTP profile.

Impact:
Contradictory configuration validation between the GUI and tmsh.

Workaround:
None

Fix:
Validation to make sure the GUI and tmsh behave the same way for MQTT and HTTP profile in same virtual server.


1076477-3 : AFM allows deletion of a firewall policy even if it's being used in a route domain.

Links to More Info: BT1076477

Component: Advanced Firewall Manager

Symptoms:
AFM allows you to delete a firewall policy that is still applied to a route domain.

Conditions:
A firewall policy is created and assigned to a route domain.

Impact:
The firewall policy can be deleted without warning or error.

Workaround:
Before deleting a firewall policy check to make sure it is not being used in any route domain.

Fix:
N/A


1076401 : Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec.

Links to More Info: BT1076401

Component: Global Traffic Manager (DNS)

Symptoms:
Memory leak leading to TMM running out of free memory.

Conditions:
-- Dnssec.maxnsec3persec set to non-default value (default 0 - unlimited).
-- Number of DNS requests leading to NSEC3 responses goes above the limit of dnssec.maxnsec3persec.

Impact:
TMM runs out of memory.

Workaround:
Set dnssec.maxnsec3persec to 0.

Fix:
N/A

Fixed Versions:
16.1.2.2


1076397 : TMSH hardening

Component: Local Traffic Manager

Symptoms:
TMSH/TMUI does not follow current best practices when processing monitor configuration

Conditions:
- Monitor configured
- Configuration loaded from file

Impact:
Configuration fails to load.

Workaround:
N/A

Fix:
TMSH now follows current best practices.


1076377 : OSPF path calculation for IA and E routes is incorrect.

Links to More Info: BT1076377

Component: TMOS

Symptoms:
--OSPF path calculation for IA and E routes is incorrect.
--E2 route might be preferred over E1 route.
--Cost calculation for IA routes is incorrect.

Conditions:
Mixing E2/E1 routes and IA routes with different cost.

Impact:
Wrong route is installed.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
16.1.2.2


1076253 : IKE library memory leak

Links to More Info: BT1076253

Component: TMOS

Symptoms:
After the tunnel is established there is continuous increase in memory is seen in the IKE library (memory_usage_stat)

Conditions:
-- IPSEC tunnels are established.
-- DPD delay = 30 sec

Impact:
Continuous memory increase on the BIG-IP system.

Workaround:
None

Fix:
Fixed an IKE library memory leak.


1075205 : Using TCP::close after HTTP::redirect/HTTP::respond causes HTTP response not to be delivered to the client.

Links to More Info: BT1075205

Component: Local Traffic Manager

Symptoms:
Using TCP::close after HTTP::redirect/HTTP::respond causes HTTP response not to be delivered to the client.

Conditions:
iRule similar to:

ltm rule REDIRECT {
when HTTP_REQUEST {
   HTTP::redirect "https://[HTTP::host][HTTP::uri]"
   TCP::close
}

Impact:
Redirect/response not delivered to the client.

Workaround:
Remove TCP::close from an iRule.

Fix:
N/A

Fixed Versions:
16.1.2.2


1075073 : TMM Crash observed with Websocket and MQTT profile enabled

Component: Local Traffic Manager

Symptoms:
A tmm crash occurs while passing Websockets traffic

Conditions:
Virtual server with http, Websockets, MQTT profiles

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Delete the MQTT profile.

Fix:
MQTT validation to ignore non-MQTT messages.


1074505 : Traffic classes are not attached to virtual server at TMM start

Links to More Info: BT1074505

Component: Local Traffic Manager

Symptoms:
When tmm starts, an error message is logged in the TMM log:

"MCP message handling failed in 0xXXXX (XXXXXXXX)"

Conditions:
Virtual server with traffic class attached is being used.

Impact:
A traffic class is not being attached to the virtual server so traffic matching the traffic classes does not work.

Fix:
Traffic matching the traffic classes does match.


1074273 : Tmm crash while bringing up a static IPSec tunnel

Component: TMOS

Symptoms:
A tmm crash occurs during ipsec tunnel establishment

Conditions:
- A NAT device exists between the initiator and responder
- The configuration is changed from dynamic to static ike-peer
- A tunnel is initiated from strongswan

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
DEBUG print had mismatch between arguments and format specifiers, it has been corrected.


1074113 : IPsec IKEv2: Selectors incorrectly marked up after disable ike-peer

Links to More Info: BT1074113

Component: TMOS

Symptoms:
When disabling an ike-peer, sometimes the traffic-selector is not marked "down" in one or both directions.

Conditions:
All the following must be true

-- IKEv2 IPsec tunnel
-- A nonzero value for ipsec.pfkey.load, ipsec.sp.migrate and ipsec.sp.owner is set.
-- During the life of the SA the tunnel was migrated to another tmm owner.

The final point is not normally visible unless debug2 logging is enabled on ike-daemon.

Impact:
Cosmetic. The traffic selector is incorrectly reported as up for one or both directions.

Workaround:
The selector state cannot be changed unless it goes up/down again. There is no way to manually fix it.

Fix:
Disabling an ike-peer config object will correctly mark the associated traffic-selector down.

Fixed Versions:
16.1.2.2


1073973 : Gateway HTTP/2, response payload intermittently not forwarded to client.

Links to More Info: BT1073973

Component: Local Traffic Manager

Symptoms:
Some HTTP/2 requests through a Gateway HTTP2 (HTTP2 clientside/HTTP1 serverside, no MRF) stall, with:
   - the BIG-IP receives a request and forwards it to the server
   - the server responds with both headers and response body
   - the BIG-IP forwards the response headers back to the client
   - the BIG-IP does not forward the response body to the client

Conditions:
-- BIG-IP virtual server configured with an HTTP/2 profile on both the client side and server side
-- A high number of HTTP/2 requests traverse the HTTP/2 connection

Impact:
HTTP response body is not forwarded to the client from the BIG-IP system.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
16.1.2.2


1073885 : Occasional ECA plugin crashes observed during service shutdown or restart

Component: Access Policy Manager

Symptoms:
Occasional ECA plugin crashes observed during service shutdown or restart operations.

Conditions:
If significant number of NTLM auth requests are present in the queue and a service shutdown/restart happens, occasionally ECA may crash.

Impact:
This occurs during shutdown clean-up.

Fix:
Fixed an ECA plugin crash


1073841 : URI normalization does not function as expected

Component: Local Traffic Manager

Symptoms:
Under certain conditions URIs processed with normalization may not be normalized as expected.

Conditions:
-- HTTP profile in use
-- iRule using URI normalization

Impact:
URI normalization not processed as expected, potentially resulting in unexpected iRule operation due to non-normal URIs.

Workaround:
N/A

Fix:
URI normalization is now processed as expected.


1073609 : Tmm may core while using reject iRule command in LB_SELECTED event.

Links to More Info: BT1073609

Component: Local Traffic Manager

Symptoms:
Tmm cores with SIGFPE "packet is locked by a driver"

Conditions:
-- Fastl4 virtual server
-- iRule attached that uses reject iRule command in LB_SELECTED event

Impact:
Traffic disrupted while tmm restarts.

Fix:
Tmm does not core while using iRules attached that uses reject iRule command in LB_SELECTED event.


1073549 : TMSH hardening

Component: Local Traffic Manager

Symptoms:
TMSH/TMUI does not follow current best practices when processing monitor configuration

Conditions:
- Monitor configured
- Configuration loaded from file

Impact:
Configuration fails to load.

Workaround:
N/A

Fix:
TMSH now follows current best practices.


1073357 : TMM may crash while processing HTTP traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing HTTP traffic

Conditions:
- HTTP profile enabled
- HTTP::uri iRule in use

Impact:
TMM crash leading to a failover event

Workaround:
N/A

Fix:
TMM now processes HTTP traffic as expected.


1072953 : Memory leak in traffic management interface.

Links to More Info: BT1072953

Component: Local Traffic Manager

Symptoms:
When configuration objects that use a traffic management interface are modified, they leave behind orphaned objects. The memory leak can become significant over time if there are frequent config changes.

Conditions:
Request logging profile attached to a VIP.

Impact:
TMM uses more memory than it should.

Workaround:
Restart tmm to free the memory, avoid making frequent configuration changes to virtual servers that contain request logging profiles.

Fix:
Traffic management interface no longer leaks memory.

Fixed Versions:
16.1.2.2


1072733 : Protocol Inspection IM package hardening

Component: Protocol Inspection

Symptoms:
Protocol Inspection IM packages do not follow current best practices.

Conditions:
- Authenticated administrative user
- Protocol Inspection IM packages uploaded to BIG-IP

Impact:
Protocol Inspection IM packages do not follow current best practices.

Workaround:
N/A

Fix:
Protocol Inspection IM packages now follows current best practices.

Fixed Versions:
16.1.2.2


1072665 : TMM crash while passing OAuth traffic

Component: Access Policy Manager

Symptoms:
TMM can crash during OAuth authorization

Conditions:
OAuth authorization enabled

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
JWE encryption key length assignment is properly fixed which will avoid the buffer overrun during the OAuth Authorization


1072397 : VLAN failsafe failover does not occur in three-node device group

Component: Local Traffic Manager

Symptoms:
VLAN failsafe fails to activate the next-active device in a device group.

Conditions:
-- Three devices in a sync/failover device group
-- A VLAN goes down on the active device, or is unable to communicate with the device group

Impact:
-- VLAN failsafe does not trigger and the next-active device does not become active

Fix:
Fixed an issue with VLAN failsafe not triggering in a three-device sync/failover device group


1072237 : Retrieval of policy action stats causes memory leak

Links to More Info: BT1072237

Component: TMOS

Symptoms:
When a virtual server with an L7 policy is present, the tmsh show ltm policy command triggers a memory leak.

Conditions:
The tmsh show ltm policy command is executed when a virtual server with an L7 policy attached is present.

Impact:
Memory leak for umem_alloc_16 cur_allocs for each request for
each request of tmsh show ltm policy

Workaround:
None

Fix:
Umem_alloc_16 cur_allocs no longer leaking memory.

Fixed Versions:
16.1.2.2


1072197 : Issue with input normalization in WebSocket.

Component: Application Security Manager

Symptoms:
Under certain conditions, attack signature violations might not be triggered in WebSocket scenario.

Conditions:
- ASM handles WebSocket flow.
- Malicious WebSocket message contains specific characters.

Impact:
Attack detection is not triggered as expected.

Workaround:
N/A

Fix:
Attack detection is now triggered as expected.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1072057 : "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy.

Links to More Info: BT1072057

Component: Advanced Firewall Manager

Symptoms:
The GUI incorrectly displays the sources address in certain conditions.

1. If the source address of a firewall policy is not empty (that is, some specific IP addresses available to the rule), the word "Any" is displayed.
2. If the source address is empty (that is, no specific IP addresses exist), nothing (empty) is displayed.

Conditions:
Viewing a firewall policy in the GUI via Security > Firewall > policy.

Impact:
No functional impact

Workaround:
N/A

Fix:
Fixed a display issue with the source address field.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1071689 : SSL connection not immediately closed with HTTP2 connection and lingers until idle timeout

Links to More Info: BT1071689

Component: Local Traffic Manager

Symptoms:
SSL connections using HTTP/2 are not immediately closed and linger until the idle timeout expires.

Conditions:
This occurs during SSL handshake termination from the client to the BIG-IP system.

Impact:
SSL connection does not close.

Fix:
System will properly terminate the connection without lingering until timeout


1071609 : IPsec IKEv1: Log Key Exchange payload in racoon.log.

Links to More Info: BT1071609

Component: TMOS

Symptoms:
The key exchange payload is not logged to the IPsec logs.

Conditions:
The issue is observed during IKEv1 tunnel establishment.

Impact:
If you are investigating the IKEv1 key calculation, the key exchange payload information will not be available.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
16.1.2.2


1071593 : TMM may crash while processing TLS traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing TLS traffic.

Conditions:
- SSL profile enabled
- Client certificate auth enabled

Impact:
TMM crash leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes TLS traffic as expected.

Fixed Versions:
16.1.2.2


1071585 : BIG-IP system does not respond to an arp from a SelfIP configured in virtual wire mode

Links to More Info: BT1071585

Component: Local Traffic Manager

Symptoms:
BIG-IP system does not respond to an arp from a SelfIP configured in virtual wire mode in Virtual Edition platforms.

Conditions:
Configure network in virtual wire mode in VADC pltaform

Impact:
Virtual server traffic is disrupted.

Workaround:
None

Fix:
Fix for the ARP not getting resolved when BIG-IP is configured with selfip on vwire's while redirecting to a different tmm.

Fixed Versions:
16.1.2.2


1071485 : For IP based bypass, Response Analytics sends RST.

Links to More Info: BT1071485

Component: Access Policy Manager

Symptoms:
When SSL takes a dynamic bypass action (IP based bypass decision), the Per-Request Policy agents skip execution when necessary. That is, Category Lookup exits early due to no data because of the early bypass. The same check is not present in Response Analytics and URL Filter agents so that they don't take the error path due to not seeing Category Lookup data.

Conditions:
IP based bypass (in client SSL profile) with Response Analytics or URL Filtering in the Per-Request Policy.

Impact:
Category Lookup skips execution due to IP based bypass and thus Response Analytics and URL Filtering do not have the necessary data, so they take an internal error path. This will cause an RST.

Workaround:
Do not add Response Analytics or URL Filtering agents to paths that you know will not have appropriate Category Lookup data due to bypass.

Fix:
When the SSL level filter bypasses based on client data, Per-Request Policy agents will now be appropriately bypassed as well if there is not enough data to run on. They will take the fallback branches instead of sending a RST on error.


1071449 : Statsd memory leak on platforms with license disabled processors.

Links to More Info: BT1071449

Component: Local Traffic Manager

Symptoms:
Memory usage in statsd will continue to grow until the control-plane is out of memory.

Conditions:
This issue occurs when the license on the BIG-IP disables some of the processors.

Impact:
Statsd may consume excessive memory causing OOM killer activity.

Workaround:
Restart statsd periodically.

Fix:
Statsd no longer leaks memory.

Fixed Versions:
16.1.2.2


1071365 : iControl SOAP WSDL hardening

Component: TMOS

Symptoms:
Under certain conditions iControl SOAP does not follow best practices for WSDL processing.

Conditions:
- Authenticated administrative user
- WSDL processing

Impact:
iControl SOAP does not follow current best practices.

Workaround:
N/A

Fix:
iControl SOAP now processes WSDL files according to current best practices.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1071301 : GTM server does not get updated even when the virtual server status changes.

Links to More Info: BT1071301

Component: Global Traffic Manager (DNS)

Symptoms:
GTM Server is in an Unknown state even though the single virtual server is green.

Conditions:
-- Three-member sync group.
-- Create a large number of virtual servers.
-- Virtual servers are disabled and enabled.

Impact:
The server status does not reflect the virtual server status, and there is no obvious way to recover.

Workaround:
N/A

Fix:
N/A


1071233 : GTM Pool Members may not be updated accurately when multiple identical database monitors are configured

Links to More Info: BT1071233

Component: Global Traffic Manager (DNS)

Symptoms:
When two or more GTM database monitors (MSSQL, MySQL, PostgreSQL, and Oracle) with identical 'send' and 'recv' strings are configured and applied to different GTM pools (with at least one pool member in each), the monitor status of some GTM pool members may not be updated accurately.

Other parameters of the affected monitors that differ (such as 'recv row' or 'recv column' indicating where the specified 'recv' string should be found in the result set) may cause GTM pool members using one of the affected monitors to connect to the same database to be marked UP, while GTM pool members using another affected monitor may be marked DOWN.

As a result of this issue, GTM pool members that should be marked UP or DOWN by the configured GTM monitor may instead be marked according to another affected monitor's configuration, resulting in the affected GTM pool members being intermittently marked with an incorrect state.

After the next monitor ping interval, affected GTM pool members members may be marked with the correct state.

Conditions:
This may occur when multiple GTM database monitors (MSSQL, MySQL, PostgreSQL, and Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different pools/members which share the same IP address and Port values.

For example:
gtm monitor mysql mysql_monitor1 {
...
    recv none
    send "select version();"
...
}
gtm monitor mysql mysql_monitor2 {
...
    recv none
    send "select version();"
...
}

Impact:
Monitored GTM pool members using a database monitor (MSSQL, MySQL, PostgreSQL, and Oracle) randomly go offline/online.

Workaround:
To avoid this issue, configure each GTM database monitor with values that make the combined parameters unique by changing either the 'send' or the 'recv' parameters, or both.

For example:
gtm monitor mysql mysql_monitor1 {
...
    recv none
    send "select version();"
...
}
gtm monitor mysql mysql_monitor2 {
...
    recv 5.7
    send "select version();"
...
}

Fix:
The system updates GTM pool members correctly when multiple identical database monitors are configured.


1070737 : AFM does not detect NXDOMAIN attack at virtual context when DNS cache is activated.

Links to More Info: BT1070737

Component: Advanced Firewall Manager

Symptoms:
When the DNS cache is activated, the NXDOMAIN DoS vector does not increase for the virtual server context. As a result, NXDOMAIN flood attack is never detected/mitigated at the virtual server context.

Note this does not happen with other vectors like DNS A query flood attack, only for NXDOMAIN.

Conditions:
Issue is only seen When DNS cache is activated and for NXDOMAIN Dos Vector.

Impact:
NXDOMAIN flood attack is never detected/mitigated at virtual server context.

Workaround:
N/A

Fix:
Unbound is used to do the DNS query and the BIG-IP self IP is used to do the query instead of the listener at the server-side when DNS Cache is Enabled.

DOS on connflow is also done at the client-side egress when DNS Cache is enabled in case of NXDOMAIN.


1070677-3 : Learning phase does not take traffic into account - dropping all.

Links to More Info: BT1070677

Component: Protocol Inspection

Symptoms:
Suggestions are generated every suggestion interval and every suggestion interval suggestions are overriding, so the last suggestion is considered after the staging period is completed.

Conditions:
Once the start of staging period, suggestions will override every time until the staging period completes.

Impact:
IPS learning phase, which lasts the default 7 days, sees a ton of traffic from websites hitting against signatures, but at the end of the 7 days it blocks all signatures and causes an outage.

Workaround:
N/A

Fix:
We now make the decision based on the overall suggestions that are generated during the staging period instead of the last suggestion.

Fixed Versions:
16.1.2.2


1070273 : OWASP Dashboard does not calculate Disallow DTDs in XML content profile protection properly.

Component: Application Security Manager

Symptoms:
On OWASP dashboard, both 2021 and 2017, the Disallow DTDs in XML content profile protection is not calculated correctly on the xml-profile allowDTD field.

Conditions:
Open the OWASP page for any non-parent/child security policy, (Security ›› Overview : OWASP Compliance). For OWASP 2017, DTDs is located under A4 category, and for 2021 under A5 category.

Impact:
Actual OWASP compliance for this protection can be different from the one shown by the GUI.

Workaround:
The actual conditions that satisfy the Disallow DTDs in XML content profile protection are:

1. 'XML data does not comply with format settings' violation should be set to alarm+block.

2. 'Malformed XML data' violation should be set to alarm + block.


3. No XML content profile in the policy is set so that allowDTDs to true.

Fix:
Scoring calculation was changed: Now score will be given only if no XML content profile in the policy has allowDTDs field set as true.

Fixed Versions:
16.1.2.2


1070033-3 : Virtual server may not fully enter hardware SYN Cookie mode.

Links to More Info: BT1070033

Component: Advanced Firewall Manager

Symptoms:
The SYN Cookies Status of a virtual server shows 'full-hardware', but the 'Total Software' counter of software SYN Cookies continues to increment together with the 'Total Hardware' SYN Cookie counter during a SYN flood attack.

Conditions:
On platforms with multiple HSB modules each TMM connects to only one of the modules. This depends on platform, BIG-IP version and selected turboflex profile.

The simplest way to check is to look at the epva_flowstat tmstat table. If there is only one row per TMM and there are more than one distinct mod_id numbers, then the device is affected. For example:

$ tmctl -s tmm,mod_id,pdenum,slot_id epva_flowstat
tmm mod_id pdenum slot_id
--- ------ ------ -------
  0 1 0 0
  1 1 8 0
  2 2 0 0
  3 2 8 0

Impact:
A portion of the SYN flood attack is handled in software, which might have some performance impact.

Workaround:
N/A

Fix:
All TMMs now correctly enter hardware SYN Cookie mode.

Fixed Versions:
14.1.4.6


1070009-1 : iprepd, icr_eventd and tmipsecd restarts continuously after installing FIPS 140-3 license in BIG-IP cloud platform

Links to More Info: BT1070009

Component: TMOS

Symptoms:
32 bit applications (iprepd, icr_eventd and tmipsecd) uses clock_gettime to gather the time which causes the restart of applications. This issue occurs only in Azure and Google Cloud platform when FIPS 140 license is installed.

Conditions:
- Occurs only in Azure and Google Cloud platform
-32 bit applications (iprepd, icr_eventd and tmipsecd) which uses clock_gettime to gather the time for generating entropy data
- A FIPS 140 license is installed

Impact:
Applications restart continuously.

Workaround:
None.

Fix:
32-bit applications does not restart continuously while using clock_gettime to generate entropy data when FIPS 140 license is installed.

Fixed Versions:
16.1.2.2


1069629 : TMM may crash while processing TLS traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing TLS traffic.

Conditions:
- SSL profile enabled
- Client certificate auth enabled

Impact:
TMM crash leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes TLS traffic as expected.

Fixed Versions:
15.1.5.1, 16.1.2.2


1069501 : ASM may not match certain signatures

Component: Application Security Manager

Symptoms:
Under certain condition, ASM may not match signatures as expected.

Conditions:
- base64 violations not configured for blocking

Impact:
Signatures not matched as expected.

Workaround:
Illegal base64 value violation should be set to blocking.
This way if Base64 decoding fails the requests gets blocked.

Fix:
ASM now processes signature as expected.

Fixed Versions:
16.1.2.2


1069449 : ASM attack signatures may not match cookies as expected

Component: Application Security Manager

Symptoms:
Under certain conditions ASM attack signatures may not match cookies as expected.

Conditions:
- Specially crafted cookies

Impact:
Attack signatures are not detected as expected.

Workaround:
N/A

Fix:
ASM attack signatures now match cookies as expected.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1069133 : ASMConfig memory leak.

Links to More Info: BT1069133

Component: Application Security Manager

Symptoms:
A slow leak exists for long-lived asm_config_handler processes that handle configuration updates.

Conditions:
Configuration updates are being regularly made.

Impact:
Processes slowly grow in size until they reach a limit and restart themselves.

Workaround:
N/A

Fix:
The slow leak has been fixed.

Fixed Versions:
16.1.2.2


1068561-2 : Can't create key on the second netHSM partition.

Links to More Info: BT1068561

Component: Local Traffic Manager

Symptoms:
While trying to create a key pair in a second partition, the key creation fails.

Conditions:
-- Multiple partitions are used
-- Attempt to create a key with the second partition

Impact:
Unable to use multiple netHSM partitions.

Workaround:
N/A

Fix:
Corrected session handle able to create keys in second partition.

Fixed Versions:
15.1.5.1, 16.1.2.2


1068445 : TCP duplicate acks are observed in speed tests for larger requests

Links to More Info: BT1068445

Component: Local Traffic Manager

Symptoms:
- A lot of TCP duplicate acks are observed in speed tests for larger requests

Conditions:
Below conditions are met
- Large request
- fastL4 profile with PVA acceleration set
- Below sys db variables are enabled
tm.tcpsegmentationoffload
tm.tcplargereceiveoffload
- Softpva is used

Impact:
- Reduced throughput because of duplicate ACKs and retransmissions

Workaround:
Either one of the conditions
- fastL4 profile with PVA acceleration set to NONE
- Disable below sys db variables
tm.tcpsegmentationoffload
tm.tcplargereceiveoffload


1068237 : Some attack signatures added to policies are not used.

Links to More Info: BT1068237

Component: Application Security Manager

Symptoms:
Some attack signatures added to an existing signature set may not be utilized by Policies associated with the signature set, despite the attack signatures being reported as now present in the Policies.

Conditions:
1. Have one or more policies utilizing a manual attack signature set.

2. Update the attack signature database by installing an ASU or creating a custom attack signature.

3. Update the previously created manual attack signature set with one or more attack signatures which were not updated by the ASU (if ASU installed) or are not the newly created custom attack signature (if new custom signature created).

Impact:
The additional attack signatures added to the attack signature set will show up in the Policies utilizing the signature set however the Policies will not actually use those additional attack signatures.

Workaround:
There are two workarounds:

1. When adding additional attack signatures to a Policy, place them in a new attack signature set rather than re-using an existing signature set.

2. If adding signatures to an existing set, afterwards create a new custom attack signature, add it to a new manual attack signature set, add the set to any active policy and then remove the set from the policy (the set and signature can then be deleted if desired).

Both workarounds will result in all attack signatures listed as present in all Policies being fully and properly utilized by the Policies.

Fix:
N/A

Fixed Versions:
16.1.2.2


1067669 : TCP/UDP virtual servers drop all incoming traffic.

Links to More Info: BT1067669

Component: Local Traffic Manager

Symptoms:
-- Incoming TCP/UDP traffic is not processed by virtual servers on the BIG-IP system. Instead, legitimate traffic appears to be dropped by the BIG-IP system.

-- A tcpdump taken on the BIG-IP system shows the traffic arriving on VLAN 0 instead of the actual VLAN.

-- Inspection of the dns_rapid_response_global tmstat table shows many entries in the failed_ifc column.

Conditions:
-- Using a BIG-IP 2000, 4000, or VE device.

-- Using a trunk with an untagged VLAN.

-- Using a virtual server with a dns profile configured for rapid-response.

Impact:
All TCP/UDP virtual servers fail to process incoming traffic.

Workaround:
You can work around this issue by performing any one of the following actions:

-- Avoid using an untagged VLAN with your trunks.
-- Avoid using a trunk if you cannot avoid using untagged VLANs.
-- Disable rapid-response in all dns profiles (this option is disabled by default).

Fix:
TCP/UDP traffic is no longer dropped under the conditions described in this article.


1067617 : BGP default route not advertised after mid-session OPEN.

Links to More Info: BT1067617

Component: TMOS

Symptoms:
After BGP peer opens a new session with BIG-IP in the middle of the existing session and the session is dropped, BIG-IP does not send default route NLRI to the peer when the new session is established.

Conditions:
Mid-session OPEN (Event 16 or Event 17 per RFC spec).

Impact:
Default route is missing on a BGP peer.

Workaround:
Clear the BGP session manually.

Fix:
N/A

Fixed Versions:
16.1.2.2


1067505 : TMM may crash while processing TLS traffic with HTTP::respond

Component: Local Traffic Manager

Symptoms:
Under certain conditions TMM may crash while processing TLS traffic using an HTTP::respond iRule

Conditions:
- ClientSSL profile in use
- TLS1.3 in use
- HTTP::respond iRule in use

Impact:
TMM crash leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes TLS traffic as expected.


1067405 : TMM crash while offloading / programming bad actor connections to hardware.

Links to More Info: BT1067405

Component: Advanced Firewall Manager

Symptoms:
TMM crashes while passing traffic. From the core analysis, this issue looks specific to some platforms(i4800 c115).

Conditions:
This might occur when bad actor detection is enabled in BIG-IP platforms.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue is platform specific and seen only when BA actor detection is enabled.

Fix:
Fixed a tmm crash occurring on BIG-IP iSeries platforms.


1067393 : MCP validation - incorrect config load fail on AFM NAT rule with next-hop pool.&start;

Links to More Info: BT1067393

Component: Advanced Firewall Manager

Symptoms:
Upgrade failure, which may lead to a rollback and delayed upgrade.

Conditions:
AFM NAT rule referencing a Next Hop pool.

Impact:
Upgrade failure, which may lead to a rollback and delayed upgrade.

Workaround:
Once in the failed state, the system can be recovered by running 'tmsh load sys config'; the config will load successfully. No changes to the configuration are needed.

Fix:
N/A

Fixed Versions:
15.1.5.1


1067285 : Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.'

Links to More Info: BT1067285

Component: Application Security Manager

Symptoms:
F5 Networks, Inc.
F5 Networks Inc.
F5 Networks appear as F5, Inc.

Conditions:
NA

Impact:
F5 Networks, Inc
F5 Networks
F5 Networks Inc will appear as F5, Inc to the end user, be it online help, or any ASM related screens.

Workaround:
NA

Fix:
F5 Networks, Inc
F5 Networks
F5 Networks Inc will appear as F5, Inc to the end user, be it online help, or any ASM related screens.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1066829 : Memory leak for xml/json auto-detected parameter with signature patterns.

Links to More Info: BT1066829

Component: Application Security Manager

Symptoms:
A memory leak is observed in ASM when specific traffic arrives.

Conditions:
A request contains a JSON parameter value with the signature pattern.

Impact:
Memory leak in the system.

Workaround:
N/A

Fix:
No memory leak observed after the fix.

Fixed Versions:
15.1.5.1, 16.1.2.2


1066729 : TMM may crash while processing DNS traffic

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions TMM may crash while processing DNS traffic.

Conditions:
- DNS profile enabled

Impact:
TMM crash leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes DNS traffic as expected.

Fixed Versions:
15.1.5.1, 16.1.2.2


1066377 : OpenAPI - Content profile is not consistent with wildcard configuration

Links to More Info: BT1066377

Component: Application Security Manager

Symptoms:
A content profile is created with an inconsistent order for wildcard content types.

Conditions:
-- Create OpenAPI policy
-- Configure any endpoint with multiple wildcard content types

Impact:
HTTP request body is not enforced properly

Workaround:
None

Fix:
Fix provided to create content profile with proper order for wild card content type

Fixed Versions:
16.1.2.2


1066285 : Master Key decrypt failure - decrypt failure.

Links to More Info: BT1066285

Component: TMOS

Symptoms:
After MCPD restarts or the system reboots:
-- the system is inoperative and MCPD may be restarting
-- the logs report this error:

err mcpd[12444]: 01071769:3: Decryption of the field (value) for object (config.auditing.forward.sharedsecret) failed while loading configuration that is encrypted with a different master key.

-- the system may be reporting this error:

load_config_files[5635]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.

This may occur during a system upgrade.

Conditions:
When config.auditing.forward.sharedsecret is encrypted and masterkey value is changed.

Impact:
MCPD will continuously restart, and the system will remain inoperative.

Workaround:
If a system is affected by this issue, set the DB key back to its default value. Once the configuration is loaded, set the DB key back to the correct value:

   - tmsh modify /sys db config.auditing.forward.sharedsecret value '<null>'


After changing the SecureValue master key but before encountering the issue, run the following command to update the value of the DB key on-disk:

    setdb config.auditing.forward.sharedsecret "$(getdb config.auditing.forward.sharedsecret)"

Fix:
N/A

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1065789 : TMM may send duplicated alerts while processing SSL connections

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may send duplicated SSL alerts while processing encrypted connections.

Conditions:
- Fatal SSL error

Impact:
Increased resource usage, potentially leading to degraded performance.

Workaround:
N/A

Fix:
SSL alerts are now processed as expected.

Fixed Versions:
15.1.5, 16.1.2.1


1065585 : System does not halt on on FIPS/entropy error threshold for BIG-IP Virtual Edition

Links to More Info: BT1065585

Component: TMOS

Symptoms:
BIG-IP Virtual Edition keeps running even after multiple FIPS/entropy errors occur.

Conditions:
Multiple FIPS/entropy errors on BIG-IP Virtual Edition system.

Impact:
BIG-IP Virtual Edition keeps running even after multiple FIPS/entropy errors occur

Workaround:
None

Fix:
System should halt after the threshold number of FIPS/entropy errors occue

Fixed Versions:
16.1.2.2


1064893 : Keymgmtd memory leak occurrs while configuring ca-bundle-manager.

Links to More Info: BT1064893

Component: TMOS

Symptoms:
Keymgmtd leaks memory and the RES/RSS value increases over time.

Same issue can be observed using top -p `pidof keymgmtd` or tmctl proc_pid_stat proc_name=keymgmtd -s proc_name,vsize,rss monitor keymgmtd resident memory size.

Conditions:
Configure sys crypto ca-bundle-manager to periodically update the ca bundle on the system.

Impact:
If keymgmtd causes a system wide out of memory condition, this could cause a traffic disruption, if mcpd is chosen to be killed.

Workaround:
N/A

Fix:
N/A


1064669 : Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash.

Links to More Info: BT1064669

Component: Local Traffic Manager

Symptoms:
TMM crashes if an iRule is configured that has HTTP::enable in the RULE_INIT event.

Conditions:
iRule that uses HTTP:enable command in RULE_INIT event, for example:

ltm rule example_rule {
    when RULE_INIT {
        # Don't do this!
        HTTP::enable
    }
}

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Do not use the HTTP::enable iRule command in the RULE_INIT event.

Fix:
N/A

Fixed Versions:
15.1.5.1, 16.1.2.2


1064649 : Tmm crash after upgrade.&start;

Links to More Info: BT1064649

Component: Local Traffic Manager

Symptoms:
After upgrading and provisioning the ASM module, TMM starts to crash and core.

Conditions:
-- BIG-IP system is upgraded to version 15.1.4.1.
-- The ARL table is empty (transparent VLAN group) and traffic is passed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
15.1.5


1064617 : DBDaemon process may write to monitor log file indefinitely

Links to More Info: BT1064617

Component: Local Traffic Manager

Symptoms:
If debug logging is enabled for a database monitor (mssql, mysql, postgresql or oracle), the DBDaemon process may write to a monitor log file indefinitely, including after the monitor log file is rotated and/or deleted.

Conditions:
This problem may occur when:
- using a database monitor (mssql, mysql, postgresql or oracle) which is configured with the "debug" value set to "yes"
- using a database monitor (mssql, mysql, postgresql or oracle) for a pool member which is configured with the "logging" set to "enabled"

Impact:
The DBDaemon process may write debug logging messages to the affected monitor log file indefinitely, including after the monitor log file has been rotated and/or deleted.
As a result, storage in the /var/log volume may be consumed to the point that other logging cannot be performed, and the BIG-IP instance may be restarted/rebooted.

Workaround:
To work around this issue, restart the DBDaemon process.

To find the PID of the DBDaemon process, observe the output of the following command:
ps -ef |grep -v grep | grep DB_monitor.jar | awk '{print($2)}'

To confirm whether the DBDaemon process is writing to a monitor log file, and if so, which file:
lsof -p $(ps -ef | grep -v grep | grep DB_monitor.jar | awk '{print($2)}') | grep -e COMMAND -e '/var/log/monitors'

To kill the DBDaemon process:
kill $(ps -ef | grep -v grep | grep DB_monitor.jar | awk '{print($2)}')

NOTE:
Killing the DBDaemon process will cause a short-term loss of database monitoring functionality, until DBDaemon is restarted by the next database monitor probe.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1064501 : BD crash on startup or first request

Component: Application Security Manager

Symptoms:
The bd daemon crashes on it's startup or first request.

Conditions:
This can occur rarely during system startup if there is an issue with generating the data protection files or the data protection grace file. This can occur if the disk runs out of space.

Impact:
BD crashes. ASM traffic disrupted while bd restarts.

Workaround:
None

Fix:
Rare issue with system startup was fixed.


1064461 : PIM-SM will not complete RP registration over tunnel interface when floating IP address is used.

Links to More Info: BT1064461

Component: TMOS

Symptoms:
PIM-SM will not complete rendezvous point (RP) registration over the tunnel interface when a floating IP address is used (ip pim use-floating-address). Join/prune from RP gets dropped on BIG-IP when doing local-address validation.

BIG-IP never completes registration successfully.

Conditions:
RP registration over tunnel interface when floating IP address is used.

Impact:
BIG-IP never completes registration and outgoing packets are register-encapsulated.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
16.1.2.2


1064377 : OAuth token contents is shown in the debug logs

Component: Access Policy Manager

Symptoms:
Under the OAuth related log messages the token contents are seen

Conditions:
-- OAuth authorization is enabled
-- Debug logging is enabled

Impact:
OAuth token content is seen in log messages.

Workaround:
None

Fix:
Printing the token contents to the logs is removed now.


1064357 : execute_post_install: EPSEC: Installation of EPSEC package failed

Links to More Info: BT1064357

Component: TMOS

Symptoms:
APM EPSEC installation fails and an error message is logged in /var/log/ltm: "execute_post_install: EPSEC: Installation of EPSEC package failed"

Conditions:
APM EPSEC package installation

Impact:
Installation fails with an error message


1064217 : Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T.

Links to More Info: BT1064217

Component: Carrier-Grade NAT

Symptoms:
Port bits are not set as expected in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T.

Conditions:
This occurs in a MAP-T configuration.

Impact:
MAP-T port translation does not work as expected.

Workaround:
N/A

Fix:
Fixed an issue with the port bit not being set correctly.

Fixed Versions:
16.1.2.2


1064189 : DoH proxy and server listeners from GUI with client-ssl profile and server-ssl profile set to None produces undefined warning

Links to More Info: BT1064189

Component: Global Traffic Manager (DNS)

Symptoms:
Dns Over HTTPS (DOH) is allowed to work without a clientssl profile on clientside. Setting it to none disables the DNS resolution via the HTTPS protocol.

Conditions:
- Selecting "None" in Client SSL Profile and Server SSL Profile in DOH Server Listener and DOH Proxy Listener from GUI

Impact:
An error occurs:
GUI: 01020036:3: The requested profile (/Common/NO_SELECTION) was not found.
TMSH: 01070734:3: Configuration error: In Virtual Server (/Common/mydohproxylistener) http2 specified activation mode requires a client ssl profile

Workaround:
None

Fixed Versions:
16.1.2.2


1064157 : Http_proxy_opaque_get should constrain search to local/spawn flows, not looped flows

Links to More Info: BT1064157

Component: Local Traffic Manager

Symptoms:
In a VIP-on-VIP (looped) situation, HTTP on one virtual server uses/reuses an existing 'http_proxy_opaque' whilst still in use by another virtual server that causes unexpected state changes in the opaque which may cause tmm to core.

Conditions:
-- Explicit Forward Proxy SSL Orchestrator, in other words an L3 Explicit Proxy which is usually deployed in a VIP on VIP configuration
-- Hostname resolution using explicit 'RESOLV::lookup' iRule in HTTP_PROXY_REQUEST on the explicit/client-facing VIP

Impact:
Traffic disrupted while tmm restarts.

Fixed Versions:
16.1.2.2


1064025 : OWASP Compliance screen: entities appear in plural when only single entity is detected.

Component: Application Security Manager

Symptoms:
For some protections, The OWASP shows the number of entities besides the plural name of the entity, for example,
47 File Types.

When there is a single entity, the name still will appear in plural. for example, 1 File Types.

Conditions:
-- Set a single entity for the observed OWASP policy settings
(Security ›› Overview : OWASP Compliance screen).
E.g. for OWASP 2017, under A5 Broken Access Control,
-- Set a single built-in disallowed file type (for example bak)

Impact:
None

Workaround:
N/A

Fix:
N/A


1064001 : POST request to a virtual server with stream profile and a access policy is aborted.

Component: Access Policy Manager

Symptoms:
POST request to virtual server fails with reset cause "Incomplete chunked response".

Conditions:
Virtual server is configured with both stream profile and access policy.

Impact:
User will be unable to send POST request to backend servers

Workaround:
N/A

Fix:
N/A


1063993 : Typo in Session Hijacking Protection requirement in OWASP compliance screen.

Component: Application Security Manager

Symptoms:
Instead of Session Hijacking Protection, it should read Session Hijacking protection.

Conditions:
In Security ›› Overview : OWASP Compliance screen, for OWASP 2017, under A2 Broken Authentication category.

Impact:
N/A

Workaround:
N/A

Fix:
Text now reads: Session Hijacking protection.


1063985 : Typo in Review Policy Security pop-up, in OWASP Compliance screen (UnIgnore instead of Unignore).

Component: Application Security Manager

Symptoms:
The following title is being shown:
UnIgnore Attack Signature Type.

Conditions:
1.When you want to recalculate an already ignored requirement (wether signature or protection) for OWASP Compliance score, and want to set the Unignore operation on this requirement.

2.When pressing Review and Update button, the Review Policy Security pop-up will be shown with the title:

UnIgnore Attack Signature Type

Impact:
No actual impact except from typo in text.

Workaround:
N/A

Fix:
Unignore Attack Signature Type


1063681 : PCCD cored, SIGSEGV in pc::cfg::CMessageProcessor::modify_fqdn.

Links to More Info: BT1063681

Component: Advanced Firewall Manager

Symptoms:
Pccd (Packet Correlation Classification Daemon) generates a core while adding a fqdn during testing.

Conditions:
Conditions to trigger the core are unknown.

Impact:
Pccd crashes and creates a core file.

Workaround:
Restart PCCD

Fix:
N/A

Fixed Versions:
15.1.5.1


1063453 : FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets.

Links to More Info: BT1063453

Component: Local Traffic Manager

Symptoms:
Tmm crashes while passing IPv4-to-IPv6 traffic over FastL4.

Conditions:
-- A FastL4 virtual server translates between IPv4 and IPv6.
-- Fragment reassembly is not enabled in the FastL4 profile.
-- A feature requiring asynchronous completion is configured including: asynchronous irules on LB events (LB_SELECTED, LB_FAILED, LB_PERSIST_DOWN, LB_QUEUED, SA_PICKED), persistence, sessiondb operations, HA, virtual rate limiting.

Impact:
All traffic is disrupted while the TMM restarts.

Workaround:
Configure the FastL4 profile to always reassemble fragments.

Fixed Versions:
16.1.2.2


1063345 : Urldbmgrd may crash while downloading the database.

Component: Access Policy Manager

Symptoms:
Urldbmgrd may crash while downloading the database.

Conditions:
SWG or URLDB is provisioned.

Impact:
User traffic will be impacted when urldbmgrd is down.

Workaround:
N/A

Fix:
N/A


1063261 : TMM crash is seen due to sso_config objects.

Links to More Info: BT1063261

Component: Access Policy Manager

Symptoms:
Observed a TMM crash once which is due to unfreed sso_config objects in SAML.

Conditions:
Conditions are unknown, this was only seen once.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Freeing the sso_config objects during sso cleanup will avoid this situation.


1062953 : Unable to save configuration via tmsh or the GUI.

Links to More Info: BT1062953

Component: TMOS

Symptoms:
If there are hundreds of partitions and changes to the configuration are made via the GUI, the configuration save can hang. When the configuration save hangs, all subsequent configuration saves will not complete.

Conditions:
-- Hundreds of partitions with objects contained in them.
-- Changing config via the GUI.

Impact:
Subsequent attempts to save the configuration will not complete.

Workaround:
For this scenario, syscalld is the process that created
the tmsh process to save the config where the tmsh process hangs. A restart of syscalld using bigstart restart syscalld will kill the hung syscalld and tmsh processes and restore services.

Fix:
N/A


1062513 : GUI returns 'no access' error message when modifying a GTM pool property.

Links to More Info: BT1062513

Component: Global Traffic Manager (DNS)

Symptoms:
When you modify a GTM pool property and then click "Update," the next page displays the error message "No access."

When you modify GTM pool properties using the GUI, the properties do not update or display.

Conditions:
This occurs when you modify a GTM pool property using the GUI.

Impact:
You cannot change a GTM pool property using the GUI.

Workaround:
Use TMSH to change the GTM pool property.
OR
Click on "Update" a second time in the GUI.

Fix:
N/A

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1062445 : CVE-2021-3467: jasper-libs vulnerability: NULL pointer dereference

Component: TMOS

Symptoms:
A NULL pointer dereference flaw was found in Jasper in the way it handled component references in the CDEF box in the JP2 image format decoder. This flaw allows a specially crafted JP2 image file to cause an application using the Jasper library to crash when opened. The highest threat from this vulnerability is system availability.

Conditions:
JasPer before 2.0.26

Impact:
NULL pointer dereference causes the system to crash & there by rendering the system unavailable

Workaround:
N/A

Fix:
jasper-libs patched to mitigate CVE-2021-3467


1062441 : CVE-2021-26927: jasper-libs vulnerability: Null pointer dereference in jp2_decode

Component: TMOS

Symptoms:
A flaw was found in jasper before 2.0.25. A null pointer dereference in jp2_decode in jp2_dec.c may lead to program crash and denial of service.

Conditions:
JasPer before 2.0.25

Impact:
Null pointer dereference which results in denial of service

Workaround:
N/A

Fix:
jasper-libs patched to mitigate CVE-2021-26927


1062433 : CVE-2021-3443: jasper-libs vulnerability: JP2 image file

Component: TMOS

Symptoms:
A NULL pointer dereference flaw was found in the way Jasper versions before 2.0.27 handled component references in the JP2 image format decoder. A specially crafted JP2 image file could cause an application using the Jasper library to crash when opened.

Conditions:
A specially crafted JP2 image file could cause an application using the Jasper library to crash when opened.

Impact:
NULL pointer dereference causes the application to crash

Workaround:
N/A

Fix:
jasper-libs patched to mitigate CVE-2021-3443


1062429 : CVE-2021-26926: jasper-libs vulnerability: out of bounds read

Component: TMOS

Symptoms:
A flaw was found in jasper before 2.0.25. An out of bounds read issue was found in jp2_decode function which may lead to disclosure of information or program crash

Conditions:
JasPer before 2.0.25

Impact:
This flaw can lead to disclosure of information or program crash

Workaround:
N/A

Fix:
jasper-libs patched to mitigate CVE-2021-26926


1062425 : CVE-2016-9396: jasper-libs vulnerability: Denial of service

Component: TMOS

Symptoms:
The JPC_NOMINALGAIN function in jpc/jpc_t1cod.c in JasPer through 2.0.12 allows remote attackers to cause a denial of service (JPC_COX_RFT assertion failure) via unspecified vectors.

Conditions:
JasPer before 2.0.12

Impact:
Remote attackers can cause denial of service via unspecified vectors

Workaround:
N/A

Fix:
jasper-libs patched to mitigate CVE-2016-9396


1062417 : CVE-2016-9398: jasper-libs vulnerability: denial of service via unspecified vectors

Component: TMOS

Symptoms:
The jpc_floorlog2 function in jpc_math.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via unspecified vectors

Conditions:
JasPer before 1.900.17

Impact:
Remote attackers can cause denial of service via unspecified vectors

Workaround:
N/A

Fix:
jasper-libs patched to mitigate CVE-2016-9398


1062409 : CVE-2016-8886: jasper-libs vulnerability: Memory allocation failire

Component: TMOS

Symptoms:
The jas_malloc function in libjasper/base/jas_malloc.c in JasPer before 1.900.11 allows remote attackers to have unspecified impact via a crafted file, which triggers a memory allocation failure.

Conditions:
All the versions till 1.900.11 are vulnerable for this

Impact:
remote attackers can trigger memory allocation failure via a crafted file.

Workaround:
N/A

Fix:
jasper-libs patched to mitigate CVE-2016-8886


1062333 : Linux kernel vulnerability: CVE-2019-19523

Component: TMOS

Symptoms:
A flaw was found in the Linux kernel’s implementation for ADU devices from Ontrak Control Systems, where an attacker with administrative privileges and access to a local account could pre-groom the memory and physically disconnect or unload a module.

Conditions:
The attacker must be able to access either of these two events to trigger the use-after-free, and then race the access to the use-after-free, to create a situation where key USB structs can be manipulated into corrupting memory.

Impact:
An attacker could pre-groom the memory and physically disconnect or unload a module.

Workaround:
N/A

Fix:
Kernel patched to mitigate CVE-2019-19523

Fixed Versions:
16.1.2.2


1062105 : For specific configurations (Auto-Added Signature Accuracy and Case Sensitive parent policy), child security policy fails to create.

Links to More Info: BT1062105

Component: Application Security Manager

Symptoms:
1. Creation of child security policy fails when it should not.
2. GUI shows wrong value for Auto-Added Signature Accuracy in creation page of the child policy.

Conditions:
1. Create a parent policy with the following settings:

   - Policy is Case Sensitive set to disable.
   - Auto-Added Signature Accuracy set to low.

Note: these values are not the default values related to the template used in the policy. For example: Fundamental, Comprehensive, and RDP templates.

2. Try to create a policy using the above parent policy.

Impact:
Creation of child policy

Workaround:
Send REST command with minimumAccuracyForAutoAddedSignatures field under 'signature-settings' and not from the outer level.

Fix:
N/A


1061929-1 : Unable to perform IPI update (through proxy) after upgrade to 15.1.4.&start;

Links to More Info: BT1061929

Component: Advanced Firewall Manager

Symptoms:
After upgrading, the IPI database fails to update. During system start, iprepd logs an error:
"Cannot connect to host api.bcti.brightcloud.com: No route to host".

Conditions:
IPI update occurs through a proxy server.

Impact:
IPI update fails.

Workaround:
N/A

Fix:
IPI updates now work through a proxy after an upgrade.

Fixed Versions:
15.1.5.1


1061797 : Upgraded AWS CloudFormation Helper Scripts which now support IMDSv2

Links to More Info: BT1061797

Component: TMOS

Symptoms:
For AWS's CloudFormation to work with IMDSv2, the Helper Script module had to be upgraded.

Conditions:
Using AWS CloudFormation for IMDSv2-only instances

Impact:
The Helper scripts throw a "No Handler found" error when used to launch IMDSv2 instances

Fix:
With the latest version of BIG-IP VE, you can now launch IMDSv2 instances using AWS's CloudFormation templates.

Fixed Versions:
15.1.5.1, 16.1.2.2


1061617 : Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters".

Links to More Info: BT1061617

Component: Application Security Manager

Symptoms:
The following Attack Signatures are not identified if "Handle Path Parameters" = "As Parameters".
200001660, 200001663, 200007032, 200101543, 200101632, 200101635, 200101638, 200101641, 200101644

Conditions:
- Configure "Handle Path Parameters" = "As Parameters"
 - Enable URL attack signatures 200001660, 200001663, 200007032, 200101543, 200101632, 200101635, 200101638, 200101641, 200101644

Impact:
Some URL attack signatures are not detected by ASM.

Fixed Versions:
16.1.2.2


1060933 : Issue with input normalization.

Component: Application Security Manager

Symptoms:
Under certain conditions, attack signature violations may not be triggered.

Conditions:
- ASM provisioned with XML content profile
- Request contains XML body

Impact:
Attack detection is not triggered as expected.

Workaround:
None

Fix:
Attack detection is now triggered as expected.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1060833 : After handling a large number of connections with firewall rules that log or report translation fields or server side statistics, TMM may crash.

Links to More Info: BT1060833

Component: Advanced Firewall Manager

Symptoms:
TMM crashes.

The 'virt_cnt' column in the tmctl 'string_cache_stat' table continues to grow over time, and diverges significantly from the 'phys_cnt' column.

Conditions:
-- Enforced AFM firewall policies configured in multiple contexts (global, route domain, virtual server)

-- Large number of connections that matches rules in multiple contexts

-- AFM configured in at least one of the following ways:

--+ Stats collection enabled and collecting server-side stats enabled. Stats collection is enabled by default. Collecting server-side statistics ("security analytics settings acl-rules { collect-server-side-stats }") is not enabled by default.
--+ ACL logging enabled, and the logging of translation fields enabled.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
Disable logging and reporting of server-side information in AFM firewall ACLs.

After making these changes, it may be necessary to restart TMM once.

Fix:
N/A


1060625-2 : Wrong INTERNAL_IP6_DNS length.

Links to More Info: BT1060625

Component: TMOS

Symptoms:
Tunnel establishment fails when an IPv6 DNS IP address is provided in the IKE_AUTH payload. As per RFC it should be 16 octets, but BIG-IP sends 17 octets(that is, it tries to provide the subnet info also).

Conditions:
Initiator requests an IPv6 DNS IP during tunnel negotiation.

Impact:
Tunnel will not establish.

Workaround:
None

Fix:
The INTERNAL_IP6_DNS payload is now filled with only the IPv6 address (the subnet is excluded).

Fixed Versions:
16.1.2.2


1060409 : Behavioral DoS enable checkbox is wrong.

Links to More Info: BT1060409

Component: Anomaly Detection Services

Symptoms:
Behavioral DoS Enabled indicator is wrongly reported after configuration change, when no traffic is injected to the virtual server.

Conditions:
Behavioral DoS is enabled and then disabled when no traffic is injected to the virtual server.

Impact:
After server health is stabilized and constant, the BIG-IP system doesn't report the configuration changes.

Workaround:
Send 1-2 requests to the server and the configuration will be updated.

Fix:
Behavioral DoS enabled/disabled flag is now reported correctly.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1060321 : TMM crash on reload of HTML processing rules under OOM conditions.

Component: TMOS

Symptoms:
The filters using HTML parsing infrastructure may cause tmm to crash on configuration changes in certain rare conditions.

Conditions:
-- TMM is running out of memory.
-- The configuration changes for one of the affected profiles that trigger reload of HTML processing rules: HTML, REWRITE in uri-translation mode, FPS, DOSL7, PEM, RISK.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed an issue that could cause a crash when tmm is running out of memory.


1060181-4 : SSL handshakes fail when using CRL certificate validator.

Links to More Info: BT1060181

Component: TMOS

Symptoms:
Some SSL handshakes are reset with "SSL Handshake timeout exceeded" reset.

Conditions:
Client SSL profile with CRL certificate validator.
Client SSL certificate authentication enabled.

Impact:
SSL handshakes fail.

Workaround:
None

Fix:
SSL handshakes are now successful.

Fixed Versions:
15.1.5.1


1060149 : BIG-IP vCMP guest data-plane failure with turboflex-adc selected on the host.

Links to More Info: BT1060149

Component: TMOS

Symptoms:
-- Interfaces in the vCMP guest may remain uninitialized.
-- 'Invalid VCMP PDE state version' log in /var/log/tmm*.

Conditions:
-- BIG-IP i5xxx/i7xxx/i10xxx/i11xxx platform.
-- vCMP provisioned.
-- turboflex-adc profile selected.

Impact:
Affected guest is non-functional.

Workaround:
Use the turboflex-base profile.

Fix:
N/A

Fixed Versions:
16.1.2.2


1059853-1 : Long loading configuration time after upgrade from 15.1.3.1 to 16.1.2.&start;

Links to More Info: BT1059853

Component: TMOS

Symptoms:
Tmsh load sys config/tmsh load sys config verify takes much longer (~10x).

Conditions:
While loading config tmsh load sys config verify.

Impact:
Configuration loading takes a long time (more than 8 minutes).

Workaround:
N/A

Fix:
N/A

Fixed Versions:
16.1.2.2


1059621 : IP Exceptions feature and SSRF feature do not work as expected if both the entries are configured with the same IP/IPs.

Links to More Info: BT1059621

Component: Application Security Manager

Symptoms:
IP Exceptions/SSRF does not work as expected if the same IPs are configured in both IP Exception and SSRF.

Conditions:
- Enable XFF Header.
- Configure same IP/IPs in both SSRF and IP Exceptions.
- Send traffic with xff header and URI parameter.

Impact:
One of the IP Exceptions or SSRF features do not work as expected.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
16.1.2.2


1059573 : Variation in a case insensitive value of an operand in LTM policy may fail in some rules.

Links to More Info: BT1059573

Component: Local Traffic Manager

Symptoms:
LTM policy engine compiles a policy into a state machine. If there is a variation of the same case insensitive value for an operand, the state machine may fail to properly build all rules, using this value. An example of a variation is a list of words like "Myself", "myself", "MYself", "mySElf", "MYSELF".

Conditions:
-- LTM policy is configured and attached to a virtual server.
-- The policy has variation in a case insensitive value of an operand.

Impact:
An expected rule does not apply: either a wrong rule is applied, or no rule is applied, causing incorrect traffic processing.

Workaround:
Eliminate variation in any case insensitive value of any operand. For example, replace all variations in the mentioned list with "myself".

Fix:
When there is a variation in a case insensitive value of an operand, BIG-IP will correctly handle it and compiles the policy so the rules with the variations are correctly applied to processing traffic.


1059185 : iControl REST Hardening

Component: TMOS

Symptoms:
Under certain conditions iControl REST does not follow current best practices.

Conditions:
- Authenticated administrative user
- iControl REST request

Impact:
iControl REST does not follow current best practices.

Workaround:
N/A

Fix:
iControl REST now follows current best practices.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1059165 : Multiple virtual server pages fail to load.

Links to More Info: BT1059165

Component: TMOS

Symptoms:
Virtual server-related pages fail to load in the GUI.

Conditions:
This issue is observed only when the DOS module is provisioned.

Impact:
Virtual server properties do not load.

Workaround:
None

Fix:
Virtual Server pages now load successfully.

Fixed Versions:
16.1.2.2


1059053 : Tmm crash when passing traffic over some configurations with L2 virtual wire

Links to More Info: BT1059053

Component: Local Traffic Manager

Symptoms:
In very rare cases, tmm crashes while passing traffic over some configurations with L2 virtual wire.

Conditions:
-- L2 wire setup
-- A routing error occurs

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Modified code to prevent such crashes.

Fixed Versions:
15.1.5.1, 16.1.2.2


1058677 : Not all SCTP connections are mirrored on the standby device when auto-init is enabled.

Links to More Info: BT1058677

Component: TMOS

Symptoms:
When auto-init is enabled, Not all SCTP connections are mirrored to the standby device.

Conditions:
-- SCTP Profile and Mirroring.
-- Auto initialization is enabled.

Impact:
Only half of the connections are mirrored to the standby device.

Workaround:
Disable auto initialization:

tmsh modify ltm message-routing diameter peer <affected_peer> { auto-initialization disabled }

Fix:
SCTP connections are mirrored successfully to standby device.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1058645 : ipsecalg blocks Sophos ISAKMP negotiation during tunnel setup.

Links to More Info: BT1058645

Component: Advanced Firewall Manager

Symptoms:
Sophos IPsec clients cannot connect to a Sophos firewall when ipsecalg is configured on the forwarding virtual server.

The Sophos client initially attempts to start the tunnel using aggressive mode. The Sophos firewall does not support remote users attempting aggressive mode and responds with Notify Message Type INVALID-PAYLOAD-TYPE. The tunnel setup cannot proceed correctly after that point.

Conditions:
-- Sophos client is installed on remote user devices.
-- Sophos firewall is the remote endpoint in the IPsec tunnel.

Note: The Sophos client and firewall combination is the only known failing use-case.

Impact:
Sophos clients cannot start an IPsec tunnel.

Workaround:
The Sophos client cannot be configured to use main mode instead of starting with aggressive mode. The Sophos firewall does not support aggressive mode for remote user IPsec tunnels.

Therefore, create an iRule and add the iRule to the ipsecalg virtual server. The iRule simply contains this:

when SERVER_DATA {
# Only execute on first server side packet of conflow.
event disable

if { [UDP::payload length] < 40 } { return; }
binary scan [UDP::payload] x8x8cH2cx9x10S payload_type ver exch_type noti_type

# Depending on throughput, the amount of logging here may be problematic
#log local0. "payload_type : $payload_type"
#log local0. "ver : $ver"
#log local0. "exch_type : $exch_type"
#log local0. "noti_type : $noti_type"

if { $payload_type == 11 && $ver == 10 && $exch_type == 5 && $noti_type == 1 } {
log local0. "Closing ipsecalg connection"
after 1 { reject }
}
}

Fix:
Sophos clients can now bring up an IPsec tunnel with a Sophos firewall.

Fixed Versions:
14.1.4.6, 15.1.5.1


1058597 : Bd crash on first request after system recovery.

Links to More Info: BT1058597

Component: Application Security Manager

Symptoms:
Bd crashes on the first request.

Conditions:
The system is out of disk space while creating the ASM policy.

Impact:
The security configuration is incomplete with missing data.

Workaround:
-- Remove the ASM policy from the virtual server to avoid the bd crash.
-- Go to the cookie protection screen and reconfigure the secure and fast algorithm.
-- Re-attach the security policy to the virtual server.

Fix:
N/A


1058469 : Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working.

Links to More Info: BT1058469

Component: Local Traffic Manager

Symptoms:
A virtual server which is part of an iApp service and which was previously working correctly now rejects all traffic.

Upon inspecting the log, entries similar to the following examples may be noticed:

==> /var/log/tmm <==
<13> Oct 28 23:41:36 bigip1 notice hudfilter_init: clientside matches TCP position. 0 0

==> /var/log/ltm <==
Oct 28 23:41:36 bigip1 err tmm[21251]: 01010008:3: Proxy initialization failed for /Common/my.app/my-vs. Defaulting to DENY.
Oct 28 23:41:36 bigip1 err tmm[21251]: 01010008:3: Listener config update failed for /Common/my.app/my-vs: ERR:ERR_UNKNOWN

Conditions:
This issue is known to occur when strict-updates is disabled for an iApp service which includes a non-default NTLM profile.

Impact:
Traffic outage as the affected virtual server(s) no longer passes any traffic.

Workaround:
To recover an affected system, either restart TMM (bigstart restart tmm) or delete and redeploy the iApp service.

To prevent this issue from occurring again, modify the iApp configuration to use the default NTLM profile rather than a custom one (if the iApp template involved allows this).

Fix:
Disabling strict-updates for an iApp service, which includes a non-default NTLM profile, no longer causes virtual servers associated with the profile to suddenly stop working.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1058401 : SSL Bypass does not work for inbound traffic

Links to More Info: BT1058401

Component: SSL Orchestrator

Symptoms:
Per-request policy's SSL Bypass Set agent does not bypass TLS traffic for inbound topology.

Conditions:
-- SSL Orchestrator is licensed and provisioned.
-- Per-request policy is attached to interception rules and SSL Bypass Set agent is used in the policy.

Impact:
BIG-IP/SSL Orchestrator does not bypass the TLS traffic for inbound topology.

Fix:
SSL Bypass Set agent in the per-request policy now bypasses TLS traffic for inbound topology.

Fixed Versions:
16.1.2.2


1057809 : Saved dashboard hardening

Component: TMOS

Symptoms:
Saved dashboards do not follow current best practices.

Conditions:
- Authenticated administrative user
- Saved dashboard

Impact:
Dashboards do not follow current best practices.

Workaround:
N/A

Fix:
Saved dashboards now follow current best practices.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1057801 : TMUI does not follow current best practices

Component: TMOS

Symptoms:
The TMUI does not follow current best practices.

Conditions:
- Authenticated administrative user
- TMUI request

Impact:
TMUI does not follow current best practices.

Workaround:
N/A

Fix:
TMUI now follows current best practices.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1057457 : CVE-2015-9019: libxslt vulnerability: math.random()

Component: TMOS

Symptoms:
In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.

Conditions:
where the EXSLT math.random function was called by applications.

Impact:
It could cause usage of this function to produce predictable outputs

Workaround:
Applications using libxslt that rely on non-repeatable randomness should be seeding the system PRNG (srand()) themselves, as they would if calling rand() directly.

Fix:
libxslt patched to resolve CVE-2015-9019


1057449 : CVE-2015-7995 libxslt vulnerability: Type confusion may cause DoS

Component: TMOS

Symptoms:
A type confusion vulnerability was discovered in the xsltStylePreCompute() function of libxslt. A remote attacker could possibly exploit this flaw to cause an application using libxslt to crash by tricking the application into processing a specially crafted XSLT document.

Conditions:
By tricking the application into processing a specially crafted XSLT document.

Impact:
A remote attacker could possibly exploit this flaw to cause an application using libxslt to crash.

Workaround:
N/A

Fix:
libxslt patched to mitigate CVE-2015-7995


1057445 : CVE-2019-13118 libxslt vulnerability: uninitialized stack data

Component: TMOS

Symptoms:
In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.

Conditions:
When processing the number formatting options at xsltFormatNumberConversion() libxslt uses a too narrow data type, which end up truncating the format character data.

Impact:
This triggers a read from an uninitialized memory position from stack which will be further added to final formatted XML output.

Workaround:
N/A

Fix:
libxslt patched to mitigate CVE-2019-13118


1057441 : CVE-2016-1683 chromium-browser vulnerability: out-of-bounds access in libxslt

Component: TMOS

Symptoms:
numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles namespace nodes, which allows remote attackers to cause a denial of service (out-of-bounds heap memory access) or possibly have unspecified other impact via a crafted document.

Conditions:
numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles namespace nodes,

Impact:
It allows remote attackers to cause a denial of service (out-of-bounds heap memory access) or possibly have unspecified another impact via a crafted document.

Workaround:
N/A

Fix:
libxslt patched to mitigate CVE-2016-1683


1057437 : CVE-2019-13117 libxslt vulnerability: uninitialized read in xsltNumberFormatInsertNumbers

Component: TMOS

Symptoms:
In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.

Conditions:
While processing the format string xsltNumberFormatTokenize() eventually let a few tokens
uninitialized on token list, this leads to a further uninitialized read scenario at xsltNumberFormatInsertNumbers() function. An attacker may leverage this by creating a crafted XSL file and as consequence a few bytes from the stack are revealed.

Impact:
This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.

Workaround:
N/A

Fix:
libxslt patched to mitigate CVE-2019-13117


1057433 : CVE-2016-1684 chromium-browser vulnerability: integer overflow in libxslt

Component: TMOS

Symptoms:
numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles the i format token for xsl:number data, which allows remote attackers to cause a denial of service (integer overflow or resource consumption) or possibly have unspecified other impact via a crafted document.

Conditions:
libxslt component of the Chromium browser

Impact:
It allows remote attackers to cause a denial of service (integer overflow or resource consumption) or possibly have unspecified another impact via a crafted document.

Workaround:
N/A

Fix:
libxslt patched to mitigate CVE-2016-1684


1057393 : CVE-2019-18197 libxslt vulnerability: use after free in xsltCopyText

Component: TMOS

Symptoms:
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.

Conditions:
This is basically a use-after-free error that only happened when a node's text content was freed and the same memory area was reused for another node's text content. In glibc's memory allocator it causes either use-of-uninitialized-value or causes an abort.

Impact:
If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.

Workaround:
N/A

Fix:
libxslt patched to mitigate CVE-2019-18197


1057149 : CVE-2019-11068 libxslt vulnerability: xsltCheckRead and xsltCheckWrite

Component: TMOS

Symptoms:
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

Conditions:
An application that uses these APIs, and allows attackers to load arbitrary URLs.

Impact:
This could cause a security bypass ie invalid/malicious URLs considered valid and processed.

Workaround:
This flaw only applies to applications compiled against libxml2 which use xsltCheckRead and xsltCheckWrite functions and/or allow users to load arbitrary URLs to be parsed via libxml2. In all other cases, applications are not vulnerable.

Fix:
libxslt patched to mitigate CVE-2019-11068


1057061 : BIG-IP Virtual Edition + security-log-profile (HSL) performance issue with Log Translation Fields.

Component: Advanced Firewall Manager

Symptoms:
When using a security log profile that has Log Translation Fields enabled, CPU usage is unusually high.

Conditions:
-- AFM provisioned
-- One or more security log profiles has “Log Translation Fields” enabled

Impact:
Excessive CPU utilization when compared to the same configuration with Log Translation Fields disabled.

Workaround:
N/A

Fix:
Fixed a performance issue with the Log Translation Fields setting.


1056993 : 404 error is raised on GUI when clicking "App IQ."

Component: TMOS

Symptoms:
When the App IQ menu option is clicked in the GUI workflow, (GUI: System ›› Configuration >> App IQ) the result is "Not Found. The requested URL was not found on this server."

Conditions:
Clicking the App IQ menu option in the GUI workflow, GUI: System ›› Configuration >> App IQ.

Impact:
Not able to access App IQ page.

Workaround:
Navigate directly to the following page on your BIG-IP (replacing <BIG-IP> with the IP/hostname of the system):

https://<BIG-IP>/tmui/tmui/system/appiq_ng/views/settings.html

Fix:
N/A

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1056933 : TMM may crash while processing SIP traffic

Component: Service Provider

Symptoms:
Under certain conditions, TMM may coredump while processing SIP traffic

Conditions:
- SIP ALG is configured

Impact:
TMM crash leading to a traffic interruption and failover event.

Workaround:
By using SIP::discard under specific conditions in SIP_RESPONSE iRule.

Fix:
SIP traffic is now processed as expected.

Fixed Versions:
14.1.4.6, 15.1.5, 16.1.2.2


1056741-1 : ECDSA certificates signed by RSA CA are not selected based by SNI.

Links to More Info: BT1056741

Component: TMOS

Symptoms:
Attempts to select a client-ssl profile based on the certificate subject/SAN will not work for ECDSA certificates if ECDSA cert is signed by RSA CA. Even when the SNI in the client hello matches the certificate subject/SAN, BIG-IP selects the default client SSL profile.

Conditions:
-- ECDSA certificate signed by RSA CA.
-- Client SSL profile does not have "server name" option configured.

Impact:
The desired client-ssl profile is not selected for ECDSA hybrid certificates when the SNI matches the certificate subject/SAN.

Workaround:
Do not use hybrid certificates or configure the "server name" option in the client-ssl profile matching SNI.

Fix:
N/A

Fixed Versions:
15.1.5.1, 16.1.2.2


1056401 : Valid clients connecting under active syncookie mode might experience latency.

Links to More Info: BT1056401

Component: Local Traffic Manager

Symptoms:
Valid clients that connect using active syncookie mode might experience latency.

Conditions:
- SYN Cookie (Hardware or Software) is enabled.
- SYN Cookies are activated (TCP Half Open) for the virtual server.
- Fastl4 tcp-generate-isn option or SYN-ACK vector 'suspicious event count' options are enabled.
- SYN Cookie issue and validation with client is correct.
- SSL Client Hello packet sent by client reaches DHD right after TCP SYN packet is sent to backend server.

Impact:
Random connections could be disrupted.

Fix:
N/A

Fixed Versions:
15.1.5.1, 16.1.2.2


1056365 : Bot Defense injection does not follow best SOP practice.

Component: Application Security Manager

Symptoms:
In specific cases, Bot Defense challenge does not follow Same Origin Policy.

Conditions:
Bot Defense Profile is attached to VS.

Impact:
In some cases, Bot Defense Injection does not follow Same Origin Policy.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
16.1.2.2


1055925 : TMM may crash while processing traffic on AWS

Component: TMOS

Symptoms:
Under certain conditions, TMM may crash while processing traffic with the DPDK/ENA driver on AWS systems.

Conditions:
-- BIG-IP Virtual Edition (VE) on AWS configured with the XNet DPDK/ENA driver.

Impact:
TMM restart, leading to a failover event.

Workaround:
Configure BIG-IP VE to use the sock driver instead of the default XNet driver.

Modify (or create, if not present) the file /config/tmm_init.tcl on the affected BIG-IP systems, and add the following lines to it:

device driver vendor_dev 1d0f:ec20 sock
ndal force_sw_tcs off 1d0f:ec20

Then restart TMM:

bigstart restart tmm

Note: Restarting TMM causes a failover (or an outage if there is no high availability (HA) peer available).

Fix:
TMM now processes traffic as expected when using the XNet DPDK/ENA driver on AWS.


1055737 : TMM may consume excessive resources while processing HTTP/2 traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions TMM may consume excessive resources while processing HTTP/2 traffic

Conditions:
- HTTP/2 profile enabled
- Undisclosed conditions

Impact:
Excessive resource consumption potentially leading to decreased performance or a failover event.

Workaround:
N/A

Fix:
TMM now processes HTTP/2 traffic as expected

Fixed Versions:
16.1.2.2


1055361 : Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash.

Links to More Info: BT1055361

Component: SSL Orchestrator

Symptoms:
Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a TMM crash.

Conditions:
Suspending iRule command in L7CHECK_CLIENT_DATA

Example:

ltm rule /Common/rule-a {
when L7CHECK_CLIENT_DATA {
        after 10000
        }
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use Suspending iRule command in L7CHECK_CLIENT_DATA.

Fix:
Fixed a TMM crash.

Fixed Versions:
15.1.5.1, 16.1.2.1


1055097 : TCP proxy with ramcache and OneConnect can result in out-of-order events, which stalls the flow.

Links to More Info: BT1055097

Component: Local Traffic Manager

Symptoms:
Because the client resends the request, the connection is not lost, but is stalled for a considerable time.

Conditions:
-- virtual server running affected version has both webacceleration and OneConnect profiles.
-- The response has 'Cache-Control: no-cache' header.

Impact:
The stalled connection causes slow response times for application users.

Workaround:
Remove the configuration for either the OneConnect or Caching profile.

Fix:
N/A

Fixed Versions:
16.1.2.2


1053589-2 : DDoS functionality cannot be configured at a Zone level

Links to More Info: BT1053589

Component: Advanced Firewall Manager

Symptoms:
DDoS functionality is supported at the global and virtual server level.

Conditions:
DDoS functionality configured on the BIG-IP system.

Impact:
Cannot enable DDoS at the Zone level.

Workaround:
N/A

Fix:
DDoS functionality is now enabled at the Zone level.

Behavior Change:
Limited DDoS functionality is supported at the scope of a Zone, which is group of VLANs. Thus, DDoS functionality is now supported at the global, Zone, and virtual server levels.


1053309 : Localdbmgr leaks memory while syncing data to sessiondb and mysql.

Component: Access Policy Manager

Symptoms:
Top output shows that localdbmgr memory increases steadily.

Conditions:
Localdb auth is enabled or localdb is used for storing APM-related information like for MDM intune.

Impact:
Localdbmgr is killed by oom killer and is restarted, thereby affecting the execution of access policies.

Workaround:
N/A

Fix:
N/A


1053173 : Support for MQTT functionality over websockets.

Component: Local Traffic Manager

Symptoms:
MQTT does publish and receive messages for data through websockets.

Conditions:
-- Virtual server configured with an MQTT profile and a websocket profile
-- Selection of associated MQTT ports for the relevant broker

Impact:
No impact

Workaround:
None

Fix:
BIG-IP virtual servers now support MQTT configuration over websockets.


1053149 : A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received.

Links to More Info: BT1053149

Component: Local Traffic Manager

Symptoms:
Depending on the software version running on the BIG-IP system, this issue can manifest in one of two ways:

- Versions with the fix for ID1008077 will fail to forward the client's final ACK (from the TCP 3-way handshake) to the server. Eventually, once the TCP handshake timeout expires, the BIG-IP system will reset both sides of the connection.

- Versions without the fix for ID1008077 will forward the traffic correctly, but will not advance the internal FastL4 state for the connection. Given enough traffic for the same 4-tuple, the connection may never expire. Traffic for subsequent connections will appear to be forwarded correctly, but no load-balancing will occur due to the original connection not having expired yet.

Conditions:
A FastL4 TCP connection not completing the TCP handshake correctly, and the client retrying with a new (different SEQ number) SYN.

Impact:
Traffic failures (intended as either connections failing to establish, or improper load-balancing occurring).

Fix:
A FastL4 TCP connection which is yet to fully establish now correctly updates its internal SEQ space when a new SYN is received. This means the connection advances as it should through internal FastL4 states, and is removed from the connection table when the connection closes.


1052929 : MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized.

Links to More Info: BT1052929

Component: Local Traffic Manager

Symptoms:
When MCPD starts, it may log an error message reporting an issue communicating with the onboard FIPS HSM. If the HSM is uninitialized, this message is erroneous, and an be ignored.

Depending on the hardware platform, the message may be one of the following:

err mcpd[12345]: 01b50049:3: FIPSUserMgr Error: An internal login failure is being experienced on the FIPS card. Please issue 'FIPSutil loginreset -r' followed by 'bigstart restart' for a password reset. You will need your FIPS Security Officer password to reset the password..
err mcpd[12345]: 01b50049:3: FIPSUserMgr Error: An internal login failure is being experienced on the FIPS card. The FIPS card must be reinitialized, which will erase its contents..

Conditions:
-- BIG-IP system with an onboard FIPS HSM, or a vCMP guest running on a BIG-IP system with an onboard FIPS HSM
-- the FIPS HSM is not initialized, i.e. "fipsutil info" reports "FIPS state: -1".

Impact:
This message can be ignored when the FIPS HSM is not in-use, and is uninitialized.

Workaround:
Initialize the FIPS HSM following the instructions in the F5 Platforms : FIPS Administration manual.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1052781-1 : JavaScript obfuscation is very slow.

Links to More Info: BT1052781

Component: Fraud Protection Services

Symptoms:
The Obfuscator process creates only one file at a time, rather than large batches. Therefore the creation of the full set takes a long time.

Conditions:
Clientside Defense is provisioned.

Impact:
High CPU usage on device.

Workaround:
N/A

Fix:
N/A


1052317 : The BIG-IP system does not output the show security nat source-translation command.

Component: Advanced Firewall Manager

Symptoms:
The tmsh show security nat source-translation command contains no output.

Conditions:
-- Static NAT is enabled

Impact:
An error occurs:
01020002:3: A null pointer was passed into a function.

Workaround:
None

Fix:
The tmsh show security nat source-translation command now shows the expected output.


1052173 : For wildcard SSRF hosts "Matched Disallowed Address" field is wrong in the SSRF violation.

Links to More Info: BT1052173

Component: Application Security Manager

Symptoms:
"Matched Disallowed Address" and "Actual Disallowed Address" both are shown as same "Actual Disallowed Address" only.

Conditions:
- configure wildcard SSRF host

Impact:
Misleading SSRF violation details

Workaround:
None.

Fixed Versions:
16.1.2.2


1052153-3 : Signature downloads for traffic classification updates via proxy fail

Links to More Info: BT1052153

Component: Traffic Classification Engine

Symptoms:
Downloading IM package via proxy fails.

Conditions:
Downloading the IM file through a proxy.

Impact:
Auto-download IM package from f5.com will fail

Workaround:
Disable the proxy and trigger the IM package download from the management interface.

Fix:
Fixed an issue with downloading updates through a proxy.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1051561 : iControl REST request hardening

Component: TMOS

Symptoms:
iControl REST does not follow current best practices.

Conditions:
- iControl REST request

Impact:
iControl REST does not follow current best practices.

Workaround:
N/A

Fix:
iControl REST now follows current best practices.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1051305 : CVE-2021-34798: A NULL pointer dereference in httpd via malformed requests

Links to More Info: K72382141


1051213 : Increase default value for violation 'Check maximum number of headers'.

Links to More Info: BT1051213

Component: Application Security Manager

Symptoms:
Due to recent change in browsers, up to 7 headers are newly inserted in the request.

In ASM, there is default limit of 20 headers. So, when legitimate requests have more than 20 headers, they're blocked with violation "Maximum Number of Headers exceeded".

Conditions:
When the number of headers passed in request is greater than the value of maximum number of headers set, then this violation is raised.

Impact:
Legitimate requests are blocked with violation "Maximum Number of Headers exceeded" when number of header is greater than the value set for the policy (default 20).

Workaround:
Increase "Check maximum number of headers" to 30 under Learning and Blocking settings screen for a policy.

Fix:
Increased default value of maximum number of headers to 30.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1051209 : BD may not process certain HTTP payloads as expected

Component: Application Security Manager

Symptoms:
Under certain conditions BD may not process HTTP payloads as expected.

Conditions:
- HTTP request

Impact:
Payloads are not processed as expected, potentially leading to missed signature matches.

Workaround:
N/A

Fix:
BD now processes HTTP payloads as expected.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1050969 : After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid

Links to More Info: BT1050969

Component: TMOS

Symptoms:
Running clear-rest-storage removes all the available tokens as well as cookie files from /var/run/pamchache.

Conditions:
Run the clear-rest-storage command.

Impact:
All users are logged out of the GUI.

Workaround:
Re-login.

Fix:
Clear-rest-storage should only remove tokens not cookies.

Fixed Versions:
15.1.5.1, 16.1.2.2


1050697 : Traffic learning page counts Disabled signatures when they are ready to be enforced

Component: Application Security Manager

Symptoms:
The traffic learning page counts Disabled signatures when they are ready to be enforced.

Conditions:
Policy has a disabled signature.

Impact:
Traffic learning page shows different counts of "ready to be enforced" signatures compared to Security ›› Application Security : Security Policies : Policies List ›› <policy name>

Workaround:
None

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1050537 : GTM pool member with none monitor will be part of load balancing decisions.

Links to More Info: BT1050537

Component: Global Traffic Manager (DNS)

Symptoms:
A GTM pool member containing no monitor (status=BLUE) is not included in load balancing decisions.

Conditions:
GTM pool member the monitor value set to none.

Impact:
GTM does not load balance to this pool member.

Workaround:
N/A

Fix:
Handled GTM pool with "none" monitor

Behavior Change:
GTM pool members with "none" monitor are now part of load balancing decisions

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1050413 : Drive model HGST HUS722T1TALA604 must be added to pendsect drives.xml.

Links to More Info: BT1050413

Component: TMOS

Symptoms:
When using the hard drive model HGST HUS722T1TALA604, pendsect does not recognize the hard drive and skips during sector checks.

Conditions:
- Using a HGST HUS722T1TALA604 hard drive on a BIG-IP system.
- Pendsect runs a sector check.

Impact:
Warning messages like the following will be logged to /var/log/messages:
-- warning pendsect[31898]: skipping drive -- Model: HDC WD1005FBYZ-01YCBB2
-- warning pendsect[31898]: No known drives detected for pending sector check. Exiting

Pendsect can't properly check the hard drive.

Workaround:
Give write permissions to modify file:
chmod u+w /etc/pendsect/drives.xml

Open the file and add the following at the end of the file, before default:
<snip>
         <HUS722T1TA>
            <offset firmware="RAGNWA09">0</offset>
            <offset firmware="default">0</offset>
            <family> "HA210"</family>
            <wd_name>"Ultrastar"</wd_name>
         </HUS722T1TA>
         <DEFAULT>
              <firmware version="default">
                     <offset>0</offset>
              </firmware>
              <name> "UNKNOWN"</name>
              <family> "UNKNOWN"</family>
              <wd_name>"UNKNOWN"</wd_name>
         </DEFAULT>
   </model>
  </drives>

Save and close the file.

Remove write permissions so that no one accidentally modifies this file:
chmod u-w /etc/pendsect/drives.xml



Run the following command and check /var/log/messages to verify no errors are seen:
/etc/cron.daily/pendsect

Fix:
N/A


1050393 : Dynamic VLAN support in BIG-IP Virtual Edition

Component: Local Traffic Manager

Symptoms:
Dynamic VLAN's can be created in BIG-IP Virtual Edition but they do not work. Packets are dropped when configured as Interface in virtual-wire mode.

Conditions:
Dynamic VLAN configuration on BIG-IP Virtual Edition

Impact:
Support for Dynamic VLAN is present in Hardware but not on Virtual Edition.

Workaround:
None

Fix:
Adding vlan_add_interface in Virtual Edition case after validating trunk cases & Regression fix for Trunk cases getting failed for a delete VLAN interface in BIG-IP Virtual Edition.


1050273 : ERR_BOUNDS errors observed with HTTP explicit proxy service in SSL Orchestrator.

Links to More Info: BT1050273

Component: SSL Orchestrator

Symptoms:
The following similar error log messages repeated many times:

err tmm[13905]: 01c80017:3: CONNECTOR: Listener=/Common/sslo_intercept.app/sslo_intercept-in-t-4, Profile=/Common/ssloS_httpEpxy.app/ssloS_httpEpxy-t-4-connector: Error forwarding egress to return virtual server (null) - ERR_BOUNDS
err tmm8[13905]: 01c50003:3: Service : encountered error: ERR_BOUNDS File: ../modules/hudfilter/service/service_common.c Function: service_cmp_send_data, Line: 477

Conditions:
1. SSL Orchestrator with HTTP explicit proxy as a service.
2. System is under load.
3. On VELOS platform.

Impact:
SSL Orchestrator throughput is degraded.

Workaround:
N/A

Fix:
After the fix, no such errors are observed and the throughput is back to normal.

Fixed Versions:
15.1.5


1049229 : When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays.

Links to More Info: BT1049229

Component: Advanced Firewall Manager

Symptoms:
An authenticated administrative user tries to create a sub-rule under the Network Firewall rule list from the GUI and is redirected to a 'No Access' error page.

Conditions:
This error can occur when you create a sub-rule under the Network Firewall rule list in the TMOS GUI on a version of BIG-IP (including engineering hotfixes) that include the fixes for BIG-IP bugs ID1032405 and ID941649.

Impact:
The user cannot create a sub-rule under the Network Firewall rule list in the TMOS GUI.

Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.

Fix:
After the fixes for ID1032405 and ID941649 are installed, the "No Access" errors no longer occur when you create a sub-rule under the Network Firewall rule list in the TMOS GUI.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


1049213 : A new disaggregation (DAG) mode based on TEID field in GTP-U header is introduced

Component: Protocol Inspection

Symptoms:
The default DAG mode uses the source and destination ports for hash calculation to distribute the traffic across TMMs. This does not scale well for GTP-U traffic since the source and destination port are unchanged (default well known port 2152).

This results in a single TMM (CPU) processing all the GTP-U packets results in high load on a single CPU whilst the other CPUs are underutilized.

Conditions:
GTP-U traffic uses the same source and destination well known port 2152.

Impact:
One CPU being overloaded where as other CPUs are under utilized.

Fix:
A new disaggregation (DAG) mode for GTP-U traffic is introduced to effectively distribute the traffic across different TMM's and thereby proper utilization of CPU resources.

This can be enabled/disabled by configuring sys db variable "iptunnel.gtp.teid_hash". This sys db variable is set to disabled by default. When enabled, this behavior is applied to only GTP-U traffic when it matches the below criteria:
- GTP-U version needs to be 1 (GTP-U v1)
- Source and destination ports need to be 2152.

Behavior Change:
When the new disaggregation (DAG) mode is enabled for GTP-U traffic by configuring "iptunnel.gtp.teid_hash", the TEID field in the GTP-U header is used to calculate the hash to disaggregate the packets to TMMs.

NOTE: The source-address translation is not supported for GTP-U traffic processing virtual when this mode is enabled. The source-port is preserved, and no ephemeral port is used to create connections on the BIG-IP.


1048913 : APM internal virtual server leaks memory under certain conditions.

Links to More Info: BT1048913

Component: Access Policy Manager

Symptoms:
The internal virtual server used for APM leaks memory while passing traffic.

Conditions:
1. Client/Backend is slow in responding to packets from the BIG-IP system.
2. There is some congestion on the network which prompts BIG-IP to throttle egress.

Impact:
TMM memory use grows over time. This will lead to out-of-memory for TMM and eventually trigger a restart. Traffic is disrupted while TMM restarts.

Workaround:
N/A

Fix:
N/A


1048853 : "IKE VBUF" memory leak debug.

Links to More Info: BT1048853

Component: TMOS

Symptoms:
The memory increase is seen through tmctl memory_usage_stat when ipsec-sa are deleted and new ipsec-sa are created.

Conditions:
A tunnel connection exists between the BIG-IP initiator and responder.

Impact:
Memory consumption increases after every ipsec-sa delete operation when the new ipsec-sa is created.

Workaround:
N/A

Fix:
Fixed a memory leak related to ipsec-sa.


1048685 : Rare TMM crash when using Bot Defense Challenge

Links to More Info: BT1048685

Component: Application Security Manager

Symptoms:
When using the Bot Defense Profile on Blocking mode, TMM could crash on rare cases with a core dump.

Conditions:
Using the Bot Defense profile on blocking mode.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM will no longer crash on rare conditions when using the Bot Defense Challenge


1048541 : Certificate Order Manager: renew requests to the Comodo (now Sectigo) CA are unsuccessful.

Links to More Info: BT1048541

Component: TMOS

Symptoms:
A BIG-IP Administrator utilizing the 'Certificate Order Manager' feature is unable to renew SSL certificates issued by the Comodo (now Sectigo) certification authority.

Conditions:
Using the 'Certificate Order Manager' feature on BIG-IP to renew SSL certificates issued by the Comodo (now Sectigo) certification authority.

Impact:
The renew requests fail.

Fix:
The renew requests now succeed.

Fixed Versions:
15.1.5.1, 16.1.2.2


1048445 : Accept Request button is clickable for unlearnable violation illegal host name

Links to More Info: BT1048445

Component: Application Security Manager

Symptoms:
For the following violations:
- VIOL_HOSTNAME (Hostname violation)
- VIOL_HOSTNAME_MISMATCH (Hostname mismatch violation)

The accept button is clickable when it should not. Accept Request button should be disabled for this violations.

Conditions:
Generate an illegal host name or hostname mismatch violation.

Impact:
Request will not be accepted even though you have elected to accept the illegal request.

Workaround:
Do not accept the request to hostname and hostname mismatch violation, no ASM config changes will be triggered.

Fixed Versions:
16.1.2.2


1048141 : Sorting pool members by 'Member' causes 'General database error'

Links to More Info: BT1048141

Component: TMOS

Symptoms:
The configuration utility (web UI) returns 'General database error' when sorting pool members. The pool member display does not work for the duration of the login.

Conditions:
Sorting the pool member list by member.

Impact:
A pool's pool member page cannot be displayed.

Workaround:
Clear site and cached data on browser and do not sort by pool member.

Fix:
Pool members can be sorted by member.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1048137 : IPsec IKEv1 intermittent but consistent tunnel setup failures

Links to More Info: BT1048137

Component: TMOS

Symptoms:
IKEv1 tunnels fail to start or re-key after an upgrade.

Conditions:
-- IPsec IKEv1 tunnels

Impact:
IPsec tunnels will not work as expected.

Workaround:
The only workaround is to switch to IKEv2.

Fix:
Internal message handling related to IKEv2 high availability (HA) has changed, unintentionally breaking IKEv1's ability to keep tunnel states up-to-date. IKEv1 can now track tunnel state correctly.

Note: IKEv1 high availability (HA) / mirroring is still not supported and there is no plan to support it.


1048033 : Server-speaks-first traffic might not work with SSL Orchestrator

Links to More Info: BT1048033

Component: SSL Orchestrator

Symptoms:
Server-speaks-first traffic does not pass through BIG-IP SSL Orchestrator. BIG-IP does not do service chaining to the service that has port-remap enabled.

Conditions:
- Interception Rule has verified accept enabled.
- Security policy is service chaining and port-remap is enabled on one of the security services

Impact:
Connection does not succeed, client sees a reset after timeout.

Workaround:
Disable port-remap on service and redeploy.

Fix:
Fix SSL Orchestrator connector to handle server-speaks-first traffic. After fix, server speaks first traffic will work even with port-remap enabled on the service.

Fixed Versions:
16.1.2.2


1047933 : Virtual server security policy - An error has occurred while trying to process your request

Links to More Info: BT1047933

Component: Advanced Firewall Manager

Symptoms:
While loading the security tab page in the virtual server configuration page, you see an error: "An error has occurred while trying to process your request"

Conditions:
This is encountered when clicking the security tab in the virtual server configuration page, when there are a large number of virtual servers on the BIG-IP system (~2500).

Impact:
Delay in security tab page loading times and possible page timeout.

Workaround:
None

Fix:
Updated the back-end logic to return details related to requested virtual server instead of all virtual servers.


1047581 : Ramcache can crash when serving files from the hot cache

Links to More Info: BT1047581

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, TMM may crash when processing traffic for a virtual server that uses RAM Cache.

Conditions:
- RAM Cache configured
- Document served not out of the hotcache
- The server served with must-revalidate.
- The server 304 contains a 0 byte gzip payload

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
16.1.2.2


1047389 : Bot Defense challenge hardening

Links to More Info: BT1047389

Component: Application Security Manager

Symptoms:
Under certain conditions, the Bot Defense profile does not follow current best practices.

Conditions:
Bot Defense profile used

Impact:
The Bot Defense profile does not follow current best practices.

Workaround:
None

Fix:
The Bot Defense profile now follows current best practices.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1047377 : "Server-speak-first" traffic might not work with SSL Orchestrator

Links to More Info: BT1047377

Component: SSL Orchestrator

Symptoms:
Server-speaks-first traffic does not pass through BIG-IP SSL Orchestrator. BIG-IP does not perform a TCP three-way handshake to the server.

Conditions:
SSL Orchestrator interception rule has an attached security policy that is service chaining and at-least one service has port-remap enabled.

Impact:
Connection does not succeed, client sees a reset after timeout.

Workaround:
Disable port-remap on service and redeploy.

Fix:
Fix SSL Orchestrator connector to handle server speaks first traffic. After fix, server-speaks-first traffic will work even with port-remap enabled on the service.

Fixed Versions:
16.1.2.2


1047213 : VPN Client to Client communication fails when clients are connected to different TMMs.

Links to More Info: BT1047213

Component: TMOS

Symptoms:
Client-to-client communication between APM VPN clients connected to different TMMs does not work.

Conditions:
-- Clustered multiprocessing (CMP) is enabled.

Impact:
Client to client communication over the network access connection fails.

Workaround:
Demote the virtual server from CMP processing.

# tmsh modify ltm virtual <virtual> cmp-enabled no

Fix:
N/A

Fixed Versions:
16.1.2.2


1047169 : GTM AAAA pool can be deleted from the configuration despite being in use by an iRule.

Links to More Info: BT1047169

Component: TMOS

Symptoms:
A BIG-IP Administrator is incorrectly able to delete a GTM AAAA pool from the configuration, despite this object being referenced in an iRule in use by an AAAA wideip.

An error similar to the following example will be visible in the /var/log/gtm file should the iRule referencing the pool run after the pool has been deleted:

err tmm[11410]: 011a7001:3: TCL error: Rule /Common/my_rule <DNS_REQUEST> - GTM Pool 'my_pool' of type 'A' not found (line 1)GTM Pool 'my_pool' of type 'A' not found (line 1) invoked from within "pool my_pool"

Note the error message incorrectly reports the pool as type A (it should report type AAAA).

Conditions:
-- Two GTM pools of type A and AAAA share the same exact name (which is legal).

-- The pool name is referenced in an iRule by the 'pool' command.

-- The iRule is in use by an AAAA wideip.

-- A BIG-IP Administrator attempts to delete the AAAA pool.

Impact:
The system incorrectly allows the deletion of the AAAA pool from the configuration.

Consequently, the next time the GTM configuration is reloaded from file, the operation will fail.

Additionally, traffic which relied on the pool being present in the configuration will fail.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1047089-1 : TMM may terminate while processing TLS/DTLS traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions TMM may terminate while proxying traffic between TLS and DTLS.

Conditions:
- Virtual configured for server-side DTLS
- Virtual configured for client-side TLS

Impact:
TMM may terminate, leading to a failover event.

Workaround:
N/A

Fix:
TMM may no longer be configured for DTLS/TLS gateway traffic.

Fixed Versions:
14.1.4.6, 15.1.5, 16.1.2.2


1047053 : TMM may consume excessive resources while processing RTSP traffic

Component: Service Provider

Symptoms:
Under certain conditions, TMM may consume excessive resources while processing RTSP traffic.

Conditions:
- RTSP profile enabled
- Undisclosed traffic

Impact:
An increase in TMM resource utilization, potentially leading to a crash and failover event.

Workaround:
N/A

Fix:
TMM now processes RTSP traffic as expected.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5, 16.1.2.2


1046785 : Missing GTM probes when max synchronous probes are exceeded.

Links to More Info: BT1046785

Component: Global Traffic Manager (DNS)

Symptoms:
GTM probes are missing, resources are marked down.
When instances fail and BIG-IP is not aware of the failure, some virtual servers/pool members are marked as available and some objects are marked down on part of the sync group members.

In the /var/log/gtm file, the following message may be seen:

011ae116:4: The list processing time (x seconds) exceeded the interval value. There may be too many monitor instances configured with a y second interval

Note that this message is only logged once when gtmd is restarted, or when monitors are added or removed in the gtm configuration.

Conditions:
Max synchronous probes are exceeded. This value is controlled by the GTM global variable max-synchronous-monitor-requests.

Impact:
-- Resources are marked down.
-- Inconsistent monitor statuses across BIG-IP DNS systems in a single sync group
-- Because some monitor instances don't have monitor traffic, if an instance fails, the BIG-IP DNS systems may not be aware of the failure.

Workaround:
Increase the value of Max Synchronous Monitor Requests:

tmsh modify gtm global-settings metrics max-synchronous-monitor-requests value <value - default is 20>

Fix:
All monitors are now allowed to probe without triggering a failure.

Fixed Versions:
13.1.5, 15.1.5.1, 16.1.2.2


1046693 : TMM with BFD confgured might crash under significant memory pressure

Links to More Info: BT1046693

Component: TMOS

Symptoms:
TMM might crash when processing BFD traffic under high memory pressure.

Conditions:
- BFD in use.
- TMM under high memory pressure.

Impact:
Traffic disrupted while tmm restarts.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1046669 : The audit forwarders may prematurely time out waiting for TACACS responses

Links to More Info: BT1046669

Component: TMOS

Symptoms:
If a TACACS server takes longer than five seconds to respond, the audit forwarder will reset the connection.

Conditions:
-- Using remote TACACS logging.
-- TACACS server takes longer than 5 seconds to respond to logging requests.

Impact:
Misleading log messages.

Fix:
The time that a BIG-IP system will wait for a response from a TACACS server is now configurable using the DB variable config.auditing.forward.tacacs.timeout.response.

Behavior Change:
The time that a BIG-IP system will wait for a response from a TACACS server is now configurable using the DB variable config.auditing.forward.tacacs.timeout.response.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1046633 : Rare tmm crash when sending packets to apmd fails

Links to More Info: BT1046633

Component: Access Policy Manager

Symptoms:
Tmm crashes while passing APM traffic

Conditions:
iRules involving ACCESS::session evaluate, or presence of access per-request policies that involves apmd like ldap/saml authentication.

Impact:
Traffic disrupted while tmm restarts.


1046317 : Violation details are not populated with staged URLs for some violation types

Component: Application Security Manager

Symptoms:
The "Triggered Violations" field in the event log screen and corresponding data in remote logging is not populated.

Conditions:
- The URL is in staging
- The triggered violation is one of the following violations
VIOL_MANDATORY_REQUEST_BODY
VIOL_URL_CONTENT_TYPE
VIOL_METHOD

Impact:
Lack of details in the request log event.

Workaround:
None

Fix:
This defect is closely related to ID1036305 and both defects are fixed together


1045549 : BFD sessions remain DOWN after graceful TMM restart

Links to More Info: BT1045549

Component: TMOS

Symptoms:
BFD sessions remain DOWN after graceful TMM restart

Conditions:
TMM is gracefully restarted, for example with 'bigstart restart tmm' command.

Impact:
BFD sessions remain DOWN after graceful TMM restart

Workaround:
After restarting TMM, restart tmrouted.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1045421 : No Access error when performing various actions in the TMOS GUI

Links to More Info: K16107301, BT1045421

Component: TMOS

Symptoms:
An authenticated administrative user is redirected to a 'No Access' error page while performing various actions in the TMOS GUI, including when trying to:
-- Apply a policy to a virtual server
-- Import images (TMOS images / hotfixes / apmclients)
-- Export/apply an APM policy
-- Run the high availability (HA) setup wizard
-- Export a certificate/key through one of the following paths:
    ---- System / Certificate Management : Traffic Certificate Management : SSL Certificate List / test-renew-self-sign / Renew
    ---- DNS / GSLB : Pools : Pool List / Click Testpool / Click Members / Click Manage
    ---- System / Software Management : APM Clients / Import
    ---- System / Certificate Management : Traffic Certificate Management : SSL Certificate List / NewSSLCert / Certificate / Export / Click Download

Conditions:
This may occur when performing various actions in the TMOS GUI on a version of BIG-IP software (including Engineering Hotfixes) that includes fixes for ID1032405 :: https://cdn.f5.com/product/bugtracker/ID1032405.html and ID941649 :: https://cdn.f5.com/product/bugtracker/ID941649.html .

Impact:
Cannot perform various actions in the TMOS GUI.

Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.

Fix:
'No Access' errors no longer occur when performing various actions in the TMOS GUI under these conditions.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


1045229 : APMD leaks Tcl_Objs as part of the fix made for ID 1002557

Links to More Info: BT1045229

Component: Access Policy Manager

Symptoms:
APMD memory grows over time causing OOM killer to kill apmd

Conditions:
Access policy has resource assignment agents/variable assignments

Impact:
APMD memory grows over time and OOM killer may terminate apmd thereby affecting traffic. Access traffic disrupted while apmd restarts.

If APMD is not killed by OOM killer the system may start thrashing and become unstable, generally resulting in cores from innocent processes that are no longer scheduled correctly - keymgmtd, bigd, mcpd are typical victims.
Ultimately system may restart automatically as watchdogs fail.

Fixed Versions:
14.1.4.5, 15.1.5.1, 16.1.2.2


1045101 : Bd may crash while processing ASM traffic

Component: Application Security Manager

Symptoms:
Bd may crash when handling HTTP requests with APM and ASM.

Conditions:
- ASM and APM are provisioned
- Session awareness is enabled and "Use APM Username and Session ID" is selected in "Application Username" configuration
- Specially crafted HTTP request

Impact:
Bd crash leading to a traffic disruption and failover event.

Workaround:
N/A

Fix:
Bd now process ASM and APM traffic as expected.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5, 16.1.2.1


1045065 : Enable traffic group modification in source-translation object

Links to More Info: BT1045065

Component: Advanced Firewall Manager

Symptoms:
You are unable to modify the traffic group in an address translation policy using tmsh.

Conditions:
This is encountered if you wish to use tmsh to change the traffic group.

Impact:
Traffic group can be modified in NAT source translation object using tmsh.

Workaround:
None

Fix:
The traffic group can be modified in NAT source translation object using tmsh.

Fixed Versions:
15.1.4.1


1044425 : NSEC3 record improvements for NXDOMAIN

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP DNSSEC NSEC3 records for NXDOMAIN responses can be improved to support current best practices.

Conditions:
- DNSSEC zone configured

Impact:
BIG-IP DNSSEC NSEC3 records for NXDOMAIN responses do not follow current best practices.

Workaround:
N/A

Fix:
BIG-IP DNSSEC NSEC3 records for NXDOMAIN responses now follow current best practices.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1044121 : APM logon page is not rendered if db variable "ipv6.enabled" is set to false

Links to More Info: BT1044121

Component: Access Policy Manager

Symptoms:
When accessing a Virtual Server with an access policy, users are redirected to the hangup page.

Conditions:
Db variable "ipv6.enabled" is set to false

Impact:
Users will not be able to access the virtual server and associated resources behind it.

Workaround:
Keep the value of db variable "ipv6.enabled" set to true.

# setdb "ipv6.enabled" true

Fixed Versions:
14.1.4.5, 15.1.5.1, 16.1.2.2


1043805 : ICMP traffic over NAT does not work properly.

Links to More Info: BT1043805

Component: Local Traffic Manager

Symptoms:
ICMP traffic hitting a NAT translation address is dropped and not sent further to the originating address.

Conditions:
-- An LTM NAT is configured.
-- ICMP traffic arrives.

Impact:
ICMP traffic fails to be forwarded over the NAT.


1043533 : Unable to pick up the properties of the parameters from audit reports.

Component: Application Security Manager

Symptoms:
In the GUI under Security ›› Application Security : Audit : Reports, if you select "User-input parameters..." in the menu "Security Policy Audit Reports", then click on the parameter to retrieve the properties, you will see this error:
   " Could not retrieve parameter; Could not get the Parameter, No matching record was found."

Conditions:
1) Create a new parameter.
2) Customize or overwrite an existing ASM signature for the parameter in question.
3) Save and apply to the policy the new changes
4) Go to:
    Security ›› Application Security : Audit : Reports
    Report Type : User-input parameters with overridden attacks signatures (this also happens for other "User-input parameters...")
    Select the parameter to audit
    Error: "Could not retrieve parameter; Could not get the Parameter, No matching record was found."

Impact:
A page error occurs.

Workaround:
1. Open in a separate tab the following screen: Security ›› Application Security : Parameters : Parameters List
2. Under "Parameter List" title, there is a filter dropdown with the "Parameter Contains" texting.
3. On the blank part (before "Go" button) type the name of the required parameter.
4. You will get the desired page with the desired parameter properties.

Fixed Versions:
15.1.5.1, 16.1.2.2


1043513 : ASM rest API endpoints to upload/import a security policy into a partition.

Component: Application Security Manager

Symptoms:
A partition's restricted Application Security Editor is not able to upload files to /tm/asm/file-transfer/uploads/

Conditions:
Using partition's restricted user role "Application Security Editor".

Impact:
Partition's restricted Application Security Editor is not able to import policy using REST API calls.

Workaround:
None


1043385 : No Signature detected If Authorization header is missing padding.

Links to More Info: BT1043385

Component: Application Security Manager

Symptoms:
If the Authentication scheme value in the Authorization header contains extra/missing padding in base64, then ASM does not detect any attack signatures.

Conditions:
HTTP request with Authorization header contains base64 value with extra/missing padding.

Impact:
Attack signature not detected.

Workaround:
N/A

Fix:
Base64 values with extra/missing padding has been handled to detect attack signature

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1043357 : SSL handshake may fail when using remote crypto client

Links to More Info: BT1043357

Component: Local Traffic Manager

Symptoms:
ServerSSL handshake fails when verifying ServerKeyExchange message.

Conditions:
Remote crypto client is configured and the ServerSSL profile connects using an ephemeral RSA cipher suite.

Impact:
The virtual server is unable to connect to the backend server.

Workaround:
Use non-ephemeral RSA or ECDSA cipher suite on ServerSSL.

Fix:
Fix remote crypto client.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1043281 : OpenSSL vulnerability CVE-2021-3712

Links to More Info: K19559038


1043277 : 'No access' error page displays for APM policy export and apply options.

Links to More Info: K06520200, BT1043277

Component: TMOS

Symptoms:
An authenticated administrative user is redirected to a 'NO ACCESS' error page while exporting/applying an APM policy in the TMOS GUI.

Conditions:
This issue can occur when exporting/applying an APM policy in the TMOS GUI on a version of BIG-IP software (including Engineering Hotfixes) that includes fixes for ID1032405 :: https://cdn.f5.com/product/bugtracker/ID1032405.html and ID941649 :: https://cdn.f5.com/product/bugtracker/ID941649.html.

Impact:
Cannot export/apply an APM policy in the TMOS GUI.

Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.

Fix:
'No Access' errors no longer occur when exporting/applying an APM policy in the TMOS GUI under these conditions.

Fixes introduced for ID1045421 and ID1049229 (i.e., both fixes) resolve this issue.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1


1043217 : NTLM frontend auth fails with the latest Microsoft RDP client on MacOS 14.0.1 platform

Component: Access Policy Manager

Symptoms:
NTLM frontend auth fails with the latest Microsoft RDP client on MacOS 14.0.1 platform

Conditions:
Windows Server configured as a back-end and BIG-IP is acting as an RDP gateway. After recent upgrade of MacOS Client (iOS 14.0.1), the Remote desktop starts failing.

Latest Microsoft RDP clients mandate below three flags as part of NTLM CHALLENGE message which will sent from NTLM Auth Server/Proxy

1.NTLMSSP_NEGOTIATE_KEY_EXCH
2.NTLMSSP_NEGOTIATE_VERSION
3.NTLMSSP_REQUEST_TARGET

Due to this, RDP client rejecting the NTLM challenge, and authentication is failing.

Impact:
Users won't be able to establish RDP sessions to the backend Windows Server

Fix:
Updated the ECA (NTLM frontend auth service) to include these flags as part of NTLM Challenge.


1043017 : Virtual-wire with standard-virtual fragmentation

Links to More Info: BT1043017

Component: Local Traffic Manager

Symptoms:
A standard virtual-server configured on top of a virtual-wire has unexpected handling of fragmented IP traffic.

Conditions:
Standard virtual-server configured on top of a virtual-wire handling fragmented IP traffic.

Impact:
- Fragments missing on egress.
- Packet duplication on egress.

Workaround:
Use fastl4 virtual-server instead.

Fixed Versions:
14.1.4.6, 16.1.2.2


1042993 : Provisioning high availability (HA) setup wizard fails to load, reports 'No Access'

Links to More Info: K19272127, BT1042993

Component: TMOS

Symptoms:
An authenticated administrative user is redirected to a 'NO ACCESS' error page while running the high availability (HA) setup wizard.

Conditions:
This may occur when running the high availability (HA) setup wizard in the TMOS GUI on a version of BIG-IP software (including Engineering Hotfixes) that includes fixes for ID1032405 :: https://cdn.f5.com/product/bugtracker/ID1032405.html and ID941649 :: https://cdn.f5.com/product/bugtracker/ID941649.html .

Impact:
You are unable to run/finish the Config Sync/HA setup wizard to completion.

Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.

Fix:
'NO ACCESS' error pages no longer appear while running the high availability (HA) setup wizard in the TMOS GUI under these conditions.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1


1042917 : Using 'Full Export' of security policy should result with no diffs after importing it back to device.

Links to More Info: BT1042917

Component: Application Security Manager

Symptoms:
'Declarative policy import' is adding entities into the policy according what it has in the JSON file.

When it imports the policy builder settings, some automatic changes are created in the policy, and it may override other entities which were added before.

Conditions:
Policy builder settings are added in import after other affected entities were added before.

Impact:
The resulted policy will be different from the exported policy.

Workaround:
N/A

Fix:
'Declarative Policy import' first adds the policy builder settings, and all other affected entities are imported only after it, and in this way the resulted policy is the same as the exported one.

Fixed Versions:
16.1.2


1042913-3 : Pkcs11d CPU utilization jumps to 100%

Links to More Info: BT1042913

Component: Local Traffic Manager

Symptoms:
CPU utilization of pkcs11d increases to 100%.

Conditions:
This occurs when pkcs11d is disconnected from the external HSM.

Impact:
As the pkcs11d consumes most of the CPU, other processes are starved for CPU.

Workaround:
None.

Fix:
Pkcs11d no longer consumes 100% CPU when it is disconnected from the external HSM.

Fixed Versions:
16.1.2.2


1042605 : ASM Critical Warnings during UCS load after upgrade to v15.1.0 or above&start;

Links to More Info: BT1042605

Component: Application Security Manager

Symptoms:
Following an upgrade, an error occurs:
ERROR: Failed during loading ASM configuration.

An "ASM critical warning" banner is displayed in the ASM GUI.

Conditions:
-- ASM is upgraded to v15.1.0 or above
-- The following query returns results prior to upgrading:

SELECT policy_name_crc FROM DCC.ACCOUNTS accounts WHERE policy_name NOT IN (SELECT name FROM PLC.PL_POLICIES)

Impact:
ASM upgrade is aborted due to an exception:
Can't call method "clear_traffic_data" on unblessed reference

Fixed Versions:
15.1.5.1, 16.1.2.2


1042589 : Wrong trunk_id is associated in bcm56xxd.

Links to More Info: BT1042589

Component: TMOS

Symptoms:
When a set of interfaces are moved from one trunk to another, the now empty trunk is left with a valid association in bcm56xxd, and deleting that trunk can cause a valid trunk to be removed in the BCM hardware.

'tmsh show net trunk MY_TRUNK' shows the trunk is UP, but in fact the trunk is unconfigured in hardware.

Conditions:
Moving the interfaces across trunks.
i.e.
tmsh modify net trunk MY_OLD_TRUNK interfaces none
tmsh modify net trunk MY_NEW_TRUNK interfaces add { 1.1 1.2 }
tmsh delete net trunk MY_OLD_TRUNK

Impact:
May cause an L2 traffic loop.


1042509 : On an HTTP2 gateway virtual server, TMM does not ever update the stream's window for a large POST request

Links to More Info: BT1042509

Component: Local Traffic Manager

Symptoms:
On an HTTP2 gateway virtual server (HTTP/2 on clientside, no httprouter profile), TMM does not update the stream's window (i.e. acking data at the HTTP/2 stream layer). This causes large HTTP requests with payloads (i.e. POSTs) to stall and eventually time out.

TMM does sometimes send WINDOW_UPDATE messages for the entire connection, but not for the stream. Since flow control is required at both the connection and stream levels, the client stalls out.

Conditions:
-- Virtual server with HTTP2 profile
-- Configured as HTTP2 Gateway (HTTP2 profile on clientside and no 'httprouter' profile)
-- Client sends large data transfer to the virtual server

Impact:
Client data transfer through HTTP/2 virtual server (POST / PUT / etc) fails.

Workaround:
Use an HTTP router profile (assign the 'httprouter' profile to the virtual server, or select the 'HTTP MRF Router' option in TMUI)

Fixed Versions:
16.1.2.2


1042505 : Session variable "session.user.agent" does not get populated for edge clients

Links to More Info: BT1042505

Component: Access Policy Manager

Symptoms:
Access policy agents and iRules that depend on "session.user.agent" session variable fail to execute properly.

Conditions:
Access polices have agents that depend on the value of session variable "session.user.agent" for its execution.

Impact:
Any access policy agents that depend on this session variable will not be able to follow the rules.

Workaround:
An iRule can be used to generate a session variable. For example:

# This event fires once per session
when ACCESS_SESSION_STARTED {
  log local0. "Setting User-Agent based on HTTP data - [HTTP::header User-Agent]"
  ACCESS::session data set session.custom.client.useragent [HTTP::header User-Agent]
  #Use this variable in the VPE to make some decision
}

Fix:
Fix now sets the session variable properly.


1042153 : AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN.

Component: Advanced Firewall Manager

Symptoms:
The BIG-IP system is unable to restore the Timestamp (by replacing the TS cookie) when the packet is offloaded to hardware. This happens only when TS cookie enabled on either of the VLANS (client/server), when the TS cookie enabled on both the VLAN no issues are seen.

Conditions:
Configure TCP BADACK Flood DDoS vector to start mitigation at a given value and enable TS cookies on the server VLAN.

Impact:
The TS cookie will not be restored to its original value when the SYN packet is processed by software in BIG-IP and the SYNACK will be handled by the hardware in BIG-IP. As s result, end-hosts (client/server) RTT calculation is incorrect and causes various issues (ex : blocks the Internet access from hosts in the backend infrastructure).

Workaround:
Use fastL4 profile with EST mode i.e. change the 'pva-offload-state to EST'

Fix:
Restoring the Timestamp is fine.


1042069 : Some signatures are not matched under specific conditions.

Component: Application Security Manager

Symptoms:
Some signatures are not matched and attack traffic can pass through.

Conditions:
There are more than 20 signatures that have a common keyword with a signature that does not match (and has a common keyword and a new keyword).

Impact:
Attacking traffic can bypass the WAF.

Workaround:
N/A

Fix:
Attack signatures that share words with other attack signatures will be matched correctly now.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2.1


1042009 : Mcpd fails to reply if a request is proxied to another daemon and the connection to that daemon closes

Links to More Info: BT1042009

Component: TMOS

Symptoms:
Mcpd does not reply to the request if the publisher's connection closes/fails, in this case when bcm56xxd
is restarted. The perceivable signs of the failure are the snmpwalk failing with a timeout and the
"MCPD query response exceeding" log messages

Conditions:
1) Configure snmp on the BIG-IP so you can run snmpwalk locally on the BIG-IP.

2) From one session on the BIG-IP, run a snmpwalk in the while loop.
    
while true;do date; snmpwalk -v2c -c public 127.0.0.1 sysDot1dbaseStat;sleep 2;done

Sample output:

Sat Aug 21 00:57:23 PDT 2021
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatResetStats.0 = INTEGER: 0
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatMacAddr.0 = STRING: 0:23:e9:e3:8b:41
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatNumPorts.0 = INTEGER: 12
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatType.0 = INTEGER: transparentonly(2)

3) From a second session on the BIG-IP restart bcm56xxd

bigstart restart bcm56xxd

4a) the snmpwalk will continually report the following:

Timeout: No Response from 127.0.0.1

And snmpd will continually log "MCPD query response exceeding" every 30 seconds in /var/log/ltm

Impact:
SNMP stopped responding to queries after upgrade

Workaround:
Snmpd restart

Fixed Versions:
13.1.5, 14.1.4.6, 16.1.2.2


1041865 : Correctable machine check errors [mce] should be suppressed

Links to More Info: BT1041865

Component: TMOS

Symptoms:
Log emerg in kern.log similar to:
  emerg kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 10: cc003009000800c1

Conditions:
Correctable errors can be identified by analyzing the 16‐bit value shown in bits [31:16] of the 64‐bit error from the /var/log/kern.log message. When bits [31:16] = 0008 this is a correctable error and not failing hardware.

An example is shown below.

Log error matches this pattern:
  Machine Check: 0 [bank number]: [cc003009][0008][00c1]
  bits [31:16] = 0008

Impact:
Correctable errors are logged in kern.log and to the console. There is no functional impact.

Workaround:
None


1041765 : Racoon may crash in rare cases

Links to More Info: BT1041765

Component: TMOS

Symptoms:
Racoon may crash when NAT Traversal is on and passing IPsec traffic in IKEv1.

Conditions:
-- IKEv1 IPsec tunnel configured
-- NAT Traversal is on in ike-peer configuration.

Impact:
Racoon will crash and any IKEv1 tunnels will restart

Workaround:
Use IKEv2 only.

Fix:
This racoon crash has been stopped.

Fixed Versions:
16.1.2.1


1041757 : Legitimate users using new versions of Chromium-based browsers might be mitigated

Links to More Info: BT1041757

Component: Application Security Manager

Symptoms:
Chromium-based browsers are parsed incorrectly, causing them to be falsely classified as Selenium, and therefore mitigated.

Conditions:
-- Bot Defense profile is attached to the virtual server.
-- Bot Defense Browser Verification is 'Verify Before Access' or 'Verify After Access'.
-- Bot Defense Mitigates 'Malicious Bot' class.
-- An end user navigates to a site using a new Chromium-based browser (v89+), such as Opera, Yandex, and others.

Impact:
Legitimate end users are mitigated and being blocked from access.

Workaround:
Add 'Exception' for 'Selenium WebDriver Detected' Anomaly.

Fix:
Legitimate users using new versions of Chromium-based browsers are no longer mitigated.


1041149 : Staging of URL does not affect apply value signatures

Links to More Info: BT1041149

Component: Application Security Manager

Symptoms:
When a URL is staged and a value content signature is detected, the matched request is blocked.

Conditions:
-- URL is set to staging;
-- Only default ("Any") content profile is present, set to apply value signatures (all other content profiles deleted);
-- Request matches attack signature

Impact:
The request for staged URL is blocked

Workaround:
Configure relevant content profiles or leave the default content profiles configuration.

Fix:
Fixed to correctly handle URL staging in case of only "Any" content profile.

Fixed Versions:
15.1.5.1, 16.1.2.2


1040821 : Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes

Links to More Info: BT1040821

Component: TMOS

Symptoms:
Address Translation and Port Translation checkboxes are automatically checked under the virtual server's advanced configuration.

Conditions:
Virtual Server's Advanced configuration option is selected followed by adding an iRule or a pool.

Impact:
The Address and Port translation options are automatically checked when the default is to have them unchecked.

Workaround:
Manually un-check Address Translation and Port Translation checkboxes under virtual server's advanced configuration

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1040685-2 : Core file on blade slot2 after reboot (TMM SIGSEGV in pktclass_classifier)

Links to More Info: BT1040685

Component: Advanced Firewall Manager

Symptoms:
Tmm crashes after reboot.

Conditions:
This is encountered intermittently after rebooting a blade.

Impact:
Slot usable until manual intervention. Traffic disrupted while tmm restarts.

Note: this issue happened only once and no further occurrence was reported.


1040677-1 : BIG-IP D120 platform reports page allocation failures in N3FIPS driver

Links to More Info: BT1040677

Component: Local Traffic Manager

Symptoms:
Despite having free memory, the BIG-IP system logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/6: page allocation failure: order:2, mode:0x204020

After that, a stack trace follows. The process name in the line ('swapper/16', in this example). You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the appliance D120 (iSeries i15820-DF).

Impact:
As different processes can experience this issue, and the system may behave unpredictably. Software installation may fail.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this to 128 MB (131072 KB).

When instantiating this workaround, consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID 851785' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID851785' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on the BIG-IP appliance and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the BIG-IP appliance and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

Fix:
The BIG-IP system no longer experiences excessive kernel page allocation failures.

Fixed Versions:
16.1.1


1040361 : TMM crashes during its startup when TMC destination port list attached/deleted to virtual server.

Links to More Info: BT1040361

Component: Local Traffic Manager

Symptoms:
-- Log message written to TMM log file:
   panic: ../kern/page_alloc.c:736: Assertion "vmem_hashlist_remove not found" failed.

Conditions:
-- Virtual Server using a traffic-matching-criteria (TMC) with a destination-port-list, with multiple distinct ranges of ports.

-- Config changes to virtual server with traffic-matching criteria can cause memory corruption which can lead to delayed TMM crashes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use Traffic Matching Criteria with destination port lists.
TMM restart is required in case the virtual server is modified with traffic-matching-criteria related config.

Fix:
TMM no longer crashes under these conditions.

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2


1040017 : Final ACK validation during flow accept might fail with hardware SYN Cookie

Links to More Info: BT1040017

Component: Local Traffic Manager

Symptoms:
With hardware SYN cookie mode enabled, final ACK validation during flow accept fails and ACK packets are dropped. Such error messages are being logged in LTM logs :

"An Enforced Device DOS attack start was detected for vector TCP half-open"

Conditions:
-- Hardware SYN Cookie is enabled
-- BIG-IP is under TCP half-open attack and packet hits a CMP forwarding flow

Impact:
ACK packets are wrongly dropped, causing traffic interruption.

Workaround:
Disable hardware SYN Cookie


1039725 : Reverse proxy traffic fails when a per-request policy is attached to a virtual server.

Links to More Info: BT1039725

Component: Access Policy Manager

Symptoms:
Reverse proxy or inbound traffic fails during SSL renegotiation when a per-request policy is attached to the virtual server.

Conditions:
-- SSL Orchestrator is licensed and provisioned.
-- Per-request policy is attached to virtual server.
-- Client or backend server initiates SSL renegotiation.

Impact:
Reverse proxy traffic fails during SSL renegotiation.

Workaround:
If renegotiation is not required then it can be disabled on BIG-IP. The client SSL and server SSL profiles have 'Renegotiation' settings. If it is set to disabled, BIG-IP or SSL Orchestrator does not do SSL renegotiation.

Fix:
Reverse proxy or inbound traffic no longer fails during SSL renegotiation when per-req policy is attached to the virtual server.


1039553 : Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitors

Links to More Info: BT1039553

Component: Global Traffic Manager (DNS)

Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up, depending on the monitor's configuration).

Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.

-- The monitor tries to match an HTTP status code other than 200 (for example, 301).

-- The monitor uses HTTP version 1.0 or 1.1 for the request (the default is 0.9).

Impact:
The system incorrectly considers all non-200 responses a failed monitor attempt, despite what the user specified as acceptable status codes in the monitor's configuration. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.

Workaround:
You can work around this issue in any of the following ways:

-- Use HTTP version 0.9 for the monitor requests.

-- Match on the 200 HTTP status code.

-- Do not use HTTP status matching altogether.

Fix:
GTM HTTP(S) monitors using HTTP version 1.0 or 1.1 can now successfully match status codes other than 200 in the response.

Fixed Versions:
15.1.5, 16.1.2.1


1039361 : [GraphQL] In case of more than one malformed violation, the first is reported multiple times

Links to More Info: BT1039361

Component: Application Security Manager

Symptoms:
In a scenario where the incoming GraphQL request has more than one malformed violation, the details of the reported malformed violations will include the first reported string only.

Conditions:
GraphQL request has more than one malformed violation.

Impact:
Missing information from Request Log.


1039329 : MRF per peer mode is not working in vCMP guest.

Links to More Info: BT1039329

Component: Service Provider

Symptoms:
MRF diameter setup, in peer profile "auto-initialization" and "per peer" mode are enabled, but no connection attempts towards the pool member occur.

When the mode is switched to "per tmm" or "per blade", connections are established.

Conditions:
The peer connection mode in the peer profile is set to "per peer".

Impact:
The "per peer" setting does not work.

Workaround:
Switch the connection mode to "per tmm" or "per blade"

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1


1039245 : Policy Properties screen does not load and display

Component: Application Security Manager

Symptoms:
On the Security ›› Application Security : Security Policies : Policies List page, if you click one of the policies, the page gets stuck in " Loading policy general settings... "

Conditions:
This occurs if you try to view a policy that has no template associated

Impact:
Unable to use the GUI for the affected ASM policies.

Workaround:
# cp /var/ts/dms/script/dist/angular/TsuiAngularPoliciesScripts.min.js /shared/TsuiAngularPoliciesScripts.min.js.bk
# chmod 644 /var/ts/dms/script/dist/angular/TsuiAngularPoliciesScripts.min.js
# sed -i -e 's/"POLICY_TEMPLATE_GRAPHQL/p.policy.template\&\&"POLICY_TEMPLATE_GRAPHQL/' /var/ts/dms/script/dist/angular/TsuiAngularPoliciesScripts.min.js
# chmod 444 /var/ts/dms/script/dist/angular/TsuiAngularPoliciesScripts.min.js
# bigstart restart httpd

Fixed Versions:
16.1.2.2


1039145 : Tenant mirroring channel disconnects with peer and never reconnects after failover.

Links to More Info: BT1039145

Component: Local Traffic Manager

Symptoms:
`tmctl -d blade ha_stat` shows missing mirroring connections.

Conditions:
This occurs with high availability (HA) pair. This is a VELOS hardware-specific issue.

Impact:
High availability (HA) mirroring does not function correctly.

Workaround:
N/A

Fix:
Fixed high availability (HA) mirroring connections

Fixed Versions:
15.1.4


1039069 : Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049.&start;

Links to More Info: BT1039069

Component: Global Traffic Manager (DNS)

Symptoms:
For more information on the specific issues fixed, please refer to:

https://cdn.f5.com/product/bugtracker/ID1010697.html
https://cdn.f5.com/product/bugtracker/ID1037005.html
https://cdn.f5.com/product/bugtracker/ID1038921.html

Please note the only versions 15.1.3.1 and 16.1.0 are affected.

Conditions:
-- Running BIG-IP version 15.1.3.1 or 16.1.0
-- RESOLV::lookup iRule is used

Impact:
Multiple issues can occur with the RESOLV::lookup command, such as DNS resolutions failing or incorrect DNS responses being received.

Workaround:
None

Fix:
-

Fixed Versions:
15.1.4, 16.1.1


1039049-3 : Installing EHF on particular platforms fails with error "RPM transaction failure"

Links to More Info: BT1039049

Component: TMOS

Symptoms:
-- Installing an EHF fails with the error "RPM transaction failure"

-- Errors similar to the following are seen in the liveinstall.log file:

info: RPM: /var/tmp/rpm-tmp.LooFVF: line 11: syntax error: unexpected end of file
info: RPM: error: %preun(fpga-tools-atlantis-15.1.3-0.0.11.i686) scriptlet failed, exit status 2

Conditions:
-- Installing an EHF that contains an updated version of the 'fpga-tools-atlantis' package
-- Using the following platforms:
  + BIG-IP i4600 / i4800
  + BIG-IP i2600 / i2800
  + BIG-IP i850

Impact:
EHF installation fails.

Workaround:
None

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


1039041-1 : Log Message: Clock advanced by <number> ticks

Links to More Info: BT1039041

Component: Local Traffic Manager

Symptoms:
<ticks> is the number of milliseconds the Traffic Management Microkernel (TMM) clock is out of sync (behind) the system clock because the TMM thread is waiting for a response.

Logs are similar to below.

bigip1 notice tmm15[46856]: 01010029:5: Clock advanced by 103 ticks
bigip1 notice tmm7[46855]: 01010029:5: Clock advanced by 106 ticks
bigip1 notice tmm10[46855]: 01010029:5: Clock advanced by 107 ticks
bigip1 notice tmm25[46856]: 01010029:5: Clock advanced by 113 ticks
bigip1 notice tmm15[46856]: 01010029:5: Clock advanced by 121 ticks
bigip1 notice tmm5[46855]: 01010029:5: Clock advanced by 106 ticks

Conditions:
These logs are seen more frequently in i15820-DF platforms with FIPS enabled, in comparison to other FIPS platforms. The messages are observed during FIPS key lookup in the HSM. These lookups occur either during TMM start/restart or during SSL profile configuration modification.

Impact:
This message may appear intermittently depending on system load and conditions mentioned above, and it does not necessarily indicate system instability or a cause for concern unless accompanied by another error message or at the time of a serious event.

In all the above conditions, clock advance ticks are in the range of 100 - 170.

Fixed Versions:
16.1.2


1038741 : NTLM type-1 message triggers "Unparsable request content" violation.

Links to More Info: BT1038741

Component: Application Security Manager

Symptoms:
When internal parameter for "authorization header decode failure" is disabled, Valid NTLM type-1 message will be blocked with "Unparsable request content" violation.

Conditions:
Disable internal parameter ignore_authorization_header_decode_failure

Impact:
Valid NTLM Type-1 message will be blocked by ASM.

Workaround:
Enable internal parameter ignore_authorization_header_decode_failure, ASM will not block the NTLM type-1 message request

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1038733 : Attack signature not detected for unsupported authorization types.

Links to More Info: BT1038733

Component: Application Security Manager

Symptoms:
ASM does not detect an Unsupported Bearer authorization type that contains header value in base64 format.

Conditions:
HTTP Request containing Bearer Authorization header which
 contain a matching signature in base64 encoded format.

Impact:
ASM does not raise a violation and does not block the request.

Workaround:
N/A

Fix:
ASM decodes base64 value in Bearer Authorization header and perform attack signature matching, raises violation and block request if it contains attack.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1038669 : Antserver keeps restarting.

Links to More Info: BT1038669

Component: SSL Orchestrator

Symptoms:
Antserver keeps restarting, as indicated in /var/log/ecm:

notice ant_server.sh[5898]: starting ant_server on 057caae1e95a11d7ecd1118861fb49f30ce1c22d
notice ant_server.sh[6311]: no ant_server process
notice ant_server.sh[6312]: check: no running ant_server

Conditions:
The Secure Web Gateway is provisioned on i15800 or i15820 platform.

Impact:
User connection will be reset if request or response analytics agent is deployed with per-request policy.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
15.1.5, 16.1.2


1038629-1 : DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client

Links to More Info: BT1038629

Component: Local Traffic Manager

Symptoms:
With the DTLS virtual server, when client sends the CLOSE_NOTIFY alert, BIG-IP is simply closing the connection without sending the CLOSE_NOTIFY back to client as well as the backend server. This causes the backend server to not close/shutdown the connection completely.

Conditions:
This issue occurs with all DTLS virtual servers which has associated client-ssl and server-ssl profiles.

Impact:
Backend server and client will have a dangling connection for certain period of time (Based on the timeout implementation at the respective ends).

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


1038445 : During upgrade to 16.1, the previous FPS Engine live update remains active&start;

Links to More Info: BT1038445

Component: Fraud Protection Services

Symptoms:
On a BIG-IP system with FPS JS engine Live Update, after upgrade to 16.1.x , the old live update is not replaced by the engine in the build.

Conditions:
-- BIG-IP with FPS JS engine Live Update
-- Upgrade to 16.1.x
-- FPS / DataSafe / AWAF provisioned.

Impact:
In upgrade from 15.1 or older, this sometimes results in the device staying offline.

Workaround:
Installing a new, 16.1 FPS Engine update will fix the issue (where available).

Alternatively, running these commands fixes the issue, but results in the BIG-IP going offline for a few minutes.

rm -rf /var/datasync/updates/*
touch /etc/datasync/regenerate_all
tmsh -q -c 'cd datasync-global/; delete security datasync update-file update-file-versafe_js*'
bigstart restart tmm

Fixed Versions:
16.1.2.2


1038353 : UI and Schema changes are needed to enable/disable NLA for machine tunnels during client package creation.

Component: Access Policy Manager

Symptoms:
There is no support in the GUI to enable/disable NLA while machine tunnel service is enabled.

Conditions:
1. Machine tunnels service is running.
2. Edge client is not connected to VPN.
3. User moves inside the corporate network.

Impact:
Since there is no NLA Enable/disable support, the settings for NLA during machine tunnel are not pushed towards the client and the client is unable to detect the settings to take further action.

Workaround:
None

Fix:
You can now configure NLA enable/disable on the server side, and the NLA settings will be pushed towards the client side.


1037949 : Import ASM policy fails due to no available index for user defined violation

Component: Application Security Manager

Symptoms:
Policy import fails with a message that there is no available index for a user defined violation.

Conditions:
This occurs when importing a policy with user-defined violations that would exceeded the available amount of user-defined violations available on the device.

Impact:
Policy import fails.

Workaround:
Manually remove the extra user-defined violations from the xml policy before importing.

Fix:
Import will not fail you will get a warning regarding the user-defined violations which will not be added due to no available index.


1037661 : The packet tester does not validate the route domain after applying the rule list when the protocol is changed from IP to any

Component: Advanced Firewall Manager

Symptoms:
After changing a firewall rule protocol to "any" and applying the change, the change is accepted but traffic is not matched.

Conditions:
-- Firewall rules are applied to a non-default route domain
-- One or more rules have the protocol field set to "any" and this is the only change

Impact:
The configuration change is applied but the rule is not applied correctly and some traffic might not be matched.

Workaround:
Make a change to an additional variable and submit the change.

Fix:
IF will work as accepted if interchange any value of ip_protocol_name


1037645 : TMM may crash under memory pressure when using iRule 'AES::key' command

Links to More Info: BT1037645

Component: Local Traffic Manager

Symptoms:
TMM crashes and generates core file.

Conditions:
-- TMM is under memory pressure
-- iRule using 'AES::key' command

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
The system no longer crashes under these conditions.


1037457 : High CPU during specific dos mitigation

Links to More Info: BT1037457

Component: Application Security Manager

Symptoms:
CPU is high.

Conditions:
A dos attack with specific characteristic is active and the policy is configured in a specific way.

Impact:
While the attack is mitigated on the BIG-IP system and does not reach the server, the CPU of the BIG-IP increases and this may impact other services on the BIG-IP device.

Workaround:
N/A

Fix:
A specific high CPU scenario during dos attacks was fixed.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1037181 : TMM may crash while processing HTTP traffic

Links to More Info: K96924184, BT1037181


1036873 : Pre-shared key extension sometimes is not the last extension in ClientHello in TLS1.3

Links to More Info: BT1036873

Component: Local Traffic Manager

Symptoms:
Under some conditions, the BIG-IP's TLS 1.3 Client Hello sometimes does not have the pre-shared key extension as the last extension in the Client Hello. This is contrary to a requirement in the TLS 1.3 RFC, and causes servers to fail the connection.

A backend server may log a message such as:

SSL_do_handshake() failed (SSL: error:141B306E:SSL routines:tls_collect_extensions:bad extension)

Conditions:
-- Server SSL profile (BIG-IP operating as client) with TLS 1.3 enabled.
-- A Client Hello message size that falls between 256 and 512 bytes (without padding), which causes the BIG-IP to introduce a padding extension at the end of the Client Hello.

This issue can be seen via use of the "single-dh-use" or "session-tickets" options in the SSL profile.

Impact:
The TLS handshake fails.

Workaround:
Adjust the configuration of the Server SSL profile by either:

-- Disable Session Tickets
or
-- Disable the single-dh-use option


1036521 : TMM crash in certain cases

Links to More Info: BT1036521

Component: Application Security Manager

Symptoms:
TMM crash in certain case when dosl7 is attached

Conditions:
TMM is configured with dosl7

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
N/A

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1036305 : "Mandatory request body is missing" violation in staging but request is unexpectedly blocked

Component: Application Security Manager

Symptoms:
Request is blocked on a staged URL for the violation "Mandatory request body is missing".

Conditions:
- "Mandatory request body is missing" violation is set for blocking
- The URL is in staging
- "Mandatory request body is missing" is enabled on the URL

Impact:
Requests are blocked unexpectedly

Workaround:
None

Fix:
This defect is closely related to ID1036305 and both defects are fixed together


1036285 : Enforce password expiry after local user creation

Component: TMOS

Symptoms:
When a local user is created, the password is not expired.
[root@bigip1:Active:Standalone] config # chage -l testuser
Last password change : Feb 02, 2021
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

Conditions:
A local user is created

Impact:
The new user's password is not set to expired automatically.

Fix:
When the local user is created, the password is expired.

Behavior Change:
When the local user is created, the password is expired.
When the user logins for the first time, the password change prompt appears.


1036169 : VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500".

Links to More Info: BT1036169

Component: Local Traffic Manager

Symptoms:
Guestagentd will log the message "Exit flags for PID <PID>:0x500" in guest ltm log, if vcmp host rsync server current active connection is more than 4.

Conditions:
-- vCMP guest.
-- Rsync transfer frequency is 10 seconds between vCMP guest to vCMP host.
-- more than 4 vCMP guests.

Impact:
Guest LTM logs fill with "Exit flags for PID <PID>: 0x500".

Workaround:
N/A

Fix:
Modify sys db vcmp.dynamic_rsync_conn_allowed value false -> It will set the max connection limit to 4. (Default setting)
modify sys db vcmp.dynamic_rsync_conn_allowed value true -> It will set the max connection limit to max number of guest that slot supports.

Restart vcmpd by running 'bigstart restart vcmpd'


1035853 : Transparent DNS Cache can consume excessive resources.

Links to More Info: K41415626, BT1035853

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, the Transparent DNS Cache can consume excessive resources.

Conditions:
- GTM/DNS is provisioned
- Transparent DNS Cache is configured on a virtual server

Impact:
Excessive resource consumption, which can lead to increased server-side load.

Workaround:
N/A

Fix:
The Transparent DNS Cache now consumes resources as expected.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2


1035729 : TMM may crash while processing traffic http traffic

Links to More Info: K57111075, BT1035729


1035361 : Illegal cross-origin after successful CAPTCHA

Links to More Info: BT1035361

Component: Application Security Manager

Symptoms:
After enabling CAPTCHA locally on BIG-IP with brute force, after configured login attempts, CAPTCHA appears, but after bypassing the CAPTCHA successfully the user receives a support ID with cross-origin violation.

Conditions:
- brute force with CAPTCHA mitigation enforced on login page.
- cross-origin violation is enforced on the login page.
- user fails to login until CAPTCHA appears
- user inserts the CAPTCHA correctly

Impact:
- blocking page appears.
- on the event log cross-origin violation is triggered.

Workaround:
- disable cross-origin violation enforcement.

Fix:
Fixing origin header offset in reconstruct challenge request.

Fixed Versions:
15.1.5.1, 16.1.2.2


1035133 : Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab

Links to More Info: BT1035133

Component: Application Visibility and Reporting

Symptoms:
In various BIG-IQ GUI forms under the "Monitoring" tab (for example Monitoring -> Local Traffic -> HTTP), data for some time periods are missing.

Multiple "Unexpected end of ZLIB input stream" errors appear in BIG-IQ DCD logs under /var/log/appiq/gc_agent-manager.log

Conditions:
BIG-IP is attached to BIG-IQ, traffic volume is high

Impact:
Data in BIG-IQ are missing therefore some graphs show incorrect information

Workaround:
None

Fix:
Fixed an issue with missing statistics.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


1035121 : Configsync syncs the node's monitor status

Links to More Info: BT1035121

Component: TMOS

Symptoms:
After config sync, nodes may be marked marked down when they are up, even if the monitor determines that the node is up.

The logs will show something similar to :

notice mcpd[8091]: 010714a0:5: Sync of device group /Common/device_trust_group to commit id 1 6986973310536375596 /Common/xxxxxxxx 1 from device /Common/yyyyyyyy

notice mcpd[8091]: 01070640:5: Node /Common/node1 address 10.10.100.1 monitor status down. [ /Common/icmp: up ] [ was up for 0hr:3mins:15sec ]
notice mcpd[8091]: 01070640:5: Node /Common/node2 address 10.10.100.2 monitor status down. [ /Common/icmp: up ] [ was up for 0hr:3mins:15sec ]

The node/pool member/pool/virtual server will be marked down.
Checking the actual monitor it will be up, tcpdump will show successful monitor transactions.

Conditions:
1. Two or more devices in a sync/failover device group
2. The config sync from-device has marked nodes down
3. A config sync occurs

This can occur on both incremental and full config sync.

Impact:
The node's monitor status is synced to the peer device. If the from-device's monitor was unable to reach the nodes and was marking the nodes as DOWN, then the node status will be set to DOWN on the other device, even if the monitor is successfully connecting to the node. This can cause a traffic disruption.

Note: the opposite can occur, where a "node up" status is sent to a device whose monitor is failing to connect to the nodes due to a network issue.

Workaround:
If a device is in this state, you can work around this issue by doing one of the following:

-- Save and reload the configuration on the device with the bad state
   tmsh save sys config && tmsh load sys config

-- Perform a full-load sync from the peer device to the affected device:
   (On the peer) tmsh run cm config-sync force-full-load-push to-group group-name

Fix:
Node monitor statuses are not synced between devices.


1034941 : Exporting and then re-importing "some" XML policy does not load the XML content-profile properly

Links to More Info: BT1034941

Component: Application Security Manager

Symptoms:
Exporting and then re-importing an existing ASM policy in XML format does not load its XML content-profile properly. An XML content-profile containing a firewall configuration shows the 'Import URL' as N/A for most .xsd files.

Conditions:
Corner case, when the second import_url value is null

Impact:
The import_url field is set as N/A for all files, except for the first one

Workaround:
None

Fix:
Fixed incorrect XML export when we've multiple import_url in content-profile

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1034617 : Login/Security Banner text not showing in console login.

Links to More Info: BT1034617

Component: TMOS

Symptoms:
Setting the Login/Security Banner causes the banner to appear when connecting via the management port and not when connecting via the console.

Conditions:
-- The login banner is configured.
-- You log into the command line.

Impact:
Mismatch in displaying banner text with management and console logins.

Workaround:
Configure an identical banner for ssh sessions by following https://support.f5.com/csp/article/K6068.

Fix:
The banner text now displays for both management and console logins.

Fixed Versions:
16.1.2


1034589 : No warning is given when a pool or trunk that was in use by an high availability (HA) Group is deleted from the configuration.

Links to More Info: BT1034589

Component: TMOS

Symptoms:
It is possible to delete a Pool or Trunk from the configuration while one or more high availability (HA) Groups still reference it.

As a result, the configuration of affected high availability (HA) Groups is automatically and silently adjusted (i.e. the deleted object is no longer referenced by any high availability (HA) Group).

The lack of warning about this automatic change could lead to confusion.

Conditions:
A pool or trunk is deleted from the configuration while still being referenced from a high availability (HA) Group.

Impact:
The automatic and silent removal of the deleted object from all high availability (HA) Groups may go unnoticed by BIG-IP Administrators, with potential consequences on the failover behavior of the devices.

Fix:
A warning message is logged to /var/log/ltm, and is also presented in tmsh.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1034329 : SHA-512 checksums for BIG-IP Virtual Edition (VE) images available on downloads.f5.com

Links to More Info: BT1034329

Component: TMOS

Symptoms:
SHA-512 checksums for BIG-IP Virtual Edition images are not available on downloads.f5.com.

Conditions:
You wish to perform a SHA-512 validation of the BIG-IP Virtual Edition images.

Impact:
Cannot download the SHA-512 checksum for checksums for BIG-IP Virtual Edition images.

Workaround:
None

Fix:
Added SHA-512 checksum for ISOs and BIG-IP Virtual Edition images to downloads.f5.com.

Fixed Versions:
16.1.2.2


1034217 : Quic_update_rtt can leave ack_delay uninitialized.

Links to More Info: BT1034217

Component: Local Traffic Manager

Symptoms:
Retransmission times become very long if there is packet loss near the beginning of the connection.

Conditions:
-- Basic QUIC configuration.
-- The first couple of packets in the connection reaches an uninitialized variable path before the connection reaches the ESTABLISHED state.

Impact:
Uninitialized ack_delay variable could be any value and cause RTT measurements to be unusually large. That could cause retransmission times to be very long if there is packet loss near the beginning of the connection.

Workaround:
N/A

Fix:
Reusing existing ack-delay variable fixes the issue.


1034041 : Microsoft Intune Azure AD Graph cannot cannot migrate to Microsoft Graph.

Component: Access Policy Manager

Symptoms:
APM cannot connect to Intune if Microsoft Graph permissions are not set on the Intune Server.

Conditions:
1. Microsoft Intune is configured.
2. Azure AD Graph permission set in Intune.

Impact:
APM cannot connect to Intune thus fails with Connection error.

Workaround:
N/A

Fix:
APM can now connect to Intune when Microsoft Graph permissions are updated in the Intune server.


1033837 : REST authentication tokens persist on reboot&start;

Links to More Info: BT1033837

Component: TMOS

Symptoms:
REST authentication tokens persist across reboots. Current best practices require that they be invalidated at boot.

Conditions:
- REST authentication token in use
- BIG-IP restarts

Impact:
REST authentication tokens are not invalidated at boot.

Workaround:
NA

Fix:
REST authentication are invalidated at boot.

Behavior Change:
Existing REST tokens are now invalidated on boot; new tokens will need to be generated after a reboot.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1033829-4 : Unable to load Traffic Classification package

Links to More Info: BT1033829

Component: Traffic Classification Engine

Symptoms:
After installation and initial configuration, the latest Traffic Classification IM package fails to load.

Conditions:
This type of behavior is observed when the system is configured as follows,

1. LTM provisioned
2. Create virtual servers with classification profile
3. Then provision PEM module
4. Do a Hitless upgrade

Impact:
The latest Traffic Classification IM package fails to load.

Workaround:
Once the TMM is restarted after the issue, the latest IM is loaded.

Fix:
The traffic classification package now loads successfully.

Fixed Versions:
14.1.4.5, 15.1.5.1, 16.1.2.2


1033781-1 : IP Reputation database sync fails when DB variable iprep.protocol is set to auto-detect

Links to More Info: BT1033781

Component: Advanced Firewall Manager

Symptoms:
The IP Reputation database is not updated at the regular intervals, as expected.

Conditions:
The DB variable iprep.protocol is configured with the default value of "auto-detect".

Impact:
The connection to the IP reputation database fails, and therefore traffic is not IP reputed.

Workaround:
Set the DB variable iprep.protocol to either ipv4 or ipv6, depending on the management IP.


1033021 : UI: Partition does not work when clicking through security zones

Links to More Info: BT1033021

Component: Advanced Firewall Manager

Symptoms:
1. Zones UI is not refreshed when the partition changes
2. You are unable to administer zones while using partitions

Conditions:
Change the partition in GUI, then view the corresponding mapped zones.

Impact:
All zones are displayed for every partition instead of just the mapped zones

Workaround:
None

Fix:
Fixed a display issue related to partitions and security zones


1033017 : Policy changes learning mode to automatic after upload and sync

Links to More Info: BT1033017

Component: Application Security Manager

Symptoms:
When newly created policies are synchronized, the learning states of the policies are different.

Conditions:
-- Active/Active high availability (HA) setup in sync-failover device group with ASM enabled.
-- Sync a new policy configured with disabled/manual learning mode.

Impact:
Learning mode changes from disabled to automatic on peer device after sync, so learning modes differ on the peer devices.

Workaround:
1. On the peer device, change the learning mode to disabled.
2. Push sync from the originator device.

Both devices are then in sync and policies have the same learning mode (disabled), so operations complete as expected.

Fix:
The sync operation no longer attempts to keep the learning flags enabled on the receiving device.

Fixed Versions:
16.1.2.2


1032949-2 : Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate.

Links to More Info: BT1032949

Component: TMOS

Symptoms:
When you configure Dynamic CRL and set the client authentication as "Request", the handshake fails when clients do not supply a certificate.

Conditions:
Clientssl profile configured with the following:

1. Dynamic CRL
2. Client Authentication enabled with "Request" option

Impact:
SSL handshake fails

Workaround:
Workaround 1:
Use Static CRL

Workaround2:
Use Client authentication with either "Require" or "Ignore"

Workaround3:
Disable TLS1.2 and below versions in the Client SSL profile.
Which means allow only TLS1.3 traffic.

Fix:
N/A

Fixed Versions:
15.1.5, 16.1.2.1


1032821 : Syslog: invalid level/facility from /usr/libexec/smart_parse.pl

Links to More Info: BT1032821

Component: TMOS

Symptoms:
When the smart_parse.pl script is run and finds a disk error, it attempts to log an error with an incorrect syslog level.

Conditions:
Run smart_parse.pl on a BIG-IP platform with a disk error.

Impact:
When this script is run (usually as a cron job) the following message occurs:

syslog: invalid level/facility: error at /etc/cron.daily/pendsect line 194.

Workaround:
None.

Fix:
Smart_parse.pl now logs errors at the correct level 'err'.


1032797 : Tmm continuously cores when parsing custom category URLs

Links to More Info: BT1032797

Component: SSL Orchestrator

Symptoms:
Tmm crashes when trying to parse more than 256 custom category URLs.

Conditions:
-- More than 256 URLs defined in custom url-category.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM no longer crashes and it can parse more than 256 custom category URLs.

Fixed Versions:
15.1.5, 16.1.2


1032737 : IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate

Links to More Info: BT1032737

Component: TMOS

Symptoms:
Tmm crashes while passing IPsec traffic

Conditions:
Wildcard selectors are used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Avoid the core dump by adding checks.

Fixed Versions:
15.1.4.1, 16.1.2


1032513 : TMM may consume excessive resources while processing MRF traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may consume excessive resources while processing traffic with the MRF.

Conditions:
- MRF routing enabled

Impact:
Excessive resource consumption, potentially leading to crash and failover event.

Workaround:
N/A

Fix:
TMM now processes MRF traffic as expected.

Fixed Versions:
16.1.2.2


1032405 : TMUI XSS vulnerability CVE-2021-23037

Links to More Info: K21435974, BT1032405


1032077-4 : TACACS authentication fails with tac_author_read: short author body

Links to More Info: BT1032077

Component: TMOS

Symptoms:
If a TACACS user is part of a group with 10s of attribute value pairs (AVPs) were the length of all the avp's combined is such that the authorization reply message from the TACACS server is segmented, the login will fail.

The error message that is logged when the login fails is
"tac_author_read: short author body, 4468 of 6920: Operation now in progress" Where the numbers 4468 and 6920 will vary.

Conditions:
- TACACS authentication
- TACACS user that is part of a group where the combined length of the AVPs is greater then the largest TCP segment the TACACS server is able to send.

Impact:
User is unable to login.

Workaround:
If possible, reduce the number of attributes of the TACACS group or user.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


1031901 : In HTTP2 deployment, RST_STREAM sent to client if server in CLOSING state is picked

Links to More Info: BT1031901

Component: Local Traffic Manager

Symptoms:
When request from client is forwarded to server which is in CLOSING state due to server sent GOAWAY but not yet close the connection, request will be failed to be forwarded to server and RST_STREAM will be sent to client

Conditions:
-- Virtual Server with HTTP2 profile
-- There is an open connection from BIG-IP to the server.
-- The server sends a GOAWAY message to the BIG-IP and the connection is kept open.
-- The client sends a request to BIG-IP, BIG-IP picks the connection mentioned above to forward the request to

Impact:
Traffic from the specific client is interrupted

Workaround:
N/A

Fix:
In HTTP2 deployment, RST_STREAM is no longer sent to client if server in CLOSING state is picked

Fixed Versions:
15.1.4.1, 16.1.2


1031777-2 : Connection not immediately closed on ssl handshake failure

Links to More Info: BT1031777

Component: Local Traffic Manager

Symptoms:
Failure to close connection

Conditions:
Handshake failure on certificate processing

Impact:
Connection will linger until idle timeout

Fix:
Connnection closes on ssl handshake failure in certificate processing


1031609-2 : Improve nethsm-thales-install.sh and nethsm-thales-rfs-install.sh to be compatible with Entrust Client v12.60.10 package.&start;

Links to More Info: BT1031609

Component: Local Traffic Manager

Symptoms:
Formerly Thales now nShield/Entrust has changed the directory structure of their client package and also added new libraries. Due to this change, install script will be incompatible with v12.60.10 onwards.

Conditions:
Upgrading to PKCS11 client package v12.60.10.

Impact:
The installation script will fail while extracting the package.

Workaround:
N/A

Fix:
Extracted all the tarballs in the target directory to resolve the issue.

Fixed Versions:
15.1.5.1, 16.1.2.1


1031425 : Provide a configuration flag to disable BGP peer-id check.

Links to More Info: BT1031425

Component: TMOS

Symptoms:
A fix for ID 945265 (https://cdn.f5.com/product/bugtracker/ID945265.html) introduced strict checking of a peer-id. This check might be not desired in some configurations.

Conditions:
EBGP peering with two routers in the same autonomous system, configured with the same peer-id.

Impact:
BIG-IP will not pass the NLRIs between two eBGP peers. The following message can be seen in debug logs:
172.20.10.18-Outgoing [RIB] Announce Check: 0.0.0.0/0 Route Remote Router-ID is same as Remote Router-ID

Workaround:
Change peer-ids to be unique on eBGP peers.

Fix:
New, neighbor-specific, af-specific configuration option is provided to allow routes to be passed to external peers sharing the same router-id. The check is done on egress, so the configuration should be changed towards the peer that is supposed to receive a route.

router bgp 100
 bgp graceful-restart restart-time 120
 neighbor as200 peer-group
 neighbor as200 remote-as 200
 neighbor as200 disable-peerid-check
 neighbor 172.20.8.16 peer-group as200
 neighbor 172.20.8.16 disable-peerid-check
 neighbor 172.20.10.18 peer-group as200
 neighbor 172.20.10.18 disable-peerid-check
 !
 address-family ipv6
 neighbor as200 activate
 neighbor as200 disable-peerid-check
 neighbor 172.20.8.16 activate
 neighbor 172.20.8.16 disable-peerid-check
 neighbor 172.20.10.18 activate
 neighbor 172.20.10.18 disable-peerid-check
 exit-address-family

When configured on a single neighbor it will cause session to be re-established.
When configured on a peer-group a manual session restart is required for changes to take effect.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1031357 : After reboot of standby and terminating peer, some IPsec traffic-selectors are still online

Links to More Info: BT1031357

Component: TMOS

Symptoms:
HA Standby marks traffic selectors up when they are actually down on the Active device.

Conditions:
-- High availability (HA) configured and mirroring configured
-- IPsec tunnels up on Active
-- Reboot Standby
-- Standby starts correctly and all SAs are mirrored
-- Tunnel(s) go down on Active

Impact:
-- Traffic Selector is incorrectly marked up on the Standby when it is actually down on the Active.
-- While this is cosmetic, the information is misleading.

Workaround:
None

Fix:
After Standby reboot and deleting IPsec tunnels, the
traffic selectors on the Standby are marked in down state.

Fixed Versions:
16.1.2


1031269-1 : TMM may consume excessive resources when processing logging profiles

Links to More Info: K17514331, BT1031269


1030881 : [GTM] Upgrade failure - 01070022:3: The monitor template min was not found.&start;

Links to More Info: BT1030881

Component: Global Traffic Manager (DNS)

Symptoms:
GTM config load fails with the following error message:
01070022:3: The monitor template min was not found.

Conditions:
Min or required feature is applied to GTM generic host and upgrade from v15.x to v16.x.

Impact:
GTM config load fails.

Workaround:
Delete the special config for the generic host server and add it back after upgrade.

Fixed Versions:
16.1.2.2


1030853 : Route domain IP exception is being treated as trusted (for learning) after being deleted

Links to More Info: BT1030853

Component: Application Security Manager

Symptoms:
Traffic is considered trusted for learning even though a trusted IP exception was deleted.

Conditions:
Creating and deleting a route domain-specific IP exception

Impact:
Traffic learning suggestions scores are miscounted.
In automatic policy builder mode the policy can be updated by the policy builder based on the wrong score counting.

Workaround:
Stop and restart learning for the relevant policy

Fix:
When a route domain IP Exception configured for trusted learning is deleted, the upcoming suggestions scores will be calculated correctly without considering the deleted IP trusted.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1030845 : Time change from TMSH not logged in /var/log/audit.

Links to More Info: BT1030845

Component: TMOS

Symptoms:
Whenever time is changed, the message is not logged in /var/log/audit.

Conditions:
This occurs when the system time is changed manually using either the 'date' command or 'tmsh modify sys clock'.

Impact:
The time change is not logged to the audit log.

Workaround:
N/A

Fix:
Time changes are now logged to the audit log.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


1030689 : TMM may consume excessive resources while processing Diameter traffic

Links to More Info: K82793463, BT1030689


1030645 : BGP session resets during traffic-group failover

Links to More Info: BT1030645

Component: TMOS

Symptoms:
BGP session might be hard reset during a traffic group failover. The following log is displayed:

BGP[11111]: BGP : %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down Peer reset due to nh address change

Conditions:
Floating self-ips defined on a single vlan/subnet, with different traffic-groups configured.

Impact:
BGP session goes down during traffic-group failover.

Fix:
Soft clear is performed instead.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1030533 : The BIG-IP system may reject valid HTTP responses from OCSP servers.

Links to More Info: BT1030533

Component: Local Traffic Manager

Symptoms:
When this happens, the BIG-IP system can be seen closing the TCP connection to the OCSP server prematurely (for instance, as soon as the HTTP response headers are received, before the response body is transmitted).

If log.keymgmtd.level is set to debug, an error similar to the following example will be logged to the /var/log/ltm file:

Jun 22 14:40:08 bigip1.local debug tmm[9921]: 01a40004:7: OCSP validation result of certificate(/config/filestore/files_d/Common_d/certificate_d/:Common:endpoint-intermediate_69993_1): OCSP response - (connection - HTTP error), certificate status - (error), lifetime - 10.

Conditions:
The server uses a Content-Type HTTP header in its response that isn't just "application/ocsp-response" (for instance, it may include a charset specification after that string, or the string may use a mix of uppercase and lowercase letters).

Impact:
Valid HTTP responses from OCSP servers are rejected. OCSP stapling and OCSP validation are not available on the BIG-IP system.

Workaround:
If you control the OCSP server and are able to customize its HTTP response headers, setting the Content-Type to simply "application/ocsp-response" (all lowercase) is a workaround for this issue.

Otherwise, no workaround exists.

Fix:
Valid HTTP responses from OCSP servers are not longer rejected.


1030185 : TMM may crash when looking up a persistence record using "persist lookup" iRule commands

Links to More Info: BT1030185

Component: Local Traffic Manager

Symptoms:
Tmm may crash with a SIGSEGV when looking up a persistence record in an iRule when using the "any" flag

Conditions:
-- The persistence entry exists on a virtual server other than the virtual server the iRule is configured on.
-- The iRule contains [persist lookup source_addr "[IP::client_addr] any"]

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Discontinue the use of the "any" flag in the persist lookup iRule.

Fix:
TMM no longer crashes


1029949 : IPsec traffic selector state may show incorrect state on high availability (HA) standby device

Links to More Info: BT1029949

Component: TMOS

Symptoms:
IPsec traffic selector state can be viewed in the config utility or by tmsh with the "tmsh show net ipsec traffic-selector" command. On an high availability (HA) standby device, some selector states may be incorrect.

Conditions:
-- High availability (HA) environment
-- Standby reboots or in some way, such as a tmm restart, is forced to re-learn all the mirrored IPsec security associations (SAs).

Impact:
There is no functional impact. The issue is that a selector may incorrectly appear down in one or both directions.

Workaround:
When the tunnel re-keys on the high availability (HA) active device, the selector state shows the correct value.

Fix:
IPsec traffic selectors show the correct state after the high availability (HA) standby device reboots.

Fixed Versions:
16.1.2


1029897 : Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members.

Links to More Info: K63312282, BT1029897

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may pass malicious requests to server-side pool members.

Conditions:
1. The BIG-IP LTM has one or more virtual servers configured to proxy HTTP/2 requests from the client-side to HTTP/1 requests on the server-side.
2. An HTTP/2 client sends a request with one of the following issues and the BIG-IP passes it to the server-side pool members:
a. H2.TE request line injection
   I. An HTTP/1 request embedded within an HTTP/2 pseudo-header value
   II. Individual carriage return (CR) or line feed (LF) allowed within an HTTP/2 pseudo-header
b. Request line injection (folder traps)
c. Request line injection (rule bypass)

Impact:
Malicious HTTP/2 requests can be translated to HTTP/1 requests and sent to the pool member web server. Depending on the behavior of the pool member web server, this can lead to an HTTP request smuggling attack. When the affected virtual server is configured with the OneConnect profile, an attacker might be able to impact the responses sent to a different client.

Workaround:
You can configure the BIG-IP ASM system or Advanced WAF to block an HTTP/1 request that is embedded within an HTTP/2 pseudo header value from being sent to the backend server.

Fix:
This has been fixed so that client requests are appropriately rejected by BIG-IP.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1029869 : Use of ha-sync script may cause gossip communications to fail

Links to More Info: BT1029869

Component: SSL Orchestrator

Symptoms:
Using the ha-sync script on platforms in a sync-failover device group may cause gossip communications to fail.

Conditions:
This issue occurs after using the ha-sync script on devices that are in a sync-failover device-group.

Impact:
When the gossip communications fail, SSL Orchestrator will be unable to communicate iAppLX configuration from one device to the other. This can lead to deployment failures upon redeployment of SSL Orchestrator topologies.

Workaround:
None

Fixed Versions:
16.1.2.2


1029629 : TMM may crash while processing DNS lookups

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, TMM may crash while processing DNS lookups.

Conditions:
TMM processing DNS lookups.

Impact:
TMM crash leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes DNS lookups as expected.

Fixed Versions:
15.1.5.1, 16.1.2


1029585 : Use of ha-sync script may cause platforms in a sync-failover device group to fall out of sync

Links to More Info: BT1029585

Component: SSL Orchestrator

Symptoms:
Following the use of the ha-sync script on platforms in a sync-failover device group to become out of sync.

Conditions:
This can occur following the use of the ha-sync script.

Impact:
Both platforms in the sync-failover device group to fall out of sync. Forcing the admin to perform a device-group sync operation.

Workaround:
None

Fixed Versions:
16.1.2.2


1029413 : BIG-IP needs to support different password complexity variables for Android 10.

Links to More Info: K09131713

Component: Access Policy Manager

Symptoms:
It is not possible to configure Google-compliant password complexity rules on Android devices.

Conditions:
This issue is encountered for network access connectivity profiles for Android devices.

Impact:
New password complexity criteria cannot be configured on BIG-IP.

Workaround:
None

Fix:
BIG-IP now provides configuration ability needed to support Android device password complexity rules.


1029397 : Tmm may crash with SIP-ALG deployment in a particular race condition

Links to More Info: BT1029397

Component: Service Provider

Symptoms:
Tmm crashes in SIP-ALG deployment, when lsn DB callback is returned from a different tmm, and the SIP connection has been lost on tmm where the REGISTER request arrived.

Conditions:
--- SIP-ALG is deployed
--- Processing of SIP REGISTER message at server side
--- lsn DB entry is mapped to a different tmm

Impact:
Traffic disrupted while tmm restarts

Workaround:
NA

Fix:
Tmm no longer crashes in this race condition

Fixed Versions:
14.1.4.6, 15.1.5, 16.1.2.2


1028969 : An unused traffic-selector can prevent an IKEv2 IPsec tunnel from working

Links to More Info: BT1028969

Component: TMOS

Symptoms:
If both IKEv1 and IKEv2 try to listen to the same self IP address on the BIG-IP for a local tunnel IP address, only one can win, and previously a v2 ike-peer would be blocked if a v1 listener managed to get installed first.

If a partial tunnel config exists, with no ike-peer and only ipsec-policy and traffic-selector definitoins, this is understood to be IKEv1 implicitly, by default, and will install a v1 listener for the IP address and port.

Then if a fully configured ike-peer is added using IKEv2, it can fail to establish the required listener for v2 when an existing v1 listener is squatting on that IP address.

Conditions:
Conflict between IKEv2 and IKEv1 on the same IP address when:

-- a v2 ike-peer has local tunnel IP address X

-- a v1 ike-peer, or a traffic-selector with no peer at all, has the same local IP address X

Impact:
An IKEv2 tunnel can fail to negotiate when v2 packets cannot be received on a local IP address because a listener for IPsec cannot be established on that IP address.

Workaround:
You can avoid conflict between v1 and v2 by:

-- removing a traffic-selector not in use (which is v1)

-- avoiding use of the same local IP in both v1 and v2 definitions of ike-peer

Fix:
The fix gives precedence to IKEv2, so any pre-existing IKEv1 listener is simply removed from an IP address whenever a v2 listener is desired for that IP address.

This means IKEv1 can never be negotiated on a local IP address which is also in use by an IKEv2 ike-peer.

Importantly, this fix may cause tunnels to be permanently down after an upgrade. Prior to this change it was possible to have IKEv1 and IKEv2 tunnels working on the same self IP, but in that scenario some tunnels would intermittently fail to establish and the success of the tunnel establishment depended on whether the BIG-IP was the Initiator. IKEv1 and IKEv2 tunnels on the same self IP may still work after this change, but are not considered a valid or supported config by F5.

Fixed Versions:
16.1.2


1028773 : Support for DNS Over TLS

Links to More Info: BT1028773

Component: Global Traffic Manager (DNS)

Symptoms:
The BIG-IP system does not have support for DNS over TLS (DoT).

Conditions:
This is encountered if you wish to combine a clientssl profile with the dns profile on a virtual server.

Impact:
Performance is degraded.

Workaround:
None

Fix:
Clients can now initiate DNS over TLS requests to virtual servers that have the clientssl and dns profiles attached.

Fixed Versions:
16.1.2


1028669 : Python vulnerability: CVE-2019-9948

Links to More Info: K28622040, BT1028669


1028573 : Perl vulnerability: CVE-2020-10878

Links to More Info: K40508224, BT1028573


1028497 : libexpat vulnerability: CVE-2019-15903

Links to More Info: K05295469, BT1028497


1028493 : Live Update genesis file for Server Technologies installation fails

Component: Application Security Manager

Symptoms:
Installation of the Live Update genesis file (file included in BIG-IP) fails.

Conditions:
Live Update genesis file version is different than the BIG-IP version.

Impact:
"Server Technologies" will not be properly updated

Workaround:
Install latest "Server Technologies" update manually or upload the latest "Server Technologies" file.

Fix:
Live Update genesis file with different version will be accepted.


1028473 : URL sent with trailing slash might not be matched in ASM policy

Links to More Info: BT1028473

Component: Application Security Manager

Symptoms:
Request sent to a specific URL with added trailing slash may not be handled according to expected policy.

Conditions:
-- Request is sent with URL containing trailing slash.
-- Security policy contains the same URL, but without slash.

Impact:
URL enforcement is not done according to expected rules.

Workaround:
Add configuration for same URL with added trailing slash.

Fix:
URL with trailing slash is now handled as expected.

Fixed Versions:
16.1.2.2


1028269 : Device using CGNAT + subscriber discovery license shows unknown for pem_subscriber-id.

Links to More Info: BT1028269

Component: Carrier-Grade NAT

Symptoms:
On a BIG-IP device configured with CGNAT + subscriber discovery license, the LSN log shows "unknown" for the pem_subscriber-id field.

Conditions:
-- PEM and CGNAT enabled
-- RADIUS and CGNAT traffic are in different route domains

Impact:
LSN log shows "unknown" for the pem_subscriber-id field.

Workaround:
N/A

Fix:
Subscriber-id now shows correctly in the LSN log after it is added with CGNAT provisioned check in subscriber-discovery.

Fixed Versions:
15.1.5.1, 16.1.2.2


1028109 : Detected attack signature is reported with the wrong context.

Links to More Info: BT1028109

Component: Application Security Manager

Symptoms:
A detected attack signature on a multipart request might be reported with the wrong context.

Conditions:
Attack signature is detected in a multipart request.

Impact:
Reporting of the signature might contain the wrong context.

Workaround:
N/A

Fix:
All detected signatures on multipart requests are reported with the correct context.

Fixed Versions:
16.1.2


1027805 : DHCP flows crossing route-domain boundaries might fail.

Links to More Info: BT1027805

Component: Local Traffic Manager

Symptoms:
DHCP flows crossing route-domain boundaries might fail.

Conditions:
Example of a configuration leading to the problem:
- route-domain RD%2 with parent defined as route-domain RD%1.
- Virtual-server in route-domain RD%2.
- Pool member configured in RD%2 (sharing IP addressing with RD1)
- DHCP client connects to the virtual-server in route-domain RD%2.
- Route lookup for a pool member ends up with connection in route-domain RD%1

Impact:
The second and subsequent DHCP clients requests will not be forwarded to the DHCP pool members.

Workaround:
When configuring a DHCP pool member, use the ID of the parent route-domain (the one that will be returned by a route-lookup for the pool member's IP address).


1027657 : Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules.

Links to More Info: BT1027657

Component: Global Traffic Manager (DNS)

Symptoms:
Inconsistent monitor intervals for resource monitoring.

Conditions:
"require M from N" monitor rules configured.

Impact:
Monitor status flapping.

Workaround:
Do not use "require M from N" monitor rules.

Fixed Versions:
15.1.5.1, 16.1.2.2


1027217-2 : Script errors in Network Access window using browser.

Links to More Info: BT1027217

Component: Access Policy Manager

Symptoms:
1. Users may receive JavaScript errors in their browser when starting Network Access resources.
2. User resources may fail to display when accessing a Full webtop.
3. When logging out, users may be redirected to https://apm-virtual-server/vdesk/undefined and get a blank page
4. Logon Page from SWG Policies may fail to display inside a browser.

Conditions:
The issue can be observed with at least one of these conditions.

1. Accessing APM virtual server using a browser.
2. Accessing APM resources via a Full webtop.
3. Starting APM resources via a Full webtop.
4. Accessing Logon Page in SWG deployment.

Impact:
1. Users cannot start Network Access resources.
2. Users are unable to logout properly from full webtop.
3. Logon page is not rendered and users will not be able to access resources.

Workaround:
1. Log into BIG-IP.
2. mount -o remount,rw /usr/.
3. Add "response_chunking 2" to _tmm_apm_portal_http in "/usr/lib/tmm/tmm_base.tcl" Example:

profile http _tmm_apm_portal_http {
    max_header_size 32768
    max_header_count 64
    known_methods "CONNECT DELETE GET HEAD LOCK OPTIONS POST PROPFIND PUT TRACE UNLOCK"
    response_chunking 2
}

4. Restart tmm once the above param is added.
5. Garbage values in JavaScript aren't inserted after this change.
6. Remount the /usr directory as read-only.
  mount -o remount,ro /usr/
-------------------------

Fix:
The logon page now renders correctly, resources are properly displayed on the webtop, you can start resources without JavaScript errors, and you no longer receive blank pages when logging out.

Fixed Versions:
15.1.4.1, 16.1.2


1026605 : When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes

Links to More Info: BT1026605

Component: Local Traffic Manager

Symptoms:
When bigd.mgmtroutecheck is enabled and monitors are configured in a non-default route-domain, bigd may calculate the interface index incorrectly. This can result in monitor probes improperly being denied when they egress a non-mgmt VLAN. Or monitor probes might be allowed to egress the management interface

Conditions:
-- Bigd.mgmtroutecheck is enabled.
-- Monitor probes in a non-default route domain
-- More than one VLAN configured in the route-domain

Impact:
Monitor probes may be denied even thought they egress a non-mgmt VLAN.

Monitor probes may be improperly allowed out a mgmt interface.

/var/log/ltm:
err bigd.0[19431]: 01060126:3: Health check would route via mgmt port, node fc02:0:0:b::1%1. Check routing table.

bigd debug log:
:(_do_ping): probe denied; restricted egress device and route check [ tmm?=false td=true tr=false addr=fc02:0:0:b::1%1:0 srcaddr=none ]

Workaround:
Disable bigd.mgmtroutecheck, reduce the number of VLANs inside the route-domain

Fix:
The Bigd interface index is now calculated properly

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1026549 : Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd

Links to More Info: BT1026549

Component: TMOS

Symptoms:
For some BIG-IP Virtual Edition drivers, TMM may occasionally communicate an incorrect interface state change that might cause the interface to flap.

Conditions:
-- BIG-IP Virtual Edition using ixlv, ixvf, mlx5, or xnet drivers.
-- More TMMs and interfaces configured make this issue more likely to happen, but it happens randomly.

Impact:
In the case where the interface is part of a trunk a flap will occur when this happens.

There may be other as-yet unknown impacts for this issue.

Workaround:
Use a different VE driver than one of the ones listed above.

Fix:
BIG-IP Virtual Edition drivers no longer communicate incorrect interface states to mcpd.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


1026277 : Apply Policy can get ignored in auto-sync setup, while importing/replacing several existing policies with policies that have Policy Builder enabled

Component: Application Security Manager

Symptoms:
With auto-sync enabled, replacing multiple policies on Unit-A with policies having Policy Builder enabled, "Apply Policy" initiated by Policy Builder can be ignored at Unit-B that results all the policy on Unit-A appear as not-edited while a few policies on Unit-B appear as edited.

Conditions:
-- Using auto-sync
-- Multiple policies are replaced (imported as replacing method) at the same time
  Note : bulk import/replace is only possible via Ansible (also, maybe scripting that utilizes REST API)
-- Those imported policies have Policy Builder enabled

Impact:
Inconsistent policy state in auto-sync members

Workaround:
Make a minor update on those affected policies, then "Apply Policy" will fix the inconsistent state.

Fix:
The particular call is now not relayed to the peer


1026005 : BIG-IP Virtual Edition (VE) does NOT preserve the order of NICs 5-10 defined in the VMware ESXi hypervisor and NSXT platforms.

Links to More Info: BT1026005

Component: Local Traffic Manager

Symptoms:
The ordering of NICs 5-10 in VMware ESXi is based on PCI coordinates for the first boot and the order is ensured based on the /etc/ethmap script written by the kernel during initialization. BIG-IP VE does not follow/maintain the NIC order defined in the VMware ESXi hypervisor.

Conditions:
Using 5-10 interfaces, swap/remove/add an interface at the hypervisor level.

Impact:
When using 5-10 NICs in VMware ESXi and NSXT platforms, automation is prohibited due to BIG-IP VE not maintaining the NIC order defined in the hypervisor.

Workaround:
N/A

Fix:
Enabled BIG-IP VE scripts to honor the NIC order defined by the user in the VMware ESXi hypervisor and NSXT platforms.

Fixed Versions:
16.1.2.2


1025529 : TMM generates core when iRule executes a nexthop command and SIP traffic is sent

Links to More Info: BT1025529

Component: Service Provider

Symptoms:
If an iRule uses the 'nexthop' command to select a VLAN for a virtual server, TMM may crash.

Conditions:
-- Virtual server with SIP profile and iRule that executes a 'nexthop' command
-- SIP network traffic occurs

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Avoid using 'nexthop vlan' in an iRule in a SIP environment.

Fix:
iRule creation does not cause any TMM core.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2.1


1025117 : APM Access Guided Configuration hardening

Component: Guided Configuration

Symptoms:
APM Guided Configuration does not follow current best practices

Conditions:
- APM provisioned
- Authenticated administrative user

Impact:
Guided Configuration does not follow current best practices.

Workaround:
N/A

Fix:
Guided Configuration now follows current best practices.


1024841 : SSL connection mirroring with ocsp connection failure on standby

Links to More Info: BT1024841

Component: Local Traffic Manager

Symptoms:
SSL connection mirroring with ocsp stapling connection failure on standby, active completes handshake with delay.

Conditions:
SSL connection mirroring with ocsp stapling

Impact:
Handshake delay on active

Workaround:
Disable ocsp stapling or ssl connection mirroring

Fix:
SSL connection mirroring handshake with ocsp stapling completes normally.

Fixed Versions:
15.1.5.1, 16.1.2.2


1024761 : HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body

Links to More Info: BT1024761

Component: Local Traffic Manager

Symptoms:
When rechunking is requested, HTTP responses with methods or status codes indicating that no body be present (like HEAD or 304) are receiving a Transfer-Encoding header and a terminating chunk. These responses should not have a body of any sort.

Conditions:
HTTP virtual server with rewrite profile present with the server that does HTTP caching.

Impact:
HTTP clients are unable to connect.

Workaround:
Remove the rewrite profile.

Possibly change http profile response-chunking from sustain to unchunk. This resolves the issue for the 304, but means that all other requests are changed from either chunking or unchunked with Content-Length header to unchunked without Content-Length and with "Connection: Close".

Fixed Versions:
15.1.5, 16.1.2.1


1024621 : Re-establishing BFD session might take longer than expected.

Links to More Info: BT1024621

Component: TMOS

Symptoms:
It might take a few minutes for a BFD session to come up. During this time you will notice session state transition multiple times between 'Admin Down' <-> 'Down'.

Conditions:
BFD peer trying to re-establish a session with BIG-IP, choosing ephemeral ports dis-aggregating to different TMMs.

Impact:
It might take a few minutes for a BFD session to come up.

Workaround:
Increasing Tx/Rx timers will minimize a chance of hitting the problem (For example 1000 TX/RX)

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1024437 : Urldb index building fails to open index temp file

Links to More Info: BT1024437

Component: Access Policy Manager

Symptoms:
The following error message shows up in /var/log/urldbmgr-trace.log:

THREAD: 2CDD4700; ERROR; WsFileOpen: Could not open file /var/urldb/staging/current/host.6417.byte.dat.003
THREAD: 2CDD4700; ERROR; WsIndexBuilderOpenFile: Failed to open index file /var/urldb/staging/current/host.6417.byte.dat.003.
THREAD: 2CDD4700; ERROR; WsHostIndexV7OpenFile: Failed to open Host index file /var/urldb/staging/current/host.6417.byte.dat.003.
THREAD: 2CDD4700; ERROR; WsHostIndexV7BuildProcessTempFiles: Failed to open host index temp file

As a result of this error, some requested URL category lookups return "Uncategorized".

Conditions:
The error can happen during index building after a new primary URLDB is downloaded.

Impact:
Some websites are categorized as "Uncategorized"

Workaround:
1) Stop urldbmgrd:
    bigstart stop urldb urldbmgrd

2) Delete databases:
    rm -rf /var/urldb/master/
    rm -rf /var/urldb/rtu/

3) Start urldbmgrd:
    bigstart start urldb urldbmgrd
 
4) Force database download:
   - tmsh command: "modify sys url-db download-schedule urldb download-now true", or
   - Admin GUI: Access >> Secure Web Gateway >> Database Settings >> Database Download >> Download Now
 
Databases will re-download and index.

Fix:
N/A


1024225-1 : BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request

Links to More Info: BT1024225

Component: Local Traffic Manager

Symptoms:
BIG-IP proxying http2 -> http1.1. In response to a HEAD request, pool member sends response with "Transfer-Encoding: chunked" header without chunked payload. BIG-IP sends "Transfer-Encoding: chunked" header back to http2 client which generates RST_STREAM, PROTOCOL_ERROR. According to RFC 7450 a proxy SHOULD remove such headers.

Conditions:
1) H2 <-> H1 is configured on virtual server
2) HEAD request over http2->http1.1 gateway getting chunked response.

Impact:
Http2 connection is reset

Workaround:
iRule to remove "Transfer-Encoding: Chunked" header from response.

Fixed Versions:
16.1.2.2


1024101 : SWG as a Service license improvements

Links to More Info: BT1024101

Component: Access Policy Manager

Symptoms:
SWG sessions maxed out and the SWG license is not released until the APM session is ended.

Conditions:
SWG and APM are in use.

Impact:
SWG sessions are tied to APM sessions and can reach the limit and not be recycled even if the APM session is not actively using SWG.

Workaround:
None

Fix:
Fixed an issue with SWG session tracking.

Fixed Versions:
16.1.1


1024029 : TMM may crash when processing traffic with per-session APM Access Policy

Component: Access Policy Manager

Symptoms:
Under certain conditions, TMM may crash while processing traffic with per-session APM Access Policy rules.

Conditions:
- APM provisioned
- Per-Request APM Access Policy enabled

Impact:
TMM crash leading to a failover event.

Workaround:
Remove all perflow vars like %{perflow.*} from per session APM policy

Fix:
TMM now processes traffic with APM as expected.


1023993 : Brute Force is not blocking requests, even when auth failure happens multiple times

Links to More Info: BT1023993

Component: Application Security Manager

Symptoms:
Send traffic with multiple Authorization headers in the request after configuring the brute force. The traffic will not be blocked, when it is supposed to be.

Conditions:
When there is more than one Authorization header present in the requests.

Impact:
Brute force is possible with specially crafted requests having multiple Authorization headers and will be able to bypass brute force checks.

Workaround:
Enable "Illegal repeated header violation" and configure Authorization header repeated occurrence to disallow.

Fix:
ASM detects the brute force attempt with multiple Authorization headers in the request.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1023829-1 : Security->Policies in Virtual Server web page spins mcpd 100%, which later cores

Links to More Info: BT1023829

Component: TMOS

Symptoms:
With a large number of VLANs (3000+) and virtual servers (2000+), the virtual server list page consumes excessive resources, eventually leading to a mcpd crash.

Conditions:
-- A huge number of VLANs and virtual servers exist.
-- The virtual server list page is displayed

Impact:
Page becomes inaccessible. Mcpd may crash. Traffic and control plane disrupted while mcpd restarts.

Fix:
Listing of virtual servers on the webpage will work as expected.


1023817 : Misleading "Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required." warning

Links to More Info: BT1023817

Component: TMOS

Symptoms:
While loading the configuration or specifying that NAT64 should be disabled on a virtual server, a warning is displayed or logged:

"Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required."

This warning should only be displayed when a virtual server has both NAT64 enabled and a security NAT policy present, but may occur incorrectly even when NAT64 is disabled.

Conditions:
This warning may be incorrectly generated when all of these conditions are met:

-- a multi-bladed VIPRION
-- virtual servers in the configuration security NAT policies
-- receiving a ConfigSync from a peer, or running "tmsh load sys config" on the primary blade

Impact:
An erroneous warning is logged. It can be safely ignored.

Fix:
The warning message is now only generated when both NAT64 and a security NAT policy are present on a virtual server.

Fixed Versions:
15.1.5.1


1023461-1 : Multiple entries for CGNAT when PBA pools allocation is defined: for each request, a new entry is created

Links to More Info: BT1023461

Component: Carrier-Grade NAT

Symptoms:
Two pools are configured, for example:
A: any destination
B: destination 8.8.8.8

1. Making connections and utilizing port block allocation (PBA) pool A works as expected; pools are correctly allocated and released as needed.
2. When a client has active PBA pool A allocated and requests pool B (because of connectivity to specific destination IP), then each subsequent connection request from that client results in new PBA pool B allocation.

Conditions:
Multiple rules are defined to configure PBA.

Impact:
If a request does not belong to the first pool then it will not belong any other, so the system creates a new pool.

Workaround:
None

Fix:
BIG-IP checks all allocated pools first before creating a new pool.


1023437 : Buffer overflow during attack with large HTTP Headers

Component: Anomaly Detection Services

Symptoms:
When the HTTP Headers are larger than 1024 characters and one of the anomalous textual headers is located after 1024, a buffer overflow might occur.

Conditions:
HTTP or TLS Signature protection is activated and during attack anomalous request arrives.

Impact:
Most of the time results in bad characters in the signature name, more rarely results in Memory Access Violation which could be exploited as buffer overflow attack.

Fix:
Enforce HTTP metadata size limit to be within the first 1024 characters of the HTTP Headers payload.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


1023365 : SSL server response could be dropped on immediate client shutdown.

Links to More Info: BT1023365

Component: Local Traffic Manager

Symptoms:
SSL server response might be dropped if peer shutdown arrives before the server response.

Conditions:
-- the virtual server is using a Server SSL profile
-- the client sends FIN/ACK before the server responds

Impact:
The response from the pool member may be dropped.

Workaround:
N/A.

Fix:
Serverssl response now received after peer shutdown

Fixed Versions:
15.1.4.1, 16.1.2


1023341 : HSM hardening

Component: Local Traffic Manager

Symptoms:
Under certain conditions, HSM interactions do not follow current best practices.

Conditions:
- HSM in use

Impact:
Certain HSM interactions do not follow current best practices.

Workaround:
N/A

Fix:
HSM interactions now follow current best practices.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.1


1022757 : Tmm core due to corrupt list of ike-sa instances for a connection

Links to More Info: BT1022757

Component: TMOS

Symptoms:
Tmm generates a core when a corrupt list of ike-sa instances is processed.

Conditions:
Deletion of an expired ike-sa.

Impact:
Restart of tmm and re-negotiation of IPsec tunnels. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
The internal list data structure has been reorganized to use fewer entities in less-complex relationships. This makes it less likely for a corrupted list to occur, so this issue is less likely to occur.

Fixed Versions:
16.1.2


1022637 : A partition other than /Common may fail to save the configuration to disk

Links to More Info: BT1022637

Component: TMOS

Symptoms:
A mismatch between the running-configuration (i.e. what is returned by "tmsh list ...") and the saved-configuration (i.e. what is stored in the flat configuration files) for a partition other than /Common, despite a "tmsh save config" operation was just performed (either by the user or as a result of a config-sync).

Conditions:
- One or more partitions other than /Common exist on the system.

- One or more of said partitions have no more configuration objects defined in them (i.e. are empty).

- A config save operation similar to "tmsh save sys config partitions { Common part1 [...] }" occurs, either manually initiated by an Administrator or as a result of a config-sync operation (in which case the device-group must be configured for manual synchronization).

Impact:
Should a BIG-IP Administrator notice the mismatch, the only immediate impact is confusion as to why the config save operation was not effective.

However, as the flat config files are now out-of-date, performing a config load operation on a unit in this state will resurrect old configuration objects that had been previously deleted.

On an Active unit, this may affect traffic handling. On a redundant pair, there is the risk that the resurrected objects may make it to the Active unit after a future config-sync operation.

Workaround:
If you notice the mismatch, you can resolve it by performing a config save operation for all partitions (i.e. "tmsh save sys config").

Fix:
Non /Common partitions now get saved to disk as intended.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5, 16.1.2.2


1022625 : Profile type 'swg-transparent' should be selected on create page when 'create-new' is selected for SwgAsService in SSL Orchestrator

Links to More Info: BT1022625

Component: Access Policy Manager

Symptoms:
When creating a new service, certain default access profiles are not automatically selected.

Conditions:
1. SSL Orchestrator + APM + SWG provisioned
2. Select 'create-new' for access profile drop-down when adding a SwgAsService in SSL Orchestrator

A new tab opens with the profile creation page, but the access profile type drop-down does not have any type selected.

Impact:
When adding a SwgAsService in SSL Orchestrator, the only supported access profile type is SWG-Transparent, hence it should be automatically selected.

Workaround:
None

Fix:
Fixed an issue with automatic profile selection.

Fixed Versions:
16.1.1


1022493 : Slow file descriptor leak in urldbmgrd (sockets open over time)

Links to More Info: BT1022493

Component: Access Policy Manager

Symptoms:
Unix domain sockets are opened and never closed in urldbmgrd. This is a very slow leak over time.

Conditions:
SWG or URLDB is provisioned.

Impact:
Urldbmgrd may hit a limit of open file descriptors, and may eventually core and restart. When urldbmgrd restarts, urldb also restarts. This may result in a momentary instant where URL categorization is not available.

Workaround:
Restarting urldbmgrd will clear the open file descriptors. Performing a forced restart during a time of no traffic will mitigate the risk of urldbmgrd restarting at an inconvenient time if there are too many sockets open.

"bigstart restart urldbmgrd" will restart the daemon.


1022417 : Ike stops with error ikev2_send_request: [WINDOW] full window

Links to More Info: BT1022417

Component: TMOS

Symptoms:
IKE SAs will be lost.

Conditions:
A failover occurs while IKE is sending DPD to the peer, and the reply is received by the newly active BIG-IP.

Multiple failovers can increase the likelihood that this occurs.

Impact:
IKE SAs may be deleted and there will be traffic loss.

Workaround:
Increase in DPD interval to reduce the probability of occurrence of the issue.

Fix:
Fixed an issue where IKE SAs were being lost during failover events.

Fixed Versions:
16.1.2


1022269 : False positive RFC compliant violation

Links to More Info: BT1022269

Component: Application Security Manager

Symptoms:
False positive RFC compliant violation.

Conditions:
Authorization header with specific types.

Impact:
False positive violations.

Workaround:
Turn on an internal parameter:
 
/usr/share/ts/bin/add_del_internal add ignore_authorization_header_decode_failure 1

Fix:
Added tolerance to the authorization headers parser.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.2


1021773 : Mcpd core.

Links to More Info: BT1021773

Component: TMOS

Symptoms:
Mcpd crashes and leaves a core file.

Conditions:
This issue can occur if BIG-IP fails to allocate huge pages, which can occur during module provisioning.

Impact:
Mcpd crashes and the system goes into an inoperative state.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
16.1.2


1021713 : TMM may crash when processing AFM NAT64 policy

Component: Local Traffic Manager

Symptoms:
TMM may crash or become unstable after producing the error:

Enabling NAT64 for virtual server (/Common/test) with security NAT policy configured is redundant/not required.

Conditions:
Either of the following configurations:

-- NAT64 enabled and AFM NAT64 policy attached.
-- security-nat-policy attached and NAT64 disabled.

Impact:
TMM may crash, leading to a traffic interruption and failover event.

Workaround:
N/A

Fix:
The system now handles these configurations.

Fixed Versions:
15.1.5.1, 16.1.2


1021637 : In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs

Links to More Info: BT1021637

Component: Application Security Manager

Symptoms:
CSRF is sometimes enforced on URLs that do not match the CSRF URLs list

Conditions:
ASM policy with CSRF settings

Impact:
URLs that do not match the CSRF URLs list can be blocked due to CSRF violation.

Workaround:
None

Fix:
N/A

Fixed Versions:
16.1.2.2


1021521 : JSON Schema is not enforced if OpenAPI media-type is wild card.

Links to More Info: BT1021521

Component: Application Security Manager

Symptoms:
If the openAPI configuration contains a wildcard media type for an endpoint, ASM does not enforce the JSON schema for requests with a JSON payload.

Conditions:
Create an OpenAPI policy with media type set to wildcard.

Impact:
ASM doesn't enforce JSON schema validation for HTTP requests containing a JSON payload.

Workaround:
N/A

Fix:
Provided fix and verified

Fixed Versions:
16.1.2.2


1021485 : VDI desktops and apps freeze with Vmware and Citrix intermittently

Links to More Info: BT1021485

Component: Access Policy Manager

Symptoms:
VMware VDI:
Blank screen is seen while opening remote desktop when VDI is configured with VMware.

Citrix:
Desktop freezes immediately after opening remote desktop when VDI is configured with Citrix.

Conditions:
VMware VDI:
-- VDI is configured with VMware
-- Desktop or App is launched using native client from Webtop.
wait till 2X inactivity timeout if inactivity timeout

Citrix:
-- VDI is configured with Citrix
-- Desktop or App is launched using native client from Webtop.
-- Configure Inactivity timeout to 0.

Impact:
VDI desktops freeze while opening or immediately after opening.
The following error is seen in APM logs:
"Session stats update failed: ERR_NOT_FOUND"

Workaround:
No

Fix:
Users should not experience any intermittent desktop freeze.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


1021481 : 'http-tunnel' and 'socks-tunnel' (which are internal interfaces) should be hidden.

Links to More Info: BT1021481

Component: Local Traffic Manager

Symptoms:
The Linux command 'ifconfig' or 'ip a' shows two devices 'http-tunnel' and 'socks-tunnel' that are for TMM internal use only.

Conditions:
These interfaces show up regardless of the BIG-IP configuration.

Impact:
As long as these devices are not used there is no impact aside from possibly causing confusion. Any attempt to use those devices from a host process fails or produces unpredictable results. These devices should not be exposed on the Linux host.

Workaround:
N/A

Fix:
The devices 'http-tunnel' and 'sock-tunnel' no longer show up on the Linux host.

Fixed Versions:
16.1.2


1021417 : Modifying GTM pool members with replace-all-with results in pool members with order 0

Links to More Info: BT1021417

Component: Global Traffic Manager (DNS)

Symptoms:
GTMpool has multiple members with order 0.

Conditions:
There is an overlap for the pool members for the command replace-all-with and the pool members to be replaced.

Impact:
Multiple pool members have the same order.

Workaround:
Perform this procedure:
1. Delete all pool members from the GTM pool.
2. Use replace-all-with.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


1021061 : Config fails to load for large config on platform with Platform FIPS license enabled

Links to More Info: BT1021061

Component: Global Traffic Manager (DNS)

Symptoms:
Config fails to load.

Conditions:
-- Platforms with Platform FIPS license enabled.
-- There are several ways to encounter this. One is with a large GTM (DNS) configuration that requires extending the gtmd stats file.

Impact:
Config file fails to load. For the gtmd configuration, gtmd repeatedly logs error messages similar to:

err gtmd[14954]: 011af002:3: TMSTAT error 'Invalid argument' creating row '/Common/vs_45_53' in table 'gtm_vs_stat'

For merged daemon, reports messages similar to:
err merged[9166]: 011b0900:3: TMSTAT error tmstat_row_create: Invalid argument.

Workaround:
None

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


1021005-1 : IPI IPV6 traffic Reputation.

Component: Advanced Firewall Manager

Symptoms:
The IPI module in BIG-IP is responsible for the reputation of IP addresses. IPI only works on IPv4 traffic.

Conditions:
-- IP Intelligence License installed
-- The environment has a mix of IPv4 and IPv6

Impact:
The BIG-IP Intelligence features cannot do IPV6 traffic reputation.

Workaround:
N/A

Fix:
The BIG-IP Intelligence features can now do both IPv4 and IPV6 traffic Reputation

Behavior Change:
The BIG-IP Intelligence features can do both IPv4 and IPV6 traffic Reputation


1020957 : HTTP response may be truncated by the BIG-IP system

Links to More Info: BT1020957

Component: Local Traffic Manager

Symptoms:
Web pages are not rendered properly; HTTP responses are truncated when traversing the BIG-IP system.

Conditions:
-- Virtual server with an HTTP profile
-- HTTP server generates a compressed response
-- BIG-IP system determines that it must decompress the payload, e.g., a rewrite profile attached to the virtual server

Impact:
HTTP responses are truncated when passing through the BIG-IP system.

Workaround:
One of the following:

-- Add an HTTP Compression profile to the virtual server, and ensure that 'Keep Accept-Encoding' is not selected.
-- Use an iRule to remove the Accept-Encoding header from requests, e.g.:

ltm rule workaround {
    when HTTP_REQUEST {
        HTTP::header remove Accept-Encoding
    }
}

Fixed Versions:
16.1.2


1020789 : Cannot deploy a four-core vCMP guest if the remaining cores are in use.

Links to More Info: BT1020789

Component: TMOS

Symptoms:
When trying to deploy a vCMP guest on an i11800 vCMP host using four or more cores while all of the other cores are in use, the following error message may be seen:

err mcpd[<pid>]: 0107131f:3: Could not allocate vCMP guest (<guest_name>) because fragmented resources

--------------------------------------------------
one more similar issue has raised for 8 guests allocation failure

When trying to deploy a eight core guest on an i11800 vCMP host where four 2 cores are in use, the following error message may be seen:

0107131f:3: Could not allocate vCMP guest (guest-8cores-A) because fragmented resources

Conditions:
-- VCMP provisioned and all or most cores are in use.
-- Attempt to deploy a guest.

This is more likely to occur with vCMP guests that use four or more cores.

Impact:
All of the available cores cannot be used.

Workaround:
You may be able to work around this by deploying the largest guests first, then any remaining 2-core guests.

There is currently no other fix.

Fix:
N/A

Fixed Versions:
13.1.5, 14.1.4.6, 16.1.2.2


1020717 : Policy versions cleanup process sometimes removes newer versions

Links to More Info: BT1020717

Component: Application Security Manager

Symptoms:
The policy versions cleanup process sometimes removes versions in incorrect order. Newer versions are removed while older versions are preserved.

Conditions:
"maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg" has very low value.

Impact:
Newer versions are removed.

Workaround:
increase value of "maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg"

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1020705 : tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name

Links to More Info: BT1020705

Component: Application Visibility and Reporting

Symptoms:
Output of "tmsh show analytics dos-l3 report view-by attack-id" command has changed from version 13.x to 15.x. "Attack type" was removed from the system, so it was automatically replaced by the first metric "allowed-requests-per-second". For DOS L3 "Attack type" was replaced by "Vector Name" but it currently is not shown in the report along wit "Attack ID"

Conditions:
AFM is provisioned

Impact:
This change might cause scripts to fail if they use the name of the field.

Workaround:
1) edit /etc/avr/monpd/monp_dosl3_entities.cfg file. Change [dosl3_attack_id] section the following way: add 'vector_name' to measures list and add an additional parameter 'default_measure' as specified below :

[dosl3_attack_id]
...
measures=allowed_requests_per_sec,count,drop_per_sec,drop_count,total_per_sec,total_count,attacks_count,attack_type_name,category_name,vip_name,period,vector_name
default_measure=vector_name
...

2) edit /etc/avr/monpd/monp_dosl3_measures.cfg file. Add in the end the following section:

[vector_name]
id=vector_crc
formula=IF(count(distinct FACT.vector_crc)>1,'Aggregated',attack_vector_str)
merge_formula=IF(count(distinct vector_name)>1,'Aggregated',vector_name)
dim=AVR_DIM_DOS_VIS_ATTACKS_VECTOR
dim_id=attack_vector_crc
tmsh_display_name=vector-name
display_name=Vector
comulative=false
priority=65

3) restart the BIG-IP system: bigstart restart

After the system is up you can apply the same tmsh command: "tmsh show analytics dos-l3 report view-by attack-id"
You will get a result similar to 13.x. Note that "attack_type_name" is replaced by "vector-name"

Fix:
Workaround applied as fix.

Fixed Versions:
14.1.4.4, 15.1.3.1, 16.1.2


1020561 : Session memory increases over time due to db_access_set_accessinfo can leak sresult key/data in error case

Links to More Info: BT1020561

Component: Access Policy Manager

Symptoms:
Session memory is growing over time. memory_usage_stat indicates 'session' is growing.

Conditions:
Db_access_set_accessinfo is hitting the error case

Impact:
Memory will leak in tmm daemons. This affects all modules that use tmm.

Workaround:
Restart the tmms periodically when the memory grows

Fixed Versions:
15.1.5


1020549 : Server-side connections stall with zero window with OneConnect profile

Links to More Info: BT1020549

Component: Local Traffic Manager

Symptoms:
Serverside connections from pool member to BIG-IP hang, with the BIG-IP advertising a TCP zero window.

Conditions:
-- Virtual server with OneConnect profile
-- The BIG-IP applies flow-control to the serverside connection (e.g. the server's response to the BIG-IP is faster than the BIG-IP's forwarding the response to the client)
-- The serverside connection is subsequently re-used

Impact:
Serverside connections hang in the middle of data transfer, and will eventually time out.

Workaround:
If possible, remove the OneConnect profile from the virtual server.

Note: removing a OneConnect profile may cause problems with persistence, as described in
K7964: The BIG-IP system may appear to ignore persistence information for Keep-Alive connections (https://support.f5.com/csp/article/K7964)

Fixed Versions:
16.1.2.2


1020377 : Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon

Links to More Info: BT1020377

Component: TMOS

Symptoms:
If an IKEv2 tunnel terminates with an error condition, afterward it is possible for IKE packets to be received by the IKEv1 racoon daemon, which is listening to local host (i.e 127.0.0.1) on ports 500 and 4500.

Conditions:
To get the problem to occur, you may need these details:

-- an IKEv2 config where traffic selector narrowing happens
-- termination of an IKEv2 tunnel with an error condition
-- some other BIG-IP service using the same local self IP

Packets can reach the IKEv1 racoon daemon only when some BIG-IP service uses bigself as the proxy, which forwards packets to localhost (127.0.0.1) with the same port number. So even if no IKEv1 config is present for a local self IP, if some other BIG-IP service also uses bigself as a proxy, this can forward IKE packets to localhost as well.

Impact:
The IKEv2 tunnel does not get renegotiated, because IKE packets reach the IKEv1 daemon, which ignores them, because the proper listener to handle IKEv2 is missing. As a result, tunnel service is interrupted.

Workaround:
Deleting and re-adding the problematic ike-peer and traffic-selector should bring back IPsec support for that tunnel.

If the initiating and responding sides of the tunnel have identical traffic-selector proposals, then narrowing should not happen, and this would also prevent the problem in the first place.

Fix:
BIG-IP systems now manage and handle multiple references to the same listener in a more rigorous way, so the IKEv2 listener cannot go away while it is still needed.

Fixed Versions:
16.1.2


1020337 : DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator

Links to More Info: BT1020337

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm cores with umem debug enabled.

Conditions:
A string operation is performed against DNS resource records (RRs) from DNSMSG::section in an iRule.

Impact:
Tmm memory corruption. In some situations, tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
Do not use string operations against DNS RRs returned from DNSMSG::section.

Fixed Versions:
15.1.5.1, 16.1.2.2


1020061 : Nested address lists can increase configuration load time

Links to More Info: BT1020061

Component: Advanced Firewall Manager

Symptoms:
Whenever there are a number of nested address lists configured, the 'load sys config' command takes a long time to complete.

Conditions:
-- Several nested Address Lists are configured.
-- The 'load sys config' command is run.

Impact:
Upgrading (load sys config) takes a lot of time of time to complete, which sometimes causes Packet Correlation Classification Daemon (pccd) to fail.

If pccd fails, the system is unable to detect and compile firewall configuration changes, meaning that changes made to the firewall configuration are not enforced.

Note: The firewall configuration that was running before pccd goes down continues to be enforced; only changes are not enforced.

Workaround:
None

Fix:
Fixed an issue with config load time when nested address lists are used.


1019853 : Some signatures are not matched under specific conditions

Links to More Info: K30911244, BT1019853

Component: Application Security Manager

Symptoms:
Some signatures are not matched, attacking traffic may pass through.

Conditions:
- Undisclosed signature conditions

Impact:
Attacking traffic can bypass the WAF.

Workaround:
N/A

Fix:
Signatures are now matched as expected.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


1019721 : Wrong representation of JSON/XML validation files in template based (minimal) JSON policy export

Links to More Info: BT1019721

Component: Application Security Manager

Symptoms:
When exporting template-based (minimal) JSON policy with profiles and associated validation files, the resulting configuration is wrong.
 - Configuration for the JSON validation file is missing from the exported policy
 - The JSON profile associated validation file has the name but no content

Conditions:
Export a minimal JSON policy with JSON/XML validation files associated to the JSON/XML profile.

Impact:
Error due to wrong configuration of the validation file during import.

Fixed Versions:
16.1.2.2


1019613 : Unknown subscriber in PBA deployment may cause CPU spike

Links to More Info: BT1019613

Component: Carrier-Grade NAT

Symptoms:
in PBA deployment, a CPU spike may be observed if the subscriber-id log is enabled and the subscriber-id is unknown.

Conditions:
-- PBA configuration
-- Address translation persistent is enabled
-- Subscriber-id log is enabled
-- There is an unknown subscriber

Impact:
Overall system capacity reduces.

Workaround:
Disable subscriber-id logging.

Fix:
Unknown subscriber in PBA deployment no longer causes a CPU spike.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1019609-2 : No Error logging when BIG-IP device's IP address is not added in client list on netHSM.&start;

Links to More Info: BT1019609

Component: Local Traffic Manager

Symptoms:
"Ensure BIG-IP's IP address is added to the client list"
error log is not displayed, despite the BIG-IP not being added to the client list in Thales/nShield/Entrust HSM.

Conditions:
BIG-IP is not added to the client list in Thales/nShield/Entrust HSM.

Impact:
Difficult to debug the error condition to due lack of error message

Workaround:
None

Fix:
Grep error text information on stderror stream now works.

Fixed Versions:
15.1.5.1, 16.1.2.1


1019557 : Bdosd does not create /var/bdosd/*.json

Links to More Info: BT1019557

Component: Advanced Firewall Manager

Symptoms:
JSON files for historical data are not created for each virtual server in /var/bdosd.

BDOS for DDoS works on current data in memory but cannot to depend on the historical data for all virtual servers

Conditions:
BDOS is configured for any virtual server

Impact:
Custom signature or BDDoS-generated signature for the virtual server does not work correctly.

Workaround:
None


1019453 : Core generated for autodosd daemon when synchronization process is terminated

Links to More Info: BT1019453

Component: Advanced Firewall Manager

Symptoms:
Autodosd cores on SIGSEGV.

Conditions:
-- AFM DoS vectors configured
-- This can occur during normal operation but the specific conditions that trigger it are unknown

Impact:
Autodosd is restarted, but up to 15 seconds of history may be lost.

Workaround:
None

Fix:
Fixed an autodosd crash.

Fixed Versions:
15.1.3.1


1019429 : CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated

Links to More Info: BT1019429

Component: TMOS

Symptoms:
Virtuals with CMP forwarded flows and PVA acceleration may see a higher than expected syncache counter which can lead to permanent syncookie activation.

Also, under certain conditions the internal listeners used for config-sync may have syncookies activated. Logs will show the syncookie counter increasing after every activation.

bigip1 warning tmm1[18356]: 01010038:4: Syncookie counter 9830 exceeded vip threshold 2496 for virtual = 192.168.1.1:4353
bigip1 warning tmm1[18356]: 01010038:4: Syncookie counter 9834 exceeded vip threshold 2497 for virtual = 192.168.1.1:4353

Conditions:
-- Virtual servers with CMP forwarded flows - commonly occurring when the FTP profile is in use.
-- A platform with PVA acceleration enabled.
-- Only the server-side flow of a connection is offloaded to hardware.

Impact:
Elevated syncache_curr, epva_connstat.embryonic_hw_conns, epva_connstat, embryonic_hw_tcp_conns stas. Improper syncooke activation. Syncookie activation on the config-sync listener may cause config-sync to fail.

Workaround:
Remove the ftp profile or disable PVA acceleration:

modify sys db pva.acceleration value none

Fix:
Counters are now correctly decremented.

Fixed Versions:
15.1.4.1


1019357 : Active fails to resend ipsec ikev2_message_id_sync if no response received

Links to More Info: BT1019357

Component: TMOS

Symptoms:
In high availability (HA) setup, after failover, the newly active BIG-IP device, will send ikev2_message_id_sync messages to the other device.

If the BIG-IP device did not receive a response, it has to retransmit the packet. Some of the IKE tunnels are trying to retransmitting the packet, but its not going out of BIG-IP due to wrong state of relation between IKE tunnel and connection flow.

After 5 retries, it marks the peer as down, and the IKE tunnel is deleted.

Conditions:
-- High availability (HA) environment
-- IKE tunnels configured
-- A failover occurs

Impact:
Traffic loss.

Workaround:
None

Fix:
Fetch latest connection flow during retransmission of IKE/IPSEC packet.

Fixed Versions:
16.1.2.2


1018877 : Subsession variable values mixing between sessions

Links to More Info: BT1018877

Component: Access Policy Manager

Symptoms:
Subsession variable lookup internally assumes that a complete session DB lookup name (Session ID + Subsession key) is used. However, when using the lookup table, only the subsession key is passed in.

Conditions:
Subsession variables are referenced in the Per-Request Policy outside of the Subsession without the Session ID.

Impact:
A Per-Request Policy execution may get the value of the subsession variable from a different APM session.

Workaround:
Add the session ID to the reference to the subsession variables used in Per-Request Policies.

Fix:
Fixed an issue with subsession variable lookup.


1018613 : Modify wideip pools with replace-all-with results pools with same order 0

Links to More Info: BT1018613

Component: Global Traffic Manager (DNS)

Symptoms:
Multiple wideip pools have the order 0.

Conditions:
There are overlap for the pools for command replace-all-with and the pools to be replaced.

Impact:
iQuery flapping between GTMs.

Workaround:
First delete all pools from the wideip and then use replace-all-with.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1018577 : SASP monitor does not mark pool member with same IP Address but different Port from another pool member

Links to More Info: BT1018577

Component: Local Traffic Manager

Symptoms:
When the LTM SASP monitor is applied to a pool with multiple members having the same IP Address but different Ports, only one of the pool members with the duplicated IP Address will be monitored (marked UP or DOWN as appropriate). Other pool members sharing the same IP Address will remain in a 'checking' state.

Conditions:
This occurs when using the SASP monitor in a pool with multiple members having the same IP Address but different Ports.
For example:
ltm pool sasp_test_pool {
    members {
        sasp_1:80 {
            address 10.10.10.1
        }
        sasp_1:8080 {
            address 10.10.10.1
        }
        sasp_2:80 {
            address 10.10.10.2
        }
        sasp_2:8080 {
            address 10.10.10.2
        }
    }
    monitor sasp_test
}

In this case, only one pool member with a given IP Address will be correctly monitored by the sasp monitor.
Any additional pool members with the same IP Address but different port will not be monitored by the SASP monitor and will remain in a 'checking' state.

Impact:
Not all pool members may be effectively/accurately monitored by the SASP monitor.

Fix:
The ltm sasp monitor correctly monitors members of a pool which share the same IP Address but different Ports.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


1018493 : Response code 304 from TMM Cache always closes TCP connection.

Links to More Info: BT1018493

Component: Local Traffic Manager

Symptoms:
When a virtual server is configured to accelerate HTTP traffic, it caches responses with 200 and 304 response codes. Serving a response with "304 Not Modified" code, TMM may close a connection to a client.

Conditions:
-- A virtual server has a web-acceleration profile (without a web application for versions prior 16.0.0).
-- A response with code 304, stored in TMM cache, is served to a request.

Impact:
A client needs to open a new TCP connection every time when a response with "304 Not Modified" code is served.

Fix:
TMM correctly serves a response with "304 Not Modified" code, allowing to correctly handle TCP connection status.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4, 16.1.2


1018309 : Loading config file with imish removes the last character

Links to More Info: BT1018309

Component: TMOS

Symptoms:
While loading a configuration from the file with IMISH ('imish -f <f_name>'),truncating the last line.

printf 'log file /var/log/zebos.log1' >/shared/tmp/new.cfg
Running imish -r 0 -f /shared/tmp/new.cfg have the last character missing like below:
log file /var/log/zebos.log

Conditions:
Loading a config with 'imish -f <f_name>' commands.

Note: This command is used with the bigip_imish_config Ansible module.

Impact:
Configuration commands cannot be created properly.

Workaround:
For CLI, use extra control char at the end or \n.

Fixed Versions:
15.1.4.1, 16.1.1


1018285 : MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction

Links to More Info: BT1018285

Component: Service Provider

Symptoms:
MRF DIAMETER is not DIAMETER-application aware. It does not have application-specific business logic. When creating a DIAMETER solution, BIG-IP operators often need to write iRule scripts that remove a session persistence entry at the end of a transaction.

Conditions:
Some applications require removal of the persistence entry upon successful and unsuccessful completion of a transaction.

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm rule log_dia_error
ltm rule log_dia_error {
when DIAMETER_INGRESS {
set cmd_code [DIAMETER::command]
if { $cmd_code == 272 } {
    set cc_req_type [DIAMETER::avp data get 416 integer32]
    if {[DIAMETER::is_response] && $cc_req_type == 3 } {
       log local0. "Persistence record delete-on-any"
       DIAMETER::persist delete-on-any
    }
 }
}

Impact:
iRule script is required.

Fix:
DIAMETER::persist irule are supported to remove a persistence entry based on the result status of a answer message.
below irule commands are supported.
DIAMETER::persist delete-on-any
DIAMETER::persist delete-on-success
DIAMETER::persist delete-on-failure
DIAMETER::persist delete-none

Fixed Versions:
15.1.4.1, 16.1.2


1017721 : WebSocket does not close cleanly when SSL enabled.

Links to More Info: BT1017721

Component: Local Traffic Manager

Symptoms:
After sending a close frame to the WebSocket server, the WebSocket client receives 1006 response.

Conditions:
Virtual server with the following profiles:
-- WebSocket
-- HTTP over SSL (at least server side SSL)

and connection closure is initiated by the client.

Impact:
Client side applications experience errors in the form of WebSocket abnormally closing connections with error code 1006.

Workaround:
Avoid using SSL on WebSocket server context.

Fix:
WebSocket connections close without any error.

Fixed Versions:
16.1.2.2


1017533 : Using TMC might cause virtual server vlans-enabled configuration to be ignored

Links to More Info: BT1017533

Component: Local Traffic Manager

Symptoms:
When switching between traffic-matching-criteria (TMC) and regular virtual-server configuration, the vlans-enabled option might be ignored, causing unexpected traffic handling.

Conditions:
Changing virtual-server configuration when using traffic-matching-criteria.

Impact:
Unexpected traffic handling and disruption

Workaround:
Avoid using TMC (port lists and address lists). When in a 'faulty' state you can try changing vlan-enabled on and changing it back on the virtual server, you might need to clear existing connections afterwards.

Follow below articles.

K53851362: Displaying and deleting BIG-IP connection table entries from the command line

K52091701: Handling Connections that have been matched to the wrong Virtual Server.

Fixed Versions:
14.1.4.6, 16.1.2.2


1017513 : Config sync fails with error Invalid monitor rule instance identifier

Links to More Info: BT1017513

Component: Local Traffic Manager

Symptoms:
If you remove or attach a different monitor to an fqdn pool, then perform a full config-sync, an error occurs:

Load failed from /Common/bigip1 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 58.

Conditions:
-- BIG-IP device is configured with fqdn nodes/pools with monitors.
-- Modify an fqdn pool to remove or attach a different monitor.
-- Run the command: run cm config-sync to-group Failover
-- Perform a full config-sync.

Impact:
Sync to the peer device(s) fails.

Workaround:
Use incremental-sync.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5.1, 16.1.2.1


1017233 : APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption

Links to More Info: BT1017233

Component: Access Policy Manager

Symptoms:
A corrupted password is sent as part of the "Authorization" header to the backend device and as a result, http 404 is returned

Conditions:
-- iRule for ActiveSync is used
-- The BIG-IP system has multiple tmms running

Impact:
User Authentication is failed by the backed server

Fixed Versions:
15.1.4.1, 16.1.2


1017153 : Asmlogd suddenly deletes all request log protobuf files and records from the database.

Links to More Info: BT1017153

Component: Application Security Manager

Symptoms:
Asmlogd suddenly deletes all request log protobuf files and records from the database.

Additionally, after the deletion happens, newly generated event logs seen in database do not show up in TMUI.

Conditions:
-- ASM provisioned
-- Config-sync setup, with frequent sync recovery and/or with a manual-sync device-group with ASM sync enabled.

Impact:
Sudden loss of request logs.

Workaround:
Delete all empty partitions and restart asmlogd.

1) View all the partitions:

   # perl -MF5::Db::Partition -MData::Dumper -MF5::DbUtils -e 'print Dumper(F5::Db::Partition::retrieve_partitions_info(dbh => F5::DbUtils::get_dbh(), table_name => "PRX.REQUEST_LOG"))'

Take note of the 'PARTITION_NAME' and 'TABLE_ROWS' for each partition.

2) For every partition_X (in PARTITION_NAME) with '0' in TABLE_ROWS, delete it by:

   # perl -MF5::Db::Partition -MF5::DbUtils -e 'F5::Db::Partition::delete_partition(dbh => F5::DbUtils::get_dbh(), table_name => "PRX.REQUEST_LOG", partition_name => "partition_X")'

3) restart asmlogd if and after done all deletes:

   # pkill -f asmlogd

NOTE: this workaround is temporary. Meaning, that the number of empty partitions will again accumulate and the same issue will happen again. The MAX number of partitions is - 100. Thus, it is advised to monitor the total number of *empty* partitions and repeat the workaround periodically. A cron script should work well. Normally, empty partitions should NOT accumulate. Thus, it is safe to run this script once an hour and remove all empty partitions.


Optionally, if you are having TMUI issue with newly generated event logs, perform the additional command below to delete rows from PRX.REQUEST_LOG_PROPERTIES for which no corresponding rows exist in PRX.REQUEST_LOG.

# mysql -t -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e 'delete from PRX.REQUEST_LOG_PROPERTIES where request_log_id > (select id from PRX.REQUEST_LOG order by id desc limit 1)'

Fix:
Upgrading to a fixed software version will not delete accumulated partitions and will not clear the symptom away. The fix will prevent ASM from accumulating partitions unnecessarily in the scenarios.

If your ASM system is experiencing this and partitions are accumulated, perform the workaround to clear the symptom. Using a fixed software version, you only need to perform the workaround once. You no longer have to perform it periodically.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


1017053 : [SSL Orchestrator] Policy fails to complete when URL branching is configured

Links to More Info: BT1017053

Component: SSL Orchestrator

Symptoms:
SessionDB returns ERR_NOT_FOUND when Allow Agent attempts to update URL info in the session entry.

Conditions:
SSL Orchestrator session does not have a session entry in the SessionDB corresponding to the URL info.

Impact:
This causes policy execution failure and connection aborts.

Workaround:
Setting perflow.branching.url with no value, then the Allow Agent will not update the session entry. This will avoid the ERR_NOT_FOUND error message.

Fix:
Ensure the session is an APM session before setting the URL info for the session entry.


1016921 : SSL Connection mirroring - session resumption does not occur on standby when the session ticket is enabled

Links to More Info: BT1016921

Component: Local Traffic Manager

Symptoms:
Eight-second delays occur on traffic through an SSL connection mirroring virtual server, and errors occur on the standby device:

crit tmm7[11598]: 01010025:2: Device error: crypto codec Couldn't create an OpenSSL EC group object OpenSSL error:0906D06C:PEM
err tmm7[11598]: 01010282:3: Crypto codec error: sw_crypto-7 Couldn't initialize the elliptic curve parameters.
crit tmm7[11598]: 01010025:2: Device error: crypto codec No codec available to initialize request context.

Conditions:
All of these conditions:
-- SSL connection mirroring enabled
-- Session tickets are enabled
-- High availability (HA) environment

and one of the following:
-- Running BIG-IP v14.1.4.1 or above (in the v14.1.x branch)
or
-- Engineering hotfix applied to v14.x/v15.x that has the ID760406 fix (see https://cdn.f5.com/product/bugtracker/ID760406.html)

Impact:
SSL traffic is significantly delayed and errors are thrown on the standby device.

Workaround:
Any one of the following could prevent the problem.

-- client-ssl profile cache-size 0.
-- client-ssl profile session-ticket disabled (default).
-- disable SSL connection mirror on virtual server.


1016449 : After certain configuration tasks are performed, TMM may run with stale Self IP parameters.

Links to More Info: BT1016449

Component: Local Traffic Manager

Symptoms:
A Self IP instantiated by performing specific configuration tasks (see Conditions) does not work (e.g. the system does not respond to ARP requests for it).

On the contrary, the system continues to use (e.g. respond to ARP requests for) an old version of the Self IP specifying a different address.

Conditions:
This issue is known to occur when one of the following operations is performed:

- Restoring a UCS or SCF archive in which a Self IP with a specific name specifies a different address.

- Performing a config-sync between redundant units in which the sender changes a Self IP with a specific name to use a different address. For example:

tmsh delete net self <name>
tmsh create net self <name> address <new_address> ...
tmsh run cm config-sync to_group ...

- Performing specific tmsh CLI transactions involving Self IP modifications.

Impact:
The system does not utilise the configured Self IP address. Traffic will be impacted as a result (for example, in connections to the unit, in snat automap, etc.).

Workaround:
Restart TMM (bigstart restart tmm) on affected units.

Fix:
TMM now correctly handles supported Self IP address modifications.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1016441 : RFC Enforcement Hardening

Component: Local Traffic Manager

Symptoms:
When the HTTP profile RFC Enforcement Flag is enabled, certain non-RFC compliant headers are still allowed.

Conditions:
- Virtual Server with HTTP profile.
- RFC Enforcement Flag enabled.
- HTTP request with non-RFC compliant headers.

Impact:
Non-RFC compliant headers passed to server.

Workaround:
N/A

Fix:
BIG-IP will drop non-RFC compliant HTTP requests when the RFC compliance flag is ON.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1016309 : When two policies with the same properties are configured with geo property, the geo for the second policy is ignored.

Links to More Info: BT1016309

Component: Advanced Firewall Manager

Symptoms:
If two policies are configured with rule lists of same type of properties (1 allow and 1 deny) with the geo property used, the geo settings of the first rule will be used in the second rule.

Conditions:
-- Two policies having the same type of rule lists (1 allow rule and 1 deny rule)
-- The same geo is configured in a rule in each of the rule lists.
-- One rule is configured to allow, one is configured to deny

Impact:
Connection requests for the second virtual server that uses the second policy will use the geo settings from the first policy.

Workaround:
None

Fix:
Connection request for second virtual server will be dropped and allowed as configured in the policy that is attached.

Fixed Versions:
15.1.4


1016113 : HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile.

Links to More Info: BT1016113

Component: Local Traffic Manager

Symptoms:
Configurations containing HTTP response-chunking 'sustain' and a Web Acceleration profile do not rechunk payload regardless of whether the web server responds with a chunked response.

Conditions:
-- Incoming response payload to the BIG-IP system is chunked.
-- HTTP profile is configured with response-chunking 'sustain'.
-- Web Acceleration profile also configured on the same virtual server.

Impact:
The BIG-IP response is not chunked, regardless of whether the associated web server responds with a chunked payload when the Web Acceleration is utilized.

Workaround:
For a chunked response to be delivered to the client, apply the iRule command 'HTTP::rechunk' to responses when a Web Acceleration profile is used.

Fix:
The BIG-IP response is chunked appropriately when a Web Acceleration profile is used.

Fixed Versions:
15.1.4, 16.1.2


1016049 : EDNS query with CSUBNET dropped by protocol inspection

Links to More Info: BT1016049

Component: Local Traffic Manager

Symptoms:
EDNS query might be dropped by protocol inspection with an error log in /var/log/ltm similar to:

info tmm[21575]: 23003139 SECURITYLOG Drop sip:192.168.0.0 sport:64869 dip:1.1.1.1 dport:53 query:test.f5.com qtype:malformed attack:malformed

Conditions:
Query containing CSUBNET option.

Impact:
Some queries might fail.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1016033 : Remote logging of WS/WSS shows date_time equal to Unix epoch start time

Links to More Info: BT1016033

Component: Application Security Manager

Symptoms:
Enable the BD_MISC log and notice the REMOTE_LOG buffer printed in the bd logs. The date_time field will be set as closer to epoch time, for eg: "1969-12-31 16:27:00", instead of the current date. The same will be reflected in the remote logs as well.

Conditions:
Remote logging is enabled and the WS/WSS requests are sent to the BIG-IP

Impact:
The date_time information in WS traffic logged to a remote destination is incorrect. This makes correlating data difficult or impossible depending on the traffic.

Fixed Versions:
15.1.5


1015645 : IPSec SA's missing after reboot

Links to More Info: BT1015645

Component: TMOS

Symptoms:
Some IPSec SA's created after Tunnel migration may be missing after a reboot.

Conditions:
- IPSec tunnels
- Load balancing continues through tunnel migration
- The active BIG-IP system is rebooted

Impact:
Some IPSec SA's may be missing after the reboot

Workaround:
None

Fix:
During reboot, Load balancing information is loaded based on creation time instead of arrival time.

Fixed Versions:
16.1.2


1015133 : Tail loss can cause TCP TLP to retransmit slowly.

Links to More Info: BT1015133

Component: Local Traffic Manager

Symptoms:
If a long tail loss occurs during transmission, TCP might be slow to recover.

Conditions:
-- A virtual server is configured with the TCP profile attached.
-- SACK and TLP are enabled.
-- A tail loss of multiple packets sent by the BIG-IP occurs.

Impact:
BIG-IP retransmits one packet per RTT, causing a long recovery. The impact is more pronounced if an entire window is lost.

Workaround:
Disabling TLP may improve performance in this particular case, but may degrade performance in other situations.

Fix:
A new sys db key was added: tm.tcpaggressivepartialack (disabled by default). When enabled, more data is retransmitted every RTT, similar to slow-start.

Behavior Change:
A new sys db key was added: tm.tcpaggressivepartialack (disabled by default). When enabled, more data is retransmitted every RTT, similar to slow-start.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


1014085 : SSL Orchestrator traffic summary logs incorrectly identify decryption-status

Component: SSL Orchestrator

Symptoms:
SSL Orchestrator traffic summary log (in /var/log/apm) incorrectly identifies decryption-status as 'decrypted' when the TLS handshake is incomplete.

Conditions:
-- SSL Orchestrator is licensed and provisioned.
-- Per-request policy or security policy is defined and attached to Virtual server.
-- Per-request policy log level is set to Info.

Impact:
Traffic summary log in /var/log/apm incorrectly identifies decryption status.

Fix:
SSL Orchestrator traffic summary log now correctly identifies decryption-status as 'NA' when tls handshake is incomplete. Two new fields cleint & server tls-handshake-status also got added to indicate handshake status of each side.


1013729 : Changing User login password using VMware View Horizon client results in “HTTP error 500”

Component: Access Policy Manager

Symptoms:
“HTTP error 500" is shown when user changes the password using VMware view horizon client.

Conditions:
User tries to change user password using the VMware native client.

Impact:
Users can't login to the VMware VDI.

Workaround:
None

Fix:
Users can now modify their password via the VMware native client and are able to login to VMware vdi.


1013629 : URLCAT: Vulnerability Scan finds many Group/User Read/Write (666/664/662) files

Links to More Info: BT1013629

Component: Traffic Classification Engine

Symptoms:
Shared memory files in relation with URLCAT have file permissions set to (-rwxrwxrwx), which is not necessary and needs to be restricted to (-rw-rw-r--).

Conditions:
Performing a Vulnerability Scan on shared memory files in relation with URLCAT.

Impact:
Full permission can result in unintentional/unauthorized access, which could result in unexpected behavior of the URLCAT feature.

Workaround:
Manually change permissions from (-rwxrwxrwx) to (-rw-rw-r--) using the chmod command.

Fix:
Shared Memory file permissions are now set to (-rw-rw-r--).

Fixed Versions:
16.1.2


1013569-2 : Hardening of iApps processing

Component: Guided Configuration

Symptoms:
Under certain conditions, iApps do not follow current best practices.

Conditions:
- iApps in use

Impact:
iApps do not follow current best practices.

Workaround:
N/A

Fix:
iApps now follow current best practices.

Fixed Versions:
15.1.4, 16.1.1


1012721 : Tmm may crash with SIP-ALG deployment in a particular race condition

Links to More Info: BT1012721

Component: Service Provider

Symptoms:
Tmm crashes in SIP-ALG deployment

Conditions:
--- SIP-ALG is deployed
--- While processing first SIP REGISTER at server-side

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Tmm no longer crashes in this race condition

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1, 16.1.1


1012701 : BD crash on websocket traffic

Component: Application Security Manager

Symptoms:
BD crash when handling websocket traffic

Conditions:
ASM policy with webosocket and features that require response handling.

Impact:
Traffic disrupted while bd restarts.

Workaround:
N/A


1012581 : Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered

Links to More Info: BT1012581

Component: Advanced Firewall Manager

Symptoms:
As soon as global syncookie enabled stats counts starts decrementing and when attack_detection_common callback function calls, the stats range is always under the configured packets per-second threshold, resulting in some tmms not being able to detect the attack but syncookies are already enabled on these tmms, and no statistics are gathered.

Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into the BIG-IP system.

Impact:
SYN cookies may still be sent after traffic goes below the attack detection threshold.

Workaround:
Restart tmm

Fix:
Now, global syncookie state changing from full-hardware to non-activated when attack ends.


1012413 : Tmm performance impact for DDoS vector on virtual server when hardware mitigation is enabled

Links to More Info: BT1012413

Component: Advanced Firewall Manager

Symptoms:
When a DoS profile is attached to a virtual server, the mitigation limit is set to the system limit and not the HSB limit. This causes more packets to be handled by software. Depending on attack size, it could pass up to 200% of the set mitigation limit. This can impact tmm performance.

Conditions:
-- Dos profile is configured on virtual server.
-- Hardware platform that has HSB
-- Hardware mitigation is enabled

Impact:
Tmm performance may be degraded.

Workaround:
None

Fix:
The HSB limit is set to (vector configured mitigation limit) / (number of hsbs on BIG-IP)

Fixed Versions:
15.1.4


1012365 : Nettle cryptography library vulnerability CVE-2021-20305

Links to More Info: K33101555, BT1012365


1012221 : Message: childInheritanceStatus is not compatible with parentInheritanceStatus&start;

Links to More Info: BT1012221

Component: Application Security Manager

Symptoms:
The BIG-IP system is unable to deploy a revision of upgraded child policies and you see an error:

Failed pushing changed objects to device <device>: Could not update the Section 'Threat Campaigns'. childInheritanceStatus is not compatible with parentInheritanceStatus.

Conditions:
-- An ASM Child Policy is present on the BIG-IP device in a version earlier than 14.0.0
-- The BIG-IP system is upgraded to version 14.0.0 or later

Impact:
This corruption impacts BIG-IQ interactions with the Child Policy and causes exported Child Policies to be incorrect.

Workaround:
After upgrading, perform the following:

1. Log into the BIG-IP Configuration Utility
2. Go to Security :: Application Security :: Security Policies :: Policies List
3. Select the first Parent Policy
4. Go to Inheritance settings and change Threat Campaigns from None to Optional
5. Click Save Changes
6. Change Threat Campaigns from Optional back to None
7. Click Save Changes
8. Click Apply
9. Repeat steps 3-8 for each additional Parent Policy

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1011433 : TMM may crash under memory pressure when performing DNS resolution

Links to More Info: BT1011433

Component: Global Traffic Manager (DNS)

Symptoms:
When running low on free memory, TMM may crash when performing DNS resolution.

Conditions:
-- TMM is under memory pressure.
-- TMM is performing DNS resolution via one of the following mechanisms:
--+ iRule using the "RESOLV::lookup" command
--+ AFM firewall rules that reference hostnames
--+ APM

Impact:
Traffic disrupted while tmm restarts.

Fixed Versions:
16.1.2.2


1011217 : TurboFlex Profile setting reverts to turboflex-base after upgrade&start;

Links to More Info: BT1011217

Component: TMOS

Symptoms:
Custom TurboFlex Profile settings revert to the default turboflex-base profile after an upgrade.

Conditions:
-- iSeries platform with ix800 performance license
-- A non-default TurboFlex Profile is applied
-- The BIG-IP device is upgraded

Impact:
Some features of the previously selected TurboFlex Profile that are not part of the turboflex-base profile, are missing after upgrade. The TurboFlex Profile must be reconfigured after upgrade.

Workaround:
Reconfigure the TurboFlex Profile after upgrade.

Fix:
TurboFlex Profile settings are now preserved after the upgrade.

Fixed Versions:
16.1.2.2


1011069 : Group/User R/W permissions should be changed for .pid and .cfg files.

Links to More Info: BT1011069

Component: Application Security Manager

Symptoms:
The following files should be set with lower permissions:
/etc/ts/dcc/dcc.cfg (-rw-rw--w-)
/run/asmcsd.pid (-rw-rw--w-)
/run/bd.pid (-rw-rw--w-)
/run/dcc.pid (-rw-rw--w-)
/run/pabnagd.pid (-rw-rw--w-)

Conditions:
Always

Impact:
Incorrect file permissions.

Workaround:
chmod 664 <files_list>

Fix:
The corrected permissions 664 are applied to the given list of files.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1011065 : Certain attack signatures may not match in multipart content

Component: Application Security Manager

Symptoms:
Under certain conditions, ASM may not correctly detect attack signatures.

Conditions:
- ASM provisioned
- Request contains multipart body that matches specific attack signatures.

Impact:
Attack detection is not triggered as expected.

Workaround:
None

Fix:
Attack detection is now triggered as expected.

Fixed Versions:
15.1.4.1, 16.1.2


1011061 : Certain attack signatures may not match in multipart content

Component: Application Security Manager

Symptoms:
Under certain conditions, ASM may not correctly detect attack signatures.

Conditions:
- ASM provisioned
- Request contains a specially-crafted multipart body

Impact:
Attack detection is not triggered as expected.

Workaround:
None

Fix:
Attack detection is now triggered as expected.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


1010617 : String operation against DNS resource records cause tmm memory corruption

Links to More Info: BT1010617

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm cores with umem debug enabled.

Conditions:
A string operation is performed against DNS resource records (RRs) in an iRule.

Impact:
Tmm memory corruption. In some situations, tmm could crash. Traffic disrupted while tmm restarts.

Workaround:
Do not use string operation against DNS RRs.

Fixed Versions:
15.1.5.1, 16.1.2.2


1010597 : Traffic disruption when virtual server is assigned to a non-default route domain&start;

Links to More Info: BT1010597

Component: Access Policy Manager

Symptoms:
Assigning a virtual server to a non-default route domain might cause a traffic disruption.

Conditions:
-- An APM virtual server is assigned to a route domain other than 0 (zero, the default).
-- An access policy has an agent that results in tmm communicating to the renderer (e.g., Logon agent, HTTP 401 Response agent, and others).

Impact:
Access policy fails.

Workaround:
1. Log in to the Configuration utility.
2. Go to Network > Route Domains > affected route domain.
3. In the section Parent Name select '0 (Partition Default Route Domain)'.
4. Select Update.


1009949 : High CPU usage when upgrading from previous version&start;

Links to More Info: BT1009949

Component: TMOS

Symptoms:
When upgrading version from 12.x to 14.1.4, ospfd has high cpu utilization.

Conditions:
-- OSPF is enabled.
-- The BIG-IP system is upgraded from 12.x to 14.1.4.

Impact:
Performance Impact.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2


1009725 : Excessive resource usage when ixlv drivers are enabled

Links to More Info: K53442005, BT1009725


1009093 : GUI widgets pages are not functioning correctly

Links to More Info: BT1009093

Component: Application Visibility and Reporting

Symptoms:
Some links and drop-down fields are not available for 'pressing/clicking' on AVR-GUI widgets pages

Conditions:
AVR/ASM is provisioned

Impact:
Cannot use AVR GUI pages correctly

Workaround:
1. Back up the following file, and then edit it:
/var/ts/dms/amm/templates/overview.tpl

1.a. Remove the following line:
<script type="text/javascript" src="script/analytics_stats.js{{BIGIP_BUILD_VERSION_JS}}"></script>

1.b. Add the following lines after the 'var _default_smtp = '{{smtp_mailer}}';' line:
$(document).ready(function() {
        if(!window.AVR_LOCALIZATION) return;
        $('.need-localization-avr').each(function() {
            var item = $(this);
            if (item.is("input")) {
                var key = "avr." + item.val().replace(/\s/g, '');
                item.val(window.AVR_LOCALIZATION[key] || item.val());
            } else {
                var key = "avr." + item.text().replace(/\s/g, '');
                item.text(window.AVR_LOCALIZATION[key] || item.text());
            }
        }).removeClass('need-localization-avr');
    });

1.c. Save and exit (might require the 'force' save with root user).

2. Log out of the GUI.
3. Log back in.

Fix:
GUI widgets pages now function correctly.

Fixed Versions:
15.1.5, 16.1.2.1


1009049-10 : browser based vpn did not follow best practices while logging.&start;

Component: Access Policy Manager

Symptoms:
sensitive information is visible in logs in case of an upgrade.

Conditions:
auto upgrade enabled on big-ip
browser based vpn components are auto updated while establishing vpn.

Impact:
sensitive information could be misused to establish a vpn connection

Workaround:
disable auto upgrade on big-ip and manually install using an installer.

Fix:
The sensitive information is masked during upgrade.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1009037 : Tcl resume on invalid connection flow can cause tmm crash

Links to More Info: BT1009037

Component: Local Traffic Manager

Symptoms:
Tmm crashes.
Tmm logs contain a line that looks like: "Oops @ 0x2bbd463:139: Unallocated flow while polling for rule work. Skipping."

Conditions:
1) iRule uses a function that may suspend iRule processing (see https://support.f5.com/csp/article/K12962 for more about this).
2) The connflow associated with the iRule is being torn down by tmm.
3) Depending upon the exact timing there is a rare chance that the iRule will resume on the wrong connflow which can cause a core.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


1008849 : OWASP "A4 XML External Entities (XXE)" is not reflecting the XXE signatures configuration.

Links to More Info: BT1008849

Component: Application Security Manager

Symptoms:
To fulfill "A4 XML External Entities (XXE)", some required signatures need to be enforced.

Due to an update in some of those attack signatures names, this section does not find the signatures and by mistake it shows that the signatures are not enforced.

Also, when you choose to enforce the required signatures, this section tries to enforce the signatures, but looks for them via the old name, so it does not find them, and can't enforce them.

Conditions:
The attack signatures file is updated with the new names for the XXE signatures.

The old names are in use while trying to find and enforce the signatures, but it does not find them and can't enforce them and also can't see if they are already enforced.

Impact:
"A4 XML External Entities (XXE)" Compliance can't be fully compliant.

Workaround:
N/A

Fix:
The signature ID is being used instead of signature name, and now it can find them and enforce them if needed.

Fixed Versions:
15.1.5.1, 16.1.2.2


1008837 : Control plane is sluggish when mcpd processes a query for virtual server and address statistics

Links to More Info: BT1008837

Component: TMOS

Symptoms:
When there are thousands of rows in the virtual_server_stat table and mcpd receives a query for for all virtual server or virtual address statistics, mcpd can take a long time to process the request.

There might be thousands of rows if thousands of virtual servers server are configured.

There could also be thousands of rows if there are virtual servers configured for source or destination address lists, where those lists contain tens or hundreds of addresses.

Conditions:
-- Thousands of virtual_server_stat rows.
-- mcpd processes a query_stats request for the virtual_server_stat table.

Impact:
When mcpd is processing a query for virtual server statistics:

-- TMSH and GUI access is very slow or non-responsive.
-- SNMP requests timeout.
-- mcpd CPU usage is high.

Workaround:
None

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.2.2


1008561 : In very rare condition, BIG-IP may crash when SIP ALG is deployed

Links to More Info: K44110411, BT1008561


1008501 : TMM core

Links to More Info: BT1008501

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
Transparent monitors monitoring a virtual server's IP address.

Note: Although this is the current understanding of the issue, it is not clear whether this is an true requirement for the issue to occur.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1008269 : Error: out of stack space

Links to More Info: BT1008269

Component: TMOS

Symptoms:
When polling for profile statistics via iControl REST, the BIG-IP system returns an error:

Error: out of stack space

Conditions:
Polling stats via iControl REST.

Impact:
You are intermittently unable to get stats via iControl REST.

Workaround:
None

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1008265 : DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond&start;

Component: Advanced Firewall Manager

Symptoms:
DoS Flood and Sweep vector states are disabled after upgrade.

Conditions:
DoS Flood and Sweep vectors are enabled prior to an upgrade to software release 14.x and beyond.

Impact:
DoS Flood and Sweep vector states are disabled. System is susceptible to a DoS attack.

Workaround:
Reset the DoS Flood and Sweep vectors to their previous state.

Fix:
Removed default disabled state from upgrade scripts so that both vectors were restored to previous configured state

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


1008017 : Validation failure on Enforce TLS Requirements and TLS Renegotiation

Links to More Info: BT1008017

Component: Local Traffic Manager

Symptoms:
The configuration load fails with an error:

err mcpd[4182]: 0107186b:3: Invalid "enforce-tls-requirements" value for profile /prod/my_profile. In Virtual Server (/common/my_virtual_server) an http2 profile with enforce-tls-requirements enabled is incompatible with client-ssl/server-ssl profile with renegotiation enabled. Value must be disabled.

Conditions:
BIG-IP system allows this configuration and fails later:

-- Virtual server with HTTP/2, HTTP, and client SSL profiles (with renegotiation disabled).

1. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile (by default it is enabled).
2. Add server SSL profile with 'TLS Renegotiation' enabled.
3. Save the configuration.
4. Load the configuration.

Impact:
The configuration will not load if saved.

Workaround:
If enabling 'Enforce TLS Requirements' in a HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in the Server SSL profiles on that virtual server.

Fix:
There is now a validation check to prevent this configuration, which is the correct functionality.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


1008009 : SSL mirroring null hs during session sync state

Links to More Info: BT1008009

Component: Local Traffic Manager

Symptoms:
Tmm crashes.

Conditions:
-- SSL connection mirroring enabled
-- Running a version where ID 760406 is fixed (https://cdn.f5.com/product/bugtracker/ID760406.html)
-- A handshake failure occurs during session sync

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable connection mirroring

Fix:
The system now protects for dropped SSL handshakes during connection mirror session sync.

Fixed Versions:
14.1.4.5, 15.1.5.1, 16.1.2.2


1007901 : Support for FIPS 140-3 Module identifier service.

Links to More Info: BT1007901

Component: TMOS

Symptoms:
The module provides a service to output module name/identifier and version that can be mapped to the validation records.
The 'tmsh show sys version' command shows a version, but it does not show a module name, where the "module name" is the name on the FIPS certificate.

Conditions:
Running 'tmsh show sys version' while the system is running in FIPS mode

Impact:
The module does not provide a service to output module name/identifier and version that can be mapped to the validation records.

Workaround:
N/A

Fix:
Added the FIPS module information to output of command "show sys version". FIPS module information is now appended after "Project" field info of the "show sys version"

The syntax of the new field is "FIPS Module <FIPS_module_name>"

In the GUI, FIPS module info shall be appended to existing "Version" information shown under system(tab)→Device→Version

The syntax will be "Version: <Existing Info> <FIPS_module_name>

Fixed Versions:
16.1.2.2


1007821 : SIP message routing may cause tmm crash

Links to More Info: BT1007821

Component: Service Provider

Symptoms:
In very rare circumstances, tmm may core while performing SIP message routing.

Conditions:
This can occur while passing traffic when SIP message routing is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
SIP message routing no longer results in a core due to internal memory errors in message parsing.

Fixed Versions:
15.1.4, 16.1.1


1007749 : URI TCL parse functions fail when there are interior segments with periods and semi-colons

Links to More Info: BT1007749

Component: Local Traffic Manager

Symptoms:
URI::path, URI::basename, etc., return the wrong strings, e.g., URI::path can return a subset of what it should return.

Conditions:
This happens for URIs like these:
   /alpha/beta/Sample.text;param/trailer/
   /alpha/beta/Sample.text;param/file.txt

Impact:
iRules fail to work as expected for these types of URIs.

This occurs because the combination of the period and semi-colon in 'Some.thing;param' confuses the BIG-IP system parser, causing incorrect results to be returned.

Workaround:
If this is happening for known URIs, then it should be possible to process those URIs in a special way within iRules to do things like temporarily replacing interior periods with another character, like a plus sign.

Fixed Versions:
15.1.5, 16.1.2.1


1007677 : Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector'

Links to More Info: BT1007677

Component: Access Policy Manager

Symptoms:
SAML fails on APM SAML IdP after receiving the SAML ArtifactResolve Request, and needs to extract Artifact data from sessionDB to build the assertion. An error is logged:

-- err tmm[24421]: 014d1211:3: ::ee23458f:SAML SSO: Cannot find SP connector (/Common/example_idp)
-- err tmm[24421]: 014d0002:3: SSOv2 plugin error(12) in sso/saml.c:11864

Conditions:
The 'session-key' in the sessiondb includes a colon ':' in its value.

Impact:
SAML may fail on APM SAML IdP using artifact binding.

Fix:
The system now handles this occurrence of 'session-key'.

Fixed Versions:
15.1.4.1, 16.1.2.1


1007489 : TMM may crash while handling specific HTTP requests&start;

Links to More Info: K24358905, BT1007489


1007113 : Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds

Links to More Info: BT1007113

Component: Service Provider

Symptoms:
In case of diameter over SCTP, while aborting the connection of the pool member, if SCTP INIT is sent by the BIG-IP system before the SCTP ABORT is processed, the pool member is marked UP (provided the SCTP connection is established successfully), and then goes down later, immediately after ABORT is fully processed.

Conditions:
The time difference between SCTP ABORT and SCTP INIT is very small, i.e., 2 seconds or less

Impact:
Pool member is marked DOWN even though it is active

Workaround:
If the watchdog is configured in the diameter session profile (i.e., watchdog-timeout is greater than 0), the pool member is marked UP after DWA is received from the pool member.

Fix:
The system now marks the pool member as UP if DWA is received from the pool member.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


1006893 : Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core

Links to More Info: BT1006893

Component: Access Policy Manager

Symptoms:
When ACCESS::oauth is used after ACCESS::session create/delete in an iRule event, TMM may core.

Conditions:
ACCESS::oauth is used after ACCESS::session create/delete in an iRule event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround

Fix:
TMM does not core and functionality works as expected.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


1006781 : Server SYN is sent on VLAN 0 when destination MAC is multicast

Links to More Info: BT1006781

Component: Local Traffic Manager

Symptoms:
TCP connections cannot be established when a multicast destination MAC is used. Traffic outage occurs.

Conditions:
Virtual wire with multicast destination MAC used while establishing TCP connections.

Impact:
Traffic outage.

Workaround:
None

Fixed Versions:
15.1.4.1, 16.1.2.2


1005109 : TMM crashes when changing traffic-group on IPv6 link-local address

Links to More Info: BT1005109

Component: Local Traffic Manager

Symptoms:
TMM crashes when changing the traffic-group on an IPv6 link-local address.

Conditions:
Changing the traffic-group on an IPv6 link-local address.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1


1005105 : Requests are missing on traffic event logging

Links to More Info: BT1005105

Component: Application Security Manager

Symptoms:
Some traffic requests are missing in Security :: Event Logs.

Conditions:
-- Local logging enabled
-- Two or more virtual servers passing heavy traffic

Impact:
High CPU load prevents the Policy Builder from analyzing and sending all traffic requests to the request log.

Workaround:
None

Fix:
The Policy Builder now attempts to send traffic requests to the request log, even when learning analysis is limited due to high CPU load.

Fixed Versions:
14.1.4.5, 15.1.4, 16.1.1


1004929 : During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid.

Links to More Info: BT1004929

Component: TMOS

Symptoms:
While receiving a config sync operation, mcpd on a secondary blade may restart, logging:

err mcpd[6383]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020012:3: A unsigned four-byte integer message item is invalid.... failed validation with error 16908306

Conditions:
-- A VIPRION system (or cluster-based vCMP guest) with more than one blade processes a full configuration load, i.e. as a result of running "tmsh load sys config" or receiving a full-load config sync from peer BIG-IP.

-- The system generates a large number of warning messages during a configuration load, whose total length is larger than 65,535 bytes.

These warnings can be seen in the output of "tmsh load sys config" or "tmsh load sys config verify", or are logged under message ID 01071859

An example of such a warning is:

SSLv2 is no longer supported and has been removed. The 'sslv2' keyword in the cipher string of the ssl profile (/Common/ssl-profile-1) has been ignored.

Impact:
MCPD on secondary blades restart. Those blades are inoperative while services restart.

Workaround:
Address the warnings reported by the system.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5


1004897 : 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason

Links to More Info: BT1004897

Component: Local Traffic Manager

Symptoms:
In HTTP2 setup, when the header count from the client request exceeds max-header-count value in the HTTP profile , COMPRESSION_ERROR(0x09) is seen in GoAway frame instead of FRAME_SIZE_ERROR(0x06)

Conditions:
- Virtual server with HTTP2 enabled
- A http2 request has a header count that exceeds 'Maximum Header Count' in the HTTP profile (default value is 64)

Impact:
Wrong GoAway Reason is logged

Fix:
When header count in client request exceeds max-header-count value in HTTP profile
1) FRAME_SIZE_ERROR(0x06) error code sent with GoAway frame
2) In http2 profile stats (tmsh show ltm profile http2 all) 'Max Headers Exceeded' is logged as GoAway reason

Fixed Versions:
14.1.4.4, 16.1.2.2


1004881-6 : Update angular, jquery, moment, axios, and lodash libraries in AGC

Component: Guided Configuration

Symptoms:
Vulnerabilities discovered in the angular, jquery, moment, axios, and lodash libraries used by AGC.

Conditions:
- AGC in use

Impact:
The angular, jquery, moment, axios, and lodash libraries include known vulnerabilities.

Workaround:
N/A

Fix:
Libraries updated to resolve CVE-2015-9251 CVE-2016-7103 CVE-2017-18214 CVE-2018-16487 CVE-2018-3721 CVE-2019-1010266 CVE-2019-10744 CVE-2019-10768 CVE-2019-10768 CVE-2019-11358 CVE-2020-11022 CVE-2020-11023 CVE-2020-28168 CVE-2020-28500 CVE-2020-7676 CVE-2020-7676 CVE-2020-8203 CVE-2021-23337


1004833-3 : NIST SP800-90B compliance

Links to More Info: BT1004833

Component: TMOS

Symptoms:
Common Criteria and FIPS 140-2 certifications require compliance with NIST SP800-90B; this completes that compliance.

Conditions:
This applies to systems requiring Common Criteria and/or FIPS 140-2 compliance.

Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 14.1.4.2 or BIG-IP 15.1.2.1) will not be running a Common Criteria and/or FIPS 140-2 certified configuration.

Workaround:
None

Fix:
Apply this fix to ensure that the system is compliant with NIST SP800-90B.

Fixed Versions:
14.1.4.2, 15.1.4


1004689 : TMM might crash when pool routes with recursive nexthops and reselect option are used.

Links to More Info: BT1004689

Component: Local Traffic Manager

Symptoms:
When re-selecting to the non-directly-connected pool route member for which the route was withdrawn, TMM might experience a crash.

Conditions:
- Pool routes with non-directly-connected or recursive nexthops (pool members).
- Reselect option enabled.
- Pool members go down/up so that the re-select is triggered.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Do not use non-directly-connected/recursive nexthops (pool members) in pool routes.

Fix:
N/A

Fixed Versions:
16.1.2.2


1004665-1 : Secure iAppsLX Restricted Storage issues.

Component: iApp Technology

Symptoms:
iAppLX restricted storage needs hardening.

Conditions:
iAppLX applications (such as SSL Orchestrator) that contain configuration objects that use restricted parameters like password or passphrase.

Impact:
Stronger encryption needed for sensitive data.

Workaround:
None

Fix:
The iAppLX master key is now stored in mcpd's secure vault as a new secure config object name "iapp_restricted_key".


1004537 : Traffic Learning: Accept actions for multiple suggestions not localized

Links to More Info: BT1004537

Component: Application Security Manager

Symptoms:
When you open the accept suggestions actions list, the actions are not localized. Labels are shown instead of text, for example asm.button.Accept instead of Accept.

Conditions:
This occurs after selecting several suggestions and opening the Accept suggestions actions list.

Impact:
Actions not localized.

Workaround:
None

Fix:
Fixed localization for Accept suggestions actions list.

Fixed Versions:
15.1.4, 16.1.2


1004069 : Brute force attack is detected too soon

Links to More Info: BT1004069

Component: Application Security Manager

Symptoms:
A Brute force attack is detected too soon.

Conditions:
The login page has the expected header validation criteria.

Impact:
The attack is detected earlier than the setpoint.

Workaround:
N/A

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2


1003633 : There might be wrong memory handling when message routing feature is used

Links to More Info: BT1003633

Component: Service Provider

Symptoms:
The following log is observed from /var/log/ltm
Oops @ 0x28c3060:232: buf->ref == 0

Conditions:
Message routing is used either by
- Generic message (ltm message-routing generic) or
- HTTP2 with Message router option enabled

Impact:
For most cases, this kind of incorrect memory handling may only generate warning log message. In rare case, it might lead to a tmm crash.

Workaround:
N/A

Fix:
Wrong memory handling in message routing is fixed.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


1003257 : ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected

Links to More Info: BT1003257

Component: TMOS

Symptoms:
ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' commands are not working properly. The address is always set to interface-configured global/local addresses respectively.

Conditions:
Using BGPv4 with IPv6 capability extension and a route-map with 'set ipv6 next-hop' and/or 'set ipv6 next-hop local' configuration.

Impact:
Wrong next-hop is advertised.

Workaround:
None.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


1002945 : Some connections are dropped on chained IPv6 to IPv4 virtual servers.

Links to More Info: BT1002945

Component: Local Traffic Manager

Symptoms:
IPv6 virtual servers targeting IPv4 virtual servers (for example, using the 'virtual' iRule command) might drop traffic coming from some clients unexpectedly.

Conditions:
- IPv6 to IPv4 virtual server chaining.

Impact:
Traffic is dropped.

Workaround:
None

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


1002809 : OSPF vertex-threshold should be at least 100

Links to More Info: BT1002809

Component: TMOS

Symptoms:
OSPF vertex-threshold should be at least 100, but you are able to set it to any number between 0 and 10000000.

Conditions:
-- Using OSPFv2/OSPFv3
-- Configuring the vertex-threshold setting

Impact:
When the setting is less than the default of 100, routes may not be installed properly.

Workaround:
Ensure that vertex-threshold is set to 100 (default) or above.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


1002761 : SCTP client's INIT chunks rejected repeatedly with ABORT during re-establishment of network link after failure

Links to More Info: BT1002761

Component: TMOS

Symptoms:
A SCTP client's INIT chunks are rejected repeatedly.

Conditions:
-- Client-side SCTP association times out and is terminated with ABORT.
-- The client attempts to INIT the association again using the same source port.

Impact:
Client cannot reconnect to BIG-IP systems, even after the network failures are resolved.

Workaround:
Fail over and restart tmm on the affected device.

Fixed Versions:
15.1.4, 16.0.1.2


1002565 : OpenSSL vulnerability CVE-2021-23840

Links to More Info: K24624116, BT1002565


1002413 : Websso puts quotation marks around non-string claim type 'custom' values

Links to More Info: BT1002413

Component: Access Policy Manager

Symptoms:
When you define a claim to use with OAuth bearer SSO, and the claim-type setting is set to custom, the claim value is treated as a string and encapsulated in quotation marks.

Conditions:
-- OAuth bearer SSO is configured.
-- The OAuth claim value being used is of type 'custom'.

Impact:
The claim value is encapsulated in quotation marks and processed as a string and OAuth does not work properly.

Workaround:
None


1002385 : Fixing issue with input normalization

Component: Application Security Manager

Symptoms:
Under certain conditions, ASM does not follow current best practices.

Conditions:
- ASM provisioned

Impact:
Attack detection is not triggered as expected

Workaround:
N/A

Fix:
Attack detection is now triggered as expected

Fixed Versions:
14.1.4.6, 15.1.5, 16.1.2.1


1001937 : APM configuration hardening

Component: Access Policy Manager

Symptoms:
APM does not follow current best practices for configuration.

Conditions:
- APM provisioned

Impact:
APM does not follow current best practices for configuration.

Workaround:
N/A

Fix:
APM now follows current best practices for configuration.

Fixed Versions:
15.1.5.1, 16.1.2.2


1000789-4 : ASM-related iRule keywords may not work as expected

Links to More Info: BT1000789

Component: Application Security Manager

Symptoms:
Some ASM-related iRule keywords may not work as expected when DoSL7 is used.

Conditions:
ASM iRule keywords are used in a bot defense- or DoSL7-related event, and DoSL7 is used.

Impact:
ASM-related iRule keywords may not work as expected.

Workaround:
None

Fixed Versions:
16.1.2.2


1000741 : Fixing issue with input normalization

Component: Application Security Manager

Symptoms:
Under certain conditions, ASM does not follow current best practices.

Conditions:
- ASM provisioned

Impact:
Attack detection is not triggered as expected

Workaround:
N/A

Fix:
Attack detection is now triggered as expected

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1


1000669-5 : Tmm memory leak 'string cache' leading to SIGFPE

Links to More Info: BT1000669

Component: Access Policy Manager

Symptoms:
SIGFPE core on tmm. The tmm string cache leaks aggressively and memory reaches 100% and triggers a core.

In /var/log/tmm you see an error:

Access encountered error: ERR_OK. File: ../modules/hudfilter/access/access_session.c, Function: access_session_delete_callback, Line: 2123

Conditions:
This can be encountered while APM is configured and passing traffic. Specific conditions are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed mishandled error code path


1000405 : VLAN/Tunnels not listed when creating a new rule via GUI

Links to More Info: BT1000405

Component: Advanced Firewall Manager

Symptoms:
Available tunnels are not displayed on the AFM rules-creation page in the GUI.

Conditions:
-- Navigate to the firewall network rules creation page in the GUI.
-- In the rules source section, under the VLAN/Tunnel dropdown, select the 'specify' option.

Impact:
Available tunnels do not display in the select box. Cannot specify tunnels for firewall rules from the GUI.

Workaround:
Use tmsh to specify tunnels for firewall rules.

Fix:
The available tunnels now display in the VLAN/Tunnels dropdown.

Fixed Versions:
15.1.4, 16.1.1


1000021 : TMM may consume excessive resources while processing packet filters

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may consume excessive resources while processing packet filters.

Conditions:
- Packet filters in use

Impact:
Excessive resource consumption, potentially leading to memory exhaustion and reduced performance or a failover event.

Workaround:
N/A

Fix:
TMM now processes packet filters as expected.

Fixed Versions:
14.1.4.6, 15.1.5, 16.1.2.2



Known Issues in BIG-IP v17.0.x


TMOS Issues

ID Number Severity Links to More Info Description
989517-4 2-Critical BT989517 Acceleration section of virtual server page not available in DHD
979045-5 2-Critical BT979045 The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms
950201-5 2-Critical BT950201 Tmm core on GCP
940225-5 2-Critical BT940225 Not able to add more than 6 NICs on VE running in Azure
1095217-2 2-Critical BT1095217 Peer unit incorrectly shows the pool status as unknown after upgrade to version 16.1.2.1
1085597-2 2-Critical BT1085597 IKEv1 IPsec peer cannot be created in config utility (web UI)
1077789-5 2-Critical BT1077789 System might become unresponsive after upgrading.&start;
992865-4 3-Major BT992865 Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances
992053-7 3-Major BT992053 Pva_stats for server side connections do not update for redirected flows
966949-7 3-Major BT966949 Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node
950153-4 3-Major BT950153 LDAP remote authentication fails when empty attribute is returned
945413-5 3-Major BT945413 Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync
930393-1 3-Major BT930393 IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration
886649-6 3-Major BT886649 Connections stall when dynamic BWC policy is changed via GUI and TMSH
879969-9 3-Major BT879969 FQDN node resolution fails if DNS response latency >5 seconds
801525 3-Major K07047203, BT801525 With large config, SNMP response times may be long due to processing burden of requests
775845-7 3-Major BT775845 Httpd fails to start after restarting the service using the iControl REST API
760982-4 3-Major BT760982 An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios
760354-16 3-Major BT760354 Continual mcpd process restarts after removing big logs when /var/log is full
755207-4 3-Major BT755207 Large packets silently dropped on VE mlxvf5 devices
749011-4 3-Major BT749011 Datasync may start background tasks during high disk IO utilization
566995-5 3-Major BT566995 bgpd might crash in rare circumstances.
1100409-5 3-Major   Valid connections may fail while a virtual server is in SYN cookie mode.
1093973-8 3-Major BT1093973 Tmm may core when BFD peers select a new active device.
1093553-5 3-Major BT1093553 OSPF "default-information originate" injects a new link-state advertisement
1091725-5 3-Major BT1091725 Memory leak in IPsec
1091345-1 3-Major BT1091345 The /root/.bash_history file is not carried forward by default during installations.
1090313-4 3-Major BT1090313 Virtual server may remain in hardware SYN cookie mode longer than expected
1089849-1 3-Major   NIST SP800-90B compliance
1087621-3 3-Major BT1087621 IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload
1085837-3 3-Major BT1085837 Virtual server may not exit from hardware SYN cookie mode
1083537-1 3-Major BT1083537 FIPS 140-3 Certification
1080925-4 3-Major BT1080925 Changed 'ssh-session-limit' value is not reflected after restarting mcpd
1077533-4 3-Major BT1077533 BIG-IP fails to restart services after mprov runs during boot.
1077405-1 3-Major BT1077405 Ephemeral pool members may not be created with autopopulate enabled.
1076801-5 3-Major BT1076801 Loaded system increases CPU usage when using CS features
1076785-3 3-Major BT1076785 Virtual server may not properly exit from hardware SYN Cookie mode
1060145-4 3-Major BT1060145 Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2.
1057709 3-Major BT1057709 Invalid Certificate for all BIG-IP VE OVA images on vCenter 7.0U2.
1036613-6 3-Major BT1036613 Client flow might not get offloaded to PVA in embryonic state
1032257-5 3-Major BT1032257 Forwarded PVA offload requests fail on platforms with multiple PDE/TMM
1031025 3-Major BT1031025 Nitrox 3 FIPS: Upgrade from v12.1.x to v14.1.x results in new .key.exp files for the FIPS keys created before upgrade.&start;
1029105-2 3-Major BT1029105 Hardware SYN cookie mode state change logs bogus virtual server address
1025261-4 3-Major BT1025261 When restjavad.useextramb is set, java immediately uses more resident memory in linux
1024661-4 3-Major   SCTP forwarding flows based on VTAG for bigproto
1024421-4 3-Major BT1024421 At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log
1019829-4 3-Major BT1019829 Configsync.copyonswitch variable is not functioning on reboot
964533-6 4-Minor BT964533 Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.
929173-5 4-Minor BT929173 Watchdog reset due to CPU stall detected by rcu_sched
915141-6 4-Minor BT915141 Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'
658943-6 4-Minor BT658943 Errors when platform-migrate loading UCS using trunks on vCMP guest
1101741-1 4-Minor   Virtual server with default pool down and iRule pool up will flap for a second during a full config-sync.
1096461-1 4-Minor BT1096461 TACACS system-auth Accounting setting has no effect when set to send-to-all-servers/send-to-first-server
1095973-4 4-Minor BT1095973 Config load failure when Trusted CA Bundle is missing and URL is present in the Bundle Manager
1095205-5 4-Minor BT1095205 Config.auditing.forward.multiple db Variable with value "none" is not working as expected with multiple destination addresses in audit_forwarder.
1090569-2 4-Minor BT1090569 After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV
1089005-5 4-Minor BT1089005 Dynamic routes might be missing in the kernel on secondary blades.
1082193-4 4-Minor BT1082193 TMSH: Need to update the version info for SERVER_INIT in help page
1080317-4 4-Minor BT1080317 Logged hostname not consistent when hostname contains "."
1077293-3 4-Minor BT1077293 APPIQ option still showing in BIG-IP GUI even though its functionality migrated to BIG-IQ.
1071621-2 4-Minor BT1071621 Increase the number of supported traffic selectors


Local Traffic Manager Issues

ID Number Severity Links to More Info Description
999669-4 2-Critical BT999669 Some HTTPS monitors are failing after upgrade when config has different SSL option&start;
922737-3 2-Critical BT922737 TMM crash
1100249-1 2-Critical BT1100249 SNAT with FLOW_INIT firewall rule may core TMM due to wrong type of underlying flow structure
1091021-1 2-Critical BT1091021 The BIG-IP system may take no fail-safe action when the bigd daemon becomes unresponsive.
1087469-3 2-Critical BT1087469 iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate.
1074517-4 2-Critical BT1074517 Tmm may core while adding/modifying traffic-class attached to a virtual server
1073897-1 2-Critical BT1073897 TMM core due to memory corruption
1060369-2 2-Critical BT1060369 HTTP MRF Router will not change serverside load balancing method
966785-4 3-Major BT966785 Rate Shaping stops TCP retransmission
912293-6 3-Major BT912293 Persistence might not work properly on virtual servers that utilize address lists
901569-5 3-Major BT901569 Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.
888885 3-Major BT888885 BIG-IP Virtual Edition TMM restarts frequently without core
887265-5 3-Major BT887265 BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration&start;
748886-5 3-Major BT748886 Virtual server stops passing traffic after modification
739475-7 3-Major BT739475 Site-Local IPv6 Unicast Addresses support.
1097473-5 3-Major BT1097473 BIG-IP transmits packets with incorrect content
1093061-1 3-Major BT1093061 MCPD restart on secondary blade during hot-swap of another blade
1091969-4 3-Major BT1091969 iRule 'virtual' command does not work for connections over virtual-wire.
1091785-1 3-Major BT1091785 DBDaemon restarts unexpectedly and/or fails to restart under heavy load
1088597-1 3-Major BT1088597 TCP keepalive timer can be immediately re-scheduled in rare circumstances
1088173-3 3-Major BT1088173 With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile
1087569-5 3-Major BT1087569 Changing max header table size according HTTP2 profile value may cause stream/connection to terminate
1086473-4 3-Major BT1086473 BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake
1083621-5 3-Major BT1083621 The virtio driver uses an incorrect packet length
1083589-4 3-Major BT1083589 Some connections are dropped on chained IPv6 to IPv4 virtual servers.
1082225-6 3-Major BT1082225 Tmm may core while Adding/modifying traffic-class attached to a virtual server.
1081813-3 3-Major BT1081813 A rst_stream can erronously tear down the overall http2 connection.
1077553-4 3-Major BT1077553 Traffic matches the wrong virtual server after modifying the port matching configuration
1076577-4 3-Major BT1076577 iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg'
1070957-4 3-Major BT1070957 Database monitor log file backups cannot be rotated normally.
1070789-1 3-Major BT1070789 SSL fwd proxy invalidating certificate even through bundle has valid CA
1068673-4 3-Major BT1068673 SSL forward Proxy triggers CLIENTSSL_DATA event on bypass.
1063977-4 3-Major BT1063977 Tmsh load sys config merge fails with "basic_string::substr" for non-existing key.
1060021-3 3-Major BT1060021 Using OneConnect profile with RESOLVER::lookup_name iRule might result in core.
1040465-2 3-Major BT1040465 Incorrect SNAT pool is selected
1023529-4 3-Major BT1023529 FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory.
1006157-7 3-Major BT1006157 FQDN nodes not repopulated immediately after 'load sys config'
1000069-5 3-Major BT1000069 Virtual server does not create the listener
990173-7 4-Minor BT990173 Dynconfd repeatedly sends the same mcp message to mcpd
929429-9 4-Minor BT929429 Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed
1093545-5 4-Minor BT1093545 Attempts to create illegal virtual-server may lead to mcpd crash.
1015117 4-Minor BT1015117 Headers are corrupted during modification/insertion if a mix of end-of-line markers <CRLF> and <LF> are used


Performance Issues

ID Number Severity Links to More Info Description
908001 2-Critical BT908001 vCMP guest CPU usage may increase 4-5% after upgrade of vCMP host to v16.1.x&start;


Global Traffic Manager (DNS) Issues

ID Number Severity Links to More Info Description
940733 2-Critical K29290121, BT940733 Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt&start;
931149-4 2-Critical BT931149 Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings
966461-8 3-Major BT966461 Tmm memory leak
1100197-1 3-Major BT1100197 GTM sends wrong commit_id originator for iqsyncer to do gtm group sync
1091249-1 3-Major BT1091249 BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address.
1073677-2 3-Major BT1073677 Add a db variable to enable answering DNS requests before reqInitState Ready
1040153-4 3-Major BT1040153 Topology region returns narrowest scope netmask without matching
1084673-1 4-Minor BT1084673 GTM Monitor "require M from N" status change log message does not print pool name
1067821-5 4-Minor BT1067821 Stats allocated_used for region inside zxfrd is overflowed
1054717-4 4-Minor BT1054717 Incorrect Client Summary stats for transparent cache.


Application Security Manager Issues

ID Number Severity Links to More Info Description
1095185-1 2-Critical BT1095185 Failed Configuration Load on Secondary Slot After Device Group Sync
886533-4 3-Major BT886533 Icap server connection adjustments
1085661-2 3-Major BT1085661 Standby system saves config and changes status after sync from peer
1082461-1 3-Major BT1082461 The enforcer cores during a call to 'ASM::raise' from an active iRule
1080613-4 3-Major BT1080613 "Installation of Automatically Downloaded Updates" configuration in LiveUpdate is lost during the first tomcat restart, after upgrading to versions having the fix of ID907025.&start;
1078765-5 3-Major BT1078765 Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer.
1077281-1 3-Major   Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages
1072165-5 3-Major BT1072165 Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format
1069137-1 3-Major BT1069137 Missing AWAF sync diagnostics
1062905 3-Major   ASM::Support_ID may issue an error when invoked from ASM_REQUEST_BLOCKING.
1062493-5 3-Major BT1062493 BD crash close to it's startup
1056957-2 3-Major BT1056957 An attack signature can be bypassed under some scenarios.
1036057-5 3-Major BT1036057 Add support for line folding in multipart parser.
1030133-1 3-Major BT1030133 BD core on XML out of memory
1029989 3-Major   CORS : default port of origin header is set 80, even when the protocol in the header is https
1029373-3 3-Major BT1029373 Firefox 88+ raising Suspicious browser violations with bot defense
1023889 3-Major BT1023889 HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message
1021609-5 3-Major BT1021609 Improve matching of URLs with specific characters to a policy.
1014973-6 3-Major BT1014973 ASM changed cookie value.
1006181-4 3-Major BT1006181 ASM fails to start if different ASM policies use login pages with the same name&start;
987977 4-Minor BT987977 VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation
948241-5 4-Minor   Count Stateful anomalies based only on Device ID
1087005-1 4-Minor BT1087005 Application charset may be ignored when using Bot Defense Browser Verification
1084857-1 4-Minor BT1084857 ASM::support_id iRule command does not display the 20th digit
1083513-3 4-Minor BT1083513 BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd
1073625-1 4-Minor   Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled.
1040513-4 4-Minor BT1040513 The counter for "FTP commands" is always 0.
1014573-5 4-Minor   Several large arrays/objects in JSON payload may core the enforcer
1012185 4-Minor   No violation details on the graphQL max depth format-setting violation.
1005309 4-Minor BT1005309 Additional Tcl variables showing information from the AntiBot Mobile SDK
1005181 4-Minor BT1005181 Bot Defense Logs indicate the mobile debugger is used even when it is not
1029689-1 5-Cosmetic BT1029689 Incosnsitent username "SYSTEM" in Audit Log


Access Policy Manager Issues

ID Number Severity Links to More Info Description
1097821-1 3-Major   Unable to create apm policy customization image using tmsh command when source-path is specified
1059085 3-Major   Unable to perform device posture check for Android version 11 or more device with Microsoft Intune.
1037877-5 3-Major BT1037877 OAuth Claim display order incorrect in VPE
1079441-4 4-Minor BT1079441 APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries
1028081-2 4-Minor BT1028081 [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page


Advanced Firewall Manager Issues

ID Number Severity Links to More Info Description
990461-6 3-Major BT990461 Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade&start;
1079985-2 3-Major BT1079985 int_drops_rate shows an incorrect value
1039993 3-Major   AFM NAT Excessive number of logs "Port Block Updated" and "LSN_PB_UPDATE"
1084901-2 4-Minor BT1084901 Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh


Policy Enforcement Manager Issues

ID Number Severity Links to More Info Description
1091565-2 2-Critical   Gy CCR AVP:Requested-Service-Unit is misformatted/NULL
956013-3 3-Major BT956013 System reports{{validation_errors}}
1093357-5 3-Major BT1093357 PEM intra-session mirroring can lead to a crash
1090649-4 3-Major BT1090649 PEM errors when configuring IPv6 flow filter via GUI
1089829-4 3-Major BT1089829 PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers
1084993-5 3-Major BT1084993 [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching
911585-6 4-Minor BT911585 PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval


Carrier-Grade NAT Issues

ID Number Severity Links to More Info Description
1096317-5 3-Major BT1096317 SIP msg alg zombie flows


Fraud Protection Services Issues

ID Number Severity Links to More Info Description
1016481 3-Major BT1016481 Special JSON characters in Dom Signatures breaks configuration


iApp Technology Issues

ID Number Severity Links to More Info Description
1004697-4 3-Major BT1004697 Saving UCS files can fail if /var runs out of space


In-tmm monitors Issues

ID Number Severity Links to More Info Description
832133-6 3-Major BT832133 In-TMM monitors fail to match certain binary data in the response from the server.


SSL Orchestrator Issues

ID Number Severity Links to More Info Description
969297-2 3-Major BT969297 Virtual IP configured on a system with SelfIP on vwire becomes unresponsive
1095145-4 4-Minor BT1095145 Virtual server responding with ICMP unreachable after using /Common/service

 

Known Issue details for BIG-IP v17.0.x

999669-4 : Some HTTPS monitors are failing after upgrade when config has different SSL option&start;

Links to More Info: BT999669

Component: Local Traffic Manager

Symptoms:
Some HTTPS monitors are failing after upgrade when the config has different SSL option properties for different monitors.

Conditions:
-- Individual SSL profiles exist for different HTTPS monitors with SSL parameters.
-- A unique server SSL profile is configured for each HTTP monitor (one with cert/key, one without).

Impact:
Some HTTPS monitors fail. Pool is down. Virtual server is down.

Workaround:
None


992865-4 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances

Links to More Info: BT992865

Component: TMOS

Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.

Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms
  + BIG-IP i11000 series (C123)
  + BIG-IP i15000 series (D116)

Impact:
Software SYN cookies are enabled, this has a performance impact compared to the hardware mode.

Workaround:
None


992053-7 : Pva_stats for server side connections do not update for redirected flows

Links to More Info: BT992053

Component: TMOS

Symptoms:
Pva_stats for server side connections do not update for the re-directed flows

Conditions:
-- Flows that are redirected to TMM.
-- Server flows are offloaded to PVA.

Impact:
PVA stats do not reflect the offloaded flow.

Workaround:
None


990461-6 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade&start;

Links to More Info: BT990461

Component: Advanced Firewall Manager

Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.

Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.

Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.

Workaround:
Manually update the SYN cookie threshold values after an upgrade.


990173-7 : Dynconfd repeatedly sends the same mcp message to mcpd

Links to More Info: BT990173

Component: Local Traffic Manager

Symptoms:
If dynconfd sends a single message to mcpd containing two or more operations, and one of the operations fails mcpd validation, dynconfd repeatedly sends same message to mcpd.

An example of two operations in one mcp message would be an ephemeral node creation and an ephemeral pool member creation in a single mcp message.

Conditions:
This can occur when:

-- Using FQDN nodes and FQDN pool members.

-- There is an additional issue where the message from dynconfd fails validation within mcpd (e.g., a misconfiguration in which the monitor assigned to the pool is configured with a wildcard destination and the pool member is added to the pool with a port of '0' or 'any'.

Impact:
By repeatedly resending the same messages, which fail repeatedly, dynconfd causes increased mcpd CPU utilization.

This might cause the population of ephemeral nodes and pool members to fail and become out of sync with what the DNS server is resolving.

Workaround:
Examine the LTM logs for mcpd error messages indicating failed attempts to create ephemeral nodes or ephemeral pool members, and resolve the cause of the failed node or pool-member creation.


989517-4 : Acceleration section of virtual server page not available in DHD

Links to More Info: BT989517

Component: TMOS

Symptoms:
The acceleration section in the virtual server page(UI) is not visible if a DHD license is installed.

Conditions:
The acceleration section is not visible in case "Dos" is provisioned

Impact:
1) You are unable to use the GUI to modify any parameters of the Acceleration table in the virtual server page.

2) Loss of configuration items if making changes via the GUI.

Workaround:
A virtual server with parameters present in the Acceleration table can still be created using TMSH


987977 : VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation

Links to More Info: BT987977

Component: Application Security Manager

Symptoms:
Remote logging message, violation_details field, includes XML document for VIOL_HTTP_RESPONSE_STATUS even though there was no VIOL_HTTP_RESPONSE_STATUS violation triggered.

Conditions:
When all the following conditions are met

-- Response status code is not one of 'Allowed Response Status Codes'.
-- Alarm/Block flags are disabled with 'Illegal HTTP status in response'.
-- Logging profile is configured for remote storage.
-- Storage format is comma-separated.
-- Both violation_details and violations fields are set.

Impact:
Remote logging server receives inaccurate message.

Workaround:
None


979045-5 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms

Links to More Info: BT979045

Component: TMOS

Symptoms:
After installing an Engineering Hotfix version of BIG-IP v14.1.0 or later, certain BIG-IP hardware systems. The Trusted Platform Module (TPM), status is showing as INVALID.

Conditions:
This may occur:
-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
   - ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
   - ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
   - ID963017 (https://cdn.f5.com/product/bugtracker/ID963017.html)
-- The issue is observed only on the following platforms:
   - i11600 / i11800
   - i11400-DS / i11600-DS / i11800-DS

Impact:
The TPM status INVALID indicates that the system integrity is compromised when it is actually valid.

Workaround:
None.


969297-2 : Virtual IP configured on a system with SelfIP on vwire becomes unresponsive

Links to More Info: BT969297

Component: SSL Orchestrator

Symptoms:
Virtual IP ARP does not get resolved when a SelfIP is configured on a virtual-wire.

Conditions:
Issue happens when a SelfIP address is configured and a Virtual IP address is configured for a Virtual Server.

Impact:
The virtual server is unreachable.

Workaround:
None


966949-7 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node

Links to More Info: BT966949

Component: TMOS

Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.

Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230

This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.

Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since is it not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, it is not possible for any FQDN ephemeral pool members to remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.

Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")


966785-4 : Rate Shaping stops TCP retransmission

Links to More Info: BT966785

Component: Local Traffic Manager

Symptoms:
When rate shaping is applied to a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.

Conditions:
This issue occurs when both of the following conditions are met:

-- Virtual server configured with a rate shaping.
-- Standard type of virtual server.

Impact:
The BIG-IP system does not retransmit unacknowledged data segments.

Workaround:
None


966461-8 : Tmm memory leak

Links to More Info: BT966461

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm leaks memory for DNSSEC requests.

Conditions:
NetHSM is configured but disconnected.

or

Internal FIPS card is configured and tmm receives more DNSSEC requests than the FIPS card is capable of handling.

Impact:
Tmm memory utilization increases over time.

Workaround:
None


964533-6 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.

Links to More Info: BT964533

Component: TMOS

Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.

Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.

Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.

There is no impact other than additional log entries.

Workaround:
None.


956013-3 : System reports{{validation_errors}}

Links to More Info: BT956013

Component: Policy Enforcement Manager

Symptoms:
A {{validation_errors}} at Subscriber Management :: Control Plane Listeners and Data Plane Listeners with ipv6 addresses

Conditions:
Specifying an IPv6 address in the expression in Subscriber Management :: Control Plane Listeners and Policy Enforcement :: Data Plane Listeners.

Impact:
Cannot access the BIG-IP GUI through IPv6 address from any web browser. Admin/User cannot enter input through GUI.

Workaround:
None.


950201-5 : Tmm core on GCP

Links to More Info: BT950201

Component: TMOS

Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.

TMM panic with this message in a tmm log file:

panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.

Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141

-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.


Note: Each of these workarounds have performance impact.


950153-4 : LDAP remote authentication fails when empty attribute is returned

Links to More Info: BT950153

Component: TMOS

Symptoms:
LDAP /AD Remote authentication fails and the authenticating service may crash.

The failure might be intermittent.

Conditions:
LDAP/AD server SearchResEntry includes attribute with empty or NULL value.

This can be seen in tcpdump of the LDAP communication in following ways

1. No Value for attribute . Example in tcpdump taken on affected user :

vals: 1 item
        AttributeValue:

2. 1. NULL Value for attribute . Example in tcpdump taken on affected user :

vals: 1 item
    AttributeValue: 00

Impact:
Logging in via the GUI will fail silently
Logging in via ssh will cause the sshd service on LTM to crash and logs will be seen under /var/log/kern.log

The logs will be similar to :

info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000]
info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0

Workaround:
There is no Workaround on the LTM side.

For LDAP, you change/add the value from none/NULL on the affected attribute to ANY dummy value which will prevent the issue


948241-5 : Count Stateful anomalies based only on Device ID

Component: Application Security Manager

Symptoms:
Currently when Device ID is enabled, the BIG-IP system counts stateful anomalies on both IP and Device ID. When a client has a proxy (without XFF), and many requests arrive with the same IP, this can cause false positives

Conditions:
- Bot Defense profile is attached to a virtual server.
- Bot Defense profile has "Browser Verification" set to "Verify After Access" or "Device ID Mode" set to "Generate After Access".

Impact:
False positives may occur in case of a proxy without XFF

Workaround:
None


945413-5 : Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync

Links to More Info: BT945413

Component: TMOS

Symptoms:
The BIG-IP system constantly downloads the certificate bundle if the CA-bundle manager config includes a URL.

Symptoms are different depending on if BIG-IP systems is in a manual or automatic sync device group.

Manual sync device groups will not stay in sync.

Automatic sync device groups will constantly sync.

Conditions:
The CA-bundle manager is configured.

Impact:
The keymgmtd and mcpd process gets into a loop that causes constant config changes and if the ca-bundle-manager includes a URL, the BIG-IP system constantly downloads the bundle.


940733 : Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt&start;

Links to More Info: K29290121, BT940733

Component: Global Traffic Manager (DNS)

Symptoms:
The system fails during the boot-up process, reports a libcrypto validation error, and the system halts. The console will show this error:

Power-up self-test failures:
OpenSSL: Integrity test failed for libcrypto.so

This occurs after one of the following:
-- Upgrading a FIPS-enabled BIG-IP system, booting to a volume running an earlier software version
-- running big3d_install from a BIG-IP GTM to an LTM

Conditions:
-- FIPS-licensed BIG-IP system.
-- Upgrade.
-- Boot into an volume running an earlier version of the software.

Another way to encounter the issue is:

-- FIPS-licensed BIG-IP LTM.
-- BIG-IP DNS (GTM) device running a higher software version than the LTM.
-- Run big3d_install from GTM pointing to FIPS-licensed LTM.

Impact:
System boots to a halted state.

Workaround:
Before booting to the volume with the earlier version, delete /shared/bin/big3d.

Note: This issue might have ramifications for DNS/GTM support. DNS/GTM is not FIPS certified.

If the target software volume has already experienced this issue (the system boots to a halted state), follow the instructions in K25205233: BIG-IP System halted while booting. Halt at boot after FIPS Integrity Check Result FAIL :: https://support.f5.com/csp/article/K25205233, in addition to deleting /shared/bin/big3d.

For additional information, see K29290121: Rollback after upgrade or big3d_install may cause FIPS to halt system on boot :: https://support.f5.com/csp/article/K29290121.


940225-5 : Not able to add more than 6 NICs on VE running in Azure

Links to More Info: BT940225

Component: TMOS

Symptoms:
Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot.

Conditions:
-- Standard_DS4_v2 Azure instance type.
-- Mellanox ConnectX-3 ethernet controller.
-- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set.
-- Accelerated networking is enabled on two or more NICs.

Impact:
Not able to boot BIG-IP VM with 8 NICs, which should be supported for Standard_DS4_v2 instance type:
8 vCPU
28 GiB
8 Max NICs

Adding more NICs to the instance makes the device fail to boot.

Workaround:
None


931149-4 : Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings

Links to More Info: BT931149

Component: Global Traffic Manager (DNS)

Symptoms:
RESOLV::lookup returns an empty string.

Conditions:
The name being looked up falls into one of these categories:

-- Forward DNS lookups in these zones:
    - localhost
    - onion
    - test
    - invalid

-- Reverse DNS lookups for:
    - 127.0.0.0/8
    - ::1
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
    - 0.0.0.0/8
    - 169.254.0.0/16
    - 192.0.2.0/24
    - 198.51.100.0/24
    - 203.0.113.0/24
    - 255.255.255.255/32
    - 100.64.0.0/10
    - fd00::/8
    - fe80::/10
    - 2001:db8::/32
    - ::/64

Impact:
RESOLV::lookup fails.

Workaround:
Use a DNS Resolver ('net dns') and RESOLVER::name_lookup / DNSMSG:: instead of RESOLV::lookup:

1. Configure a local 'net dns' resolver, replacing '192.88.99.1' with the IP address of your DNS resolver:

    tmsh create net dns-resolver resolver-for-irules answer-default-zones no forward-zones add { . { nameservers add { 192.88.99.1:53 } } }

2. Use an iRule procedure similar to this to perform PTR lookups for IPv4 addresses:

proc resolv_ptr_v4 { addr_v4 } {
    # Convert $addr_v4 into its constituent bytes
    set ret [scan $addr_v4 {%d.%d.%d.%d} a b c d]
    if { $ret != 4 } {
        return
    }

    # Perform a PTR lookup on the IP address $addr_v4, and return the first answer
    set ret [RESOLVER::name_lookup "/Common/resolver-for-irules" "$d.$c.$b.$a.in-addr.arpa" PTR]
    set ret [lindex [DNSMSG::section $ret answer] 0]
    if { $ret eq "" } {
        # log local0.warn "DNS PTR lookup for $addr_v4 failed."
        return
    }

    # Last element in '1.1.1.10.in-addr.arpa. 600 IN PTR otters.example.com'
    return [lindex $ret end]
}

-- In an iRule, instead of:
    RESOLV::lookup @192.88.9.1 $ipv4_addr
Use:
    call resolv_ptr_v4 $ipv4_addr


930393-1 : IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration

Links to More Info: BT930393

Component: TMOS

Symptoms:
-- IPsec tunnel does not start.
-- Remote IPsec networks unavailable.

Conditions:
-- Using IKEv1 and one of the following:
   + Performing an upgrade.
   + IPsec tunnel reconfiguration generally involving a change to, or addition of, a traffic-selector.

Impact:
IPsec tunnel is down permanently.

Workaround:
-- Reconfigure or delete and re-create the traffic selectors associated with the IPsec tunnel that does not start.

Special Notes:
-- This occurs rarely and does not happen spontaneously, without intentional changes (reconfiguration or upgrade).
-- A BIG-IP reboot or a restart of tmipsecd does not resolve this condition.
-- This symptom might also occur due to a genuine misconfiguration.
-- After major version upgrades, default ciphers can change, double-check the encryption and authentication ciphers for the tunnel.


929429-9 : Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed

Links to More Info: BT929429

Component: Local Traffic Manager

Symptoms:
Whenever you create Oracle or SQL (mssql, mysql or postgresql) database monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs.

Conditions:
-- Create an Oracle or SQL database LTM monitor.
-- Add a pool member to the Oracle or SQL database monitor created.
-- Platform FIPS is licensed.

Impact:
High CPU Usage due to the loading of libraries whenever new connection is created.

Workaround:
None.


929173-5 : Watchdog reset due to CPU stall detected by rcu_sched

Links to More Info: BT929173

Component: TMOS

Symptoms:
Rcu_sched detected CPU stall, which can cause vCMP host reboot. The device reboots without core and records "Host Watchdog timeout."

Typically there will logs in kern.log similar to:
err kernel: : [526684.876928] INFO: rcu_sched detected stalls on CPUs/tasks: ...

Conditions:
Host undergoing a watchdog reset in a vCMP environment.

Impact:
CPU RCU stalls and host watchdog reboots


922737-3 : TMM crash

Links to More Info: BT922737

Component: Local Traffic Manager

Symptoms:
TMM crashes with a sigsegv while passing traffic

Conditions:
Virtual server with a Connector profile that redirects to an internal virtual server on the same BIG-IP system

Impact:
Traffic disrupted while tmm restarts.


915141-6 : Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'

Links to More Info: BT915141

Component: TMOS

Symptoms:
Availability status of virtual server can be left 'available' even if the corresponding pool's availability becomes 'unknown'.

Conditions:
- Pool member is configured as an FQDN node.
- You set monitor to 'none' with the pool.

Impact:
Inconsistent availability status of pool and virtual server.

Workaround:
Set the FQDN node to 'force offline', and then 'enable'. This triggers virtual server's status updates and syncs to pool.


912293-6 : Persistence might not work properly on virtual servers that utilize address lists

Links to More Info: BT912293

Component: Local Traffic Manager

Symptoms:
-- Connections to the virtual server might hang.
-- Increased tmm CPU utilization.

Conditions:
-- A virtual server is configured with a traffic-matching-criteria that utilizes a source-address-list and/or destination-address-list.

-- The virtual server utilizes certain persistence one of the following persistence types:
  + Source Address (but not hash-algorithm carp)
  + Destination Address (but not hash-algorithm carp)
  + Universal
  + Cookie (only cookie hash)
  + Host
  + SSL session
  + SIP
  + Hash (but not hash-algorithm carp)

Impact:
-- High tmm CPU utilization.
-- Stalled connections.

Workaround:
Enable match-across-virtuals in the persistence profile.

Note: Enabling match-across-virtuals might might affect the behavior of other virtual servers in the configuration that utilize persistence.


911585-6 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval

Links to More Info: BT911585

Component: Policy Enforcement Manager

Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.

Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)

Impact:
Session is not established.

Workaround:
None.


908001 : vCMP guest CPU usage may increase 4-5% after upgrade of vCMP host to v16.1.x&start;

Links to More Info: BT908001

Component: Performance

Symptoms:
All vCMP guest configurations might see a 4-5% increase in CPU usage while running on VIPRION and iSeries platforms with the vCMP host upgraded to v16.1.x

Conditions:
-- All configurations (guest software version is not relevant)
-- Running vCMP on VIPRION and iSeries platforms
-- 'Host' upgraded to v16.1.x

Impact:
Increase of CPU usage of about 4-5% on the vCMP guest. This is not expected to cause noticeable performance impacts unless the vCMP guest CPU is already close to 100% use, when it is possible there may be up to a 15% TPS decrease.
 
If you are running vCMP on VIPRION and iSeries platforms, first evaluate your scenarios and capacity plan if you plan to upgrade the 'host' to 16.1.x.

Note: There is no CPU usage increase when v16.1.x 'guest' instances are run on an earlier 'host' version.

Guidance: In determining whether to upgrade the vCMP host to v16.1.x, carefully evaluate the performance and sizing requirements of your specific configuration.

Workaround:
None


901569-5 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.

Links to More Info: BT901569

Component: Local Traffic Manager

Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.

Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).

Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server.

Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.


888885 : BIG-IP Virtual Edition TMM restarts frequently without core

Links to More Info: BT888885

Component: Local Traffic Manager

Symptoms:
The following messages are found in the QKViews:
"bigipA notice MCP bulk connection aborted, retrying"
"bigipA notice Initiating TMM shutdown"

Prior to this, the TMM process logs that it is waiting for its instances to reach different states. For example,
"localhost notice ixlv(1.3)[0:7.0]: Waiting for tmm1 to reach state 1..."

In the /var/log/ltm file, the following message are found sometimes.
"bigip1 crit tmm9[19358]: 01230017:2: Unable to attach to PCI device 00:09.00 for Interface 1.5"

Conditions:
BIG-IP VE with SR-IOV enabled on a Red Hat Enterprise Linux 7.7 which is a part of Red Hat OpenStack Platform 13

Impact:
The TMM process restarts without a core file repeatedly.
Traffic disrupted while tmm restarts.


887265-5 : BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration&start;

Links to More Info: BT887265

Component: Local Traffic Manager

Symptoms:
When booting to a boot location for the first time, the system does not come on-line.

Conditions:
-- There is a large configuration.
-- VLAN failsafe is configured, and the failsafe-action is something other than failover.
-- The BIG-IP system is an appliance.

Impact:
BIG-IP processes continually restart (VLAN failsafe-action failover-restart-tm), or the BIG-IP system continually reboots (VLAN failsafe-action reboot)

Workaround:
Either disable VLAN failsafe or set the failsafe-action to failover during an upgrade.


886649-6 : Connections stall when dynamic BWC policy is changed via GUI and TMSH

Links to More Info: BT886649

Component: TMOS

Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.

Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.

Impact:
Connection does not transfer data.

Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.


886533-4 : Icap server connection adjustments

Links to More Info: BT886533

Component: Application Security Manager

Symptoms:
Request getting to the ICAP server takes a long time to process (several seconds), which makes the whole transaction slower than expected. When testing the connection to the ICAP server itself, you determine that it is fast.

Conditions:
This happens especially with large file uploads that are mixed with smaller file uploads. The smaller uploads are waiting for the bigger upload.

Impact:
Slow responses to specific requests.

Workaround:
None.


879969-9 : FQDN node resolution fails if DNS response latency >5 seconds

Links to More Info: BT879969

Component: TMOS

Symptoms:
When resolving FQDN names for FQDN nodes/pool members, pending DNS requests are timed out after 5 seconds with no response from the DNS server.
If there is a persistent latency of 5 seconds or greater in the DNS server responses, FQDN name resolution will fail and ephemeral nodes/pool members will not be created.

Conditions:
- BIG-IP using FQDN nodes/pool members
- Persistent latency of 5 seconds or greater in the DNS server responses

Impact:
Ephemeral pool members may not be created, thus no traffic will be sent to the intended pool members.

Workaround:
Resolve any persistent latency issues that might cause delays of 5 seconds or more in DNS server responses.


832133-6 : In-TMM monitors fail to match certain binary data in the response from the server.

Links to More Info: BT832133

Component: In-tmm monitors

Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system still marks them DOWN.

Conditions:
This issue occurs when all of the following conditions are met:

-- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).

-- One (or more) of your TCP or HTTP monitors specifies a receive string using HEX encoding, in order to match binary data in the server's response.

-- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.

Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.

Workaround:
You can use either of the following workarounds:

-- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.

-- Do not monitor the application through a binary response (if the application allows it).


801525 : With large config, SNMP response times may be long due to processing burden of requests

Links to More Info: K07047203, BT801525

Component: TMOS

Symptoms:
On devices with large configurations, it is possible to make SNMP requests that require a lot of processing to gather the statistics needed to respond to the request. Possible symptoms include slow responses to SNMP gets, and high mcpd utilization.

Conditions:
-- Large configurations.
-- SNMP queries to large tables (e.g., a large number of pool members, or a large number of virtual servers).
-- High mcpd utilization.

Impact:
Increased load on mcpd and snmpd. SNMP clients might time out and the BIG-IP system may become unresponsive.

Workaround:
-- If you are experiencing slow response time, it can help to use SNMP client options of long timeouts and less retries so that SNMP requests do not keep restarting each time the previous request times out.

-- If you are querying statistics information, it is more efficient to just query the specific table you are interested in rather than doing a full snmpwalk of multiple tables.

-- If you are making bulk requests, you should avoid requesting from multiple different tables in the same request.

-- Avoid having multiple different clients querying different tables simultaneously.


775845-7 : Httpd fails to start after restarting the service using the iControl REST API

Links to More Info: BT775845

Component: TMOS

Symptoms:
After restarting httpd using the iControl REST API, httpd fails to start, even with a subsequent restart of httpd at the command line.

Similar to the following example:

config # restcurl -u admin:admin /tm/sys/service -X POST -d '{"name":"httpd", "command":"restart"}'
{
  "kind": "tm:sys:service:restartstate",
  "name": "httpd",
  "command": "restart",
  "commandResult": "Stopping httpd: [ OK ]\r\nStarting httpd: [FAILED]\r\n(98)Address already in use: AH00072: make_sock: could not bind to address n.n.n.n:n\nno listening sockets available, shutting down\nAH00015: Unable to open logs\n"
}

config # tmsh restart sys service httpd
Stopping httpd: [ OK ]
Starting httpd: [FAILED]

Conditions:
Restarting httpd service using iControl REST API.

Impact:
Httpd fails to start.

Workaround:
To recover from the failed httpd state, you can kill all instances of the httpd daemon and start httpd:

killall -9 httpd

tmsh start sys service httpd


760982-4 : An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios

Links to More Info: BT760982

Component: TMOS

Symptoms:
Soft out reset does not work for the default route.

Conditions:
-- BGP enabled
-- A route configuration change is made and 'clear ip bgp <IP-addr> soft in/out' is executed

Impact:
A default-route is not propagated in Network Layer Reachability Information (NLRI) by 'soft out' request.

Workaround:
None


760354-16 : Continual mcpd process restarts after removing big logs when /var/log is full

Links to More Info: BT760354

Component: TMOS

Symptoms:
The BIG-IP device suddenly stops passing traffic. You might see errors similar to the following:

err mcpd[15230]: 01070596:3: An unexpected failure has occurred, TAP creation failed (tmm): Permission denied - net/validation/routing.cpp, line 168, exiting...

Conditions:
This might occur when when /var/log is full and then you remove big logs.

Impact:
The mcpd process restarts continuously. This occurs because tmm blocks mcpd from restarting after /var/log fills up.

Workaround:
Empty the contents of big size log files under /var/log and reboot the BIG-IP system.


755207-4 : Large packets silently dropped on VE mlxvf5 devices

Links to More Info: BT755207

Component: TMOS

Symptoms:
Jumbo frames are disabled by default for Mellanox ConnectX-4 and ConnectX-5 devices using the mlxvf5 driver (i.e., many BIG-IP Virtual Edition (VE) configurations). Packets larger than 1500 bytes are silently dropped. Only packets up to 1500 bytes are supported when jumbo framers are disabled.

Conditions:
BIG-IP VE with SR-IOV using Mellanox ConnectX-4 or ConnectX-5 NICs.

Typically this represents VE configurations running on private Cloud environments such as VMware, KVM, OpenStack, and others.

Note: You can determine your environment by running the following commands:

# tmctl -d blade tmm/device_probed
# tmctl -d blade xnet/device_probed

Configurations exhibiting this issue either:

1. reports a value of 'mlxvf5' in the driver_in_use column in tmm/device_probed, and possibly reports 'tmctl: xnet/device_probed: No such table.'
2. reports a value of 'xnet' in the driver_in_use column in tmm/device_probed, and a value of 'mlxvf5' in the driver_in_use column in xnet/device_probed.

Impact:
Packets larger than 1500 bytes are dropped without a warning.

Workaround:
Enable jumbo frames and then restart tmm.

1. Add the following line to /config/xnet_init.tcl:
drvcfg mlxvf5 jumbo_support 1

2. Restart tmm:
bigstart restart tmm

Important: There are two possible mlxvf5 drivers. It is possible to enable jumbo frames only for the xnet-based driver.

Important: Enabling jumbo frames causes a performance loss for 1500-byte-size packet, but offers higher throughput at lower CPU usage for larger packets. Note that 1500 bytes is the most common size for internet packets.


749011-4 : Datasync may start background tasks during high disk IO utilization

Links to More Info: BT749011

Component: TMOS

Symptoms:
Datasync daemon runs background tasks only when CPU and RAM resources are available. However, there is no check for when the disk IO is busy. When the disk IO is heavily used but CPU and RAM are available, the background tasks may start causing the disk IO to be used even heavier, affecting performance.

Conditions:
- Client-side ASM/FPS features are enabled.
- Other conditions causing high disk IO usage on the device.

Impact:
- High disk IO causing occasional performance degradation
- On extreme cases, datasyncd may miss its heartbeat and cause a failover

Workaround:
None


748886-5 : Virtual server stops passing traffic after modification

Links to More Info: BT748886

Component: Local Traffic Manager

Symptoms:
A virtual server stops passing traffic after changes are made to it.

Conditions:
-- Virtual server is using a port-list or address-list
-- High availability (HA) environment with multiple traffic groups
-- A change is made to the virtual server

Impact:
Every time you make changes to the virtual server, the traffic-group for the virtual address is changed, and traffic goes down.


739475-7 : Site-Local IPv6 Unicast Addresses support.

Links to More Info: BT739475

Component: Local Traffic Manager

Symptoms:
No reply to Neighbor Advertisement packets.

Conditions:
Using FE80::/10 addresses in network.

Impact:
Cannot use FE80::/10 addressees in network.

Workaround:
N/A


658943-6 : Errors when platform-migrate loading UCS using trunks on vCMP guest

Links to More Info: BT658943

Component: TMOS

Symptoms:
During platform migration from a physical BIG-IP system to a BIG-IP vCMP guest, the load fails with one of these messages:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.

01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.

Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest.

Impact:
The platform migration fails and the configuration does not load.

Workaround:
You can use one of the following workarounds:

-- Remove all trunks from the source configuration prior to generation of the UCS.

-- Before loading the UCS archive onto the target BIG-IP, edit the archive and remove the trunk configuration from ./config/bigip_base.conf, and then repack the UCS.

-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.


566995-5 : bgpd might crash in rare circumstances.

Links to More Info: BT566995

Component: TMOS

Symptoms:
Under unspecified conditions and in rare cases, bgpd might crash. Although bgpd restarts right away, routing table might be impacted.

Conditions:
The conditions under which this occurs are not known.

Impact:
This might impact routing table and reachability.

Workaround:
None known.


1101741-1 : Virtual server with default pool down and iRule pool up will flap for a second during a full config-sync.

Component: TMOS

Symptoms:
During a full manual config-sync, a virtual server with a default pool which is down and an iRule pool which is up will flap for a second on the receiving unit.

For instance:

Apr 22 13:52:31 bigip-ntr-b.local notice mcpd[7733]: 01071682:5: SNMP_TRAP: Virtual /Common/my_vs has become unavailable
Apr 22 13:52:31 bigip-ntr-b.local notice mcpd[7733]: 010719e7:5: Virtual Address /Common/10.0.0.71 general status changed from GREEN to RED.
Apr 22 13:52:31 bigip-ntr-b.local notice mcpd[7733]: 010719e8:5: Virtual Address /Common/10.0.0.71 monitor status changed from UP to DOWN.
<...>
Apr 22 13:52:32 bigip-ntr-b.local notice mcpd[7733]: 01071681:5: SNMP_TRAP: Virtual /Common/my_vs has become available
Apr 22 13:52:35 bigip-ntr-b.local notice mcpd[7733]: 010719e7:5: Virtual Address /Common/10.0.0.71 general status changed from RED to GREEN.
Apr 22 13:52:35 bigip-ntr-b.local notice mcpd[7733]: 010719e8:5: Virtual Address /Common/10.0.0.71 monitor status changed from DOWN to UP.

Conditions:
-- device-group configured for full manual sync
-- virtual server with default pool up and iRule pool down
-- a config sync is initiated

Impact:
There is no impact to application traffic during the flapping, as the virtual server continues to function correctly even when the unit receiving the config-sync is the Active one.

However, the logs (and the ensuing SNMP traps) may be confusing to BIG-IP Administrators and/or network operators monitoring alarms from the system.

Workaround:
You can work around this issue by configuring the device-group for incremental config-sync instead (either manual or automatic).


1100409-5 : Valid connections may fail while a virtual server is in SYN cookie mode.

Component: TMOS

Symptoms:
Some of the valid connections to a TCP virtual server may fail while the virtual server is in SYN cookie mode due to an attack.

Conditions:
-- BIG-IP i4x00 platform.
-- TCP virtual server under SYN flood attack.

Impact:
Failed connections, service degradation.

Workaround:
Disabling SYN cookie in the TCP or fastL4 profile is a possible workaround, but that would leave the virtual server vulnerable to SYN flood attacks.


1100249-1 : SNAT with FLOW_INIT firewall rule may core TMM due to wrong type of underlying flow structure

Links to More Info: BT1100249

Component: Local Traffic Manager

Symptoms:
Tmm crashes with SIGSEGV while passing firewall traffic.

Conditions:
-- SNAT + firewall rule
-- FLOW_INIT used in an iRule

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1100197-1 : GTM sends wrong commit_id originator for iqsyncer to do gtm group sync

Links to More Info: BT1100197

Component: Global Traffic Manager (DNS)

Symptoms:
GTM sends wrong commit_id originator for iqsyncer to do gtm group sync, which converts an incremental sync into a full sync.

Conditions:
Frequent GTM group syncs.

Impact:
Unnecessary GTM full sync.

Workaround:
None


1097821-1 : Unable to create apm policy customization image using tmsh command when source-path is specified

Component: Access Policy Manager

Symptoms:
Creating apm policy image file with source_path attribute fails.

Conditions:
APM provisioned

Impact:
User will not be able to use source_path attribute for creating apm customization image files.

Workaround:
Copy the image file to one of the directories of /var/config/rest/, /var/tmp/, /shared/tmp/ and use local_path instead source_path.

E.g. create apm policy image-file test.jpg local-path /var/tmp/<file name>


1097473-5 : BIG-IP transmits packets with incorrect content

Links to More Info: BT1097473

Component: Local Traffic Manager

Symptoms:
In rare instances, BIG-IP transmits packets with incorrect content

Conditions:
BIG-IP virtual edition utilizing the ixlv driver.

Impact:
Incorrect packets transmitted from the BIG-IP.


1096461-1 : TACACS system-auth Accounting setting has no effect when set to send-to-all-servers/send-to-first-server

Links to More Info: BT1096461

Component: TMOS

Symptoms:
If the destination address is a single server, then the accounting info is sent to only the particular server.
If the destination has multiple servers, then the accounting info is sent to all servers irrespective of the setting "auth tacacs system-auth accounting"

Conditions:
Select multiple destination addresses and change the "auth tacacs system-auth accounting" to send-to-first-server, the accounting information is sent to all the destination servers.

Impact:
You are unable to use send-to-first server functionality

Workaround:
None


1096317-5 : SIP msg alg zombie flows

Links to More Info: BT1096317

Component: Carrier-Grade NAT

Symptoms:
The SIP msg alg can disrupt the expiration of a connflow in a way that it stays alive forever.

Conditions:
SIPGmsg alg with suspending iRule commands attached.

Impact:
Zombie flow, which cannot be expired anymore.

Workaround:
Restart TMM.


1095973-4 : Config load failure when Trusted CA Bundle is missing and URL is present in the Bundle Manager

Links to More Info: BT1095973

Component: TMOS

Symptoms:
1. BIG-IP will come up but there will be a config load failure.
2. During the upgrade, config sync issues occur.

Conditions:
1. Bundle Manager contains URL( exclude-url/include-url)
2. Trusted CA Bundle is not populated in the Bundle Manager.

Impact:
1. BIG-IP will be in "Inoperative"/"Not All Devices Synced" state

Workaround:
Add the Trusted CA Bundle (default ca-bundle.crt) to the Bundle Manager.

OR

Remove the URLS (both exclude-url and include-url) from the Bundle Manager.


1095217-2 : Peer unit incorrectly shows the pool status as unknown after upgrade to version 16.1.2.1

Links to More Info: BT1095217

Component: TMOS

Symptoms:
The peer unit incorrectly shows the status of pools as UNKNOWN

Conditions:
This is encountered for all pools that were created on the active device using tmsh load sys config merge from-terminal

Impact:
Pools are marked UNKNOWN.

Workaround:
Manually load the configuration after making a configuration change via tmsh load sys config merge from-terminal


1095205-5 : Config.auditing.forward.multiple db Variable with value "none" is not working as expected with multiple destination addresses in audit_forwarder.

Links to More Info: BT1095205

Component: TMOS

Symptoms:
When config.auditing.forward.multiple db is set to none, BIG-IP should restrict the system to send it to only one destination when multiple destination addresses are configured.

Conditions:
When configured to "none", logs are broadcasted to all the destination addresses. Working as "broadcast" mode.

Impact:
End user could not use "none" functionality


1095185-1 : Failed Configuration Load on Secondary Slot After Device Group Sync

Links to More Info: BT1095185

Component: Application Security Manager

Symptoms:
Configuration synchronization fails on secondary slots after the primary slot receives a full sync from a peer in a device group.

Conditions:
Bladed chassis devices are configured in an ASM enabled device group

Impact:
Incorrect enforcement on secondary slots.

Workaround:
None


1095145-4 : Virtual server responding with ICMP unreachable after using /Common/service

Links to More Info: BT1095145

Component: SSL Orchestrator

Symptoms:
After adding /Common/service profile and removing it from the virtual server, the virtual server starts dropping traffic with ICMP unreachable.

This profile is normally only needed in SSLo deployments.

Conditions:
/Common/service was attached and removed from a virtual server.

Impact:
Traffic is dropped on a virtual server.

Workaround:
Restart TMM after making the configuration change.


1093973-8 : Tmm may core when BFD peers select a new active device.

Links to More Info: BT1093973

Component: TMOS

Symptoms:
Tmm cores.

Conditions:
-- BFD is in use
-- the active/owner BFD device changes

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1093553-5 : OSPF "default-information originate" injects a new link-state advertisement

Links to More Info: BT1093553

Component: TMOS

Symptoms:
When configured with "default-information originate", the BIG-IP system might inject a new 0.0.0.0 link-state advertisement when receiving a default route from an OSPF neighbor.

This results in two 0.0.0.0 link-state advertisements being advertised from the box.

Conditions:
"default-information originate" is configured.

Impact:
Duplicate link-state advertisements

Workaround:
None


1093545-5 : Attempts to create illegal virtual-server may lead to mcpd crash.

Links to More Info: BT1093545

Component: Local Traffic Manager

Symptoms:
Mcpd crashes after the creation of virtual server with incorrect or duplicate configuration is attempted.

Conditions:
-- One or more attempts to create a virtual server with an illegal configuration are performed (i.e. attempts to create a virtual server that shares a configuration with an existing virtual server or has an incorrect configuration)

Impact:
Mcpd crashes with __GI_abort. Traffic disrupted while mcpd restarts.

Workaround:
None


1093357-5 : PEM intra-session mirroring can lead to a crash

Links to More Info: BT1093357

Component: Policy Enforcement Manager

Symptoms:
TMM crashes while passing PEM traffic

Conditions:
-- PEM mirroring enabled and passing traffic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1093061-1 : MCPD restart on secondary blade during hot-swap of another blade

Links to More Info: BT1093061

Component: Local Traffic Manager

Symptoms:
In rare instances, inserting a new blade into a VIPRION system can trigger a config error on another secondary blade due to attempting to delete the old blade's physical disk while it is still "in use":
err mcpd[7965]: 01070265:3: The physical disk (S3F3NX0J902788) cannot be deleted because it is in use by a disk bay (1).
err mcpd[7965]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070265:3: The physical disk (S3F3NX0J902788) cannot be deleted because

This causes MCPD to restart on the secondary blade due to the config error.

Conditions:
-- VIPRION system with at least 3 blades
-- Remove a blade and replace it with a different one

Impact:
-- MCPD restarts on the secondary blade other than the blade that was replaced.

The config error triggering this is due to an issue with the cluster syncing process between blades; however, the config issue is temporary, and should be resolved after mcpd restarts on the secondary blade.

Workaround:
None


1091969-4 : iRule 'virtual' command does not work for connections over virtual-wire.

Links to More Info: BT1091969

Component: Local Traffic Manager

Symptoms:
iRule 'virtual' command does not work for connections over virtual-wire.

Conditions:
- Connection over a virtual-wire.
- Redirecting traffic to another virtual-server (for example, using an iRule 'virtual' command)

Impact:
Connection stalls on the first virtual-server and never completes.


1091785-1 : DBDaemon restarts unexpectedly and/or fails to restart under heavy load

Links to More Info: BT1091785

Component: Local Traffic Manager

Symptoms:
While under heavy load, the Database monitor daemon (DBDaemon) may:
- Restart for no apparent reason
- Restart repeatedly in rapid succession
- Log the following error while attempting to restart:
   java.net.BindException: Address already in use (Bind failed)
- Fail to start (remain down) after several attempts, leaving database monitors disabled and marking monitored resources Down

Conditions:
- Configure one or more GTM database monitors with short probe-timeout, interval and timeout values (e.g., 2, 5, 16 respectively)
- Configure a large number (e.g., 2,000) of GTM [or perhaps LTM?] database monitor instances (combinations of above monitor + pool
member)
- Optionally: configure GTM database monitors with debug yes and count 0 (for easier diagnosis, and assumption that count = 0 will
generate more stress/concurrency to aid repro; vary as needed)
- Watch for DBDaemon restarts (either through changes in the PID returned by ps, or watching for "Starting" messages in DBDaemon logs)

Impact:
Restart for no apparent reason
Fail to start (remain down) after several attempts, leaving database monitors disabled and marking monitored resources Down

Workaround:
None


1091725-5 : Memory leak in IPsec

Links to More Info: BT1091725

Component: TMOS

Symptoms:
Slow memory growth of tmm over time.

This leak affects both the active and standby BIG-IPs.

Conditions:
IPsec is in use.

Security associations are being created or recreated.

Impact:
Over time, tmm may exhaust its memory causing a tmm crash.


1091565-2 : Gy CCR AVP:Requested-Service-Unit is misformatted/NULL

Component: Policy Enforcement Manager

Symptoms:
Observed diameter protocol warning when Requested Service Unit(RSU) is empty for CCR-I and CCR-U requests.

Conditions:
If the 'Initial Quota' is EMPTY in policy under Policy Enforcement ›› Rating Groups, the BIG-IP system reports empty data in AVP: Requested-Service-Unit.

Impact:
In Wireshark, a protocol warning occurs.

Workaround:
None


1091345-1 : The /root/.bash_history file is not carried forward by default during installations.

Links to More Info: BT1091345

Component: TMOS

Symptoms:
By default, the /root/.bash_history file is not included in the UCS archives. As such, this file is not rolled forward during a software installation.

Conditions:
Performing a BIG-IP software installation.

Impact:
This issue may hinder the efforts of F5 Support should the need to determine what was done prior to a software installation arise.

Workaround:
None


1091249-1 : BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address.

Links to More Info: BT1091249

Component: Global Traffic Manager (DNS)

Symptoms:
As BIG-IP DNS and Link Controller systems connect with one another (or with monitored BIG-IP systems) over iQuery, you may notice:

-- Log messages that specify IPv6 translation addresses non-existent in your configuration and often meaningless (as in not pertaining to some of the more common IPv6 address spaces). For example:

debug gtmd[24229]: 011ae01e:7: Creating new socket to connect to 2001::1 (a06d:3d70:fd7f:0:109c:7000::)

-- If you restart the gtmd daemon, the IPv6 translation address mentioned above between parenthesis changes to a new, random meaningless value.

-- The GTM portion of the configuration fails to synchronize.

Conditions:
IPv6 translation addresses are in use in relevant objects.

Impact:
The logs are misleading and the GTM portion of the configuration may fail to synchronize.

Workaround:
If possible, do not use IPv6 translation addresses.


1091021-1 : The BIG-IP system may take no fail-safe action when the bigd daemon becomes unresponsive.

Links to More Info: BT1091021

Component: Local Traffic Manager

Symptoms:
You may observe LTM monitors are malfunctioning on your system. For instance, you may notice some probes are not sent out on the network, and some monitored objects are showing the wrong status.

Conditions:
-- The bigd daemon consists of multiple processes (which you can determine by running "ps aux | grep bigd").

-- One or more of the processes (but not all of them) becomes disrupted for some reason, and stops serving heartbeats to the sod daemon.

Under these conditions, sod will not take any fail-safe action and the affected bigd processes will continue running impaired, potentially indefinitely.

Impact:
LTM monitoring is impacted.

Workaround:
If you have determined, or if you suspect, this issue is present on your system, you can resolve it by killing all bigd processes using the following command:

pgrep -f 'bigd\.[0-9]+' | xargs kill -9

However, this does not prevent the issue from manifesting again in the future if the cause for bigd's disruption occurs again.

Monitoring may become further disrupted as bigd restarts, and a failover may occur depending on your specific configuration.


1090649-4 : PEM errors when configuring IPv6 flow filter via GUI

Links to More Info: BT1090649

Component: Policy Enforcement Manager

Symptoms:
An error occurs while configuring an IPv6 flow filter using the GUI:
0107174e:3: The source address (::) and source netmask (0.0.0.0) addresses for pem flow info filter (filter0) must be be the same type (IPv4 or IPv6).

Conditions:
Configuring an IPv6 flow filter using the GUI

Impact:
You are unable to configure the IPv6 flow filter via the GUI

Workaround:
The error does not occur when using tmsh.


1090569-2 : After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV

Links to More Info: BT1090569

Component: TMOS

Symptoms:
Some SSL handshakes are fail when using the CRL certificate validator and tmm crashes.

Conditions:
-- TLS virtual server
-- The virtual server passes network traffic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1090313-4 : Virtual server may remain in hardware SYN cookie mode longer than expected

Links to More Info: BT1090313

Component: TMOS

Symptoms:
A virtual server may remain in hardware SYN cookie mode longer than expected after the SYN flood attack has stopped. The TMSH 'show ltm virtual' command shows that the virtual has already exited SYN Cookie mode, but the SYN packets are still responded from hardware for a few minutes longer.

Conditions:
The problem is a result of a race condition in TMM, so the issue might show up intermittently.

Impact:
Discrepancy between the actual SYN Cookie mode and the reported SYN Cookie mode for a short period of time after a SYN flood attack.

Workaround:
Disable hardware SYN Cookie mode.


1089849-1 : NIST SP800-90B compliance

Component: TMOS

Symptoms:
Common Criteria and FIPS 140-3 certifications require compliance with NIST SP800-90B; this completes that compliance.

Conditions:
This applies to systems requiring Common Criteria and/or FIPS 140-3 compliance.

Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be using a Common Criteria and/or FIPS 140-3 certified configuration.

Workaround:
None


1089829-4 : PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers

Links to More Info: BT1089829

Component: Policy Enforcement Manager

Symptoms:
SIGSEGV tmm cores with back trace in PEM area.
"pem_sessiondump --list" command will show session with custom attribute name as empty/NULL.

Conditions:
Setting pem session custom attribute value with length more than (1024- attribute name length).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
In the iRule, make sure the custom attribute value size + custom attribute name length is not more than 1024.


1089005-5 : Dynamic routes might be missing in the kernel on secondary blades.

Links to More Info: BT1089005

Component: TMOS

Symptoms:
Dynamic routes might be missing in the kernel on secondary blades.

Conditions:
- Long VLAN names (16+ characters).
- MCPD unable to load configuration from binary database (software update/forceload was performed).

Impact:
Kernel routes are missing on secondary blades.

Workaround:
Restart tmrouted on the affected secondary blade. Note, this will also briefly affect TMM dynamic routes.
<bigstart restart tmrouted>


1088597-1 : TCP keepalive timer can be immediately re-scheduled in rare circumstances

Links to More Info: BT1088597

Component: Local Traffic Manager

Symptoms:
In rare circumstances, the TCP timer is rescheduled immediately due to the utilization of the interval encompassing also the idle_timeout.

Conditions:
Virtual Server with:

- TCP Profile
- SSL Profile with alert timeout configured

Another way this can occur is by manually deleting connections, which effectively only sets the idle timeout to 0.

Impact:
High CPU utilization potentially leading to reduced performance.

Workaround:
If the alert timeout is not re-enabled in the SSL Profile that should be sufficient.


1088173-3 : With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile

Links to More Info: BT1088173

Component: Local Traffic Manager

Symptoms:
Log files indicate that the client certificate is retained when it should not be.

Conditions:
Enable TLS 1.3 and disable retain-certificate parameter in SSL profile

Impact:
Storage of client certificates will increase memory utilization.

Workaround:
None


1087621-3 : IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload

Links to More Info: BT1087621

Component: TMOS

Symptoms:
The tunnel stops working after initially starting with no problem.

The BIG-IP will send a bad KE (Key Exchange) Payload when rekeying the IKE SA with ECP.

Conditions:
-- IKEv2
-- ECP PFS
-- Peer attempts to re-key IKE SA (CREATE_CHILD SA) over existing IKE SA.

Impact:
IPsec tunnels stop working for periods of time.

Workaround:
Do not use ECP for PFS.


1087569-5 : Changing max header table size according HTTP2 profile value may cause stream/connection to terminate

Links to More Info: BT1087569

Component: Local Traffic Manager

Symptoms:
BIG-IP initializes HEADER_TABLE_SIZE to the profile value and thus when it exceeds 4K (RFC default), the receiver's header table size is still at the default value. Therefore, upon receiving header indexes which has been removed from its table, receiver sends GOAWAY (COMPRESSION_ERROR)

Conditions:
-- HTTP2 profile used in a virtual server
-- In the HTTP2 profile, 'Header Table Size' is set to a value greater than 4096

Impact:
Stream/connection is terminated with GOAWAY (COMPRESSION_ERROR)

Workaround:
Issue can be avoided by restoring the header-table-size value to the default of 4096


1087469-3 : iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate.

Links to More Info: BT1087469

Component: Local Traffic Manager

Symptoms:
When an SSL client connects to BIG-IP system and sends an empty certificate, the CLIENTSSL_CLIENTCERT is not triggered for iRules.

Conditions:
- Virtual server configured on BIG-IP with SSL
- iRule relying on CLIENTSSL_CLIENTCERT
- A client connects to BIG-IP using an empty certificate

Impact:
CLIENTSSL_CLIENTCERT irules aren't triggered.

Workaround:
None


1087005-1 : Application charset may be ignored when using Bot Defense Browser Verification

Links to More Info: BT1087005

Component: Application Security Manager

Symptoms:
In some cases, when using Bot Defense Browser Verification, the application <meta charset> tag may be ignored.

Conditions:
-- Bot Defense Profile is attached to a virtual server.
-- Bot Defense "Browser Verification" is configured to "Verify Before Access" or "Verify After Access"
-- Backend application uses non-standard charset.

Impact:
Random meta chars are viewed in the web page.

Workaround:
Run the command:
tmsh modify sys db dosl7.parse_html_inject_tags value "after,body"


1086473-4 : BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake

Links to More Info: BT1086473

Component: Local Traffic Manager

Symptoms:
When a client attempts to resume the TLS session using the Session-ID in its Client Hello from a previous session, the BIG-IP agrees by using the same Session-ID in its Server Hello, but then proceeds to perform a full handshake (Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done) instead of an abbreviated handshake (Server Hello, Change Cipher Spec, Server Hello Done).

This is a violation of the TLS RFC.

Conditions:
- High availability (HA) pair of two BIG-IP units.
- LTM virtual server with a client-ssl profile.
- Mirroring enabled on the virtual server

Impact:
Client-side TLS session resumption not working.

Workaround:
Disable mirroring on the virtual server


1085837-3 : Virtual server may not exit from hardware SYN cookie mode

Links to More Info: BT1085837

Component: TMOS

Symptoms:
Once a virtual server enters hardware SYN cookie mode it may not exit until a TMM restart.

Conditions:
-- On B2250 and B4450 platforms.
-- A condition triggers SYN cookie mode and then goes back to normal.

Impact:
-- Virtual servers in hardware SYN cookie mode do not receive TCP SYN packets.
-- The limited number of possible TCP MSS values may have a light performance impact.

Workaround:
Disable hardware SYN cookie mode on the affected objects.


1085661-2 : Standby system saves config and changes status after sync from peer

Links to More Info: BT1085661

Component: Application Security Manager

Symptoms:
After running config sync from an Active to a Standby device, the sync status is in SYNC for a short period time.
After a while, it automatically goes to Changes Pending status.

The same symptom was reported via ID698757 and fixed in earlier versions, but the same can happen via different scenario.

Conditions:
Create an ASM policy and let the system determining language encoding from traffic.

Impact:
The high availability (HA) configuration goes out of SYNC.

Workaround:
To prevent the issue from happening, you can manually configure language encoding


1085597-2 : IKEv1 IPsec peer cannot be created in config utility (web UI)

Links to More Info: BT1085597

Component: TMOS

Symptoms:
It is not possible to configure an IKE peer using the web UI.

Conditions:
-- Configuring an IKEv1 peer
-- Using the configuration utility (web UI)

Impact:
Configuration cannot be created.

Workaround:
Use the tmsh shell to create the ike-peer config.


1084993-5 : [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching

Links to More Info: BT1084993

Component: Policy Enforcement Manager

Symptoms:
E2e id and h2h id in Re-Authorisation Answer from PEM to OCS is not matching with Re-Authorisation Request from OCS to PEM.

Conditions:
Diameter-endpoint configuration. PCEF(PEM) communicating over gy interface with OCS for quota information.

Impact:
OCS will not be able to determine for which RAR it got RAA. This is catastrophic for billing.

Workaround:
None


1084901-2 : Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh

Links to More Info: BT1084901

Component: Advanced Firewall Manager

Symptoms:
You are unable to modify IPV6 + Route domain for Network Firewall Rule Lists using the GUI

Conditions:
-- AFM is provisioned
-- IPv6 with route domain is being used in an address list

Impact:
Unable to create/manage Firewall rule lists for IPv6 with a route domain.

Workaround:
Use tmsh to create/manage firewall rule lists for IPv6 with a route domain.


1084857-1 : ASM::support_id iRule command does not display the 20th digit

Links to More Info: BT1084857

Component: Application Security Manager

Symptoms:
ASM::support_id iRule command does not display the 20th digit.

A support id seen in REST/TMUI that has 20 digits, e.g 13412620314886537617 is displayed as 1341262031488653761 with the iRule command ( the last digit '7' is stripped ).

Conditions:
ASM::support_id iRule command

Impact:
Inability to trace request events using the support id


1084673-1 : GTM Monitor "require M from N" status change log message does not print pool name

Links to More Info: BT1084673

Component: Global Traffic Manager (DNS)

Symptoms:
The number of probes that are succeeding is changing in between different windows in which the "N" number of probes were sent.

Conditions:
- GTM/DNS is provisioned
- A "require M from N" monitor rule is assigned to a gtm pool or an individual gtm pool member.

Impact:
The log written to provide information on the changing number of successful probes does not contain information about the pool member.

Workaround:
None


1083621-5 : The virtio driver uses an incorrect packet length

Links to More Info: BT1083621

Component: Local Traffic Manager

Symptoms:
In some cases, tmm might drop network packets.

In rare circumstances, this might trigger tmm to crash.

Conditions:
BIG-IP Virtual Edition using the virtio driver. You can see this in /var/log/tmm ("indir" is zero):
  notice virtio[0:5.0]: cso: 1 tso: 0 lro: 1 mrg: 1 event: 0 indir: 0 mq: 0 s: 1

Impact:
Tmm might drop packets.

In rare circumstances, this might trigger tmm to crash. Traffic disrupted while tmm restarts.

Workaround:
None


1083589-4 : Some connections are dropped on chained IPv6 to IPv4 virtual servers.

Links to More Info: BT1083589

Component: Local Traffic Manager

Symptoms:
IPv6 virtual servers targeting IPv4 virtual servers (for example, using the 'virtual' iRule command) might drop traffic coming from some clients unexpectedly.

Note: See also ID1002945 (https://cdn.f5.com/product/bugtracker/ID1002945.html), which is a closely related issue.

Conditions:
- IPv6 to IPv4 virtual server chaining.

Impact:
Traffic is dropped.

Workaround:
Apply a SNAT with an IPv4 address to the IPv6 virtual server.


1083537-1 : FIPS 140-3 Certification

Links to More Info: BT1083537

Component: TMOS

Symptoms:
For FIPS 140-3 Certification

Conditions:
This applies to systems requiring FIPS 140-3 Certification.

Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be running a FIPS 140-3 certified configuration.

Workaround:
None


1083513-3 : BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd

Links to More Info: BT1083513

Component: Application Security Manager

Symptoms:
"Challenge Failure Reason" field in a request event log shows N/A.

Conditions:
The db key has not been changed manually on the system.

Impact:
"Challenge Failure Reason" field is disabled.

Workaround:
Disable the key and re-enable, then save.

tmsh modify sys db botdefense.disable_challenge_failure_reporting value disable
tmsh modify sys db botdefense.disable_challenge_failure_reporting value enable
tmsh save sys config


1082461-1 : The enforcer cores during a call to 'ASM::raise' from an active iRule

Links to More Info: BT1082461

Component: Application Security Manager

Symptoms:
In the case of 'ASM::raise' call execution from an iRule that contains a list length greater than 100, the enforcer (bd) will core.

Conditions:
A call to 'ASM::raise' with a list length greater than 100 from an iRule.

Impact:
Traffic disrupted while bd restarts.

Workaround:
While constructing the iRule, make sure that the list passed into 'ASM::raise' contains fewer than 100 elements.


1082225-6 : Tmm may core while Adding/modifying traffic-class attached to a virtual server.

Links to More Info: BT1082225

Component: Local Traffic Manager

Symptoms:
Tmm may core with 'tmm SIGSEGV' while performing addition/updating of traffic class attached to a virtual server.

Conditions:
-- Some Traffic classes have been removed from the virtual server.
-- A new traffic class is attached to the virtual server, or modification of the existing traffic class is triggered.

Impact:
Traffic disrupted while tmm restarts.
The traffic class might not be applied as expected.

Workaround:
None


1082193-4 : TMSH: Need to update the version info for SERVER_INIT in help page

Links to More Info: BT1082193

Component: TMOS

Symptoms:
The SERVER_INIT iRule event was introduced in version 14.0.0. But in tmsh help it is showing as version 13.1.0.

Conditions:
-- Using tmsh to configure an iRule event
-- The BIG-IP version is 13.1.0 and you use tab complete for 'tmsh help ltm rule event SERVER_INIT'

Impact:
The tmsh help makes it appear as if SERVER_INIT is supported in version 13.1.0 when it is not.

Workaround:
None


1081813-3 : A rst_stream can erronously tear down the overall http2 connection.

Links to More Info: BT1081813

Component: Local Traffic Manager

Symptoms:
Clients report pages load intermittently

Conditions:
-- HTTP2 virtual server

Impact:
HTTP2 connections may be erroneously torn down.

Workaround:
None.


1080925-4 : Changed 'ssh-session-limit' value is not reflected after restarting mcpd

Links to More Info: BT1080925

Component: TMOS

Symptoms:
Change 'ssh-session-limit' field from 'disabled' to 'enable'. Save the config . Restart the mcpd and check the value of the field 'ssh-session-limit'. It appears to be the same 'disabled'.

Conditions:
The issue occurs when MCPD restores the configuration from its binary database file.

Impact:
Enabling and disabling "ssh-session-limit" will have an undesirable effect when creating ssh sessions, and you will not be able to edit the field.

Workaround:
None


1080613-4 : "Installation of Automatically Downloaded Updates" configuration in LiveUpdate is lost during the first tomcat restart, after upgrading to versions having the fix of ID907025.&start;

Links to More Info: BT1080613

Component: Application Security Manager

Symptoms:
"Installation of Automatically Downloaded Updates" configuration in LiveUpdate during the first tomcat restart after upgrading.

Conditions:
This occurs during the first tomcat restart, after upgrading to versions that have the fix for ID907025.

Impact:
The live update configuration is reverted to the default.

Workaround:
After upgrade, restart tomcat and re-configure. After this the issue won't occur and the configuration is retained.


1080317-4 : Logged hostname not consistent when hostname contains "."

Links to More Info: BT1080317

Component: TMOS

Symptoms:
Messages which are logged to journald use the configured hostname while sylog-ng uses the hostname (machine name) and truncates it starting at the first '.'. As we're using a mix of logging directly to syslog-ng (e.g., /var/run/tmm.pipe) and from journald, this results in hostnames being inconsistent when it contains '.'; i.e., "my.hostname" is logged as "my" by syslog-ng and "my.hostname" by journald. This can make it difficult for log analysis tools to work with the log files.

Conditions:
When hostname contains '.'

Impact:
Not in readable state as some logs contains truncated hostname and some contain full hostname


1079985-2 : int_drops_rate shows an incorrect value

Links to More Info: BT1079985

Component: Advanced Firewall Manager

Symptoms:
int_drops_rate shows an incorrect value, it shows a cumulative value instead of an avg value, same as int_drops and syncookies.hw_syncookies.

Conditions:
A tcp-halfOpen attack or similar SYN attack where SYNs are flooded into the BIG-IP system.

Impact:
It is difficult to figure out the drop rate per second

Workaround:
None


1079441-4 : APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries

Links to More Info: BT1079441

Component: Access Policy Manager

Symptoms:
APMD memory can grow over a period of time

Conditions:
-- A BIG-IP system with the patched cyrus-sasl/krb5 libraries

Impact:
APMD memory can grow over a period of time

Workaround:
None


1078765-5 : Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer.

Links to More Info: BT1078765

Component: Application Security Manager

Symptoms:
A BD core may occur due to enforcement of 200004390 200004389 signatures with the combination of Arcsight remote logger enabled.

Conditions:
The request must contain 200004390 200004389 signatures with the combination of Arcsight remote logger attached to the virtual server.

Impact:
The enforcer may crash.

Workaround:
Disable 200004390 200004389 signatures.


1077789-5 : System might become unresponsive after upgrading.&start;

Links to More Info: BT1077789

Component: TMOS

Symptoms:
After upgrading, the system encounters numerous issues:

-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory amount assigned to 'host' category.

Conditions:
-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.

Exact conditions that trigger this issue are unknown and could be varied. In the environment in which it occurs, a datagroup is deleted, but an iRule still references it.

Impact:
-- System down, too busy to process traffic.
-- Difficulty logging in over SSH might require serial console access.

Workaround:
Reboot to an unaffected, pre-upgrade volume.

-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.

-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.

Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.

For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.


1077553-4 : Traffic matches the wrong virtual server after modifying the port matching configuration

Links to More Info: BT1077553

Component: Local Traffic Manager

Symptoms:
Traffic matches the wrong virtual server.

Conditions:
A virtual server configured to match any port is modified to matching a specific port. Alternatively, a virtual server matching a specific port is modified to match any port.

Impact:
Traffic may be directed to the wrong backend server.

Workaround:
Restart the TMM after the config change.


1077533-4 : BIG-IP fails to restart services after mprov runs during boot.

Links to More Info: BT1077533

Component: TMOS

Symptoms:
Very occasionally, after mprov runs after a reboot the BIG-IP may fail to start with logs similar to the following:

bigip1 info mprov:7459:[7459]: 'admd failed to stop.'
bigip1 err mprov:7459:[7459]: 'admd failed to stop, provisioning may fail.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
...
bigip1 err mcpd[5584]: 01071392:3: Background command '/usr/bin/mprov.pl --quiet --commit asm avr host tmos ui ' failed. The command was signaled.

Conditions:
Occurs rarely after a reboot.

Impact:
The BIG-IP is unable to finish booting.

Workaround:
Reboot the BIG-IP again.


1077405-1 : Ephemeral pool members may not be created with autopopulate enabled.

Links to More Info: BT1077405

Component: TMOS

Symptoms:
Ephemeral pool members might not be added to a pool with an FQDN pool member "autopopulate enabled".

When this issue occurs:

-- Some or all of the expected Ephemeral Pool Members will not be created for the affected pool.

-- A message will be logged in the LTM log similar to the following:

err mcpd[####]: 01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (/Common/_auto_<IP address>) has autopopulate set to disabled.

(Note that the node name here is an Ephemeral Node.)

Also note that if you attempt to create an FQDN Pool Member with autopopulate enabled while the corresponding FQDN Node has autopopulate disabled, you will see a similar error message:
01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (/Common/fred) has autopopulate set to disabled.

Conditions:
This issue can occur under the following conditions:

-- Two or more FQDN Nodes have FQDN names that resolve to the same IP address(es).
  -- That is, some Ephemeral Nodes have addresses resolved by more than one FQDN name defined in FQDN Nodes.

-- At least one of these FQDN Nodes has "autopopulate enabled."

-- At least one of these FQDN Nodes does not have "autopopulate enabled."
  -- That is, autopopulate is disabled for one or more of these FQDN Nodes.

-- The FQDN Pool Member(s) in the affected pool(s) has "autopopulate enabled."

Impact:
The affected LTM pool(s) are not populated with expected (or any) ephemeral pool members.

Workaround:
To allow some LTM pools to use FQDN pool members with autopopulate enabled (allowing multiple ephemeral pool members to be created) while other LTM pools use FQDN pool members with autopopulate (allowing only one ephemeral pool member to be created), configure the following:

-- Create all FQDN Nodes with FQDN names that might resolve to a common/overlapping set of IP addresses with "autopopulate enabled".

-- Create FQDN Pool Members with autopopulate enabled or disabled depending on the desired membership for each pool.


1077293-3 : APPIQ option still showing in BIG-IP GUI even though its functionality migrated to BIG-IQ.

Links to More Info: BT1077293

Component: TMOS

Symptoms:
AppIQ is still visible in the System :: Configuration screen.

Conditions:
Navigating to the System :: Configuration : AppIQ page.

Impact:
AppIQ appears to be able to be provisioned but it has been removed from the BIG-IP system.

Workaround:
N/A


1077281-1 : Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages

Component: Application Security Manager

Symptoms:
When a policy contains an individual login page in session tracking, the exported xml policy fails to be imported back due to error “Malformed XML: Could not resolve foreign key dependence”.

Conditions:
The policy contains an individual login page in session tracking and the policy is exported in xml format

Impact:
Import the policy fails with an error: "Could not resolve foreign key dependence”.

Workaround:
This occurs when using XML format only, so you can use binary export/import


1076801-5 : Loaded system increases CPU usage when using CS features

Links to More Info: BT1076801

Component: TMOS

Symptoms:
When the BIG-IP system is under heavy load, datasyncd might create multiple java obfuscator processes running at the same time, which increases load even more.

Conditions:
-- CPU utilization on the BIG-IP system is high.

And one or more of the following conditions:

-- Bot Defense profile is attached to a virtual server
-- DoS profile with CS/Captcha mitigation is attached to the virtual server
-- ASM policy with brute force configuration is attached to the virtual server

Impact:
System load is increased.

Workaround:
None.


1076785-3 : Virtual server may not properly exit from hardware SYN Cookie mode

Links to More Info: BT1076785

Component: TMOS

Symptoms:
Virtual servers do not exit hardware SYN Cookie mode even after the SYN flood attack stops. The TMSH 'show ltm virtual' output shows 'full hardware' mode.

Conditions:
Selected HSB platforms where TMM is attached to multiple HSB modules. This depends on platform, BIG-IP version and selected Turboflex profile where applicable.

Impact:
The affected virtual server would not receive the TCP SYN packets until a TMM restart. The limited range of MSS values in SYN Cookie mode may slightly affect performance.

Workaround:
Disable hardware SYN Cookie mode on all virtual servers.


1076577-4 : iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg'

Links to More Info: BT1076577

Component: Local Traffic Manager

Symptoms:
The 'connect' iRule command fails to resume, causing processing of traffic to halt due to 'irule_scope_msg', which causes iRule processing to proceed in a way that 'connect' does not expect.

Conditions:
- iRule using 'connect' command
- Diameter/Generic-message 'irule_scope_msg' enabled

Impact:
Traffic processing halts (no crash)


1074517-4 : Tmm may core while adding/modifying traffic-class attached to a virtual server

Links to More Info: BT1074517

Component: Local Traffic Manager

Symptoms:
Tmm may core while adding/modifying traffic-class attached to a virtual server

Conditions:
-- Traffic class is attached to a virtual server.
-- Add an existing traffic class to a virtual server.
-- Afterwards, a new traffic class is attached to the virtual server, or modification of the existing traffic class is triggered.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1073897-1 : TMM core due to memory corruption

Links to More Info: BT1073897

Component: Local Traffic Manager

Symptoms:
Tmm restarts

Conditions:
Unknown

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1073677-2 : Add a db variable to enable answering DNS requests before reqInitState Ready

Links to More Info: BT1073677

Component: Global Traffic Manager (DNS)

Symptoms:
When a new GTM is added to the Sync group, it takes a significant amount of time, and the newly added GTM won't become ready.

Conditions:
-- GTMs in a cluster with a large number of persist records
-- A new GTM device is added

Impact:
Clients of the BIG-IP GTM do not receive an answer, and application failures may occur.

Workaround:
None


1073625-1 : Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled.

Component: Application Security Manager

Symptoms:
ASM policy import is successful on Active unit and it syncs to standby device, but "Apply changes" is displayed on the standby device policies page.

Conditions:
1. XML policy with learning enabled imported via TMSH.
2. Autosync with incremental sync enabled on device-group with ASM sync enabled.

Impact:
The peer (standby) unit needs to have the policies applied manually even though everything is set to auto-sync

Workaround:
N/A


1072165-5 : Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format

Links to More Info: BT1072165

Component: Application Security Manager

Symptoms:
Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format

Conditions:
ASM remote logging in ArcSight format

Impact:
Due to the missing fields, the remote message does not tell name of threat campaign name(s) that was detected.

Workaround:
Use other message format.


1071621-2 : Increase the number of supported traffic selectors

Links to More Info: BT1071621

Component: TMOS

Symptoms:
There is an imposed limit of 30 traffic selectors that can be attached to an IPsec policy / IKEv2 ike-peer.

Conditions:
-- IKEv2
-- More than 30 traffic selectors required on one IPsec policy / ike-peer.

Impact:
No more than 30 traffic selectors can be added to a single IPsec policy / ike-peer.

Workaround:
None


1070957-4 : Database monitor log file backups cannot be rotated normally.

Links to More Info: BT1070957

Component: Local Traffic Manager

Symptoms:
Debug log files used by the BIG-IP database monitor daemon (DBDaemon) do not exhibit the log-rotation behavior of other BIG-IP log files.
- The active DBDaemon log file is /var/log/DBDaemon-0.log
- DBDaemon log file size is limited to approximately 5MB. DBDaemon log files are backed up/rotated upon reaching this size.
- Exactly 9 (nine) DBDaemon log file backups are retained (/var/log/DBDaemon-0.log.[1-9])
- DBDaemon log file backups are not compressed.
- DBDaemon log file backup/rotation behavior is not user-configurable.

Conditions:
This issue applies when using BIG-IP database monitors:
-- mssql
-- mysql
-- oracle
-- postrgresql

Impact:
-- DBDaemon log file backups may consume more space under /var/log than desired.
-- When troubleshooting database monitor issues, DBDaemon log file rotation may occur so rapidly that older DBDaemon events may be lost, limiting the ability to capture meaningful diagnostic data.

Workaround:
It may be possible to work around this issue by periodically archiving DBDaemon log files, such as in a script with the following core functionality:
pushd /var/log;tar -czf DBDaemon_$(date +%Y%m%d%H%M).tgz DBDaemon-0.log*;popd


1070789-1 : SSL fwd proxy invalidating certificate even through bundle has valid CA

Links to More Info: BT1070789

Component: Local Traffic Manager

Symptoms:
BIG-IP system rejects SSL forward proxy connections due to expired CA certificates present in ca-bundle even though other, valid CA certificates exist.

Conditions:
-- Forward proxy is enabled in client and server SSL profiles.
-- A valid CA certificate is followed by an expired CA certificate in ca-bundle.

Impact:
SSL handshakes will fail.

Workaround:
Remove all invalid trusted (i.e., expired) certificates from the certificate chain and replace them with a valid trusted certificate.


1069137-1 : Missing AWAF sync diagnostics

Links to More Info: BT1069137

Component: Application Security Manager

Symptoms:
Complex issues related to Policy Synchronization over Device Sync Groups and chassis are difficult to diagnose.
More detailed logging is needed if errors occur.

Conditions:
Device Group Sync is enabled on a chassis device.

Impact:
Root cause analysis is lengthy and difficult.

Workaround:
Enable debug logs in the environment:
> tmsh modify sys db log.asm.asmconfiglevel value debug
> tmsh modify sys db log.asm.asmconfigvent.level value debug
> tmsh modify sys db log.asm.asmconfigverbose.level value debug


1068673-4 : SSL forward Proxy triggers CLIENTSSL_DATA event on bypass.

Links to More Info: BT1068673

Component: Local Traffic Manager

Symptoms:
The CLIENTSSL_DATA iRule event is triggered unexpectedly during SSL forward proxy bypass.

Conditions:
This issue is seen when SSL forward proxy with bypass is enabled on client & server SSL profiles.

Impact:
This can cause unexpected failure of existing iRules which only expect CLIENTSSL_DATA on intercepted (and decrypted) data.

Workaround:
N/A


1067821-5 : Stats allocated_used for region inside zxfrd is overflowed

Links to More Info: BT1067821

Component: Global Traffic Manager (DNS)

Symptoms:
No visible symptoms.

Conditions:
Large resource record addition and deletion for dns express zones.

Impact:
Internal zxfrd stats are incorrect.


1063977-4 : Tmsh load sys config merge fails with "basic_string::substr" for non-existing key.

Links to More Info: BT1063977

Component: Local Traffic Manager

Symptoms:
"tmsh load sys config merge" fails with the following error.

Loading configuration...
  /var/tmp/repro.txt
01070711:3: basic_string::substr
Unexpected Error: Loading configuration process failed.

Conditions:
The key referenced in the configuration of the SSL profile does not exist in the BIG-IP.

Impact:
"tmsh load sys config merge" fails which is expected, but the error is not meaningful.

Workaround:
Identify the missing SSL key used in the configuration and correct it.


1062905 : ASM::Support_ID may issue an error when invoked from ASM_REQUEST_BLOCKING.

Component: Application Security Manager

Symptoms:
Resets, TCL error in /var/log/ltm generated from an irule.

Conditions:
ASM::Support_id command is present in the ASM_REQUEST_BLOCKING.

Impact:
Connection resets.

Workaround:
There is an option to acquire the support id from another event and place that in a global.
The violation_data structure also has the support_id in one of it's fields and is accessible (but the policy should be in irule compatibilty mode for this).


1062493-5 : BD crash close to it's startup

Links to More Info: BT1062493

Component: Application Security Manager

Symptoms:
BD crashes shortly after startup.

Conditions:
FTP or SMTP are in use. Other causes are unknown.

Impact:
Traffic disrupted while bd restarts.

Workaround:
No workaround except removal of the FTP/SMTP protection.


1060369-2 : HTTP MRF Router will not change serverside load balancing method

Links to More Info: BT1060369

Component: Local Traffic Manager

Symptoms:
Selecting a different load balancing mechanism (i.e. an iRule or Local Traffic Policy selecting a different pool/node, the "virtual" command, etc) does not work for subsequent HTTP/1.x requests on a keep-alive connection.

Conditions:
-- "HTTP MRF Router" virtual server (virtual server has an "httprouter" profile attached)
-- Virtual server is handling HTTP/1.x traffic

Impact:
Traffic is load-balanced to incorrect destination.

Workaround:
None.


1060145-4 : Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2.

Links to More Info: BT1060145

Component: TMOS

Symptoms:
When secondary slot reboots and it gets the configuration from the primary blade, the secondary throws a validation error and enters into a restart loop.

The following error is logged:

Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/Common/bbt-generic-bigip 10.1.10.12 80 gtm-vs) was not found.... failed validation with error 16908342.

Conditions:
-- Change the virtual server address on the LTM (manual edit of bigip.conf and load).

-- Reboot the secondary slot.

Impact:
Mcpd enters a restart loop on the secondary slot.

Workaround:
N/A


1060021-3 : Using OneConnect profile with RESOLVER::lookup_name iRule might result in core.

Links to More Info: BT1060021

Component: Local Traffic Manager

Symptoms:
Tmm might core while using a OneConnect profile with iRule command RESOLVER::lookup_name.

Conditions:
1. One connect profile attached.
2. iRules with RESOLVER::lookup_name command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Don't use RESOLVER::lookup_name iRule on virtual that uses the oneconnect profile.


1059085 : Unable to perform device posture check for Android version 11 or more device with Microsoft Intune.

Component: Access Policy Manager

Symptoms:
APM is unable to extract the DeviceId field for devices which have Android version 11 or more.

Conditions:
-- Microsoft Intune is configured in APM.
-- Android version of the enrolled device is 11 or higher.

Impact:
The compliance check fails for the device and "Device query failed" error is seen in the log.

Workaround:
1. Modify app configuration policy with following JSON on Intune:
{
    "key": "mdmAssignedId",
    "valueString": "{{deviceid}}"
}

2. Attach the following iRule to the VS.
when ACCESS_POLICY_AGENT_EVENT {
  if { [ACCESS::policy agent_id] eq "intune_id" } {
    set intuneid [b64encode [ACCESS::session data get session.client.mdm_assigned_id]]
    ACCESS::session data set session.custom.intune_id $intuneid
  }
}

3. Add iRule Event Agent to the access policy.
4. Add Variable assign agent with "session.client.mdm_assigned_id=expr {[mcget -nocache {session.custom.intune_id}]}.


1057709 : Invalid Certificate for all BIG-IP VE OVA images on vCenter 7.0U2.

Links to More Info: BT1057709

Component: TMOS

Symptoms:
When deploying all BIG-IP VE OVA/OVF images, vCenter 7.0U2 will display an invalid certificate (not trusted) warning message. This is due to enhanced signing certificate verifications for expiry, and other validity checks for the entire chain of the signing certificate against the VECS store (known vCenter issue https://kb.vmware.com/s/article/84240).

Conditions:
Login to vCenter 7.0U2, deploy a BIG-IP VE using an OVF template, select the Local File option, upload the OVA template from your local directory, and then follow the prompts to complete the deployment. In the review details section, "The certificate is not trusted" warning message appears.

Impact:
You can ignore the message and continue with the deployment, or add the missing signing certificate(s) to the VECS store.

Workaround:
To avoid this warning, do the following to add the signing certificate to the VECS store:

1. Get the OVF/OVA signing certificate's chain (root CA and intermediate certificates, if any). You can use any certificate chain resolver to find the missing certificates from the chain.
2. To add the intermediate and root certificates to VECS store:
    a. login to vCenter as administrator.
    b. From drop-down menu select administration -> Certificates -> Certificate Management.
    c. Click ADD next to Trusted Roots Certificates.
    d. Browse and select the certificate(s) found in step 1.


1056957-2 : An attack signature can be bypassed under some scenarios.

Links to More Info: BT1056957

Component: Application Security Manager

Symptoms:
An attack signature is not detected.

Conditions:
A specific condition.

Impact:
False negative - attack is not detected.

Workaround:
N/A


1054717-4 : Incorrect Client Summary stats for transparent cache.

Links to More Info: BT1054717

Component: Global Traffic Manager (DNS)

Symptoms:
The Client Summary section in transparent cache is incorrect for transparent cache.

Conditions:
Transparent cache attached to a DNS profile.

Impact:
Efficacy of DNS Transparent cache stats reduced.

Workaround:
N/A


1040513-4 : The counter for "FTP commands" is always 0.

Links to More Info: BT1040513

Component: Application Security Manager

Symptoms:
On the FTP Statistics page, the "FTP Commands" value is always zero.

Conditions:
FTP security is applied and "FTP commands violations" is enforced.

Impact:
The FTP security does not show violations statistics regarding the FTP commands.

Workaround:
None


1040465-2 : Incorrect SNAT pool is selected

Links to More Info: BT1040465

Component: Local Traffic Manager

Symptoms:
An incorrect SNAT pool is selected when an SSL Forward Proxy is configured and BYPASS is enabled along with an iRule to choose the SNAT pool.

Conditions:
-- Virtual Server has SSL Forward Proxy Deployment with BYPASS enabled
-- iRule configured to decide the SNAT pool members
-- Virtual Server passes the traffic

Impact:
Traffic disrupted to incorrect SNAT pool when BYPASS happens.


1040153-4 : Topology region returns narrowest scope netmask without matching

Links to More Info: BT1040153

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP returns malformed packets or the narrowest scope not matching the request.

Conditions:
Mixed sub networks with different mask length.

Impact:
Malformed packets.

Workaround:
Do not put mixed subnets in one region.


1039993 : AFM NAT Excessive number of logs "Port Block Updated" and "LSN_PB_UPDATE"

Component: Advanced Firewall Manager

Symptoms:
Although Subscriber ID is not changed, "Port Block Updated","10.10.10.29","0","10.20.20.64","0","1025","1275","","unknown" is being written in the log

Conditions:
If "Log subscriber ID" field is selected in the log profile, this log will be printed.

Impact:
Excessive log messages occur.

Workaround:
If you deselect "Log subscriber ID" field in log profile, this message will not be written. Note that this workaround may impact other messages related to subscriber ID.


1037877-5 : OAuth Claim display order incorrect in VPE

Links to More Info: BT1037877

Component: Access Policy Manager

Symptoms:
In the visual policy editor (VPE), it is difficult to re-order custom previously created Claims in the oAuth Authorization agent.

The following error is thrown in the developer tools screen of the client browser:
common.js?m=st&ver=15.1.2.1-0.0.10.0:902 Uncaught TypeError: Cannot read property 'row' of undefined
    at Object.common_class.swap (common.js?m=st&ver=15.1.2.1-0.0.10.0:902)
    at multipleObjectsSelectionCBDialogue_class.swapEntries (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263)
    at HTMLAnchorElement.<anonymous> (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185)
common_class.swap @ common.js?m=st&ver=15.1.2.1-0.0.10.0:902
multipleObjectsSelectionCBDialogue_class.swapEntries @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263
(anonymous) @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185

Conditions:
-- There are at least two claims in Access :: Federation : OAuth Authorization Server : Claim
-- You are attempting to reorder the claims in the visual policy editor

Impact:
It is not possible to re-order the claims

Workaround:
None


1036613-6 : Client flow might not get offloaded to PVA in embryonic state

Links to More Info: BT1036613

Component: TMOS

Symptoms:
The client flow is not offloaded in embryonic state, but only is only offloaded once the flow transitions to an established state.

Conditions:
-- FastL4 profile configured to offload TCP connections in embryonic state (this is the default)
-- Clientside and serverside ingress traffic is handled by different TMMs
-- Running on a platform with multiple HSB modules per TMM, i.e.:
--+ BIG-IP i11600 Series
--+ BIG-IP i15600 Series

Impact:
- minor performance degradation;
- PVA traffic counters show unexpectedly high values;


1036057-5 : Add support for line folding in multipart parser.

Links to More Info: BT1036057

Component: Application Security Manager

Symptoms:
RFC 2616 allowed HTTP header field values to be extended over multiple lines by preceding each extra line with at least one space or horizontal tab. This was then deprecated by RFC 7230.

The multipart parser of ASM does not support the multiple line header, so these requests cause false positives.

Conditions:
Multiline header in multipart request

Impact:
False positives.

Workaround:
None


1032257-5 : Forwarded PVA offload requests fail on platforms with multiple PDE/TMM

Links to More Info: BT1032257

Component: TMOS

Symptoms:
Forwarded PVA requests use a static bigip_connection that does not have its pva_pde_info initialized, which results in offload failure on platforms that have multiple PDEs per TMM.

Conditions:
Pva_pde_info is not initialized and Forwarded PVA requests occur.

Impact:
Hardware offload does not occur.


1031025 : Nitrox 3 FIPS: Upgrade from v12.1.x to v14.1.x results in new .key.exp files for the FIPS keys created before upgrade.&start;

Links to More Info: BT1031025

Component: TMOS

Symptoms:
During upgrade from v12.1.x to v14.1.x, New ".key.exp" export file is created for the FIPS keys present in the card.

Conditions:
This happens during the upgrade from v12.1.x to v14.1.x for the existing keys with ".key" extension to it in the label.

It occurs only if the key is deleted/not present in the FIPS card (e.g. a faulty card), and BIG-IP has the configuration / metadata for the missing keys.

Impact:
The upgrade fails while loading the configuration.

Workaround:
Delete the missing key's configuration from config file, then perform the upgrade.


1030133-1 : BD core on XML out of memory

Links to More Info: BT1030133

Component: Application Security Manager

Symptoms:
Missing error handling in lib xml parser.

Conditions:
XML parser going out of memory.

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
None


1029989 : CORS : default port of origin header is set 80, even when the protocol in the header is https

Component: Application Security Manager

Symptoms:
Destination port is set to 80, instead of 443, for Origin header value that has https in the schema field.

This causes unexpected "Illegal cross-origin request" violation.

Conditions:
- Using CORS enforcement where you allow HTTPS and port 443 for an origin name
- The Origin header value has https in the schema
- The Origin header value does not specify non default port number

Impact:
Unexpected "Illegal cross-origin request" violation.

Workaround:
Allow port 80 or use 'any' for the given origin name.


1029689-1 : Incosnsitent username "SYSTEM" in Audit Log

Links to More Info: BT1029689

Component: Application Security Manager

Symptoms:
The Security Policy Auto Log in ASM displays the system component that triggered the event. The component name is sometimes shown as 'SYSTEM', other times shown as 'System'

Conditions:
The value is "SYSTEM" when Apply Policy was initiated locally.
The value is "System" when Apply Policy was initiated by the peer unit

Impact:
Component name inconsistency causing confusion

Workaround:
None


1029373-3 : Firefox 88+ raising Suspicious browser violations with bot defense

Links to More Info: BT1029373

Component: Application Security Manager

Symptoms:
Bot-defense might block legal traffic arriving from Firefox version 88

Conditions:
- ASM provisioned
- bot-defense profile assigned on a virtual server

Impact:
Legal traffic is blocked

Workaround:
Tmsh modify sys db botdefense.suspicious_js_score value 60


1029105-2 : Hardware SYN cookie mode state change logs bogus virtual server address

Links to More Info: BT1029105

Component: TMOS

Symptoms:
When a virtual server enters or exits hardware SYN cookie mode, a bogus IP address is logged in /var/log/ltm. For example:

Syncookie HW mode activated, server name = /Common/vs server IP = 0.0.0.3:0

Conditions:
A virtual server enters or exits hardware SYN cookie mode.

Impact:
Only the logging information is wrong, the hardware SYN cookie mode functions correctly.

Workaround:
None


1028081-2 : [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page

Links to More Info: BT1028081

Component: Access Policy Manager

Symptoms:
1. Users connecting with F5 Access from an Android device see string "function () {[native code]}" in the Logon Page Form 'Username' field.
2. This issue only affects the F5 Access embedded browser. It works fine when connecting from the same Android device using Chrome. F5 Access from iOS is also working fine.

Conditions:
Configure an access policy with modern customization that includes a Logon Page.

Impact:
The string "function () {[native code]}" appears in the Logon Page Form 'Username' field.

Workaround:
This solution is temporal as changes are lost after an upgrade.
steps:
1) create a copy of the original "main.js" file
# cp /var/sam/www/webtop/public/include/js/modern/main.js /var/sam/www/webtop/public/include/js/modern/main.js.origin

2) edit the file using an editor (e.g., vi).
# vi /var/sam/www/webtop/public/include/js/modern/main.js
# locate string "value:props.value," and remove this string. save the file.

3) clear ramcache
# tmsh delete ltm profile ramcache all


1025261-4 : When restjavad.useextramb is set, java immediately uses more resident memory in linux

Links to More Info: BT1025261

Component: TMOS

Symptoms:
When restjavad.useextramb is set, java immediately reserves more memory and the process size (RSS) increases.

Conditions:
When restjavad.useextramb and when provision.extramb is set to a non-default value.

Impact:
The restjavad process size will use more RSS.

Workaround:
Revert the restjavad.useextramb value or set provision.extramb higher to compensate.


1024661-4 : SCTP forwarding flows based on VTAG for bigproto

Component: TMOS

Symptoms:
Sometimes SCTP traffic is unidirectionally dropped on one link after an SCTP link down occurs.

Conditions:
-- SCTP configured and BIG-IP is passing traffic
-- A link goes down

Impact:
Flow creation on the wrong TMM and some traffic is dropped.

Workaround:
Disable SCTP flow redirection.
tmm.sctp.redirect_packets == disable


1024421-4 : At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log

Links to More Info: BT1024421

Component: TMOS

Symptoms:
TMM log shows clock advancing and MPI timeout messages:

notice slot1 MPI stream: connection to node aborted for reason: TCP RST from remote system (tcp.c:5201)
notice slot1 tmm[42900]: 01010029:5: Clock advanced by 6320 ticks

Conditions:
-- pva.standby.flush DB key set to 1 (enabled). The default is 0.
-- Processing high traffic volume for some time

Impact:
Upstream switch could receive flow response from both active and standby units and cause a traffic disturbance.


1023889 : HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message

Links to More Info: BT1023889

Component: Application Security Manager

Symptoms:
Protocol filter does not suppress WS/WSS server->client message.

Conditions:
- protocol filter is set to HTTP, HTTPS or HTTP/HTTPS
- response logging is set to For All Requests

Impact:
Remote log server receives unexpected messages

Workaround:
None


1023529-4 : FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory.

Links to More Info: BT1023529

Component: Local Traffic Manager

Symptoms:
Command "tmsh show sys tmm-traffic" reports non-zero number of current connections but "tmsh show sys connection" shows nothing.

Conditions:
-- A virtual sever with fastL4 profile with infinite timeout enabled and an iRule containing "after" command. Having "-periodic" argument makes the problem more prominent.
-- Aggressive sweeper activated due to low memory conditions.

Impact:
Connections that were supposed to be removed by aggressive sweeper but were waiting for completion of an iRule may end up in a state where they are not reported by "tmsh show sys connection." Because of this issue, these connections cannot be deleted manually using 'tmsh del sys connection", but remain in memory. Their presence can be confirmed by non-zero number of current connections shown by "tmsh show sys tmm-traffic". Because of the infinite timeout setting, they will not timeout by themselves either.

Workaround:
N/A


1021609-5 : Improve matching of URLs with specific characters to a policy.

Links to More Info: BT1021609

Component: Application Security Manager

Symptoms:
Request with a URL containing specific characters is not matched to the correct policy.

Conditions:
URL of request contains specific percent-encoded characters.

Impact:
The request will not be matched by an expected policy rule.

Workaround:
Add an additional rule with explicit decoded characters.


1019829-4 : Configsync.copyonswitch variable is not functioning on reboot

Links to More Info: BT1019829

Component: TMOS

Symptoms:
Configsync.copyonswitch variable is not functioning properly during reboot to another partition

Conditions:
-- db variable configsync.copyonswitch modified
-- hostname is changed in global-settings
-- reboot to another partition

Impact:
The hostname will be changed back to the default hostname after reboot


1016481 : Special JSON characters in Dom Signatures breaks configuration

Links to More Info: BT1016481

Component: Fraud Protection Services

Symptoms:
FPS modules malfunction.

Conditions:
Unescaped special JSON characters used in Dom Signatures.

Impact:
FPS client-side JS unable to load configuration JSON.

Workaround:
Manually escape all special JSON characters in Dom Signatures.


1015117 : Headers are corrupted during modification/insertion if a mix of end-of-line markers <CRLF> and <LF> are used

Links to More Info: BT1015117

Component: Local Traffic Manager

Symptoms:
HTTP header corruption occurs after insertion/modification using an iRule in HTTP Headers which contain mixed end-of-line markers <CRLF> and <LF>.

Conditions:
- HTTP virtual server
- An iRule, policy or profile inserts an HTTP Request header - Such as x-forwarded-for
- An HTTP request contains some lines that end with <CRLF> and some that end with <LF>

Impact:
Inserted headers get concatenated in such a way that the HTTP request header gets corrupted.

Workaround:
Use HTTP headers with proper end-of-line markers in compliance with HTTP RFC


1014973-6 : ASM changed cookie value.

Links to More Info: BT1014973

Component: Application Security Manager

Symptoms:
ASM changes the value of a cookie going to the server.

Conditions:
Specific conditions.

Impact:
Domain cookie will reach the server with a wrong value. Can cause different malfunctions depending on the application.

Workaround:
Change the following db variable:
tmsh modify sys db asm.strip_asm_cookies (https://support.f5.com/csp/article/K30023210) value false.

There is no need to restart asm.

Add an iRule without the use of strip_asm_cookies:
https://support.f5.com/csp/article/K13693.


1014573-5 : Several large arrays/objects in JSON payload may core the enforcer

Component: Application Security Manager

Symptoms:
Requests with JSON payload that consists of more than one object with elements, such as a couple of large arrays, may cause the enforcer to crash.

Conditions:
Each of the objects/arrays in JSON payload has to consist lesser amount of elements than defined in the "Maximum Array Length" JSON profile attribute.

Impact:
Large enough arrays may cause performance decrease, in addition, the enforcer may crash.

Workaround:
Set "Maximum Array Length" to a lower value than the requests array length.


1012185 : No violation details on the graphQL max depth format-setting violation.

Component: Application Security Manager

Symptoms:
The max depth violation gives no details and is missing learning suggestions.

Conditions:
-- A violation for graphQL format setting due to max depth.
-- Local logger and/or learning is enabled.

Impact:
Automatic learning is not working for this violation as well as no details regarding the length found.

Workaround:
N/A


1006181-4 : ASM fails to start if different ASM policies use login pages with the same name&start;

Links to More Info: BT1006181

Component: Application Security Manager

Symptoms:
ASM fails to start with error message in asm_config_server.log:

Failed on insert to DCC.ACCOUNT_LOGIN_OBJECT_ATTRIBUTES (DBD::mysql::db do failed: Column 'object_crc' cannot be null

Conditions:
Upgrade system where two or more ASM policies have a login page with the same name.

Impact:
ASM fails to start

Workaround:
Delete the login page that has a name used by multiple ASM policies and create it again.


1006157-7 : FQDN nodes not repopulated immediately after 'load sys config'

Links to More Info: BT1006157

Component: Local Traffic Manager

Symptoms:
A DNS query is not sent for configured FQDN nodes until the TTL value expires.

Conditions:
This occurs when 'load sys config' is executed.

Impact:
Name addresses do not resolve to IP addresses until the TTL expires.

Workaround:
You can use either of the following workarounds:

-- Change the default TTL value to be fewer than 300 seconds (the default value is 300 seconds).

-- Restart dynconfd daemon:
tmsh restart sys service dynconfd


1005309 : Additional Tcl variables showing information from the AntiBot Mobile SDK

Links to More Info: BT1005309

Component: Application Security Manager

Symptoms:
When using the Bot Defense iRules together with the AntiBot Mobile SDK, there are several variables missing. These missing variables would be useful for correct troubleshooting and pattern matching.

Conditions:
Using the AntiBot Mobile SDK together with Bot Defense iRules

Impact:
Some variables that are required for troubleshooting and pattern matching of the AntiBot Mobile SDK are missing.

Workaround:
None


1005181 : Bot Defense Logs indicate the mobile debugger is used even when it is not

Links to More Info: BT1005181

Component: Application Security Manager

Symptoms:
When using the AntiBot Mobile SDK, the Bot Defense Request Log may indicate that the mobile debugger is enabled, even when it is not.

Conditions:
Using the AntiBot Mobile SDK with the Bot Defense Profile

Impact:
Request log is showing an incorrect value.

Workaround:
None


1004697-4 : Saving UCS files can fail if /var runs out of space

Links to More Info: BT1004697

Component: iApp Technology

Symptoms:
When saving a UCS, /var can fill up leading to UCS failure and the following log message:

err diskmonitor[1441]: 011d0004:3: Disk partition /var has only 0% free

Conditions:
-- iApps LX installed.
-- Multiple iApps LX applications.
-- A /var partition of 1.5 GB.

Impact:
UCS archives can not be created.

Workaround:
You can use either of the following Workarounds:

-- Manually remove the /var/config/rest/node/tmp/BUILD and /var/config/rest/node/tmp/BUILDROOT directories.

-- Increase the size of /var/. For information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952


1000069-5 : Virtual server does not create the listener

Links to More Info: BT1000069

Component: Local Traffic Manager

Symptoms:
A virtual-address is in an offline state.

Conditions:
An address-list is used on a virtual server in a non-default route domain.

Impact:
The virtual IP address remains in an offline state.

Workaround:
Using tmsh, create the traffic-matching-criteria. Specify the route domain, and attach it to the virtual server.




&start; This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************