Supplemental Document : BIG-IP 17.1.0.1 Fixes and Known Issues

Applies To:


BIG-IP APM

  • 17.1.0

BIG-IP Analytics

  • 17.1.0

BIG-IP Link Controller

  • 17.1.0

BIG-IP LTM

  • 17.1.0

BIG-IP PEM

  • 17.1.0

BIG-IP AFM

  • 17.1.0

BIG-IP FPS

  • 17.1.0

BIG-IP DNS

  • 17.1.0

BIG-IP ASM

  • 17.1.0
Updated Date: 04/20/2023

BIG-IP Release Information

Version: 17.1.0.1
Build: 4.0

Note: This content is current as of the software release date.
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.




Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1238321-6 CVE-2022-4304 K000132943 OpenSSL Vulnerability CVE-2022-4304 17.1.0.1


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1284969 1-Blocking   Adding ssh-rsa key for passwordless authentication 17.1.0.1
1273041-3 1-Blocking BT1273041 Observing config error on R2x00/R4x00 low/high devices while doing tmsh load sys config via performance scripts 17.1.0.1
1226585-1 1-Blocking   Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode 17.1.0.1
1238693-1 3-Major BT1238693 Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519 17.1.0.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1267317-6 3-Major BT1267317 Disabling Access and/or WebSSO for flows causes a memory leak 17.1.0.1
1235085-1 3-Major BT1235085 Reinitialization of FIPS HSM in BIG-IP tenant. 17.1.0.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1213305-6 3-Major   Improper query string handling on undisclosed pages 17.1.0.1
1096373-8 3-Major   Unexpected parameter handling in BIG3d 17.1.0.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
1204961-1 3-Major   Improper query string handling on undisclosed pages 17.1.0.1
1204793-6 3-Major   Improper query string handling on undisclosed pages 17.1.0.1


Cumulative fix details for BIG-IP v17.1.0.1 that are included in this release

1284969 : Adding ssh-rsa key for passwordless authentication

Component: TMOS

Symptoms:
In FIPS 140-3 mode, SSHD does not support the ssh-rsa key for passwordless authentication.

Conditions:
The system must be in FIPS 140-3 mode.

Impact:
SSHD does not support the ssh-rsa key for passwordless authentication.

Workaround:
None

Fix:
SSHD now supports the ssh-rsa key for passwordless authentication in FIPS 140-3 mode.

Fixed Versions:
17.1.0.1


1273041-3 : Observing config error on R2x00/R4x00 low/high devices while doing tmsh load sys config via performance scripts

Links to More Info: BT1273041

Component: TMOS

Symptoms:
The following unexpected error occurs when running tmsh load sys config default:
"Invalid attempt to register an n-stage validator, the stage must be greater than the current stage, and within the range 1 to 101 inclusive,  current stage: 7 registered: 5 Unexpected Error: Loading configuration process failed. , retrying 5 more times"

Conditions:
In the Performance test environment, executing a script to load configs fails.

Impact:
A configuration error occurs and the ptt tests cannot proceed.

Workaround:
Reboot the device.

Fix:
On R2x00/R4x00 systems, tmsh load sys config failed because the VLAN tags were not yet ready at the time the configuration was loaded (which is also why restarting the tenant cleared the condition). This is fixed.

Fixed Versions:
17.1.0.1


1267317-6 : Disabling Access and/or WebSSO for flows causes a memory leak

Links to More Info: BT1267317

Component: Local Traffic Manager

Symptoms:
Disabling Access and/or WebSSO for flows using iRules causes a TMM memory leak.

Conditions:
-- Virtual server with SSO Access profile attached.
-- Virtual server with iRule having WEBSSO::disable
   and/or ACCESS::disable for HTTP_REQUEST event.

Impact:
The continuous memory leak eventually exhausts memory, causing the system to run out of memory and reboot.

Workaround:
None

Fixed Versions:
17.1.0.1


1238693-1 : Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519

Links to More Info: BT1238693

Component: TMOS

Symptoms:
In FIPS 140-3 mode, SSHD does not support the rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms, and it offers ed25519, which is not FIPS approved.

Conditions:
System must be in FIPS 140-3 mode.

Impact:
SSHD does not support the rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms, and it offers ed25519, which is not FIPS approved.

Workaround:
None

Fix:
In FIPS 140-3 mode, SSHD now supports the rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and rejects ed25519.

Fixed Versions:
17.1.0.1
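A way to verify the behaviour described for 1238693-1 (and, in the usage note, 1284969) from an administrator workstation, as an added example that is not part of this document or F5's tooling: OpenSSH prints both sides' KEXINIT proposals at -vv, so the server's advertised host key algorithms can be pulled from that output and compared with what FIPS 140-3 mode on 17.1.0.1 is expected to offer. It assumes an OpenSSH client and its debug2 line labels; the hostname admin@bigip.example is hypothetical, and the two embedded log samples are constructed for the demo. The check for the plain ssh-rsa signature algorithm (RSA with SHA-1) goes beyond the page and is reported as a warning only.

```shell
#!/bin/sh
# Added example, not F5 code: audit the host key algorithms a BIG-IP's sshd
# offers, using the server KEXINIT proposal that OpenSSH prints at -vv.
#
# On a workstation, capture the proposal with (BatchMode avoids a password
# prompt; "exit" keeps the session short; hostname is hypothetical):
#   ssh -vv -o BatchMode=yes -o ConnectTimeout=5 admin@bigip.example exit >kexinit.log 2>&1
# then: audit_hostkeys kexinit.log

# Extract the comma-separated host key algorithm list from the *server's*
# KEXINIT proposal. The client's own proposal is printed first with the same
# "host key algorithms:" label and must be skipped.
server_hostkey_algs() {
    awk '
        /peer server KEXINIT proposal/ { in_server = 1; next }
        in_server && /host key algorithms:/ {
            sub(/.*host key algorithms: */, "")
            print
            exit
        }
    ' "$1"
}

# Return 0 when the list matches what 1238693-1 describes for FIPS 140-3 mode
# on 17.1.0.1: rsa-sha2-256 and rsa-sha2-512 offered, ssh-ed25519 not offered.
# Return 1 (printing each finding) otherwise; return 2 if no proposal is found.
# The plain "ssh-rsa" signature algorithm (RSA with SHA-1) is reported as a
# warning; that check is this example's addition and does not affect the code.
audit_hostkeys() {
    algs=$(server_hostkey_algs "$1")
    if [ -z "$algs" ]; then
        echo "no server KEXINIT proposal in $1 (capture with ssh -vv)" >&2
        return 2
    fi
    rc=0
    for want in rsa-sha2-256 rsa-sha2-512; do
        case ",$algs," in
            *",$want,"*) ;;
            *) echo "MISSING: $want"; rc=1 ;;
        esac
    done
    case ",$algs," in
        *",ssh-ed25519,"*) echo "NOT FIPS-APPROVED: ssh-ed25519"; rc=1 ;;
    esac
    case ",$algs," in
        *",ssh-rsa,"*) echo "WARN: ssh-rsa (RSA with SHA-1 signatures) offered" ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $algs"
    return "$rc"
}

# Constructed sample: the debug2 lines of interest, as a 17.1.0.1 system in
# FIPS 140-3 mode is described to behave after the fix.
sample_fixed() {
cat <<'EOF'
debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256
debug2: ciphers ctos: aes128-ctr,aes256-ctr
EOF
}

# Constructed sample of the pre-fix behaviour the symptoms describe:
# ed25519 offered, rsa-sha2-* absent.
sample_prefix() {
cat <<'EOF'
debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
debug2: peer server KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa
EOF
}

# Stand-alone demo on the two samples.
tmp=$(mktemp)
for s in sample_fixed sample_prefix; do
    "$s" >"$tmp"
    echo "== $s"
    audit_hostkeys "$tmp" || echo "audit returned $?"
done
rm -f "$tmp"
```

The audit matches exact algorithm names, so certificate variants such as ssh-ed25519-cert-v01@openssh.com would not be flagged; extend the case patterns if the system is configured for host certificates. For 1284969 (an RSA user key for passwordless login) the analogous test is made on the client side rather than from the KEXINIT: force the signature algorithm with ssh -o PubkeyAcceptedAlgorithms=rsa-sha2-256 (OpenSSH 8.5 and later; PubkeyAcceptedKeyTypes on older clients) and confirm the login succeeds against the FIPS-mode system.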


1238321-6 : OpenSSL Vulnerability CVE-2022-4304

Links to More Info: K000132943


1235085-1 : Reinitialization of FIPS HSM in BIG-IP tenant.

Links to More Info: BT1235085

Component: Local Traffic Manager

Symptoms:
During reinitialization of the FIPS HSM in a BIG-IP tenant, the presence of existing keys is not checked.

Conditions:
The FIPS HSM in a BIG-IP tenant is already initialized and keys have been created, and reinitialization is then triggered.

Impact:
When reinitialization is triggered, the existing keys are erased without any warning to the user.

Workaround:
Before reinitializing the FIPS HSM in a BIG-IP tenant, make sure the existing keys have been deleted.
Use the following tmsh command to view the current keys:

"show sys crypto fips key"

Fix:
When reinitialization of the FIPS HSM in a BIG-IP tenant is triggered, the existing keys are now checked and a message is displayed if keys are present. Delete all existing keys before reinitializing.

Fixed Versions:
17.1.0.1


1226585-1 : Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode

Component: TMOS

Symptoms:
The restnoded framework availability monitor times out while waiting for its dependencies (registration of the /mgmt/tm/*/** endpoints for all provisioned modules), which are initialized during restjavad startup.

Conditions:
STIP mode is enabled, so the following DB variables are set to true:
tmsh list sys db security.commoncriteria
tmsh list sys db security.commoncriteria.stip

Impact:
Certain functionality in the SSL Orchestrator configuration GUI is not operational, or operates in a limited manner.

Fix:
A timeout can now be configured that controls how long restjavad waits for initialization to complete before restarting restnoded programmatically, so that the SSL Orchestrator app finds the dependent REST endpoints already registered.

The DB variable Restjavad.Startup.RestnodedRestart.AwaitTimeout was added with the default value set to 1200 seconds.

Fixed Versions:
17.1.0.1


1213305-6 : Improper query string handling on undisclosed pages

Component: Global Traffic Manager (DNS)

Symptoms:
On undisclosed pages, query strings are not processed as expected.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
The query string is processed as expected.

Fixed Versions:
17.1.0.1


1204961-1 : Improper query string handling on undisclosed pages

Component: Application Visibility and Reporting

Symptoms:
On undisclosed pages, query strings are not processed as expected.

Conditions:
N/A

Impact:
N/A

Workaround:
Reduce access to the control plane to trusted users.

Fix:
The query string is processed as expected.

Fixed Versions:
17.1.0.1


1204793-6 : Improper query string handling on undisclosed pages

Component: Application Visibility and Reporting

Symptoms:
On undisclosed pages, query strings are not processed as expected.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
Query strings are processed as expected.

Fixed Versions:
17.1.0.1


1096373-8 : Unexpected parameter handling in BIG3d

Component: Global Traffic Manager (DNS)

Symptoms:
The iQuery listener does not correctly handle certain received parameters.

Conditions:
Messages sent to the iQuery listener.

Impact:
Unexpected behavior.

Workaround:
If the IP addresses or subnets of trusted mesh members are known, then mesh communication security can be improved by creating a network-specific packet filter or by adding management interface firewall rules, depending on the situation.

Fix:
Parameters are handled as expected.

Fixed Versions:
17.1.0.1



Known Issues in BIG-IP v17.1.x


TMOS Issues

ID Number Severity Links to More Info Description
994033-4 2-Critical BT994033 The daemon httpd_sam does not recover automatically when terminated
993481-5 2-Critical BT993481 Jumbo frame issue with DPDK eNIC
950201-6 2-Critical BT950201 Tmm core on GCP
776117-6 2-Critical BT776117 BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type
1209709-5 2-Critical BT1209709 Memory leak in icrd_child when license is applied through BIG-IQ
1105901-6 2-Critical BT1105901 Tmm crash while doing high-speed logging
989501-3 3-Major BT989501 A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus
988745-8 3-Major BT988745 On reboot, 'could not find platform object' errors may be seen in /var/log/ltm
936093-7 3-Major BT936093 Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline
906273-4 3-Major BT906273 MCPD crashes receiving a message from bcm56xxd
778513-5 3-Major BT778513 APM intermittently drops log messages for per-request policies
757787-6 3-Major BT757787 Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI.
715748-4 3-Major BT715748 BWC: Flow fairness not in acceptable limits
1283721-1 3-Major BT1283721 Vmtoolsd memory leak
1253449-4 3-Major BT1253449 After publishing, the draft LTM policy configuration might not be updated (intermittently) into the bigip.conf
1217473-1 3-Major BT1217473 All the UDP traffic is sent to a single TMM
1215613-3 3-Major BT1215613 ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address
1211089-4 3-Major BT1211089 Traffic to IPv6 all nodes address not received by TMM on VE with ixlv driver
1160805-4 3-Major BT1160805 The scp-checkfp fail to cat scp.whitelist for remote admin
1136921-6 3-Major BT1136921 BGP might delay route updates after failover
1124733-3 3-Major BT1124733 Unnecessary internal traffic is observed on the internal tmm_bp vlan
1117305-8 3-Major BT1117305 The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials
1112537-6 3-Major BT1112537 LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete.
1102425-1 3-Major BT1102425 F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary
1090313-5 3-Major BT1090313 Virtual server may remain in hardware SYN cookie mode longer than expected
1067797 3-Major BT1067797 Trunked interfaces that share a MAC address may be assigned in the incorrect order.
1044089-5 3-Major BT1044089 ICMP echo requests to virtual address gets a response even when the virtual server is offline when updated from GUI.
1040573-5 3-Major BT1040573 REST operation takes a long time when two different users perform tasks in parallel
1012377-3 3-Major BT1012377 Unable to display/edit 'management route' via GUI
976517-4 4-Minor BT976517 Tmsh run sys failover standby with a device specified but no traffic group fails
895669-4 4-Minor BT895669 VCMP host does not validate when an unsupported TurboFlex profile is configured
857045-5 4-Minor BT857045 LDAP system authentication may stop working
838405-5 4-Minor BT838405 Listener traffic-group may not be updated when spanning is in use
1283749-1 4-Minor BT1283749 Systemctl start and restart fail to start the vmtoolsd service
1270989-1 4-Minor BT1270989 REST MemcachedClient uses fixed TMM address 127.1.1.2 to connect to memcached
1252537-4 4-Minor   Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role
1229325-1 4-Minor BT1229325 Unable to configure IP OSPF retransmit-interval as intended
1217297 4-Minor BT1217297 Removal of guestagentd service from the list of services running inside a tenant.
1217077-1 4-Minor BT1217077 Race condition processing network failover heartbeats with timeout of 1 second
1211617-2 4-Minor BT1211617 High CPU utilization observed during startup when the BIG-IP system is forced offline
1209589-5 4-Minor BT1209589 BFD multihop does not work with ECMP routes
1185257-6 4-Minor BT1185257 BGP confederations do not support 4-byte ASNs
1154685-4 4-Minor BT1154685 Error logged "01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object..." during startup
1121169-5 4-Minor BT1121169 Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use
1064753-6 4-Minor BT1064753 OSPF LSAs are dropped/rate limited incorrectly.
1044893-4 4-Minor BT1044893 Kernel warnings from NIC driver Realtek 8139
1189949-4 5-Cosmetic BT1189949 The TMSH sys core is not displaying help and tab complete behavior


Local Traffic Manager Issues

ID Number Severity Links to More Info Description
752766-4 1-Blocking BT752766 The BIG-IP system might fail to read SFPs after a reboot
1205501-4 2-Critical BT1205501 The iRule command SSL::profile can select server SSL profile with outdated configuration
1154465-2 2-Critical BT1154465 Error attaching few QAT devices to TMM
1146377-6 2-Critical BT1146377 FastHTTP profiles do not insert HTTP headers triggered by iRules
1024241-5 2-Critical BT1024241 Empty TLS records from client to BIG-IP results in SSL session termination
975657-2 3-Major BT975657 With HTTP2 enabled, only partial sorry contents (< 32KB) can be sent to the client via HTTP::respond
966785-5 3-Major BT966785 Rate Shaping stops TCP retransmission
878641-7 3-Major BT878641 TLS1.3 certificate request message does not contain CAs
842425-7 3-Major BT842425 Mirrored connections on standby are never removed in certain configurations
693473-9 3-Major BT693473 The iRulesLX RPC completion can cause invalid or premature TCL rule resumption
1284589-1 3-Major BT1284589 HTTP CONNECT request from client is not successful with iRule HTTP::disable discard command
1284261-4 3-Major BT1284261 Constant traffic on DHCPv6 virtual servers may cause a TMM crash.
1281637-2 3-Major BT1281637 When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE
1273161-4 3-Major BT1273161 Secondary blades are unavailable, clusterd is reporting shutdown, and waiting for other blades
1272501-1 3-Major BT1272501 Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure"
1269733-1 3-Major BT1269733 HTTP GET request with headers has incorrect flags causing timeout
1269709-4 3-Major BT1269709 GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles
1238529-3 3-Major BT1238529 TMM might crash when modifying a virtual server in low memory conditions
1238413-4 3-Major BT1238413 The BIG-IP might fail to update ARL entry for a host in a VLAN-group
1229369-4 3-Major BT1229369 The fastl4 TOS mimic setting towards client may not function
1210469-1 3-Major BT1210469 TMM can crash when processing AXFR query for DNSX zone
1209945-2 3-Major BT1209945 Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs
1205045-6 3-Major BT1205045 WMI monitor does not put pool members into an offline/unchecked state when BIG-IP receives HTTP responses other than 200
1126841-5 3-Major BT1126841 HTTP::enable can rarely cause cores
1117609-5 3-Major BT1117609 VLAN guest tagging is not implemented for CX4 and CX5 on ESXi
1110485-5 3-Major BT1110485 SSL handshake failures with invalid profile error
1088597-6 3-Major BT1088597 TCP keepalive timer can be immediately re-scheduled in rare circumstances
1064725-5 3-Major BT1064725 CHMAN request for tag:19 as failed.
1059573-5 3-Major BT1059573 Variation in a case insensitive value of an operand in LTM policy may fail in some rules.
1026781-5 3-Major BT1026781 Standard HTTP monitor send strings have double CRLF appended
1025089-7 3-Major BT1025089 Pool members marked DOWN by database monitor under heavy load and/or unstable connections
1017841-3 3-Major BT1017841 Payload manager lacks egress flow control when used through satellite
1281709-4 4-Minor BT1281709 Traffic-group ID may not be updated properly on a TMM listener
1281405-2 4-Minor BT1281405 "fipsutil fwcheck -f" command may not return the correct result
1280769 4-Minor   Fipsutil's fwcheck and fwupdate sub-commands show errors when run on R10920 and R5920 tenant.
1269773-1 4-Minor BT1269773 Convert network-order to host-order for extensions in TLS1.3 certificate request
1240937-4 4-Minor BT1240937 The FastL4 TOS specify setting towards server may not function for IPv6 traffic
1238897-1 4-Minor BT1238897 TMM TCL interpreter's non-TMM "compat" memcasechr broken in 64-bit build
1211189-4 4-Minor BT1211189 Stale connections observed and handshake failures observed with errors
1167609-4 4-Minor BT1167609 The messages msg->ref > 0 are seen in TMM logs with websockets/ASM plugin
1121349 4-Minor BT1121349 CPM NFA may stall due to lack of other state transition
1034865-6 4-Minor BT1034865 CACHE::enable failed on private/no-store content
1030093 4-Minor BT1030093 An http2 to http2 virtual connection with translate-address disabled might only use one stream on the server side.
926085-4 5-Cosmetic BT926085 In WebUI node or port monitor test is not possible, but it works in TMSH


Global Traffic Manager (DNS) Issues

ID Number Severity Links to More Info Description
1267845-5 2-Critical BT1267845 ISC's internal_current function asserted because ifa_name was NULL
1225061-1 2-Critical BT1225061 The zxfrd segfault with numerous zone transfers
1212081-5 2-Critical BT1212081 The zxfrd segfault and restart loop due to incorrect packet processing
1281433-1 3-Major BT1281433 Missing GTM probes on GTM server when an external monitor is attached to an additional pool
1273141-1 3-Major BT1273141 GTM pool members are not probed and multiple GTMs are reporting inconsistent status
1269601-1 3-Major BT1269601 Unable to delete monitor while updating DNS virtual server monitor through transaction
1250077-6 3-Major BT1250077 TMM memory leak
1182353-6 3-Major BT1182353 DNS cache consumes more memory because of the accumulated mesh_states
1161241-7 3-Major BT1161241 BIND default behavior changed from 9.11 to 9.16
1108237-3 3-Major BT1108237 Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM.
1082197-5 3-Major BT1082197 RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response
1274385-1 5-Cosmetic BT1274385 BIGIP-DNS GUI delivery summary stats shows incorrect count for "Disabled" GTM listeners


Application Security Manager Issues

ID Number Severity Links to More Info Description
1284081-1 1-Blocking BT1284081 Incorrect Enforcement After Sync
923821-5 2-Critical BT923821 Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack
850141-5 2-Critical BT850141 Possible tmm core when using Dosl7/Bot Defense profile
1282281-5 2-Critical BT1282281 Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns
1217549-4 2-Critical BT1217549 Missed ASM Sync on startup
890169-6 3-Major BT890169 URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
1281381-1 3-Major   BD fails to load config when the virtual server name is longer than 64 chars
1280813-3 3-Major BT1280813 Illegal URL violation triggered after upgrade due to missing content-profiles in DB
1271469-5 3-Major BT1271469 Failed to install ASU file scheduled for install
1270133-1 3-Major   bd crash during configuration update
1250209-1 3-Major BT1250209 The message "ERR: in Graphql disallowed response, pcre is null" appears in BD logs
1239297 3-Major BT1239297 TMM URL web scraping limit not synced to secondary slot 2 in VIPRION chassis
1235337-2 3-Major BT1235337 The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL
1216297-3 3-Major   TMM core occurs when ASM is disabled in the request_send event
1211905-3 3-Major BT1211905 Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts"
1210321-2 3-Major BT1210321 Parameters are not created for properties defined in multipart request body when URL include path parameter
1196537-5 3-Major BT1196537 BD process crashes when you use SMTP security profile
1196185-1 3-Major BT1196185 Policy Version History is not presented correctly with scrolling
1194173-5 3-Major   BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value
1190365-1 3-Major BT1190365 OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly
1186401-4 3-Major BT1186401 Using REST API to change policy signature settings changes all the signatures.
1184841-6 3-Major   Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API
1173493-2 3-Major   Bot signature staging timestamp corrupted after modifying the profile
1156889-5 3-Major BT1156889 TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions
1148009-8 3-Major BT1148009 Cannot sync an ASM logging profile on a local-only VIP
1144497-5 3-Major   Base64 encoded metachars are not detected on HTTP headers
1137993-6 3-Major BT1137993 Violation is not triggered on specific configuration
1132981-5 3-Major BT1132981 Standby not persisting manually added session tracking records
1132741-7 3-Major BT1132741 Tmm core when html parser scans endless html tag of size more than 50MB
1117245-5 3-Major BT1117245 Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file
1098609-3 3-Major   BD crash on specific scenario
1078065-5 3-Major BT1078065 The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA.
1069729-4 3-Major BT1069729 TMM might crash after a configuration change.
1067557-5 3-Major   Value masking under XML and JSON content profiles does not follow policy case sensitivity
1059513-3 3-Major BT1059513 Virtual servers may appear as detached from security policy when they are not.
1048949-8 3-Major BT1048949 TMM xdata leak on websocket connection with asm policy without websocket profile
1023889-5 3-Major BT1023889 HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message
987977-1 4-Minor BT987977 VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation
1284097-1 4-Minor BT1284097 False positive 'Illegal cross-origin request' violation
1245209-1 4-Minor BT1245209 Introspection query violation is reported regardless of the flag status
1210569-1 4-Minor BT1210569 User defined signature rule disappears when using high ASCII in rule
1210053-3 4-Minor BT1210053 The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error
1189865-5 4-Minor BT1189865 "Cookie not RFC-compliant" violation missing the "Description" in the event logs
1123153-5 4-Minor   "Such URL does not exist in policy" error in the GUI
1113753-5 4-Minor   Signatures might not be detected when using truncated multipart requests
1084857-6 4-Minor BT1084857 ASM::support_id iRule command does not display the 20th digit
1083513-4 4-Minor BT1083513 BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd
1076825-3 4-Minor BT1076825 "Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.
1030129-5 5-Cosmetic BT1030129 iHealth unnecessarily flags qkview for H701182 with mcp_module.xml


Access Policy Manager Issues

ID Number Severity Links to More Info Description
1282769-1 2-Critical   Localdb user can change the password of other user
1282105 2-Critical BT1282105 Assertion response attributes parsing issue after upgrade to BIG-IP 17.1.0
1270501 2-Critical BT1270501 Before upgrade, if log level is configured as debug, then APMD continuously restarts with a coredump
1111149-4 2-Critical BT1111149 Nlad core observed because ERR_func_error_string can return NULL
1110489-4 2-Critical BT1110489 TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event
1083053-4 2-Critical BT1083053 Apmd memory grows over time in AD auth scenarios
967185-3 3-Major BT967185 Increase the size limit of JWT for OAuth
796065-3 3-Major BT796065 PingAccess filter can accumulate connections increasing memory use.
1273881-3 3-Major BT1273881 TMM crashes while processing traffic on the virtual server
1268521-1 3-Major BT1268521 SAML authentication with the VCS fails when launching the applications/remote desktops from the APM Webtop when multiple RD resources are assigned to the APM Webtop
1232977-4 3-Major BT1232977 TMM leaking memory in OAuth scope identifiers when parsing scope lists
1207821-1 3-Major BT1207821 APM internal virtual server leaks memory under certain conditions
1180365-3 3-Major   APM Integration with Citrix Cloud Connector
1060477-2 3-Major BT1060477 iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]".
1044457-4 3-Major BT1044457 APM webtop VPN is no longer working for some users when CodeIntegrity is enabled.
1041985-5 3-Major BT1041985 TMM memory utilization increases after upgrade
936061-4 4-Minor BT936061 Variable session.user.agent missing for Edge Client & F5 Access clients
1218813-6 4-Minor BT1218813 "Timeout waiting for TMM to release running semaphore" after running platform_diag
1028081-3 4-Minor BT1028081 [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page


Service Provider Issues

ID Number Severity Links to More Info Description
1270497-3 2-Critical BT1270497 MRF SIP/ALG Core dump observed while accessing trans_data in sipmsg_register_ingress_register_request_session_reply_common method
1269889-1 2-Critical   LTM crashes are observed while running SIP traffic and pool members are offline
1239901-3 2-Critical   LTM crashes while running SIP traffic
1189513-6 3-Major BT1189513 SIP media flow pinholes are not created if an SDP MIME multipart body part is missing the content-length header
1156149-5 3-Major BT1156149 Early responses on standby may cause TMM to crash
1038057-5 3-Major BT1038057 Unable to add a serverssl profile into a virtual server containing a FIX profile
1251013-1 4-Minor BT1251013 Allow non-RFC compliant URI characters
1249929-2 4-Minor BT1249929 Diameter MRF sends CER to pool-member even after peer sent DPR and force-offline the pool member
1213469-5 4-Minor BT1213469 MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP dropped


Advanced Firewall Manager Issues

ID Number Severity Links to More Info Description
609878-8 2-Critical BT609878 Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server
1215161-4 2-Critical BT1215161 A new CLI option introduced to display rule-number for policy, rules and rule-lists
1106273-5 2-Critical BT1106273 "duplicate priming" assert in IPSECALG
1080957-1 2-Critical BT1080957 TMM Seg fault while Offloading virtual server DOS attack to HW
1048425-6 2-Critical BT1048425 Packet tester crashes TMM when vlan external source-checking is enabled
1238629-2 3-Major BT1238629 TMM core when client send nxdomain query with BA enabled
1199025-3 3-Major BT1199025 DNS vectors auto-threshold events are not seen in webUI
1196053-4 3-Major BT1196053 The autodosd log file is not truncating when it rotates
1190765-1 3-Major   VelOS | Zone Base DDOS | Aggregation, BD | Entries in sPVA registers are not reset once the attack is complete
1167969-2 3-Major BT1167969 In DoS Profile level, the Flood attack Vectors with TCP and UDP, Hardware offloading is not working as expected
1110281-7 3-Major BT1110281 Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable
1277641 4-Minor BT1277641 DoS | i-series | After mitigation of bad destination at profile level, bd_hit is not incrementing for host unreachable vector.
1251105-1 4-Minor BT1251105 DoS Overview (non-HTTP) - A null pointer was passed into a function
1215401-2 4-Minor   Under Shared Objects, some country names are not available to select in the Address List
1069265 4-Minor BT1069265 New connections or packets from the same source IP and source port can cause unnecessary port block allocations.


Policy Enforcement Manager Issues

ID Number Severity Links to More Info Description
1186925-6 2-Critical BT1186925 When FUA in CCA-i, PEM does not send CCR-u for other rating-groups
1259489-2 3-Major BT1259489 PEM subsystem memory leak is observed when using PEM::subscriber information
1238249-5 3-Major BT1238249 PEM Report Usage Flow log is inaccurate
1226121-5 3-Major BT1226121 TMM crashes when using PEM logging enabled on session
1207381 3-Major BT1207381 PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored
1190353-4 3-Major BT1190353 The wr_urldbd BrightCloud database downloading from a proxy server is not working
1174085-7 3-Major BT1174085 spmdb_session_hash_entry_delete releases the hash's reference


Carrier-Grade NAT Issues

ID Number Severity Links to More Info Description
1128429-7 4-Minor BT1128429 Rebooting one or more blades at different times may cause traffic imbalance, resulting in high CPU


Fraud Protection Services Issues

ID Number Severity Links to More Info Description
1060393-3 3-Major BT1060393 Extended high CPU usage caused by JavaScript Obfuscator.


Anomaly Detection Services Issues

ID Number Severity Links to More Info Description
1211297-1 2-Critical   Handling DoS profiles created dynamically using iRule and L7Policy
1046469-4 3-Major BT1046469 Memory leak during large attack


Device Management Issues

ID Number Severity Links to More Info Description
1196477-8 3-Major BT1196477 Request timeout in restnoded
1049237-6 4-Minor BT1049237 Restjavad may fail to cleanup ucs file handles even with ID767613 fix


In-tmm monitors Issues

ID Number Severity Links to More Info Description
1211985-6 3-Major BT1211985 BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring


Known Issue details for BIG-IP v17.1.x

994033-4 : The daemon httpd_sam does not recover automatically when terminated

Links to More Info: BT994033

Component: TMOS

Symptoms:
An APM policy redirects users to an incorrect domain; the httpd_sam daemon is not running.

Conditions:
The httpd_sam daemon is stopped with the terminate command.

Impact:
The APM policy performs incorrect redirects.

Workaround:
Restart the daemons httpd_apm and httpd_sam.


993481-5 : Jumbo frame issue with DPDK eNIC

Links to More Info: BT993481

Component: TMOS

Symptoms:
TMM crashes.

Conditions:
-- TMM is using DPDK driver with Cisco eNIC
-- TMM receives jumbo sized packet

Impact:
Traffic disrupted while TMM restarts.

Workaround:
- Use a different driver such as sock.
- Do not use or accept jumbo frames; use the following tmsh command to set the MTU to 1500 or less:
tmsh modify net vlan external mtu 1500


989501-3 : A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus

Links to More Info: BT989501

Component: TMOS

Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might drop off the PCI bus, leaving the BIG-IP system unable to process traffic. If this happens, a daemon_heartbeat failsafe is triggered instead of the dataplane_inoperable_t action.

Conditions:
The conditions that cause the HSB to drop off the PCI bus are unknown at this time.

Impact:
The BIG-IP system is unable to pass traffic, and a failover is triggered.

Workaround:
Reboot the device or the blade to recover, and monitor for recurrence. If it happens again, it may indicate an underlying hardware issue.


988745-8 : On reboot, 'could not find platform object' errors may be seen in /var/log/ltm

Links to More Info: BT988745

Component: TMOS

Symptoms:
During a reboot, several error messages are logged in /var/log/ltm:

-- err mcpd[9401]: 01070710:3: Database error (0), get_platform_obj: could not find platform object - sys/validation/Platform.cpp, line 188.

-- err chmand[6578]: 012a0003:3: hal_mcp_process_error: result_code=0x1070710 for result_operation=eom result_type=eom

Conditions:
This occurs when either of the following conditions is met:
-- A fresh installation of a BIG-IP system.
-- A reboot after forcing the mcpd process to reload the BIG-IP configuration.

Impact:
These error messages have no functional impact.

Workaround:
None.


987977-1 : VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation

Links to More Info: BT987977

Component: Application Security Manager

Symptoms:
The violation_details field of the remote logging message includes the XML document for VIOL_HTTP_RESPONSE_STATUS even though no VIOL_HTTP_RESPONSE_STATUS violation was triggered.

Conditions:
When all of the following conditions are met:

-- The response status code is not one of the 'Allowed Response Status Codes'.
-- The Alarm and Block flags are disabled for the 'Illegal HTTP status in response' violation.
-- The logging profile is configured for remote storage.
-- The storage format is comma-separated.
-- Both the violation_details and violations fields are selected.

Impact:
The remote logging server receives an inaccurate message.

Workaround:
None


976517-4 : Tmsh run sys failover standby with a device specified but no traffic group fails

Links to More Info: BT976517

Component: TMOS

Symptoms:
The tmsh run /sys failover standby device <device> command fails and returns an error if no traffic-group is specified:

Syntax Error: There is no failover device with a name (/Common/bigip2.localhost).

Conditions:
Two or more BIG-IP systems configured for high availability (HA).

Impact:
You must specify each traffic group that you want to fail over to the peer.

Workaround:
For each traffic group that you want to fail over to a peer, run tmsh run /sys failover standby with both the device and the traffic-group specified.

For example, to fail over both traffic-group-1 and traffic-group-2 to bigip2.localhost, run the following:

tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-1

tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-2

If you want the device to go standby for all traffic groups and you do not care which device becomes active, run the following command (note that neither traffic-group nor device is specified):

tmsh run /sys failover standby
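Because the command must be issued once per traffic group, the shell functions below, added here as an illustration and not part of the F5 documentation, read the traffic-group names from the one-line tmsh listing and emit one standby command per group for the chosen peer. They assume the `tmsh list cm traffic-group one-line` output shape shown in the constructed sample, and they skip traffic-group-local-only, which never fails over.

```shell
#!/bin/sh
# Added example (not from the F5 release note): build the per-traffic-group
# failover commands that bug 976517 forces you to run by hand.
# Input is the text that `tmsh list cm traffic-group one-line` prints on a
# BIG-IP; here it is supplied from a constructed string so this runs offline.

# Print the traffic-group names found in one-line tmsh output, skipping
# traffic-group-local-only (it is never failed over). Works whether names
# are bare or partition-qualified (/Common/...).
list_traffic_groups() {
    # $1: text of `tmsh list cm traffic-group one-line`
    printf '%s\n' "$1" | awk '
        $1 == "cm" && $2 == "traffic-group" && $3 !~ /traffic-group-local-only$/ { print $3 }
    '
}

# Print one `tmsh run /sys failover standby ...` command per traffic group so
# that every group moves to the same peer device.
failover_commands() {
    # $1: peer device name, $2: one-line traffic-group listing
    dev="$1"
    for tg in $(list_traffic_groups "$2"); do
        printf 'tmsh run /sys failover standby device %s traffic-group %s\n' "$dev" "$tg"
    done
}

# Constructed sample listing (not captured from a real device).
SAMPLE_TG_LIST='cm traffic-group traffic-group-1 { auto-failback-enabled false default-device bigip1.localhost unit-id 1 }
cm traffic-group traffic-group-2 { auto-failback-enabled false default-device bigip2.localhost unit-id 2 }
cm traffic-group traffic-group-local-only { unit-id 0 }'

# On a real BIG-IP, review the commands first, then pipe them to a shell:
#   failover_commands bigip2.localhost "$(tmsh list cm traffic-group one-line)"
#   failover_commands bigip2.localhost "$(tmsh list cm traffic-group one-line)" | sh
# Dry run against the constructed sample:
failover_commands bigip2.localhost "$SAMPLE_TG_LIST"
```

Review the generated commands before executing them; a peer name that does not match a device in the device group produces the same "no failover device" error the bug describes.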


975657-2 : With HTTP2 enabled, only partial sorry contents (< 32KB) can be sent to the client via HTTP::respond

Links to More Info: BT975657

Component: Local Traffic Manager

Symptoms:
Only partial content (up to the maximum allowed "write-size" in the HTTP2 profile, that is, 32KB) can be sent to the client via the HTTP::respond iRule command.

Conditions:
-- HTTP2 enabled on virtual server
-- Content sent by the iRule exceeds 32KB

Impact:
The client fails to receive the whole content.


967185-3 : Increase the size limit of JWT for OAuth

Links to More Info: BT967185

Component: Access Policy Manager

Symptoms:
Currently, the allowed payload size for a JWT is 4K. Users whose claims exceed this length are unable to authenticate.

Conditions:
OAuth is configured with JWT.

Impact:
Users whose claims exceed the limit are unable to authenticate.


966785-5 : Rate Shaping stops TCP retransmission

Links to More Info: BT966785

Component: Local Traffic Manager

Symptoms:
When rate shaping is applied to a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.

Conditions:
This issue occurs when both of the following conditions are met:

-- Rate shaping is configured on the virtual server.
-- The virtual server is of type Standard.

Impact:
The BIG-IP system does not retransmit unacknowledged data segments.

Workaround:
None


950201-6 : Tmm core on GCP

Links to More Info: BT950201

Component: TMOS

Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.

TMM panics with this message in the tmm log file:

panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.

Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141

-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.


Note: Using either workaround has a performance impact.


936093-7 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline

Links to More Info: BT936093

Component: TMOS

Symptoms:
Loading a UCS file that contains non-empty fipserr files can cause a FIPS-based system to remain offline.

Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.

Impact:
The system is completely offline with spurious 'fipserr' failures, even after loading the UCS file.

Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:

/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr

This can be accomplished using a command such as:

truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr


936061-4 : Variable session.user.agent missing for Edge Client & F5 Access clients

Links to More Info: BT936061

Component: Access Policy Manager

Symptoms:
When connecting with Edge Client or F5 Access clients, the BIG-IP APM session variable session.user.agent is missing from the APM session.

Conditions:
BIG-IP APM
Edge Client & F5 Access clients

Impact:
The session variable session.user.agent cannot be used in BIG-IP APM access policy logic.

Workaround:
An iRule can be used to generate an equivalent session variable. For example:

# This event fires once per session
when ACCESS_SESSION_STARTED {
  log local0. "Setting User-Agent based on HTTP data - [HTTP::header User-Agent]"
  ACCESS::session data set session.custom.client.useragent [HTTP::header User-Agent]
  #Use this variable in the VPE to make some decision
}


926085-4 : In WebUI node or port monitor test is not possible, but it works in TMSH

Links to More Info: BT926085

Component: Local Traffic Manager

Symptoms:
When attempting to test a newly created Pool Member monitor, the node address field is disabled and you cannot enter a node address. This prevents you from using the Test operation for this type of monitor in the WebUI.

Conditions:
-- Create a new Pool Member monitor (not a Node Address monitor), for example HTTP, HTTPS, FTP, TCP, or Gateway ICMP.
-- With the monitor configuration displayed in the WebUI, click the Test tab.
-- View the Address field, and try to run the test.

Impact:
The Address field is disabled, with *.* in the field. You cannot enter a node address. The test fails with the following message:

invalid monitor destination of *.*:80.
invalid monitor destination of *.*:443. (:port used to test)

Workaround:
Run either of the following tmsh commands:

-- tmsh run ltm monitor <type> <name> destination <IP address>:<port>
-- tmsh modify ltm monitor <type> <name> destination *:*

For example, for HTTP:
-- tmsh run ltm monitor http my_http destination <IP address>:<port>
-- tmsh modify ltm monitor http my_http destination *:*

For example, for HTTPS:
-- tmsh run ltm monitor https my_https destination <IP address>:<port>
-- tmsh modify ltm monitor https my_https destination *:*


923821-5 : Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack

Links to More Info: BT923821

Component: Application Security Manager

Symptoms:
When the mitigation action is set to CSI followed by captcha for a credential stuffing attack, the captcha is not triggered even after a successful CSI challenge.

Conditions:
1) The mitigation action is set to CSI followed by captcha for credential stuffing attacks.
2) A credential stuffing attack occurs.
3) The CSI challenge succeeds.

Impact:
The captcha is not triggered, so the mitigation applied to the credential stuffing attack is weaker than configured.

Workaround:
None


906273-4 : MCPD crashes receiving a message from bcm56xxd

Links to More Info: BT906273

Component: TMOS

Symptoms:
Under rare circumstances, the Broadcom switch daemon, bcm56xxd, can send more than one message at a time to MCPD.
This can cause MCPD either to fail immediately or to hang and be terminated by sod 5 minutes later.

One of the messages is sent in response to a link status change. The second is a reply to a query, for instance a query for L2 forwarding statistics.

Conditions:
- BIG-IP with a Broadcom switch.
- A link status change occurs.
- MCPD sends a query to bcm56xxd, for example for L2 forwarding statistics.

Impact:
MCPD fails and restarts, causing a failover.

Workaround:
None


895669-4 : VCMP host does not validate when an unsupported TurboFlex profile is configured

Links to More Info: BT895669

Component: TMOS

Symptoms:
There is no validation error when an unsupported TurboFlex profile is configured on a vCMP host for the relevant platforms. Because of this missing validation, incorrect FPGA firmware can be loaded on the host, and a guest may fail to start or may reboot constantly.

Conditions:
(1) Provision vCMP on the host and deploy two guests with 4 cores each.
(2) On the vCMP host, manually change the TurboFlex profile type to one that the platform does not support.

Impact:
Incorrect FPGA firmware is loaded on the host, which can cause data plane problems on the guest.

Workaround:
Use only supported TurboFlex profiles.


890169-6 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.

Links to More Info: BT890169

Component: Application Security Manager

Symptoms:
When a URL starts with double slashes (for example, http://HOST//path) and the Bot Defense profile decides to perform a simple redirect, the request fails to load.

Conditions:
-- A Bot Defense profile in blocking mode (or with "Verification and Device-ID Challenges in Transparent Mode" enabled) is attached to a virtual server.
-- A request to a non-qualified URL that starts with a double slash is sent during the profile's grace period.

Impact:
The request is not loaded (a failure message is shown in the browser), and the browser may be identified as suspicious by Bot Defense.

Workaround:
None.


878641-7 : TLS1.3 certificate request message does not contain CAs

Links to More Info: BT878641

Component: Local Traffic Manager

Symptoms:
The TLS 1.3 CertificateRequest message does not include the certificate_authorities extension (see https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4).

Conditions:
TLS 1.3 with client authentication.

Impact:
The Advertised Certificate Authorities option on Client SSL profiles has no effect when TLS 1.3 is negotiated.


857045-5 : LDAP system authentication may stop working

Links to More Info: BT857045

Component: TMOS

Symptoms:
If the system daemon responsible for LDAP authentication (nslcd) crashes, the system does not automatically restart it, and remote LDAP authentication may stop working.

In /var/log/daemon.log, you may see the following:

warning systemd[1]: nslcd.service failed

Conditions:
The nslcd daemon crashed and was not restarted.

Impact:
System authentication stops working until nslcd is restarted.

Workaround:
Manually restart the nslcd daemon:

systemctl start nslcd

nslcd can be reconfigured to restart automatically and to create core files when it crashes. Note that these changes are lost across software installs and are not backed up as part of a UCS archive:

1. Run "systemctl edit nslcd", which opens a text editor (nano by default).

2. In the text editor, add the following contents:

[Service]

# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always

3. Save the file and exit the text editor.

4. Check the output of "systemctl status nslcd" for any warnings or errors from systemd caused by the edit; there should be none.

5. Restart nslcd:
   systemctl restart nslcd
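Because the drop-in is lost on every software install and is not carried in a UCS archive, it is worth scripting so it can be re-applied after each upgrade. The shell functions below are an added illustration, not part of the F5 documentation: they write the same override.conf that "systemctl edit nslcd" creates (under /etc/systemd/system/nslcd.service.d/) and verify its contents. The target directory is a parameter so the functions can be tried against a scratch path before touching the real unit.

```shell
#!/bin/sh
# Added example (not from the F5 release note): apply the nslcd systemd
# drop-in non-interactively instead of through `systemctl edit nslcd`.
# `systemctl edit` writes /etc/systemd/system/nslcd.service.d/override.conf;
# this writes the same file. The directory is a parameter for safe testing.

write_nslcd_override() {
    # $1: directory for the drop-in (default: the unit's real .d directory)
    dir="${1:-/etc/systemd/system/nslcd.service.d}"
    mkdir -p "$dir" || return 1
    cat > "$dir/override.conf" <<'EOF'
[Service]
# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always
EOF
}

# Return 0 only if the drop-in exists and carries both settings under [Service].
verify_nslcd_override() {
    # $1: directory holding override.conf (same default as above)
    f="${1:-/etc/systemd/system/nslcd.service.d}/override.conf"
    [ -f "$f" ] || return 1
    grep -qx '\[Service\]' "$f" || return 1
    grep -qx 'Restart=always' "$f" || return 1
    grep -qx 'LimitCORE=infinity' "$f"
}

# On a real BIG-IP, as root, the full sequence after each software install is:
#   write_nslcd_override && verify_nslcd_override \
#     && systemctl daemon-reload && systemctl restart nslcd \
#     && systemctl show nslcd -p Restart     # expect Restart=always
```

Run daemon-reload before restarting nslcd so systemd picks up the new drop-in; "systemctl status nslcd" afterwards should show the unit active with no warnings about the override file.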


850141-5 : Possible tmm core when using Dosl7/Bot Defense profile

Links to More Info: BT850141

Component: Application Security Manager

Symptoms:
Tmm crashes.

Conditions:
-- A DoSL7/Bot Defense profile is attached to a virtual server.
-- A request is sent with a trusted bot signature and requires a reverse DNS (rDNS) lookup.
-- An asynchronous iRule is attached to the virtual server.

OR:
-- The Device ID feature is enabled, and the current request requires a complex Device ID generation.
-- The connection is closed before the response arrives.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


842425-7 : Mirrored connections on standby are never removed in certain configurations

Links to More Info: BT842425

Component: Local Traffic Manager

Symptoms:
When the conditions are met and the interface of a connection on the active system changes, the peer is not notified, and the connection persists on the standby system even after the connection on the active system has been destroyed.

Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.

Impact:
Connections leak on the standby system.

Workaround:
You can use either of the following workarounds:

-- Use auto-lasthop with mirrored connections.

-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.


838405-5 : Listener traffic-group may not be updated when spanning is in use

Links to More Info: BT838405

Component: TMOS

Symptoms:
The BIG-IP system may fail to update the configuration of a virtual server when spanning is disabled or enabled on its virtual address.

Conditions:
Spanning is disabled or enabled on a virtual address.

Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual server configuration.

Depending on the configuration, the virtual server may or may not forward traffic when expected.

Workaround:
Enable or disable spanning together with a traffic-group change (both options must be changed in the same command):

> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-2 spanning disabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled


796065-3 : PingAccess filter can accumulate connections increasing memory use.

Links to More Info: BT796065

Component: Access Policy Manager

Symptoms:
Currently the maximum HTTP header count for PingAccess is 64. The connection to the backend is aborted if a request carries more than 64 headers.

Conditions:
1. PingAccess is configured.
2. The HTTP header count exceeds 64.

Impact:
The connection is aborted by the BIG-IP system, and users are unable to access the backend.

Workaround:
None


778513-5 : APM intermittently drops log messages for per-request policies

Links to More Info: BT778513

Component: TMOS

Symptoms:
APM may intermittently drop log messages, leading to missing information on policy execution or other events.

Conditions:
This might occur under either of the following conditions:

 -- Using APM per-request policies, or ACCESS::log iRule commands.
 -- APM is configured to use multiple log destinations (such as: local-db and local-syslog).

Impact:
Administrators may fail to see certain logging events, hindering troubleshooting or auditing efforts.

Workaround:
No workaround is possible.

When reviewing APM logs, keep in mind that during periods of high activity (more than 100 log messages in 1 to 2 seconds) the system may drop some log messages.


776117-6 : BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type

Links to More Info: BT776117

Component: TMOS

Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type.

Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor.

Impact:
The BIG-IP system does not use the virtio driver and falls back to the sock driver (or the unic driver in versions prior to 14.1.0).


757787-6 : Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI.

Links to More Info: BT757787

Component: TMOS

Symptoms:
When creating a new rule or modifying an existing rule in an LTM/AFM policy using the WebUI, the operation fails and an error similar to the following is returned:

Transaction failed:010715bd:3: The parent folder is owned by application service (/Common/MyPolicy.app/MyPolicy), the object ownership cannot be changed to ().

Conditions:
-- The LTM/AFM Policy belongs to an Application Service (iApp).
-- The modification is attempted via the WebUI.

Impact:
Unable to make changes to existing LTM/AFM policies from the WebUI.

Workaround:
Use the tmsh utility to make the necessary modifications to the LTM/AFM Policy. For example, the following command modifies an existing rule:

tmsh modify ltm policy myapp.app/Drafts/myapp_l7policy rules modify { 0 { conditions modify { 0 { http-method equals values { GET POST } } } } }


752766-4 : The BIG-IP system might fail to read SFPs after a reboot

Links to More Info: BT752766

Component: Local Traffic Manager

Symptoms:
SFP interfaces are reported as missing:

# tmsh show net interface 2.0
--------------------------------------------------------
Net::Interface
Name  Status  Bits  Bits  Pkts  Pkts  Drops  Errs  Media
              In    Out   In    Out
--------------------------------------------------------
2.0   miss    0     0     0     0     0      0     none

tmsh show sys ha-status reports the tmm ready-for-world feature as failed:

  # tmsh show sys ha-status
  -------------------------------------------------------------------------
  Sys::HA Status
  Feature          Key   Action  Fail
  -------------------------------------------------------------------------
  ready-for-world  tmm   none    yes
  ready-for-world  tmm1  none    yes
  ready-for-world  tmm2  none    yes
  ready-for-world  tmm3  none    yes
  ready-for-world  tmm4  none    yes
  ready-for-world  tmm5  none    yes

Conditions:
This has been seen on the i15800 and i11000 series BIG-IP platforms immediately after the system boots.

Impact:
The BIG-IP system does not become ready after a reboot.

Workaround:
If the system is in this state, restart tmm to recover:
# tmsh restart sys service tmm


715748-4 : BWC: Flow fairness not in acceptable limits

Links to More Info: BT715748

Component: TMOS

Symptoms:
Flow fairness for a BWC dynamic policy instance is reduced.

Conditions:
Flow fairness deviates by up to 50%; it is expected to be within 25%.

Impact:
Flow fairness of BWC dynamic policy across sessions is not as expected.


693473-9 : The iRulesLX RPC completion can cause invalid or premature TCL rule resumption

Links to More Info: BT693473

Component: Local Traffic Manager

Symptoms:
RPC completion attempts to resume the RPC iRule execution when there is subsequent iRule activity on the flow (CLIENT_CLOSED or SERVER_CLOSED, for instance), which keeps the flow alive and blocks in an iRule event.

Conditions:
An iRule event blocks while an RPC call is outstanding and the flow is aborted.

Impact:
The iRule event blocks when an RPC call is outstanding and the flow is aborted.

Workaround:
None


609878-8 : Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server

Links to More Info: BT609878

Component: Advanced Firewall Manager

Symptoms:
When loose-init is set, every ACK packet can create a connection, so there is never a "Bad ACK" to drop. This behavior is by design; be aware of the side effects before enabling this option.

Conditions:
This issue is seen when loose-init is enabled on the fastL4 profile and the system is flooded with asymmetric ACK packets (Bad ACKs).

Impact:
Enabling loose initiation may make the system more vulnerable to denial-of-service attacks.

Workaround:
When loose-init is set in the fastL4 profile, also configure a connection limit on the virtual server and an eviction policy to prevent flow-table exhaustion.
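The following audit script is an added illustration, not F5 code: it parses the one-line tmsh listings of fastL4 profiles and virtual servers and reports every virtual server that references a fastL4 profile with loose-initialization enabled but has no connection-limit (absent or 0, which tmsh treats as unlimited). The listings embedded here are constructed samples; on a real system feed it the output of tmsh list ltm profile fastl4 one-line and tmsh list ltm virtual one-line. It checks only the connection-limit half of the workaround; eviction policies are not examined.

```shell
#!/bin/sh
# Added example (not from the F5 release note): flag virtual servers that use
# a loose-init fastL4 profile without a connection-limit, the combination
# bug 609878 warns leaves the flow table open to ACK floods.
# Input is the one-line output of:
#   tmsh list ltm profile fastl4 one-line
#   tmsh list ltm virtual one-line
# supplied here from constructed strings so the check runs offline.

# Print the names of fastL4 profiles whose definition contains
# "loose-initialization enabled".
loose_init_profiles() {
    # $1: one-line fastl4 profile listing
    printf '%s\n' "$1" | awk '
        $1 == "ltm" && $2 == "profile" && $3 == "fastl4" && /loose-initialization enabled/ { print $4 }
    '
}

# Print "<virtual> <profile>" for each virtual server that references one of
# those profiles and whose connection-limit is absent or 0. tmsh omits
# default values, so a missing connection-limit means 0 (unlimited).
audit_loose_init() {
    # $1: fastl4 profile listing, $2: virtual server listing
    profiles="$(loose_init_profiles "$1" | tr '\n' ' ')"
    [ -n "$profiles" ] || return 0
    printf '%s\n' "$2" | awk -v plist="$profiles" '
        BEGIN { n = split(plist, p, " "); for (i = 1; i <= n; i++) loose[p[i]] = 1 }
        $1 == "ltm" && $2 == "virtual" {
            limit = 0
            for (i = 4; i <= NF; i++) if ($i == "connection-limit") limit = $(i + 1) + 0
            if (limit > 0) next
            # Profile references may be partition-qualified (/Common/name);
            # compare on the base name.
            for (i = 4; i <= NF; i++) {
                name = $i; sub(/.*\//, "", name)
                if (name in loose) print $3, name
            }
        }
    '
}

# Constructed sample listings (not captured from a real device).
SAMPLE_FASTL4='ltm profile fastl4 fastL4 { app-service none }
ltm profile fastl4 fastL4_loose { app-service none defaults-from fastL4 loose-initialization enabled loose-close enabled }'
SAMPLE_VIRTUALS='ltm virtual vs_limited { connection-limit 50000 destination 10.0.0.1:80 ip-protocol tcp mask 255.255.255.255 profiles { fastL4_loose { } } source 0.0.0.0/0 }
ltm virtual vs_open { destination 10.0.0.2:80 ip-protocol tcp mask 255.255.255.255 profiles { /Common/fastL4_loose { } } source 0.0.0.0/0 }
ltm virtual vs_strict { destination 10.0.0.3:80 ip-protocol tcp mask 255.255.255.255 profiles { fastL4 { } } source 0.0.0.0/0 }'

# On a real BIG-IP:
#   audit_loose_init "$(tmsh list ltm profile fastl4 one-line)" "$(tmsh list ltm virtual one-line)"
# Against the constructed sample, only vs_open is reported:
audit_loose_init "$SAMPLE_FASTL4" "$SAMPLE_VIRTUALS"
```

A reported virtual server is one where any host that can reach it can create flow-table entries with bare ACKs at line rate; either add a connection-limit to it or, if the loose behaviour is not actually needed, switch it to a fastL4 profile without loose-initialization.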


1284589-1 : HTTP CONNECT request from client is not successful with iRule HTTP::disable discard command

Links to More Info: BT1284589

Component: Local Traffic Manager

Symptoms:
When you use the HTTP::disable discard command, the proxy CONNECT / connection to the server is not established.

Conditions:
-> Basic HTTP virtual server
-> An iRule such as:
when HTTP_REQUEST {
    HTTP::disable discard
    node <ip port>
}

Impact:
HTTP CONNECT requests from clients hang.

Workaround:
Use the HTTP::disable command without the discard argument.


1284261-4 : Constant traffic on DHCPv6 virtual servers may cause a TMM crash.

Links to More Info: BT1284261

Component: Local Traffic Manager

Symptoms:
TMM may crash (core) if there is a constant stream of DHCP traffic from the server toward the clients that never allows a connection timeout.

Conditions:
A constant stream of traffic from the DHCP server that never allows the connection to time out.

Very aggressive lease settings that cause constant lease refreshes are one configuration that can lead to this problem.

Impact:
TMM crashes and a failover occurs.


1284097-1 : False positive 'Illegal cross-origin request' violation

Links to More Info: BT1284097

Component: Application Security Manager

Symptoms:
Under the right configuration, an HTTP request with an HTTPS Origin header may be blocked with an 'Illegal cross-origin request' violation.

Conditions:
A request sent to a virtual server on an HTTP port, with an Origin header whose value uses HTTPS, triggers the violation under the following conditions:
1) The 'Illegal cross-origin request' violation is enabled.
2) Security ›› Application Security : Security Policies : Policies List ›› Auto_Security_Policy_Services ›› Headers ›› Host Names is configured with the Origin header value.
3) The URL to which the request is sent has 'Enforce on ASM' enabled in its 'HTML5 Cross-Domain Request' configuration.

Impact:
The 'Illegal cross-origin request' violation is reported in version 17.1.x but not in version 16.1.x with the same configuration and the same traffic.

Workaround:
Add the HTTPS protocol and the Origin host name to the 'Allowed Origins' list for the desired URL under 'HTML5 Cross-Domain Request'.


1284081-1 : Incorrect Enforcement After Sync

Links to More Info: BT1284081

Component: Application Security Manager

Symptoms:
In some scenarios, configuration updates are not sent to the enforcer, which can cause unexpected enforcement.

Conditions:
A large configuration is synchronized to a device.

Impact:
Incorrect policy enforcement.

Workaround:
1) Apply each policy individually on the affected devices/blades
or
2) Restart ASM on the affected devices and blades


1283749-1 : Systemctl start and restart fail to start the vmtoolsd service

Links to More Info: BT1283749

Component: TMOS

Symptoms:
Because of a dependency on a non-existent unit, systemctl start and restart fail to start the vmtoolsd service.

Following is the reported error:

# systemctl restart vmtoolsd.service
Failed to restart vmtoolsd.service: Unit not found.

systemctl stop is not affected.

Conditions:
BIG-IP VE on VMware.

Impact:
Unable to start/restart the vmtoolsd service.

Workaround:
systemctl restart --ignore-dependencies vmtoolsd.service

or

systemctl start --ignore-dependencies vmtoolsd.service


1283721-1 : Vmtoolsd memory leak

Links to More Info: BT1283721

Component: TMOS

Symptoms:
The vmtoolsd service leaks memory on VMware BIG-IP VE guests when the disk type is IDE or any type other than SCSI.

Conditions:
VMware BIG-IP VE guest
Disk type of IDE or another type that is not SCSI.

Impact:
The VE will eventually run out of memory.

Workaround:
1. Create the file /etc/vmware-tools/tools.conf with the following contents:

[guestinfo]

# disable scan for disk device info
diskinfo-report-device=false


2. Restart the vmtoolsd service:

systemctl restart --ignore-dependencies vmtoolsd.service

NB: "guestinfo" must be all lower case. The workaround does not work if any letter is upper case, including "guestInfo", which was the workaround reported in https://github.com/vmware/open-vm-tools/issues/452.


1282769-1 : Localdb user can change the password of other user

Component: Access Policy Manager

Symptoms:
A user was able to change the password of another user on the logon page when local DB authentication was used.

Conditions:
-- At least one user in the local DB instance is forced to change their password.
-- The virtual server uses a certificate issued by a trusted CA (the issue does not occur if the SSL-VPN virtual server uses a self-signed certificate).

Impact:
User authentication based on the local DB is affected.

Workaround:
None


1282281-5 : Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns

Links to More Info: BT1282281

Component: Application Security Manager

Symptoms:
Roll forward upgrade fails.

The following error message appears in /ts/log/ts_debug.log, and WAF enforcement is incomplete:

----------------------------------------------------------------------
Can't locate object method "id_field" via package "F5::ASMConfig::Entity::ThreatCampaign" (perhaps you forgot to load "F5::ASMConfig::Entity::ThreatCampaign"?) at /usr/local/share/perl5/F5/ImportExportPolicy/Binary.pm line 2171.
----------------------------------------------------------------------

Conditions:
- Roll forward upgrade when there is a policy that has unapplied changes and Threat Campaigns.

Impact:
Incorrect enforcement until workaround is applied.

Workaround:
Reapply each policy.


1282105 : Assertion response attributes parsing issue after upgrade to BIG-IP 17.1.0

Links to More Info: BT1282105

Component: Access Policy Manager

Symptoms:
During SAML authentication, while TMM parses the assertion to extract the attributes and their values, all attribute values are combined into a single string with '|' as the separator and assigned to a single variable, leaving the remaining variables empty.

Conditions:
The incoming attributes in the assertion are treated as multi-valued attributes, so all their values are combined into a single-valued attribute for storage in the SessionDB.

Impact:
All the session variables related to assertion attributes are assigned and stored incorrectly.

Workaround:
None


1281709-4 : Traffic-group ID may not be updated properly on a TMM listener

Links to More Info: BT1281709

Component: Local Traffic Manager

Symptoms:
Some virtual servers may belong to an incorrect traffic-group after a full sync or when an MCP transaction is performed.

Conditions:
- BIG-IP high availability (HA) is configured with full load on sync.
- The traffic-group is changed on a virtual-address that belongs to multiple virtual servers.
- A sync occurs, leaving the device that receives the sync in an incorrect state.

OR

An MCP transaction that updates a virtual-address together with a profile change on a virtual server is executed.

Impact:
Listeners may not belong to the correct traffic group, and traffic is not forwarded.

Workaround:
Use an incremental sync. Do not use MCP transactions.


1281637-2 : When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE

Links to More Info: BT1281637

Component: Local Traffic Manager

Symptoms:
A RST_STREAM is sent from the BIG-IP system to the server after the response is received from the server.

Conditions:
- HTTP/2 full proxy configuration.
- The server sends the DATA frame carrying the END_STREAM flag with a delay.

Impact:
Once the server processes the RST_STREAM, it stops accepting new requests on that connection.

Workaround:
None


1281433-1 : Missing GTM probes on GTM server when an external monitor is attached to an additional pool

Links to More Info: BT1281433

Component: Global Traffic Manager (DNS)

Symptoms:
Incorrect probe behavior when an external monitor is attached to an additional pool.

Conditions:
In a GTM sync group, attach an external monitor to an additional pool.

Impact:
Incorrect GTM server monitoring.

Workaround:
None


1281405-2 : "fipsutil fwcheck -f" command may not return the correct result

Links to More Info: BT1281405

Component: Local Traffic Manager

Symptoms:
The "fipsutil fwcheck -f" command output shows "Firmware upgrade available." even though no firmware upgrade is needed.

Conditions:
All FIPS platforms.

Impact:
Display issue only, with no functional impact. If you attempt the firmware upgrade anyway, it may not work.

Workaround:
Use the command without the "-f" option: fipsutil fwcheck.


1281381-1 : BD fails to load config when the virtual server name is longer than 64 chars

Component: Application Security Manager

Symptoms:
A virtual server name longer than 64 characters causes ASM to restart repeatedly.

Conditions:
A Virtual server name longer than 64 characters.

Impact:
Repeated ASM restarts (ASM restarts in loop).

Workaround:
Use virtual server names that are no longer than 64 characters.


1280813-3 : Illegal URL violation triggered after upgrade due to missing content-profiles in DB

Links to More Info: BT1280813

Component: Application Security Manager

Symptoms:
An Illegal URL violation is triggered for valid/allowed URLs.

Conditions:
NA

Impact:
Illegal URL violation for an allowed URL; the content profile for that URL is missing from the PLC.PL_OBJECT_CONTENT_PROFILES DB table.

Workaround:
- Delete the problematic URL from Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs.
- Recreate the URL.
- Apply the policy.


1280769 : Fipsutil's fwcheck and fwupdate sub-commands show errors when run on R10920 and R5920 tenant.

Component: Local Traffic Manager

Symptoms:
When the fwcheck and fwupdate sub-commands are run, they fail and print error messages:

bigip#fipsutil fwcheck
ERROR: Failed to parse firmware version: CNN35XX-NFBE-FW-2.08-12
ERROR: Firmare version check failed.
bigip#

Conditions:
The fwcheck and fwupdate commands are run on an R10920 or R5920 FIPS tenant.

Impact:
No functional impact; the error messages can be ignored.

Workaround:
Do not run these two commands on R10920 and R5920 FIPS tenants.

To see the current firmware version from the tenant, use "fipsutil info".

To update the firmware on the HSM card, do it from the host system.


1277641 : DoS | i-series | After mitigation of bad destination at profile level, bd_hit is not incrementing for host unreachable vector.

Links to More Info: BT1277641

Component: Advanced Firewall Manager

Symptoms:
This is specific to the iSeries platform.
The bd-related DoS stats increment, but the SPVA bd_hit stat does not.

Conditions:
Sending IPv6 host-unreachable traffic to an iSeries system.

Impact:
The DoS stats are visible, but the SPVA stats are not incremented.

Workaround:
The stats are available in the DoS table.


1274385-1 : BIGIP-DNS GUI delivery summary stats shows incorrect count for "Disabled" GTM listeners

Links to More Info: BT1274385

Component: Global Traffic Manager (DNS)

Symptoms:
Statistics >> Module Stats >> DNS >> Delivery >> Summary - shows the incorrect count for "Disabled" GTM listeners.

Conditions:
One or more virtual servers (which may or may not be GTM (DNS) listeners) exist on the BIG-IP device which are in a disabled state.

These virtual servers incorrectly count towards the count of "Disabled" virtual servers in the GTM Listeners statistics.

Impact:
Unexpected "Disabled" count in the GTM Listeners line of the DNS stats table (in any of the columns).


1273881-3 : TMM crashes while processing traffic on the virtual server

Links to More Info: BT1273881

Component: Access Policy Manager

Symptoms:
TMM crashes while processing traffic on the virtual server.

Conditions:
Network Access resource is configured.

Impact:
TMM crashes leading to disruption in traffic flow.

Workaround:
None


1273161-4 : Secondary blades are unavailable, clusterd is reporting shutdown, and waiting for other blades

Links to More Info: BT1273161

Component: Local Traffic Manager

Symptoms:
On a multi-slot chassis, VCMP guest, or F5OS tenant, clusterd can enter a shutdown state causing some slots to become unavailable.

The event that can cause this is called a partition and occurs when clusterd stops receiving heartbeat packets from a slot over the mgmt_bp interface but is still receiving them over the tmm_bp interface.

Here is the error that is logged when this occurs:

Mar 17 10:38:28 localhost err clusterd[4732]: 013a0004:3: Marking slot 1 SS_FAILED due to partition detected on mgmt_bp from peer 2 to local 1

When this occurs, clusterd enters a shutdown state and at times will never recover.

Here is example output from the tmsh show sys cluster command where clusterd is in the shutdown state yet waiting:

-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 172.0.0.160/23
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 2
Primary Selection Time 03/17/23 10:38:30

  ----------------------------------------------------------------------------------
  | Sys::Cluster Members
  | ID Address Alt-Address Availability State Licensed HA Clusterd Reason
  ----------------------------------------------------------------------------------
  | 1 :: :: unknown enabled false unknown shutdown ShutDown: default/1 waiting for blade 2
  | 2 :: :: available enabled true standby running Run

Conditions:
Multi-slot chassis, VCMP guest, or F5OS tenant.
A blade determines there is a partition where it is receiving cluster packets over the tmm_bp interface but not the mgmt_bp interface.

Impact:
The unavailable slots/blades will not accept traffic.

Workaround:
Running tmsh show sys cluster reports the primary slot and the status of every slot.

For every blade reporting shutdown (or, less likely, initializing) together with "waiting for blade(s)", restart clusterd on that slot with bigstart restart clusterd. Do not restart clusterd on the primary slot.


1273141-1 : GTM pool members are not probed and multiple GTMs are reporting inconsistent status

Links to More Info: BT1273141

Component: Global Traffic Manager (DNS)

Symptoms:
GTM pool members are not probed and multiple GTMs in the same GTM syncgroup report inconsistent status.

Conditions:
1. Create a GTM pool with a pool member disabled.
2. Create another GTM pool with the same monitor and pool member as the previous GTM pool.

Impact:
GTM pool members are marked with an incorrect status that is inconsistent across GTMs.

Workaround:
Use the following command:

# tmsh modify gtm global-settings general monitor-disabled-objects yes

or

Use unique monitor names for pools that have disabled pool members.


1272501-1 : Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure"

Links to More Info: BT1272501

Component: Local Traffic Manager

Symptoms:
Application failures with reset-cause: "F5RST: HTTP redirect rewrite failure".

Conditions:
-- BIG-IP versions 16.0 and above.
-- HTTPS virtual server with redirect-rewrite of HTTP profile set to 'matching'.

Impact:
Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure".

Workaround:
If the URI cannot be parsed, do not configure the rewrite option so that the Location header passes through untouched.


1271469-5 : Failed to install ASU file scheduled for install

Links to More Info: BT1271469

Component: Application Security Manager

Symptoms:
A Live Update installation scheduled for any day at a time between 12:01 AM and 12:14 AM fails.

Conditions:
- ASU file installation scheduled between 12:01 AM and 12:14 AM (scheduled installation only, not automatic or manual installation).

Impact:
BIG-IP does not receive the latest ASU file updates.

Workaround:
Set the installation time after 12:15 AM.


1270989-1 : REST MemcachedClient uses fixed TMM address 127.1.1.2 to connect to memcached

Links to More Info: BT1270989

Component: TMOS

Symptoms:
The RESTcurl command "restcurl -u admin:admin /mgmt/tm/access/session/kill-sessions" returns a "no route to host" error.

Conditions:
Run RESTcurl commands from a vCMP guest to try to kill the session.

Impact:
Attempting to kill sessions returns a 400 "no route to host" error.

Workaround:
None


1270501 : Before upgrade, if log level is configured as debug, then APMD continuously restarts with a coredump

Links to More Info: BT1270501

Component: Access Policy Manager

Symptoms:
If the access policy log level is set to debug and the software is then upgraded, the BIG-IP is rebooted, or APMD is restarted, the APMD process produces a coredump while starting.

Conditions:
1. Configure the HTTP connection and request timeouts in HTTP authentication using TMSH.
2. Set the access policy log level to debug.
3. Upgrade the software, reboot the BIG-IP, or restart APMD.

Impact:
APMD restarts continuously, producing a coredump each time.

Workaround:
Set the access policy log level to a level other than debug.


1270497-3 : MRF SIP/ALG Core dump observed while accessing trans_data in sipmsg_register_ingress_register_request_session_reply_common method

Links to More Info: BT1270497

Component: Service Provider

Symptoms:
TMM generates core file while MRF SIP handles register request.

Conditions:
- SIP ALG configuration with SNAT.

Impact:
TMM generates core file while running SIP traffic with ALG configuration. Traffic is disrupted.

Workaround:
None


1270133-1 : bd crash during configuration update

Component: Application Security Manager

Symptoms:
bd crash occurred during the configuration update.

Conditions:
This issue occurs during configuration update.

Impact:
A bd crash causes failover in a High Availability (HA) pair; on a standalone system it causes the system to go intermittently offline.

Workaround:
None


1269889-1 : LTM crashes are observed while running SIP traffic and pool members are offline

Component: Service Provider

Symptoms:
A crash may occur while processing HTTP traffic that involves a persist record and the use of pick_host; for example:
set dest_host [MR::message pick_host peer

Conditions:
- When all pool members are offline or there are no pool members in the pool.

Impact:
TMM is inoperative while it reloads after the crash.

Workaround:
Avoid using the following pick_host form, particularly with carp:

MR::message pick_host peer <peer-object-name> [carp <carp-key>]


1269773-1 : Convert network-order to host-order for extensions in TLS1.3 certificate request

Links to More Info: BT1269773

Component: Local Traffic Manager

Symptoms:
The network-order length is passed as the argument instead of the host-order length.

Conditions:
- A signature algorithms extension is present in the certificate request message from the server.

Impact:
Handshake fails with illegal parameter alert.

Workaround:
None


1269733-1 : HTTP GET request with headers has incorrect flags causing timeout

Links to More Info: BT1269733

Component: Local Traffic Manager

Symptoms:
The 504 Gateway Timeout pool member responses are generated from a Microsoft webserver handling HTTP/2 requests.

The tcpdump shows that the HTTP/2 stream sends the request without an appropriate End Stream flag on the Headers packet.

Conditions:
The server has to provide settings with max-frame-size small enough to force BIG-IP to split the headers across multiple HTTP/2 frames, otherwise this issue does not occur.

Impact:
The HTTP GET request times out.

Workaround:
None


1269709-4 : GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles

Links to More Info: BT1269709

Component: Local Traffic Manager

Symptoms:
The VDI profile is currently not supported in an HTTP/2 environment, but the BIG-IP GUI displays no warning about this limitation.

Conditions:
Both a VDI profile and an HTTP/2 profile are attached to the VS.

Impact:
The expected error is not displayed in the BIG-IP GUI when both VDI and HTTP/2 profiles are attached to the same VS.

Workaround:
None


1269601-1 : Unable to delete monitor while updating DNS virtual server monitor through transaction

Links to More Info: BT1269601

Component: Global Traffic Manager (DNS)

Symptoms:
Unable to delete monitor while updating DNS virtual server monitor through transaction.

The following message displays:

Command added to the current transaction
Command added to the current transaction
transaction failed: 01070083:3: Monitor /Common/tcp_test is in use.

Conditions:
Using a transaction to update the virtual server monitor and, in the same transaction, delete the monitor that was just detached.

For example:

echo 'create cli transaction; modify /gtm server generc_serv_test virtual-servers modify { test { monitor none }}; delete /gtm monitor tcp tcp_test; submit cli transaction' | tmsh

Impact:
Unable to delete the monitor.

Workaround:
None


1268521-1 : SAML authentication with the VCS fails when launching the applications/remote desktops from the APM Webtop when multiple RD resources are assigned to the APM Webtop

Links to More Info: BT1268521

Component: Access Policy Manager

Symptoms:
User fails to authenticate when VMware VDI with SAML authentication is used with multiple RD resources assigned to Webtop.

Conditions:
1. Webtop is used to connect to a remote desktop.
2. Multiple VCS servers are used.
3. SAML authentication is configured in remote desktop SSO configuration.

Impact:
Remote desktop is not opened.

Workaround:
None


1267845-5 : ISC's internal_current function asserted because ifa_name was NULL

Links to More Info: BT1267845

Component: Global Traffic Manager (DNS)

Symptoms:
named restarts.

Conditions:
- MCPD is down, resulting in a service restart.
- The slot interfaces are down.
- During the restart, named is unable to find the interface and asserts.

Impact:
No impact; this issue occurs only while the services are restarting.

Workaround:
None


1259489-2 : PEM subsystem memory leak is observed when using PEM::subscriber information

Links to More Info: BT1259489

Component: Policy Enforcement Manager

Symptoms:
TMM may show a higher memory allocation in the PEM category observed in the memory_usage_stat table.

Conditions:
- PEM is provisioned.

- PEM iRules are used that access PEM::session or PEM::subscriber information.

Impact:
TMM can have excessive memory consumption.

Workaround:
None


1253449-4 : After publishing, the draft LTM policy configuration might not be updated (intermittently) into the bigip.conf

Links to More Info: BT1253449

Component: TMOS

Symptoms:
Publishing an LTM draft policy and the "save config" operation are not atomic, so a race condition exists. When the save happens first, the issue is observed; otherwise the LTM draft policy is successfully written to the bigip.conf file.

Conditions:
- The command "tmsh load /sys config current-partition" is executed, or the existing system configuration is otherwise loaded from bigip.conf, after publishing the draft LTM policy.

Impact:
Published LTM draft policies are reverted to the draft state.

Workaround:
Perform any one of the following steps immediately after successfully publishing an LTM draft policy:

- Execute the command "tmsh save /sys config current-partition" on the BIG-IP shell.

or

Execute curl -sku $COLON_SEPARATED_USERNAME_PASSWORD https://$HOST/mgmt/tm/sys/config/ -X POST -H "Content-type: application/json" -d '{"command":"save"}'

or

Execute curl -sku $COLON_SEPARATED_USERNAME_PASSWORD https://$HOST/mgmt/tm/util/bash -X POST -H "Content-type: application/json" -d '{"command":"run", "utilCmdArgs":"-c \"tmsh save sys config current-partition\""}'


1252537-4 : Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role

Component: TMOS

Symptoms:
For the Resource Admin role, the reboot and shutdown options are available in the GUI but unavailable in TMSH.

Conditions:
- Resource Admin accessing reboot and shutdown options in TMSH.

Impact:
Limited availability; the Resource Admin is forced to use the GUI.

Workaround:
Resource admin can still use GUI to initiate a reboot or shutdown.


1251105-1 : DoS Overview (non-HTTP) - A null pointer was passed into a function

Links to More Info: BT1251105

Component: Advanced Firewall Manager

Symptoms:
In all BIG-IP 15.1 builds, when the protected object filter is selected on the Security > DoS Overview page, the following error displays:

Error : DoS Overview (non-HTTP) - A null pointer was passed into a function

Schema changes in BIG-IP version 15.1.8 added context_name and context_type to the mcp_network_attack_data_stat_t structure used to report DoS attack stats.

The MCP code that fills in these fields when responding to the stats request was not included, so an attempt to get the stats results in detection of a NULL pointer.

Conditions:
Configure a protection profile.
Create a protected object by attaching the protection profile.
Select protected object filter in DoS Overview (non-HTTP) page.

Impact:
This issue partially prevents use of the GUI.

Workaround:
None


1251013-1 : Allow non-RFC compliant URI characters

Links to More Info: BT1251013

Component: Service Provider

Symptoms:
The MRF parser fails if URIs do not conform to the RFC.
It is required that the parser not validate proper URI formatting, required message headers, and use of defined method names against the RFC.

Conditions:
- SIP URIs are not formatted according to the RFC.

Impact:
The MRF parser allows URI formats that do not comply with the RFC.

Workaround:
None


1250209-1 : The message "ERR: in Graphql disallowed response, pcre is null" appears in BD logs

Links to More Info: BT1250209

Component: Application Security Manager

Symptoms:
The following message can appear in BD logs during response enforcement:

"ERR: in Graphql disallowed response, pcre is null"

Conditions:
Two different GraphQL profiles assigned to two different URLs, one of the profiles has "Block Error Responses" enabled, the other does not.

Impact:
Error message in BD logs.

Workaround:
None


1250077-6 : TMM memory leak

Links to More Info: BT1250077

Component: Global Traffic Manager (DNS)

Symptoms:
TMM leaks memory for Domain Name System Security Extensions (DNSSEC) requests.

Conditions:
DNSSEC signing cannot keep up with incoming DNSSEC requests.

Impact:
TMM memory utilization increases over time, and TMM may eventually crash with Out of Memory (OOM).

Workaround:
None


1249929-2 : Diameter MRF sends CER to pool-member even after peer sent DPR and force-offline the pool member

Links to More Info: BT1249929

Component: Service Provider

Symptoms:
If Disconnect Peer Action is configured to force-offline and the server peer sends a Disconnect Peer Request (DPR), MRF forces the pool member offline as expected. However, MRF continues to send CER toward the pool member, meaning it is still trying to connect to the forced-offline peer, and it also sends DPR toward the pool member.

Conditions:
In the Diameter session profile, Disconnect Peer Action is configured to force-offline.

Impact:
Unnecessary CER and DPR messages are sent toward the down pool member.

Workaround:
Set auto-initialization to disabled in the Diameter peer, if that is compatible with your requirements.


1245209-1 : Introspection query violation is reported regardless of the flag status

Links to More Info: BT1245209

Component: Application Security Manager

Symptoms:
The "GraphQL Introspection Query" violation is reported even though introspection queries are allowed.

Conditions:
In the GraphQL profile, both "Allow Introspection Queries" and "Maximum Query Cost" are enabled.

Impact:
The "GraphQL Introspection Query" violation is reported while the "Allow Introspection Queries" flag is enabled.

Workaround:
None


1240937-4 : The FastL4 TOS specify setting towards server may not function for IPv6 traffic

Links to More Info: BT1240937

Component: Local Traffic Manager

Symptoms:
The ip-tos-to-server setting in a FastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a serverside flow. There are three special values: mimic, pass-through, and specify.

The "specify" setting causes the TMM to set the egress TOS to the specific value configured from GUI for that connflow.

The IPv6 serverside egress TOS is not set to the expected "specify" value. No issue is observed with IPv4 connflow.

Conditions:
- FastL4 profile with ip-tos-to-client set to "specify" with a value.
- Connflow is IPv6.

Impact:
The IPv6 serverside egress TOS is not set to the expected value.

Workaround:
None


1239901-3 : LTM crashes while running SIP traffic

Component: Service Provider

Symptoms:
LTM crashes are observed while running SIP traffic.

Conditions:
A crash may occur while processing HTTP traffic that involves a persist record and the use of pick_host; for example:
set dest_host [MR::message pick_host peer

Impact:
TMM is inoperative while it reloads after the crash.

Workaround:
Avoid using the following pick_host form, particularly with carp:

MR::message pick_host peer <peer-object-name> [carp <carp-key>]


1239297 : TMM URL web scraping limit not synced to secondary slot 2 in VIPRION chassis

Links to More Info: BT1239297

Component: Application Security Manager

Symptoms:
Web scraping requests pass even when the threshold is reached in a High Availability (HA) configuration. Some packets are blocked while others are passed.

Conditions:
Configure web scraping microservices in high availability (HA) mode on some F5 hardware. Send web scraping requests and check whether they are blocked.

Impact:
Web scraping requests can pass even when the requests threshold is reached.

Workaround:
None


1238897-1 : TMM TCL interpreter's non-TMM "compat" memcasechr broken in 64-bit build

Links to More Info: BT1238897

Component: Local Traffic Manager

Symptoms:
TMM's base TCL interpreter (tmm_tcl) is used both in TMM and in non-TMM environments such as APMD. TMM has its own implementation of memcasechr, which is preferred to the "compat" implementation in the TCL interpreter itself, because TMM statically links tmm_tcl while non-TMM users link it dynamically.

Conditions:
The following VPE rule does not work (the -nocase option):

expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}

Impact:
The memcasechr function is broken in the 64-bit build.

The following VPE rule does not work (the -nocase option):

expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}

Workaround:
Change the VPE rule to the following:

expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}


1238629-2 : TMM core when client sends nxdomain query with BA enabled

Links to More Info: BT1238629

Component: Advanced Firewall Manager

Symptoms:
NXDOMAIN queries cause a TMM crash when a validating resolver or resolver cache type is enabled.

Conditions:
A client sends an NXDOMAIN query while BA and a DNS cache are enabled.

Impact:
The NXDOMAIN vector does not work when BA/BD is enabled.

Workaround:
None


1238529-3 : TMM might crash when modifying a virtual server in low memory conditions

Links to More Info: BT1238529

Component: Local Traffic Manager

Symptoms:
Messages similar to the following are seen in the LTM log:
Feb 1 14:17:09 BIG-IP err tmm[1139]: 01010008:3: Listener config update failed for /Common/virtual: ERR:ERR_MEM

TMM restarts and writes a core file.

Conditions:
- Low memory available in TMM.
- A virtual server modification is made.

Impact:
Traffic is interrupted while TMM writes a core file and restarts.

Workaround:
None


1238413-4 : The BIG-IP might fail to update ARL entry for a host in a VLAN-group

Links to More Info: BT1238413

Component: Local Traffic Manager

Symptoms:
ARP requests through a transparent or translucent VLAN-group might fail.

The command "tmsh show net arp" displays the VLAN as the VLAN-group rather than a child VLAN. This symptom might be intermittent.

Conditions:
- A transparent or translucent VLAN-group is configured.

- ARP requests passing through the VLAN-group.

- Long gaps (approximately 9 hours) in layer 2 traffic seen by the BIG-IP from the target of the ARP request.

Impact:
ARP resolution failure.

Workaround:
Create a monitor on the BIG-IP that monitors the target of the ARP resolution. This ensures that layer 2 traffic from that host is seen by the BIG-IP, keeping the ARL entries current.


1238249-5 : PEM Report Usage Flow log is inaccurate

Links to More Info: BT1238249

Component: Policy Enforcement Manager

Symptoms:
The PEM Report Usage Flow log sometimes reports Flow-duration-seconds and Flow-duration-milli-seconds incorrectly.

Conditions:
- HSL logging is configured.

Impact:
The reported flow duration is longer than the actual duration; this shows incorrect data and can affect policy behaviour.

Workaround:
None


1235337-2 : The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL

Links to More Info: BT1235337

Component: Application Security Manager

Symptoms:
The 'JSON profile' with 'JSON schema validation' is not created for OpenAPI parameters that have a 'body' location and a 'schema' definition whose type is 'array' (if the type is 'object', the 'JSON profile' is created properly).

Conditions:
OpenAPI parameter with 'body' location having schema type 'array'.

Impact:
Some OpenAPI parameters will not include JSON content profile validation.

Workaround:
JSON content profile with JSON schema validation can be created manually after creating a security policy from the OpenAPI file.


1232977-4 : TMM leaking memory in OAuth scope identifiers when parsing scope lists

Links to More Info: BT1232977

Component: Access Policy Manager

Symptoms:
oauth_parse_scope fails to increment the index when storing discrete scope identifiers into the output array. As a result, all scope identifiers are stored in element 0, and all but the last one parsed are leaked.

Conditions:
OAuth is in use and a scope is provided in the request, so scope comparisons occur.

Impact:
Failure of High Availability (HA) due to memory issues in TMM over time.

Workaround:
None


1229369-4 : The fastl4 TOS mimic setting towards client may not function

Links to More Info: BT1229369

Component: Local Traffic Manager

Symptoms:
The ip-tos-to-client setting in a fastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a clientside flow. There are two special values - 'mimic' and 'pass-through'.

The mimic setting causes tmm to set the egress TOS to the value seen on the last ingress packet for that connflow.

In affected versions of BIG-IP, this is not set correctly, and it behaves like pass-through (using the TOS value seen arriving on the serverside flow).

Conditions:
FastL4 profile with ip-tos-to-client set to "mimic" (shown as the value 65534 in tmsh).

Impact:
The clientside egress TOS is not set to the expected value.

Workaround:
Use an iRule to set IP::tos to the desired value. Note that processing every packet with an iRule incurs a performance penalty.


1229325-1 : Unable to configure IP OSPF retransmit-interval as intended

Links to More Info: BT1229325

Component: TMOS

Symptoms:
The CLI configuration of OSPF retransmit-interval results in an error when the retransmit-interval value is less than 5 seconds.

Conditions:
- Configure IP OSPF retransmit-interval.

Impact:
The CLI returns an error even when the IP OSPF retransmit-interval value is within range.

Workaround:
None


1226121-5 : TMM crashes when using PEM logging enabled on session

Links to More Info: BT1226121

Component: Policy Enforcement Manager

Symptoms:
TMM may crash when using PEM logging.

Conditions:
When a session has PEM logging enabled:
pem global-settings subscriber-activity-log

Impact:
TMM crashes and restarts, losing all prior connections.

Workaround:
Disabling PEM logging on sessions will avoid the issue.


1225061-1 : The zxfrd segfault with numerous zone transfers

Links to More Info: BT1225061

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd occasionally enters a restart loop with core files.

Conditions:
Numerous DNS Express zones are doing zone transfers at the same time.

Impact:
zxfrd restart loops or cores.

Workaround:
Do not add a large number of DNS Express zones at the same time, and reduce the total number of DNS Express zones.


1218813-6 : "Timeout waiting for TMM to release running semaphore" after running platform_diag

Links to More Info: BT1218813

Component: Access Policy Manager

Symptoms:
platform_diag might not complete properly, leaving TMM in an inoperative state. A 'bigstart restart' is required to recover.

Conditions:
Running the platform_diag tool on a platform licensed with URL filtering.

Impact:
Unable to run the platform_diag tool. TMM remains inoperative.

Workaround:
Open /etc/bigstart/scripts/urldb and modify the dependency list to be:

# wait for processes we are dependent on
depend ${service} mcpd running 1 ${start_cnt}
require ${service} urldbmgrd running 1 ${start_cnt}
require ${service} tmm running 1 ${start_cnt}

Then restart urldb:

> bigstart restart urldb


1217549-4 : Missed ASM Sync on startup

Links to More Info: BT1217549

Component: Application Security Manager

Symptoms:
In some deployment environments, if a device is configured to be part of a device-group before ASM startup has finished initializing, it may miss the initial sync from its peer and not re-request it until another event happens in the system.

Conditions:
Devices are in an auto-sync ASM enabled device-group and a new device is brought into the device-group while initializing the device settings.

Impact:
The devices are out of sync until another action occurs and the sync is requested again.

Workaround:
Restarting ASM on the affected device, or causing another sync event, resolves the issue.


1217473-1 : All the UDP traffic is sent to a single TMM

Links to More Info: BT1217473

Component: TMOS

Symptoms:
BIG-IP dataplane's VMXNET3 driver implementation is missing the Receive Side Scaling (RSS) support for the User Datagram Protocol (UDP) available as part of the VMXNET3 version 4.

Conditions:
A BIG-IP VE instance is running on a VMware host and handling UDP traffic.

Impact:
Traffic is not distributed evenly across all TMMs; instead, all of the UDP traffic is sent to a single TMM.

Workaround:
None


1217297 : Removal of guestagentd service from the list of services running inside a tenant.

Links to More Info: BT1217297

Component: TMOS

Symptoms:
The guestagentd service runs inside a tenant deployed on a VELOS or rSeries platform.

Conditions:
Install a tenant on a VELOS or rSeries platform.

Impact:
No impact

Workaround:
NA


1217077-1 : Race condition processing network failover heartbeats with timeout of 1 second

Links to More Info: BT1217077

Component: TMOS

Symptoms:
Unexpected failover or log messages similar to the following:
sod[1234]: 010c0083:4: No failover status messages received for 1.100 seconds, from device bigip02(192.0.0.1) (unicast: -> 192.0.0.2)

Conditions:
- HA configuration with network failover configured.
- DB variable 'failover.nettimeoutsec' set to a value of 1 second.

Impact:
A failover event could impact traffic flow.

Workaround:
Following the recommended practice of configuring network failover addresses with both the Management IP and Self IP addresses reduces the chance of an unexpected failover. Log messages may still be observed.

Setting the DB variable 'failover.nettimeoutsec' to a value of 2 or greater should avoid the issue.


1216297-3 : TMM core occurs when disabling ASM on the request_send event

Component: Application Security Manager

Symptoms:
When an iRule that disables ASM on the request_send event is added, TMM cores.

Conditions:
ASM is provisioned and attached to a policy.
An iRule that disables ASM and HTTP on the HTTP_REQUEST_SEND event is added.

Impact:
TMM cores, system is down.

Workaround:
Remove the iRule, or disable ASM for all events of the URL.


1215613-3 : ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address

Links to More Info: BT1215613

Component: TMOS

Symptoms:
In /var/log/ltm the following error is logged:

0107146f:3: Self-device config sync address cannot reference the non-existent Self IP (10.155.119.13); Create it in the /Common folder first.

Conditions:
- In a High Availability (HA) system, the ConfigSync-IP is set to an IPv6 management address:
[root@00327474-bigip1:Standby:Disconnected] config # tmsh list cm device | grep -iE 'cm device|configsync-ip'
cm device 00327474-bigip1.lucas {
    configsync-ip 10.155.119.12
cm device 00327474-bigip2.lucas {
    configsync-ip 2001:dead:beef::13 <<-------


- The ConfigSync-IP is modified to IPv4:

tmsh modify cm device 00327474-bigip2.lucas configsync-ip 10.155.119.13

Impact:
The device cannot be configured with an IPv4 ConfigSync-IP once an IPv6 one has been configured.

Workaround:
None


1215401-2 : Under Shared Objects, some country names are not available to select in the Address List

Component: Advanced Firewall Manager

Symptoms:
Users can create a shared object list to define countries to block traffic from. On searching for a name, a list is shown from which the user can choose an entry and add it to the address list.

There is a limit of only 8 entries in the drop-down menu to choose from.

Some countries are not shown in this list due to the ordering of entries returned from the database.

Conditions:
DoS is enabled.

Impact:
As some countries are not available to select, they cannot be included in the Address List to block traffic.

Workaround:
Instead of the country (which is not available to select), all the regions within the country can be added to the block list. This is cumbersome and error-prone, as the user must know which regions of the country are configurable in BIG-IP.


1215161-4 : A new CLI option introduced to display rule-number for policy, rules and rule-lists

Links to More Info: BT1215161

Component: Advanced Firewall Manager

Symptoms:
If a large number of rules and rule-lists are configured, it takes more than 10 minutes to display the output with rule-numbers.
For example:
tmsh - "list security firewall rule-list"
icrd - "restcurl -u admin /tm/security/firewall/rule-list"

AFM service discovery of BIG-IP fails in BIG-IQ when upgraded to a newer version.

Conditions:
- AFM license is enabled.
- A large number of rules and rule-lists are configured.

Impact:
AFM service discovery from BIG-IQ fails on upgrade.

Workaround:
-


1213469-5 : MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP dropped

Links to More Info: BT1213469

Component: Service Provider

Symptoms:
BIG-IP does not translate the SDP or Via header IP with the listener IP for an outbound call, which causes the 200 OK response to be dropped.

Conditions:
In SIP ALG, INVITE request with FQDN Route header.

Impact:
Media pinholes are not created for INVITE.

Workaround:
In the SIP_REQUEST event, the specific Route header can be removed and then inserted again in the SIP_REQUEST_SEND event before the request is sent out. For example:

when SIP_REQUEST {
    # Remember the Route header so it can be restored before the request is sent
    set pd_route_hdr_count [SIP::header count Route]
    set pd_route_unset 0
    set pd_route [SIP::header Route]

    # Only strip the single FQDN Route header of an INVITE
    if {[SIP::method] == "INVITE" && ($pd_route_hdr_count equals 1) && $pd_route contains "sip:total.acc.nl;lr" } then {
        SIP::header remove "Route"
        set pd_route_unset 1
    }
}

when SIP_REQUEST_SEND {
    # Put the Route header back after the ALG has processed the SDP
    if {[SIP::method] == "INVITE" && ($pd_route_unset == 1)} then {
        SIP::header insert "Route" $pd_route
    }
}


1212081-5 : The zxfrd segfault and restart loop due to incorrect packet processing

Links to More Info: BT1212081

Component: Global Traffic Manager (DNS)

Symptoms:
The zxfrd daemon is in a restart loop and produces core files.

Conditions:
When no zone transfer is in progress, zxfrd cores while performing packet processing.

Impact:
DNS express does not work properly.

Workaround:
None


1211985-6 : BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring

Links to More Info: BT1211985

Component: In-tmm monitors

Symptoms:
When configured with a high number of In-TMM monitors and a high portion are configured as either Reverse monitors or as monitors using the Receive Disable field, the BIG-IP may not mark Nodes and Pool Members DOWN immediately once the configured timeout lapses for non-responsive targets.

Conditions:
This may occur when both:
- In-TMM monitoring is enabled through sys db bigd.tmm.
- A portion of the monitors are configured as Reverse monitors or use the Receive Disable field.

Impact:
Non-Responsive Nodes or Pool Members may not be marked DOWN.

Workaround:
You can work around this issue by disabling In-TMM monitoring, at the expense of decreased monitoring performance (higher CPU usage by the bigd daemon).


1211905-3 : Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts"

Links to More Info: BT1211905

Component: Application Security Manager

Symptoms:
Unable to import the XML format policy.

Conditions:
Having an XML policy with violation_rating_counts elements.

Impact:
Unable to import XML policy.

Workaround:
1) Remove the elements from an exported policy file.

sed -i '/<violation_rating_counts\/>/d' *xml

2) Import the policy again.
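As an added example (not part of the F5 release note), the following Python script removes every violation_rating_counts element from an exported policy file, whether it is self-closing or carries content, which the single-line sed above does not cover; the sample policy XML is constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of an exported ASM policy fragment (not a real export):
# one self-closing element at the top level and one nested element with content.
SAMPLE_POLICY_XML = """<policy>
  <general>
    <name>sample_policy</name>
  </general>
  <violation_rating_counts/>
  <violations>
    <violation>
      <name>VIOL_COOKIE_MALFORMED</name>
      <violation_rating_counts><count>3</count></violation_rating_counts>
    </violation>
  </violations>
</policy>
"""

TARGET_TAG = "violation_rating_counts"


def strip_elements(xml_text, tag=TARGET_TAG):
    """Return (cleaned_xml, removed_count) with every <tag> element removed
    from anywhere in the tree. Parsing the XML rather than matching lines
    means nested elements and elements with content are handled too."""
    root = ET.fromstring(xml_text)
    removed = 0
    # Snapshot the tree walk first so removals do not disturb the iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == tag:
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def strip_file(path, tag=TARGET_TAG):
    """Rewrite the exported policy file in place and return how many
    elements were removed, so the operator can confirm the change took effect."""
    with open(path, encoding="utf-8") as fh:
        cleaned, removed = strip_elements(fh.read(), tag)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="UTF-8"?>\n' + cleaned)
    return removed


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for policy_file in sys.argv[1:]:
            print(f"{policy_file}: removed {strip_file(policy_file)} element(s)")
    else:
        cleaned, removed = strip_elements(SAMPLE_POLICY_XML)
        print(f"removed {removed} element(s)\n{cleaned}")
```

Run it with the exported .xml files as arguments, then import the cleaned policy as in step 2.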


1211617-2 : High CPU utilisation observed during startup when forced BIG-IP system set offline

Links to More Info: BT1211617

Component: TMOS

Symptoms:
When BIG-IP is restarted, TMM0 is consuming extremely high CPU.

Conditions:
The BIG-IP system was forced offline (sys failover offline), the configuration was saved, and the system is then restarted.

Impact:
Box is slow to respond. The impact is minor because the box is in offline state.

Workaround:
None


1211297-1 : Handling DoS profiles created dynamically using iRule and L7Policy

Component: Anomaly Detection Services

Symptoms:
Persistent connections carrying HTTP requests that may switch DoS policy following a dynamic policy change (using an iRule or L7Policy) can cause a TMM crash.

Conditions:
A request arrives to BIG-IP and is waiting to be served (it is delayed using iRule), however, if the DoS profile is unbound during that time from the virtual server and a dynamic DoS profile change decision is made, it could potentially cause the request to be incorrectly associated with a context that has already been freed.

Impact:
In a few scenarios, when the DoS policy is changed during the connection lifetime, TMM might crash.

Workaround:
None


1211189-4 : Stale connections observed and handshake failures observed with errors

Links to More Info: BT1211189

Component: Local Traffic Manager

Symptoms:
SSL handshake fails.
Invalid or expired certificates are being used in the handshake.

Conditions:
- When the certificates in BIG-IP are expired and being renewed remotely.
- When the clientssl or serverssl profiles are dynamically being attached to a virtual server through iRule.

Impact:
SSL handshake fails.
Virtual server (SSL profiles) use old or expired certificates.

Workaround:
Restart the TMM or BIG-IP to resolve the issue temporarily (until next expiry time of the certificates).


1211089-4 : Traffic to IPv6 all nodes address not received by TMM on VE with ixlv driver

Links to More Info: BT1211089

Component: TMOS

Symptoms:
Traffic sent to the IPv6 all nodes multicast address is not seen by TMM.

Conditions:
A virtual environment utilizing TMM's ixlv driver.
Traffic is sent to the IPv6 all nodes multicast address.

Impact:
TMM fails to receive and process traffic to the IPv6 all nodes multicast address.

Workaround:
None


1210569-1 : User defined signature rule disappears when using high ASCII in rule

Links to More Info: BT1210569

Component: Application Security Manager

Symptoms:
WebUI display is empty.

Conditions:
When the configured rule has high ASCII (greater than 127) value.

Impact:
Unable to see the rule in webUI.

Workaround:
Use the following steps:

1. Navigate to Security > Options > Application Security > Attack Signatures.

2. Create a new signature in Advanced Edit Mode. After setting, confirm the setting value with the developer tool.

3. Add it to the signature set (backed by actual signature detection confirmation).

4. Remove the old signatures from signature set.


1210469-1 : TMM can crash when processing AXFR query for DNSX zone

Links to More Info: BT1210469

Component: Local Traffic Manager

Symptoms:
TMM crash with SIGABRT and multiple log messages with "Clock advanced by" messages.

Conditions:
Client querying AXFR to a virtual server or wideip listener that has DNSX enabled in the DNS profile and has a large amount of DNSX zones with a large amount of resource records.

Impact:
TMM cores and runs slow with "Clock advanced by" messages.

Workaround:
Disable zone transfer for the DNS profile associated with the virtual server.


1210321-2 : Parameters are not created for properties defined in multipart request body when the URL includes a path parameter

Links to More Info: BT1210321

Component: Application Security Manager

Symptoms:
Security policy parameters are not created for OpenAPI schema properties in multipart request body section.

Conditions:
A request body is defined for a URL that includes a path parameter.

Impact:
Some parameters defined by OpenAPI file will not be created in security policy.

Workaround:
Missing parameters must be created manually through the GUI, REST, or TMSH.


1210053-3 : The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error

Links to More Info: BT1210053

Component: Application Security Manager

Symptoms:
In case of Leaked Credential server error, there is an internal parameter to raise Leaked Credentials Violation:
cred_stuffing_fail_open (default value is not to raise violation)
Changing the internal parameter value does not trigger the violation.

Conditions:
- ASM is provisioned.
- WAF Policy is attached to virtual server with Credential Stuffing enabled.
- Internal Parameter cred_stuffing_fail_open is set to 0.
- A server error (or timeout) occurred during leaked credential check.

Impact:
Leaked Credential violation is not raised.

Workaround:
None


1209945-2 : Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs

Links to More Info: BT1209945

Component: Local Traffic Manager

Symptoms:
In a case where traffic is not properly egressing a BIG-IP tenant running on rSeries or VELOS platforms, if any TMM log file contains any line with the text "notice SEP: Tx completion failed", that tenant VM may need to be manually restarted. The BIG-IP is unable to detect the traffic degradation automatically and recover or fail-over; the user must manually intervene to restart the tenant.

Conditions:
This is specific to rSeries and VELOS platforms, and does not affect other BIG-IP platforms or virtual editions.

Egress traffic from the affected tenant may appear to be degraded or non-functional. There may be a high number of transmit packet drops.

Check the tenant TMM log files for any line containing the text "notice SEP: Tx completion failed" (which may include additional trailing text). The log files of concern reside in the tenant at paths:
/var/log/tmm*

Impact:
Egress traffic may be severely degraded until the tenant with the offending log messages is manually restarted.

Workaround:
Restart the tenant VM by moving the tenant from deployed -> provisioned -> deployed in the partition or system ConfD command line interface.

Alternatively, issue the "reboot" command from the tenant bash shell.


1209709-5 : Memory leak in icrd_child when license is applied through BIG-IQ

Links to More Info: BT1209709

Component: TMOS

Symptoms:
The memory use for icrd_child may slowly increase, eventually leading to an OOM condition.

Conditions:
License applied through BIG-IQ.

Impact:
Higher than normal control-plane memory usage, possible OOM related crash.

Workaround:
Periodically kill the icrd_child processes. The restjavad will restart them automatically.


1209589-5 : BFD multihop does not work with ECMP routes

Links to More Info: BT1209589

Component: TMOS

Symptoms:
BFD multihop does not work with ECMP routes. TMMs are unable to agree on session ownership and drop the session after 30 seconds.

Conditions:
On a multi-TMM box, configure BFD multihop peer reachable over ECMP route.

Impact:
BFD multihop does not work with ECMP routes and the BFD session is dropped every 30 seconds.

Workaround:
None


1207821-1 : APM internal virtual server leaks memory under certain conditions

Links to More Info: BT1207821

Component: Access Policy Manager

Symptoms:
Memory leaks are observed while passing traffic in the internal virtual server used for APM.

Client/Backend is slow in responding to packets from the BIG-IP. Congestion is observed on the network which prompts BIG-IP to throttle egress.

Conditions:
- Traffic processing in the internal virtual server used for APM.

Impact:
TMM memory grows over time, which leads to TMM running out of memory and eventually restarting. Traffic is disrupted when TMM restarts.

Workaround:
None


1207381 : PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored

Links to More Info: BT1207381

Component: Policy Enforcement Manager

Symptoms:
In the following example, a PEM policy rule flow filter matches the traffic from any source address and any port, to any destination address and port 81 (the port number is an example):

Source Address    Source Port     VLAN     Destination Address      Destination Port
0.0.0.0/0         0               ANY      0.0.0.0/0                81

When the rule is updated through the GUI or CLI to match traffic from any source address and any port, to any destination address and any port:

Source Address    Source Port     VLAN     Destination Address      Destination Port
0.0.0.0/0         0               ANY      0.0.0.0/0                0

The updated rule is correctly saved into the configuration as shown by the GUI and the CLI, but the new flow filter does not filter the traffic as expected.

The actual flow filter being applied is still the one from the previous version of the policy rule (destination port 81 in the example).

Conditions:
An existing PEM policy rule flow filter that is updated through GUI or CLI selecting Source Port '0' ('any') and/or destination port '0' ('any').

Impact:
The updated flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule.

Workaround:
- Restart TMM to make the updated flow filter effective.

or

- Remove the flow filter altogether instead of replacing it with a filter like '0.0.0.0/0:0 --> 0.0.0.0/0:0' .
The intended result is the same: the rule will catch all traffic.

or

- Create a new additional rule with port number 0 and place it at a higher precedence (under the same policy).
    - For example, rule with precedence 10 allow flow for port 80 (instead of modifying this rule) and
    - Create a new rule with precedence 9 to allow flow for port "0" and delete the old rule.


1205501-4 : The iRule command SSL::profile can select server SSL profile with outdated configuration

Links to More Info: BT1205501

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, a server SSL profile selected by an iRule can send a previously configured certificate to the peer.

Conditions:
The iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made to the profile.

Impact:
The TLS handshake may use an outdated certificate that does not match the current configuration, potentially leading to handshake failures.

Workaround:
Terminate all traffic running on the virtual servers that are using the iRule command for the update to take effect.

or

Do not make changes to a profile that is actively being used by the iRule command.


1205045-6 : WMI monitor does not put pool members into an offline/unchecked state when BIG-IP receives HTTP responses other than 200

Links to More Info: BT1205045

Component: Local Traffic Manager

Symptoms:
With no credentials, WMI monitor status still displays "UP".

Conditions:
With no credentials or stale/expired credentials, the WMI monitor status displays "UP".

Impact:
The user is misinformed about the status of the WMI monitor.

Workaround:
None


1199025-3 : DNS vectors auto-threshold events are not seen in webUI

Links to More Info: BT1199025

Component: Advanced Firewall Manager

Symptoms:
No option to see DNS auto-threshold event logs from webUI.

Conditions:
- DNS profile configured with fully automatic mode.

Impact:
DNS auto-threshold event logs are not visible from webUI.

Workaround:
None


1196537-5 : BD process crashes when you use SMTP security profile

Links to More Info: BT1196537

Component: Application Security Manager

Symptoms:
The BD process may crash when an SMTP security profile is attached to a virtual server, and the SMTP request is sent to the same virtual server.

Conditions:
- SMTP security profile is attached to VS
- SMTP request is sent to VS

Impact:
Intermittent BD crash

Workaround:
N/A


1196477-8 : Request timeout in restnoded

Links to More Info: BT1196477

Component: Device Management

Symptoms:
The following exception can be observed in the restnoded log:

Request timeout., stack=Error: [RestOperationNetworkHandler] request timeout.
At ClientRequest. <anonymous> (/usr/share/rest/node/src/infrastructure/restOperationNetworkHandler.js:195:19)

Conditions:
When BIG-IP is loaded with a heavy configuration.

Impact:
SSL Orchestrator deployment will not be successful.

Workaround:
1. mount -o remount,rw /usr
2. In getDefaultTimeout : function() at /usr/share/rest/node/src/infrastructure/restHelper.js, replace 60000 with the required timeout.
3. bigstart restart restnoded
4. mount -o remount /usr


1196185-1 : Policy Version History is not presented correctly with scrolling

Links to More Info: BT1196185

Component: Application Security Manager

Symptoms:
When a longer version history is available, the modal window becomes scrollable and gets distorted.

Conditions:
- Apply Policy multiple times.
- Open Policy Version History in General Settings -> Version -> Date Link.

Impact:
Policy history modal window gets distorted.

Workaround:
None


1196053-4 : The autodosd log file is not truncating when it rotates

Links to More Info: BT1196053

Component: Advanced Firewall Manager

Symptoms:
The autodosd log file size increases continuously even though log rotation occurs every hour.

Conditions:
- DoS profiles (at device or virtual server level) are configured in fully automatic mode; the autodosd daemon calculates the thresholds periodically and writes the relevant entries to the log file.

Impact:
Logs are not truncated as expected. The autodosd log file size continues to increase even though it is rotated every hour.

Workaround:
Restarting autodosd daemon will truncate the log file content to zero.


1194173-5 : BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value

Component: Application Security Manager

Symptoms:
Attack signature check is not run on normalised parameter value.

Conditions:
- A parameter with location configured as a cookie is present in the parameters list.
- Request contains the explicit parameter with URL encoded base64 padding value.

Impact:
- Attack signature not detected.

Workaround:
None


1190765-1 : VelOS | Zone Base DDOS | Aggregation, BD | Seeing Entries in sPVA Registers are not getting reset once the attack is completed

Component: Advanced Firewall Manager

Symptoms:
On the VELOS platform, the idle timeout for hardware entries is 5 minutes (hardware eviction timeout). However, deleting the VS/Zone configuration should initiate eviction immediately (software eviction). In this case, the eviction does not happen as expected and the entry continues to stay in sPVA for some time.

Conditions:
This issue happens when Zone-based DDoS with Aggregation or BD is configured on the VELOS platform.

Impact:
This issue causes the sPVA entries to stay for 5 minutes (idle eviction timeout) even after the corresponding Zone configuration is deleted.

Workaround:
Not available


1190365-1 : OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly

Links to More Info: BT1190365

Component: Application Security Manager

Symptoms:
The method used by ASM enforcer to serialize an OpenAPI object configured with "style:form", "explode:true", and "type:object" is not functioning as expected.

Conditions:
Repeated occurrences of parameter names in the query string, with an OpenAPI file that configures the parameter with "type:object/explode:true/style:form".

Impact:
The violation "JSON data does not comply with JSON schema" is raised due to the repeated parameters from the query string with "array" configuration.

Workaround:
None


1190353-4 : The wr_urldbd BrightCloud database downloading from a proxy server is not working

Links to More Info: BT1190353

Component: Policy Enforcement Manager

Symptoms:
Downloading BrightCloud database is not working with the proxy.

Conditions:
BrightCloud database download through Proxy management.

Impact:
URL categorization is disrupted because the database is not downloaded.

Workaround:
None


1189949-4 : The TMSH sys core is not displaying help and tab complete behavior

Links to More Info: BT1189949

Component: TMOS

Symptoms:
The help and tab complete options are not displayed when TMSH sys core commands are executed.

Conditions:
For example, execute following commands:

tmsh sys core modify tmm-manage ?

tmsh sys core modify tmm-manage TABC

Impact:
The help and tab complete options are not displayed.

Workaround:
None


1189865-5 : "Cookie not RFC-compliant" violation missing the "Description" in the event logs

Links to More Info: BT1189865

Component: Application Security Manager

Symptoms:
When a request is blocked due to the "Cookie not RFC-compliant" violation, the description field in the request log details is shown as "N/A" instead of the actual description (for example "Invalid equal sign preceding cookie name" or "Invalid space in cookie name").

Conditions:
A request is blocked due to the "Cookie not RFC-compliant" violation and the request log details are viewed.

Impact:
The description is empty, so the cause of the violation cannot be determined from the request log.


1189513-6 : SIP media flow pinholes are not created if an SDP MIME multipart body part misses the content-length header

Links to More Info: BT1189513

Component: Service Provider

Symptoms:
SIP MRF fails to extract the SDP data and does not create media flow pinholes if the SDP Multipurpose Internet Mail Extensions (MIME) multipart body is generated without a content-length header.

Conditions:
An INVITE message contains a MIME multipart payload whose body parts lack the content-length header.

Impact:
Media flow pinholes are not created.

Workaround:
None


1186925-6 : When FUA in CCA-i, PEM does not send CCR-u for other rating-groups

Links to More Info: BT1186925

Component: Policy Enforcement Manager

Symptoms:
When a Final Unit Action (FUA) is received in CCA-i, traffic is immediately blocked for that rating-group.
However, PEM no longer sends CCR-u for the other rating-groups, which causes traffic for all other rating-groups to pass through.
If the FUA is received in CCA-u, everything works as expected.

Conditions:
When FUA is received in CCA-i.

Impact:
PEM receives FUA redirect first and ignores further requests.

Workaround:
Use an iRule to remove FUA from CCA-i.


1186401-4 : Using REST API to change policy signature settings changes all the signatures.

Links to More Info: BT1186401

Component: Application Security Manager

Symptoms:
When you use iControl REST to modify the signatures associated with a policy, the modifications are applied to all the signatures.

Conditions:
-- Create a policy named 'test'.

-- Associate a signature set such as "SQL Injection Signatures" to the policy.
   For example, remove the "Generic Detection Signatures (High/Medium Accuracy)" set.

-- Look at the low-risk signatures associated with the policy.
   Command:
     curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' | jq . | head

-- Turn off staging for these signatures:
   Commands:
     curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": false }' -X PATCH | jq . | head
     curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": true }' -X PATCH | jq . | head

-- The "totalItems" field shows that 187 signatures were changed.

Impact:
The user was unable to leverage the REST API to make the desired changes to the ASM signature policy.

Workaround:
Add 'inPolicy eq true' to the filter
  Command :
      curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low+and+inPolicy+eq+true' -d '{ "performStaging": false }' -X PATCH | jq . | head
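As an added example (not F5's own tooling), the Python helper below builds the filtered signatures URL with the inPolicy clause from the workaround and previews the collection with a GET, refusing to PATCH unless the preview's totalItems matches the number of signatures the operator expects to change. The policy ID, host, credentials and sample responses are constructed placeholders, and the inPolicy attribute on each returned item is an assumption.

```python
import json
import urllib.request
from base64 import b64encode

# Constructed placeholders: substitute the real policy ID (the hash segment
# of the policy's selfLink), management host and credentials.
HOST = "localhost"
POLICY_ID = "POLICY_ID_PLACEHOLDER"
CREDENTIALS = ("admin", "admin")


def build_filter(risk, in_policy=True):
    """OData-style $filter. Without 'inPolicy eq true' a PATCH on the
    signatures collection touches every signature of that risk level,
    not just the ones in the policy (ID 1186401)."""
    clauses = [f"signature/risk eq {risk}"]
    if in_policy:
        clauses.append("inPolicy eq true")
    return " and ".join(clauses)


def signatures_url(policy_id, risk, in_policy=True, host=HOST):
    """Collection URL in the same form as the curl commands above."""
    flt = build_filter(risk, in_policy).replace(" ", "+")
    return (f"https://{host}/mgmt/tm/asm/policies/{policy_id}/signatures"
            f"?$expand=signatureReference&$filter={flt}")


def safe_to_patch(preview, expected_total):
    """Decide from the parsed JSON of a GET with the same filter whether a
    PATCH is safe: the count must match what the operator expects and every
    returned item must be in the policy (inPolicy field assumed present)."""
    if preview.get("totalItems") != expected_total:
        return False
    return all(item.get("inPolicy") is True for item in preview.get("items", []))


def icontrol_request(url, method="GET", body=None, credentials=CREDENTIALS):
    """Send one iControl REST request with basic auth. The default TLS
    context verifies the management certificate against the system store."""
    req = urllib.request.Request(url, method=method)
    token = b64encode(":".join(credentials).encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    if body is not None:
        req.add_header("Content-Type", "application/json")
        req.data = json.dumps(body).encode()
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def set_staging(policy_id, risk, perform_staging, expected_total):
    """Preview, then PATCH only the in-policy signatures of the given risk."""
    url = signatures_url(policy_id, risk)
    preview = icontrol_request(url)
    if not safe_to_patch(preview, expected_total):
        raise RuntimeError(f"filter matched {preview.get('totalItems')} signatures, "
                           f"expected {expected_total}; not patching")
    return icontrol_request(url, "PATCH", {"performStaging": perform_staging})
```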


1185257-6 : BGP confederations do not support 4-byte ASNs

Links to More Info: BT1185257

Component: TMOS

Symptoms:
The BGP confederations do not support 4-byte AS numbers. Only 2-byte ASNs are supported.

Conditions:
Using BGP confederations.

Impact:
Unable to configure 4-byte AS number under BGP confederation.

Workaround:
None


1184841-6 : Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API

Component: Application Security Manager

Symptoms:
Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API.

Conditions:
- ASM-Sync enabled
- Auto-Sync enabled
- Updating URL through REST API

Impact:
Configuration will be de-synced.

Workaround:
Use TMUI to update configuration.


1182353-6 : DNS cache consumes more memory because of the accumulated mesh_states

Links to More Info: BT1182353

Component: Global Traffic Manager (DNS)

Symptoms:
DNS cache consumes more memory and the mesh_states are accumulated quickly.

Conditions:
Mixed queries with rd flag set and cd flag set/unset.

Impact:
TMM runs out of memory.


1180365-3 : APM Integration with Citrix Cloud Connector

Component: Access Policy Manager

Symptoms:
* Configure Citrix cloud connector instead of Citrix Delivery controller to publish apps and desktops from the cloud configured using DaaS.
* Apps/Desktop will not be published.

Conditions:
* When Citrix cloud connector is used to publish apps instead of Citrix Delivery controller, once the user clicks on the App/Desktop, the cloud connector sends an empty response.
* Hence user will not be able to publish any apps/ Desktop.

Impact:
Users will not be able to publish any Apps/Desktops in webtop which are published through Citrix Cloud Connector.


1174085-7 : spmdb_session_hash_entry_delete releases the hash's reference

Links to More Info: BT1174085

Component: Policy Enforcement Manager

Symptoms:
Multiple references access and try to modify the same entry.

Conditions:
When a failover from active to standby occurs while the connection is stalled.

Impact:
Illegal access of the memory.

Workaround:
NA


1173493-2 : Bot signature staging timestamp corrupted after modifying the profile

Component: Application Security Manager

Symptoms:
Bot signature timestamp is not accurate.

Conditions:
Have a bot signature "A" in staging, record the timestamp.
Using webUI, set another bot signature "B" to be in staging and click Save.
The time stamp on "A" is updated and shows the year 1970 in webUI.

Impact:
Cannot verify since when the signature has been in staging.

Workaround:
Use TMSH, instead of webUI, to update the profile.


1167969-2 : In DoS Profile level, the Flood attack Vectors with TCP and UDP, Hardware offloading is not working as expected

Links to More Info: BT1167969

Component: Advanced Firewall Manager

Symptoms:
On multi-blade platforms that support a high number of TMM threads, larger per-HSB rate limit values are received, which prevents the hardware from triggering offload even though the attack traffic matches the configured rate limits.

Conditions:
This occurs only on platforms that support a high number of TMMs (more than 20).

Impact:
Hardware offload for the Flood attack vectors will not trigger as expected.

Workaround:
None


1167609-4 : The messages msg->ref > 0 are seen in TMM logs with websockets/ASM plugin

Links to More Info: BT1167609

Component: Local Traffic Manager

Symptoms:
With web security enabled and ASM policies attached to virtual server, in an unknown scenario, msg->ref > 0 are appearing in TMM logs.

Conditions:
-- ASM is provisioned
-- ASM policy attached to virtual server
-- Web security configured

Impact:
The /var/log/tmm files may be flooded with the messages.

Workaround:
None


1161241-7 : BIND default behavior changed from 9.11 to 9.16

Links to More Info: BT1161241

Component: Global Traffic Manager (DNS)

Symptoms:
The default behavior of the BIND configuration options minimal-responses and dnssec-validation changed in BIND 9.16, which affects existing test cases and expected behavior.

Conditions:
Upgrade BIND package from version 9.11.36 to 9.16.27.

Impact:
Behavior change for minimal-responses and dnssec-validation.

Workaround:
None


1160805-4 : The scp-checkfp fails to cat scp.whitelist for remote admin

Links to More Info: BT1160805

Component: TMOS

Symptoms:
Attempting to SCP a file to /shared/images on the BIG-IP succeeds for the root user but fails for a remote admin user, for example:

sinkhole3:~$ scp test.iso apiuser@10.201.69.106:/shared/images
Password:
cat: /co: No such file or directory
cat: fig/ssh/scp.whitelist: No such file or directory
"/shared/images/test.iso": path not allowed

Conditions:
-- Running BIG-IP version with fix for ID 1097193.
-- Create remote admin user.
-- Use SCP command to transfer a file to remote admin user path.

Impact:
SCP command is not working for the remote admin users.

Workaround:
None


1156889-5 : TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions

Links to More Info: BT1156889

Component: Application Security Manager

Symptoms:
When using bot-defense profile with a browser verification and performing redirect actions, there is a memory leak in TMM.

Conditions:
- The bot-defense profile with "Verify After Access" or "Verify Before Access" browser verification is configured.
- Surfing using a browser, during grace period (5 Minutes after config change) to a non-qualified URL, or configuring "Validate Upon Request" in "Cross Domain Requests" configuration, and configuring A and B as "Related Site Domains".
- Surfing using a browser from Domain A to Domain B.

Impact:
Degraded performance, potential eventual out-of-memory.

Workaround:
None


1156149-5 : Early responses on standby may cause TMM to crash

Links to More Info: BT1156149

Component: Service Provider

Symptoms:
TMM cores when an early response interacts with the retransmit mechanism; this has also happened during a failover event.

Conditions:
The response to a request message reaches the standby unit before the request itself.

Impact:
Causes a failover while TMM is restarting.

Workaround:
None


1154685-4 : Error logged "01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object..." during startup

Links to More Info: BT1154685

Component: TMOS

Symptoms:
Database error (13) will be logged in /var/log/ltm during startup:

err mcpd[]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:private_mac_addr_freelist status:13 - EdbCfgObj.cpp, line 127.

Conditions:
-- 15.1.8 or later 15.1.x

Impact:
It is a cosmetic error and observed only once during startup.

Workaround:
None


1154465-2 : Error attaching few QAT devices to TMM

Links to More Info: BT1154465

Component: Local Traffic Manager

Symptoms:
Crypto and compression yield low throughput when more than 32 vCPUs are configured.

Conditions:
A variable was not thread-safe.

Impact:
Reduced throughput.

Workaround:
None


1148009-8 : Cannot sync an ASM logging profile on a local-only VIP

Links to More Info: BT1148009

Component: Application Security Manager

Symptoms:
If an ASM profile, such as a logging profile is applied to a virtual that is local-only, then the state changes to "Changes Pending" but configuration sync breaks.

Conditions:
- ASM provisioned
- high availability (HA) pair
- ASM profile, such as a logging profile is applied to a virtual that is local-only.

Impact:
The state changes to "Changes Pending" but configuration sync breaks.

Workaround:
None


1146377-6 : FastHTTP profiles do not insert HTTP headers triggered by iRules

Links to More Info: BT1146377

Component: Local Traffic Manager

Symptoms:
Virtual servers configured with the FastHTTP profile will not insert HTTP headers even when triggered by iRules.

Conditions:
A virtual server configured with FastHTTP, and an iRule that would insert an HTTP header.

Impact:
The expected headers will not be inserted on packets sent to servers.

Workaround:
None


1144497-5 : Base64 encoded metachars are not detected on HTTP headers

Component: Application Security Manager

Symptoms:
Base64 encoded illegal metachars are not detected.

Conditions:
No specific condition.

Impact:
False negative, illegal characters are not detected and request not blocked.

Workaround:
None


1137993-6 : Violation is not triggered on specific configuration

Links to More Info: BT1137993

Component: Application Security Manager

Symptoms:
The HTTP compliance violation is not triggered for the unparsable requests due to a specific scenario.

Conditions:
A microservice is configured in the security policy.

Impact:
Specific violation is not triggered. A possible false negative.

Workaround:
It is possible to work around this with an iRule that checks the length of the URL and issues a custom violation.


1136921-6 : BGP might delay route updates after failover

Links to More Info: BT1136921

Component: TMOS

Symptoms:
The BGP might delay route updates after failover.

Conditions:
- BGP is configured on a High Availability (HA) pair of BIG-IP devices.
- The BGP redistributing kernel routes.
- Failover occurs.

Impact:
New active unit might delay route advertisement up to 15 sec.
New standby unit might delay route withdrawal up to 15 sec.

Workaround:
None


1132981-5 : Standby not persisting manually added session tracking records

Links to More Info: BT1132981

Component: Application Security Manager

Symptoms:
Session tracking records with an Infinite Block-All period have an expiration time on the Standby unit after sync.

Conditions:
- ASM provisioned
- Session Tracking enabled
- Session tracking records with an Infinite Block-All period are added

Impact:
Infinite Session Tracking records are removed from standby ASMs.

Workaround:
Use an auto-sync device group (DG) instead of manual sync.

After changing the configuration in the UI at Security->Application Security: Sessions and Logins: Session Tracking, you must "Apply Policy" and wait for the DG status to become In-Sync before adding new data points in the UI at Security->Reporting: Application: Session Tracking Status.


1132741-7 : TMM core when the HTML parser scans an endless HTML tag of size more than 50 MB

Links to More Info: BT1132741

Component: Application Security Manager

Symptoms:
TMM core; "clock advanced by X ticks" is logged.

Conditions:
- DoS Application or Bot Defense profile assigned to a virtual server.
- Single Page Application or Validate After Access is enabled.
- A 50 MB response containing a huge HTML tag.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Exclude the URL in question from the HTML parser:
tmsh modify sys db dosl7.parse_html_excluded_urls value <url>


1128429-7 : Rebooting one or more blades at different times may cause a traffic imbalance, resulting in high CPU

Links to More Info: BT1128429

Component: Carrier-Grade NAT

Symptoms:
One or more TMMs are consuming more CPU cycles than the other TMMs. The increased CPU usage is caused by a significant number of internal TMM traffic redirections.

Conditions:
- LSN pools enabled.
- The sp-dag configured on the client-side and server-side VLANs (cmp-hash src-ip and cmp-hash dst-ip respectively).

Impact:
Increased TMM CPU usage on one or more TMMs.

Workaround:
- Set up a High Availability (HA) pair of VIPRIONs and make the active VIPRION cluster standby before doing any operation that involves rebooting, inserting, or removing one or more blades.

Or if the VIPRION is a stand-alone cluster:

- Stop all external traffic to the VIPRION before rebooting, inserting, or removing one or more blades.

- Restart or reboot all the blades at the same time from the primary, using the following "clsh" command:
"clsh reboot volume <NEW_VOLUME>" or "clsh bigstart restart".


1126841-5 : HTTP::enable can rarely cause cores

Links to More Info: BT1126841

Component: Local Traffic Manager

Symptoms:
The TMM crashes with seg fault.

Conditions:
- SSL profile used.
- An iRule that uses HTTP::enable.

Impact:
The TMM restarts causing traffic interruption.

Workaround:
None


1124733-3 : Unnecessary internal traffic is observed on the internal tmm_bp vlan

Links to More Info: BT1124733

Component: TMOS

Symptoms:
Unnecessary internal traffic can be observed on the internal tmm_bp VLAN. It is a UDP broadcast on port 62965.

Conditions:
Always

Impact:
Unnecessary traffic that does not disrupt normal operation.

Workaround:
None


1123153-5 : "Such URL does not exist in policy" error in the GUI

Component: Application Security Manager

Symptoms:
Unable to create a parameter under Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs ›› URL Parameters

Conditions:
When the policy setting "Differentiate between HTTP/WS and HTTPS/WSS URLs" is set to "Disabled".

Impact:
User is unable to create a Parameter with a URL.

Workaround:
N/A


1121349 : CPM NFA may stall due to lack of other state transition

Links to More Info: BT1121349

Component: Local Traffic Manager

Symptoms:
The CPM NFA string state machines may stall due to missing data.

Conditions:
-- HTTP virtual server with LTM policy and iRule

Impact:
LTM policy rule does not trigger on HTTP URI path condition

Workaround:
Change rule from "HTTP URI path contains" to "HTTP URI full string contains"


1121169-5 : Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use

Links to More Info: BT1121169

Component: TMOS

Symptoms:
On systems where ID1004833 has been fixed, the resizing instructions for /appdata from K74200262 no longer work.

Conditions:
When jitterentropy-rngd is started by systemd, which is the default state on BIG-IP.

Impact:
A filesystem resize operation may fail with the following error:

# lvreduce --resizefs --size -40G /dev/mapper/vg--db--sda-dat.appdata
Do you want to unmount "/appdata"? [Y|n] y
fsck from util-linux 2.23.2
/dev/mapper/vg--db--sda-dat.appdata is in use.
e2fsck: Cannot continue, aborting.

resize2fs 1.42.9 (28-Dec-2013)
resize2fs: Device or resource busy while trying to open /dev/mapper/vg--db--sda-dat.appdata
Couldn't find valid filesystem superblock.
fsadm: Resize ext3 failed
  fsadm failed: 1
  Filesystem resize failed.

Workaround:
Unmount /appdata and restart the jitterentropy-rngd, and then retry the resize operation.


1117609-5 : VLAN guest tagging is not implemented for CX4 and CX5 on ESXi

Links to More Info: BT1117609

Component: Local Traffic Manager

Symptoms:
Tagged VLAN traffic is not received by the BIG-IP Virtual Edition (VE).

Conditions:
Mellanox CX4 or CX5 with SR-IOV on VMware ESXi.

Impact:
Host-side tagging is required.

Workaround:
If only one VLAN is required, use host-side tagging and set the VLAN to "untagged" in the BIG-IP guest.

If multiple VLANs are required, use the "sock" driver instead. Edit the /config/tmm_init.tcl file and restart the Virtual Edition (VE) instance. Network traffic is disrupted while the system restarts.

echo "device driver vendor_dev 15b3:1016 sock" >> /config/tmm_init.tcl

CPU utilization may increase as a result of switching to the sock driver.

I know it works for the sock driver. This bug was about the xnet/mlxvf5 drivers.
In the hal/internal folder, I saw the VMware vendor ID in the PciVendor.h file was 0x15ad, which does not look correct, so I changed it to 0x15b3.


1117305-8 : The non-existent URI /api returns a different error response with or without correct Basic Authorization credentials

Links to More Info: BT1117305

Component: TMOS

Symptoms:
The /api returns 401 when incorrect Basic Authorization credentials are supplied.
The /api returns 404 when correct Basic Authorization credentials are supplied.

Conditions:
Occurs irrespective of whether the DB variable "httpd.basic_auth" is set to enable or disable.

Impact:
There is no functional impact. However, all other non-existent URIs return a 302 redirect response to the TMUI login page irrespective of whether the Basic Authorization credentials are correct or incorrect; /api should invariably exhibit the same behavior.

Workaround:
None


1117245-5 : Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file

Links to More Info: BT1117245

Component: Application Security Manager

Symptoms:
Only the following message is seen in the /var/log/tomcat/liveupdate.log file. No other log messages are written, which removes the ability to troubleshoot LiveUpdate.

liveupdate.script file is corrupted, live update repository initialized with default schema

This error is emitted during tomcat startup, in /var/log/tomcat/catalina.out:

java.io.FileNotFoundException: /usr/share/tomcat/logs/liveupdate.log (Permission denied)

Conditions:
You are running on a version which has a bug fix for ID907025. For more information see https://cdn.f5.com/product/bugtracker/ID907025.html

Impact:
Losing troubleshooting capability with LiveUpdate

Workaround:
chown tomcat:tomcat /var/log/tomcat/liveupdate.log
bigstart restart tomcat


1113753-5 : Signatures might not be detected when using truncated multipart requests

Component: Application Security Manager

Symptoms:
In special cases, when sending long requests that include a multipart section, signatures that should be detected in the multipart body might not be detected.

Conditions:
1. A WAF policy is attached to the virtual server.
2. Signatures are enabled in the WAF policy.
3. The signatures contain special characters, e.g. ;"=\n
4. The request is longer than the value of max_raw_request_len.
5. A multipart request is sent.

Impact:
Signature is not detected.

Workaround:
None


1112537-6 : LTM/GTM config instantiated in a certain way can cause an LTM/GTM monitor to fail to delete.

Links to More Info: BT1112537

Component: TMOS

Symptoms:
Upon attempting to delete an LTM or GTM monitor, the system returns an error similar to the following example, even though the monitor being deleted is no longer in use anywhere:

01070083:3: Monitor /Common/my-tcp is in use.

Conditions:
-- The configuration was loaded from file (for example, as restoring a UCS archive would do).

-- A BIG-IP Administrator deletes all objects using the monitor, and then attempts to delete the monitor itself.

Impact:
An LTM or GTM monitor that is no longer in use anywhere cannot be deleted from the configuration.

Workaround:
Run one of the following sets of commands (depending on the affected module) and then try to delete the monitor again:

tmsh save sys config
tmsh load sys config

tmsh save sys config gtm-only
tmsh load sys config gtm-only


1111149-4 : Nlad core observed because ERR_func_error_string can return NULL

Links to More Info: BT1111149

Component: Access Policy Manager

Symptoms:
The following symptoms are observed:

In /var/log/ltm:
err nlad[17535]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.

Nlad core is observed
/var/log/kern.log:Apr 7 03:46:53 <vs name > info kernel: nlad[13119]: segfault at 0 ip <> sp <> error 4.

Conditions:
nlad crashes with SIGSEGV while processing an SSL certificate during a SAML login.

Impact:
The core results in disruption of APM sessions.

Workaround:
None


1110489-4 : TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event

Links to More Info: BT1110489

Component: Access Policy Manager

Symptoms:
TMM crashes.
/var/log/tmm contains:
May 24 18:06:24 sslo.test.local notice panic: ../net/nexthop.c:165: Assertion "nexthop ref valid" failed.

Conditions:
An iRule that contains an ACCESS_ACL_ALLOWED iRule event is applied to a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1110485-5 : SSL handshake failures with invalid profile error

Links to More Info: BT1110485

Component: Local Traffic Manager

Symptoms:
1. TMM reports SSL handshake failures with reason "hud_ssl_handler:1208: alert(40) invalid profile unknown on VIP"

2. There will be Certificate read errors in the ltm log "reading: Unknown error."

Conditions:
-- The certificates associated with the SSL profile are corrupted by modifying, adding, or deleting them manually or via Venafi.

-- There are frequent unintentional Certificate updates

Impact:
-- The BIG-IP system will not be able to process the traffic.
-- All traffic to particular virtual servers fails

Workaround:
1. Correct the certificates which are corrupted and make them valid.

2. Detach/remove the corresponding SSL profile from all virtual servers to which it is applied.

3. In the GUI open the virtual server and click on update and make sure there are no errors shown on the screen.

4. Re-apply the SSL profile to the virtual server.


1110281-7 : Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable

Links to More Info: BT1110281

Component: Advanced Firewall Manager

Symptoms:
Non-HTTP traffic is not forwarded to the backend server.

Conditions:
- ASM provisioned
- Behavioral DoS profile assigned to a virtual server
- DOSL7::disable and HTTP::disable applied in when CLIENT_ACCEPTED {}

Impact:
Web applications that rely on non-HTTP traffic break.

Workaround:
Instead of using DOSL7::disable, redirect non-HTTP traffic to a non-HTTP aware virtual server using the iRule command virtual <virtual_server_name>.


1108237-3 : Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM.

Links to More Info: BT1108237

Component: Global Traffic Manager (DNS)

Symptoms:
It is possible for monitor probes to a certain destination to be owned by no GTM device in the sync-group. As a result, no monitoring of the destination will be performed, and the monitored object will be incorrectly marked down with reason "no reply from big3d: timed out".

Conditions:
-- GTM sync-group with multiple GTM devices (including a sync-group that contains only a single GTM server with more than one GTM device in it).

-- Monitors specifying an explicit destination to connect to (e.g. with the property "destination 192.168.1.1:*").

-- The destination of a monitored object (e.g. the IP address of the gtm server) is different from the destination explicitly defined in a monitor assigned to the object.

-- The two mismatching destination values are assigned to different GTM devices in the sync-group for monitoring.

Impact:
Monitored GTM objects may have an incorrect status.

Workaround:
None


1106273-5 : "duplicate priming" assert in IPSECALG

Links to More Info: BT1106273

Component: Advanced Firewall Manager

Symptoms:
This is a specific issue with a complicated firewall/NAT/IPsec scenario. In this case, when applying changes to a firewall policy in transparent mode, IPSECALG triggers a "duplicate priming" assert.

Conditions:
When an IPSec session is established from a device with a source IP which has a firewall policy (transparent mode). As soon as traffic is passed over the new IPSec tunnel, this clash in the rules results in a tmm core.

Impact:
TMM asserts with "duplicate priming" assert.
Traffic disrupted while tmm restarts.

Workaround:
None


1105901-6 : Tmm crash while doing high-speed logging

Links to More Info: BT1105901

Component: TMOS

Symptoms:
TMM crashes.

Conditions:
-- High-speed logging is configured
-- Network instability occurs with the logging pool members

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1102425-1 : F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary

Links to More Info: BT1102425

Component: TMOS

Symptoms:
The secondary blades are inoperative when MCPD is restarted on the primary slot, or when the license is installed on the F5OS chassis.

The symptoms are as follows:

- The following log message is logged in /var/log/ltm for the secondary slots:

mprov:29790:[29790]: 'FPGA change is taking a long time. Unable to start the daemons.'

- The file /var/run/fpga_mcpd_lockfile is present on the secondary slots.

Conditions:
- Multi-Slot F5OS tenant.
- Restarting MCPD on the primary blade or installing the license from the F5OS chassis.

Impact:
Secondary blades are inoperative.

Workaround:
Execute the following command on the secondary blades that are inoperative:
bigstart restart mcpd


1098609-3 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crashes while passing traffic.

Conditions:
Specific request criteria that occur while there is a configuration change.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None


1090313-5 : Virtual server may remain in hardware SYN cookie mode longer than expected

Links to More Info: BT1090313

Component: TMOS

Symptoms:
A virtual server may remain in hardware SYN cookie mode longer than expected after the SYN flood attack has stopped. The TMSH 'show ltm virtual' command shows that the virtual server has already exited SYN Cookie mode, but SYN packets are still answered by the hardware for a few minutes longer.

Conditions:
The problem is a result of a race condition in TMM, so the issue might show up intermittently.

Impact:
Discrepancy between the actual SYN Cookie mode and the reported SYN Cookie mode for a short period of time after a SYN flood attack.

Workaround:
Disable hardware SYN Cookie mode.


1088597-6 : TCP keepalive timer can be immediately re-scheduled in rare circumstances

Links to More Info: BT1088597

Component: Local Traffic Manager

Symptoms:
In rare circumstances, the TCP keepalive timer is rescheduled immediately because the interval used also encompasses the idle_timeout.

Conditions:
Virtual Server with:

- TCP Profile
- SSL Profile with alert timeout configured

Another way this can occur is by manually deleting connections, which effectively only sets the idle timeout to 0.

Impact:
High CPU utilization potentially leading to reduced performance.

Workaround:
Not re-enabling the alert timeout in the SSL profile should be sufficient.


1084857-6 : ASM::support_id iRule command does not display the 20th digit

Links to More Info: BT1084857

Component: Application Security Manager

Symptoms:
ASM::support_id iRule command does not display the 20th digit.

A support ID seen in REST/TMUI that has 20 digits, e.g. 13412620314886537617, is displayed as 1341262031488653761 by the iRule command (the last digit '7' is stripped).

Conditions:
ASM::support_id iRule command

Impact:
Inability to trace request events using the support ID.


1083513-4 : BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd

Links to More Info: BT1083513

Component: Application Security Manager

Symptoms:
"Challenge Failure Reason" field in a request event log shows N/A.

Conditions:
The db key has not been changed manually on the system.

Impact:
"Challenge Failure Reason" field is disabled.

Workaround:
Disable the key and re-enable, then save.

tmsh modify sys db botdefense.disable_challenge_failure_reporting value disable
tmsh modify sys db botdefense.disable_challenge_failure_reporting value enable
tmsh save sys config


1083053-4 : Apmd memory grows over time in AD auth scenarios

Links to More Info: BT1083053

Component: Access Policy Manager

Symptoms:
Apmd memory grows over time. It is not a memory leak; it is mainly due to memory fragmentation caused by memory sharing among apmd threads.

Conditions:
The access policy in use has Active Directory auth as one of the agents

Impact:
Apmd memory grows over time. After it grows beyond a limit, the OOM killer might kill apmd, leading to traffic disruption.

Workaround:
None


1082197-5 : RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response

Links to More Info: BT1082197

Component: Global Traffic Manager (DNS)

Symptoms:
The synthetic SOA returned by BIG-IP has the MNAME and RNAME fields reversed, resulting in the wrong values being noted as the primary name server and the mailbox of the administrator, respectively.

Conditions:
-- Set failure-rcode-response to enabled and configure failure-rcode-ttl on a down WIP.
-- Perform a DNS query.
-- Observe the SOA.

Impact:
Per RFC 1035, the order of the fields is significant and MNAME must come before RNAME. When reversed, consumers of the synthetic SOA will associate the wrong values with the wrong fields.
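
The following is an added example, not part of this release note or of F5's code: it encodes and decodes SOA RDATA in the RFC 1035 wire order (MNAME, RNAME, then the five 32-bit fields) and checks a decoded record for the reversed-field symptom described above. It assumes the synthetic SOA uses no name compression, and the zone names and timers are constructed sample values.

```python
"""Decode DNS SOA RDATA and check the MNAME/RNAME order mandated by RFC 1035.

Added example for illustration; it is not F5 code and makes no live query.
"""
import struct

# Constructed sample values (assumptions, not taken from the release note).
ZONE_NS = "ns1.example.com."
ZONE_MAILBOX = "hostmaster.example.com."  # RFC 1035 form of hostmaster@example.com


def encode_name(name: str) -> bytes:
    """Encode a domain name as uncompressed RFC 1035 labels."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def read_name(data: bytes, offset: int):
    """Read an uncompressed name at offset; return (name, offset past it).

    Compression pointers (0xC0 prefix) are rejected because this example
    assumes the synthetic SOA is emitted without them.
    """
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not supported in this example")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    """Assemble SOA RDATA in the RFC 1035 section 3.3.13 order."""
    return encode_name(mname) + encode_name(rname) + struct.pack(
        "!IIIII", serial, refresh, retry, expire, minimum)


def parse_soa_rdata(rdata: bytes) -> dict:
    """Decode SOA RDATA.

    The first name is taken as MNAME and the second as RNAME because the
    format fixes that order; a producer that emits them reversed (the bug
    above) yields swapped values here, which is exactly what consumers see.
    """
    mname, off = read_name(rdata, 0)
    rname, off = read_name(rdata, off)
    if len(rdata) - off != 20:
        raise ValueError("SOA RDATA must end with exactly five 32-bit fields")
    serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", rdata[off:])
    return {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
            "retry": retry, "expire": expire, "minimum": minimum}


def soa_names_swapped(soa: dict, expected_mname: str) -> bool:
    """Flag the reversed-field symptom: the zone's known primary name server
    shows up in RNAME instead of MNAME."""
    return (soa["mname"].lower() != expected_mname.lower()
            and soa["rname"].lower() == expected_mname.lower())


if __name__ == "__main__":
    good = build_soa_rdata(ZONE_NS, ZONE_MAILBOX, 2023042001, 3600, 900, 604800, 60)
    bad = build_soa_rdata(ZONE_MAILBOX, ZONE_NS, 2023042001, 3600, 900, 604800, 60)
    for label, rec in (("correct", good), ("reversed", bad)):
        soa = parse_soa_rdata(rec)
        print(label, "MNAME=" + soa["mname"], "RNAME=" + soa["rname"],
              "swapped:", soa_names_swapped(soa, ZONE_NS))
```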


1080957-1 : TMM Seg fault while Offloading virtual server DOS attack to HW

Links to More Info: BT1080957

Component: Advanced Firewall Manager

Symptoms:
TMM crashes during virtual server DOS attack scenarios.

Conditions:
-- HSB-equipped hardware platforms.
-- An attack is detected on a configured virtual server DoS vector and the system attempts to offload it to hardware.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1078065-5 : The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA.

Links to More Info: BT1078065

Component: Application Security Manager

Symptoms:
The login page shows a blocking page instead of CAPTCHA or shows the blocking page after resolving a CAPTCHA.

After five failed login attempts (the number configured in the brute force configuration), a blocking page is shown.

Blocking Reason: Resource not qualified for injection.

Conditions:
The response contains an HTML page with a length greater than 32000 bytes.

Impact:
Users are blocked after failed login attempts.

Workaround:
Run tmsh modify sys db asm.cs_qualified_urls value <url value>.


1076825-3 : "Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.

Links to More Info: BT1076825

Component: Application Security Manager

Symptoms:
"Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.

Conditions:
Upgrading to v16.1.x from earlier releases.

Impact:
Configuration of "Installation of Automatically Downloaded Updates" is lost and reverts to default.

Workaround:
Manually configure "Installation of Automatically Downloaded Updates" after the upgrade.


1069729-4 : TMM might crash after a configuration change.

Links to More Info: BT1069729

Component: Application Security Manager

Symptoms:
After modifying a DoSL7 profile, in rare cases TMM might crash.

Conditions:
Modifying DoSl7 profile attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A


1069265 : New connections or packets from the same source IP and source port can cause unnecessary port block allocations.

Links to More Info: BT1069265

Component: Advanced Firewall Manager

Symptoms:
A client opening new TCP connections or sending new UDP packets from the same source IP and source port can cause the allocation of multiple new port blocks even if there are still existing translation endpoints in the current blocks.

Conditions:
All of the following conditions must be met:

- AFM NAT or CGNAT configured with port block allocation.

- In the port-block-allocation settings, a block-lifetime value different from zero.

- A client sending UDP packets or opening TCP connections periodically, always from the same source IP address and source port.

- A protocol profile on the virtual server with an idle timeout lower than the interval between the client packets or new connections.

Impact:
After the first allocated port block becomes zombie, a new port block is allocated for each new client packet or client connection coming from the same source IP / source port, even if there are still available translation endpoints in the allocated non-zombie blocks.
The new blocks keep piling up until the original zombie block timeout expires.

Workaround:
Increase the protocol profile idle-timeout to a value greater than the interval between UDP packets or connections from the client.


1067797 : Trunked interfaces that share a MAC address may be assigned in the incorrect order.

Links to More Info: BT1067797

Component: TMOS

Symptoms:
Interfaces that are trunked together and use the same MAC address may end up in an incorrect order when the system is restarted.

Conditions:
Trunked interfaces that use the same MAC address. On reboot the f5-swap-eth script will incorrectly reorder the affected interfaces.

Impact:
Incorrect ordering could result in a failover or outage.

Workaround:
N/A


1067557-5 : Value masking under XML and JSON content profiles does not follow policy case sensitivity

Component: Application Security Manager

Symptoms:
Value masking is always case sensitive regardless of policy case sensitivity.

Conditions:
- Parse Parameters is unchecked under the JSON content profile.
- The Value masking section contains element/attribute names under the XML and JSON content profiles.

Impact:
- Value is not masked in a case insensitive manner even when the policy is case insensitive.

Workaround:
None


1064753-6 : OSPF LSAs are dropped/rate limited incorrectly.

Links to More Info: BT1064753

Component: TMOS

Symptoms:
Some LSAs are dropped on BIG-IP with a log similar to:
"LSA is received recently".

Conditions:
Tuning OSPF min LSA arrival has no effect on some LSA handling.

Impact:
OSPF LSAs are dropped/rate limited incorrectly.

Workaround:
N/A


1064725-5 : CHMAN request for tag:19 failed.

Links to More Info: BT1064725

Component: Local Traffic Manager

Symptoms:
The following log is seen in /var/log/ltm when a qkview is generated:

warning chmand[6307]: 012a0004:4: CHMAN request (from qkview) for tag:19 failed.

or when a tcpdump capture is started:

warning chmand[792]: 012a0004:4: CHMAN request (from bigpcapq33E5-24) for tag:19 failed

or when getting a dossier from the GUI/CLI:

warning chmand[4319]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed

or on reboot:

warning chmand[8263]: 012a0004:4: CHMAN request (from mcpd) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from DossierValidator) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from LACPD_USER) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed

Conditions:
Any one of the following:

-- Generate a qkview file from the GUI/CLI
-- Start a tcpdump command from the CLI
-- Get a dossier from GUI/CLI
-- Reboot

Impact:
No functional impact.

Workaround:
None


1060477-2 : iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]".

Links to More Info: BT1060477

Component: Access Policy Manager

Symptoms:
Apmd crashes after setting the userName field via an iRule.

Conditions:
1. Setting the userName field:

set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]

2. Getting the sid field:
[ACCESS::session data get session.user.sessionid]

Impact:
APM traffic disrupted while apmd restarts.

Workaround:
Check the username before setting it from iRule.


1060393-3 : Extended high CPU usage caused by JavaScript Obfuscator.

Links to More Info: BT1060393

Component: Fraud Protection Services

Symptoms:
The Obfuscator process (compiler.jar) consumes excessive CPU for an extended period.

Conditions:
FPS is provisioned

OR:
ASM is provisioned
AND one of the following:
- Bot profile is attached to the VS
- ASM policy with the brute force feature enabled is attached to the VS
- DoS profile with CAPTCHA/CSI mitigation is attached to the VS

Impact:
High CPU usage on the device.

Workaround:
None


1059573-5 : Variation in a case insensitive value of an operand in LTM policy may fail in some rules.

Links to More Info: BT1059573

Component: Local Traffic Manager

Symptoms:
The LTM policy engine compiles a policy into a state machine. If there is a variation of the same case-insensitive value for an operand, the state machine may fail to properly build all rules that use this value. An example of a variation is a list of words like "Myself", "myself", "MYself", "mySElf", "MYSELF".

Conditions:
-- LTM policy is configured and attached to a virtual server.
-- The policy has variation in a case insensitive value of an operand.

Impact:
An expected rule does not apply: either a wrong rule is applied, or no rule is applied, causing incorrect traffic processing.

Workaround:
Eliminate variation in any case insensitive value of any operand. For example, replace all variations in the mentioned list with "myself".


1059513-3 : Virtual servers may appear as detached from security policy when they are not.

Links to More Info: BT1059513

Component: Application Security Manager

Symptoms:
When browsing the Security >> Overview: Summary page, the virtual servers may appear as detached. The larger the number of virtual servers, the more likely you are to see all of them as detached from the security policy.

Conditions:
From a certain number of virtual servers (20) attached to a security policy, the virtual servers may appear as detached from any security policy.

Impact:
Virtual servers are displayed as detached from any security policy, but this is not the case.

Workaround:
None


1049237-6 : Restjavad may fail to cleanup ucs file handles even with ID767613 fix

Links to More Info: BT1049237

Component: Device Management

Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client (such as a BIG-IQ which is out of disk space) does not complete the download.
Since these files remain open, you may see low disk space even after deleting the associated files, and you may see items listed with '(deleted)' in lsof output.

Additionally, on a software version with the ID767613 fix, you may see restjavad NullPointerException errors in /var/log/restjavad.*.log.

[SEVERE][1837][23 Sep 2021 10:18:16 UTC][RestServer] java.lang.NullPointerException
at com.f5.rest.workers.FileTransferWorker$3.run(FileTransferWorker.java:230)
at com.f5.rest.common.ScheduleTaskManager$1$1.run(ScheduleTaskManager.java:68)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:473)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:622)
at java.lang.Thread.run(Thread.java:748)

Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.

Impact:
Low disk space, items listed with '(deleted)' when listed using lsof.

Workaround:
To free the file handles, restart restjavad:

# tmsh restart sys service restjavad

Files that were deleted now have their space reclaimed.


1048949-8 : TMM xdata leak on websocket connection with asm policy without websocket profile

Links to More Info: BT1048949

Component: Application Security Manager

Symptoms:
Excessive memory consumption, tmm core.

Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Websocket profile isn't attached to the virtual server
- Long lived websocket connection with messages

Impact:
Excessive memory consumption, tmm crash. Traffic disrupted while tmm restarts.

Workaround:
Attach the websocket profile to the virtual server


1048425-6 : Packet tester crashes TMM when vlan external source-checking is enabled

Links to More Info: BT1048425

Component: Advanced Firewall Manager

Symptoms:
TMM SIGFPE Core Assertion "packet must already have an ethernet header".

Conditions:
Run the AFM Packet Tracer when external source-checking is enabled on the VLAN.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable source checking on the vlan.


1046469-4 : Memory leak during large attack

Links to More Info: BT1046469

Component: Anomaly Detection Services

Symptoms:
ADMD daemon memory consumption increases over several days until it causes OOM.

Conditions:
A large DoS attack occurs and is not mitigated.

Impact:
ADMD daemon will get killed and restarted. Due to the restart, the BADoS protection might be disabled for a couple of seconds.

Workaround:
To work around the issue before installing the fix, ADMD can be monitored by a script and restarted as needed. This is similar to the current behavior, but it avoids reaching OOM, which might affect other daemons.


1044893-4 : Kernel warnings from NIC driver Realtek 8139

Links to More Info: BT1044893

Component: TMOS

Symptoms:
Excessive kernel logs are emitted by the Realtek 8139 NIC driver.

Conditions:
-- Realtek 8139 driver is used
-- Packets with a partial checksum and protocol IPPROTO_TCP/IPPROTO_UDP arrive

Impact:
The Realtek 8139 driver logs excessive kernel warnings.


1044457-4 : APM webtop VPN is no longer working for some users when CodeIntegrity is enabled.

Links to More Info: BT1044457

Component: Access Policy Manager

Symptoms:
Users are unable to use the BIG-IP VPN in Edge, Internet Explorer, Firefox, and Chrome.
Microsoft believes the issue is because the Network Access webtop is using MSXML 2.0a, which is blocked by their desktop policy.

Conditions:
-- Attempting to connect to Network Access VPN using Edge, Internet Explorer, Chrome and Firefox.
-- CodeIntegrity is enabled

Impact:
Users are not able to connect to F5 VPN through APM Browser.

Workaround:
Workaround is to use the BIG-IP Edge client.


1044089-5 : ICMP echo requests to virtual address gets a response even when the virtual server is offline when updated from GUI.

Links to More Info: BT1044089

Component: TMOS

Symptoms:
Virtual address is reachable even when the virtual server is offline.

Conditions:
The virtual server status is updated to offline by modifying the virtual server and adding an iRule via the GUI.

Impact:
ICMP echo requests are still handled by the virtual address even though the virtual server is marked offline.

Workaround:
Use tmsh to attach the iRule to the virtual server:

tmsh modify ltm virtual <virtual_server_name> rules {<rule_name> }


1041985-5 : TMM memory utilization increases after upgrade

Links to More Info: BT1041985

Component: Access Policy Manager

Symptoms:
TMM memory utilization increases after upgrading.

The keep-alive interval of the _tmm_apm_portal_tcp default profile is set to a value that is less than the Idle Timeout setting.

Conditions:
-- APM enabled and passing traffic
-- The configuration has a profile that uses or is derived from _tmm_apm_portal_tcp where the keep-alive interval was reduced to 60

Note that this can be encountered any time a tcp profile contains a keep-alive interval setting that is less than the idle timeout.

For more information about the relationship between keep-alive and idle time out, see K13004262: Understanding Idle Timeout and Keep Alive Interval settings in the TCP profile, available at https://support.f5.com/csp/article/K13004262

Impact:
TMM memory may increase while passing traffic.

Workaround:
Change the TCP keep-alive interval to the default setting of 1800 seconds.


1040573-5 : REST operation takes a long time when two different users perform tasks in parallel

Links to More Info: BT1040573

Component: TMOS

Symptoms:
It takes excessive time to execute multiple REST (icr) requests in parallel by different users.

Conditions:
Multiple iControl REST operations are performed by different users in parallel.

Impact:
BIG-IP system performance is impacted.

Workaround:
Use only one user to process the multiple requests.
OR
Use an iControl REST transaction containing multiple requests.


1038057-5 : Unable to add a serverssl profile into a virtual server containing a FIX profile

Links to More Info: BT1038057

Component: Service Provider

Symptoms:
You are unable to configure a virtual server to use server SSL encryption with FIX protocol messages.

Conditions:
This is encountered when serverssl needs to be configured for FIX profiles.

Impact:
You are unable to assign a server-ssl profile to the virtual server.

Workaround:
None


1034865-6 : CACHE::enable failed on private/no-store content

Links to More Info: BT1034865

Component: Local Traffic Manager

Symptoms:
BIG-IP can cache HTTP responses with the RAMCACHE feature. When a response has either "Cache-Control: private" or "Cache-Control: no-store", the CACHE::enable setting allows the content to be cached anyway. This option was removed when a fix to ID 360047 was introduced.

Conditions:
-- A virtual server has a web-acceleration profile without a policy.
-- An iRule has CACHE::enable command, overwriting Cache-Control header's values "no-store" and/or "private".

Impact:
BIG-IP always requests the response from the origin web server even when the response is cacheable, putting extra load on the origin web server.


1030129-5 : iHealth unnecessarily flags qkview for H701182 with mcp_module.xml

Links to More Info: BT1030129

Component: Application Security Manager

Symptoms:
iHealth unnecessarily flags the uploaded qkview for Heuristic H701182 "Non-ASCII characters removed from Qkview XML files".

Conditions:
A qkview generated from a unit with ASM provisioned is uploaded to iHealth.

Impact:
Inaccurate heuristic result on iHealth.

Workaround:
None.


1030093 : An http2 to http2 virtual connection with translate-address disabled might only use one stream on the server side.

Links to More Info: BT1030093

Component: Local Traffic Manager

Symptoms:
When there is no pool object available, this issue results in only stream ID 1 succeeding to the server-side. All subsequent streams fail.

Conditions:
With the following configuration:
-- client side HTTP2
-- server side HTTP2
-- HTTP2 MRF enabled
-- translate-address disabled

Impact:
Connection only works for stream 1. All other streams fail.

Workaround:
If you set "translate-address enabled" on the virtual server, then all streams work fine.


1028081-3 : [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page

Links to More Info: BT1028081

Component: Access Policy Manager

Symptoms:
1. Users connecting with F5 Access from an Android device see string "function () {[native code]}" in the Logon Page Form 'Username' field.
2. This issue only affects the F5 Access embedded browser. It works fine when connecting from the same Android device using Chrome. F5 Access from iOS is also working fine.

Conditions:
Configure an access policy with modern customization that includes a Logon Page.

Impact:
The string "function () {[native code]}" appears in the Logon Page Form 'Username' field.

Workaround:
This workaround is temporary, as the changes are lost after an upgrade.
Steps:
1) Create a copy of the original "main.js" file:
# cp /var/sam/www/webtop/public/include/js/modern/main.js /var/sam/www/webtop/public/include/js/modern/main.js.origin

2) Edit the file using an editor (e.g., vi):
# vi /var/sam/www/webtop/public/include/js/modern/main.js
Change
window.externalAndroidWebHost.getWebLogonUserName to window.externalAndroidWebHost.getWebLogonUserName()
and
window.externalAndroidWebHost.getWebLogonPassword to window.externalAndroidWebHost.getWebLogonPassword()

3) Restart BIG-IP.


1026781-5 : Standard HTTP monitor send strings have double CRLF appended

Links to More Info: BT1026781

Component: Local Traffic Manager

Symptoms:
Standard (bigd-based, not In-TMM) HTTP monitors have a double CRLF appended (\r\n\r\n) to the send string. This does not comply with RFC1945 section 5.1 which states requests must terminate with a single CRLF (\r\n). This non-compliant behavior can lead to unexpected results when probing servers.

Conditions:
Standard bigd (not In-TMM) HTTP monitors

Impact:
Servers probed by these non-RFC-compliant HTTP monitors may respond in an unexpected manner, resulting in false negative or false positive monitor results.

Workaround:
There are several workarounds:

1. If running 13.1.0 or later, switch monitoring from bigd-based to In-TMM. In-TMM monitors properly follow RFC1945 and send only a single CRLF (\r\n).

2. Remain with bigd-based monitoring and configure the probed servers to respond to a double CRLF (\r\n\r\n) in the desired fashion.

Depending on server configuration, a customized send string, even with the double CRLF, may still yield expected responses.


1025089-7 : Pool members marked DOWN by database monitor under heavy load and/or unstable connections

Links to More Info: BT1025089

Component: Local Traffic Manager

Symptoms:
BIG-IP database monitors (mssql, mysql, oracle, postgresql) may exhibit one of the following symptoms:

- Under heavy, sustained load, the database monitoring subsystem may become unresponsive, causing pool members to be marked DOWN and eventually causing the database monitoring daemon (DBDaemon) to restart unexpectedly.

- If the network connection to a monitored database server is unstable (experiences intermittent interruptions, drops, or latency), pool members may be marked DOWN as the result of a momentary loss of connectivity. This is more likely to occur when a database monitor is used to monitor a GTM pool member instead of an LTM pool member, due to differences between how monitors are configured for GTM versus LTM.

Conditions:
These symptoms may occur under the following conditions:

- The database monitoring subsystem may become unresponsive, and the database monitoring daemon (DBDaemon) may restart unexpectedly, if a large number of LTM or GTM pool members are being monitored by database monitors, and/or with short polling intervals ("interval" of 10 seconds or less), or when GTM pool members are monitored by database monitors with a short "probe-timeout" value (10 seconds or less).

- The GTM pool members may be marked DOWN after a single interrupted connection if they are monitored by a database monitor, configured with a short "probe-timeout" value (10 seconds or less) and "ignore-down-response" configured as "disabled" (default).

Impact:
-- High CPU utilization is observed on control plane cores.

-- The database monitoring daemon (DBDaemon) may restart unexpectedly, causing GTM or LTM pool members monitored by a database monitor to be marked DOWN temporarily.

-- GTM or LTM pool members monitored by a database monitor may be marked DOWN temporarily if the network connection to the database server is dropped or times out.

Workaround:
Perform one of the following actions:

-- Configure the database (mssql, mysql, oracle, postgresql) monitor with a "count" value of "1". This prevents the caching or reuse of network connections to the database server between probes. Thus there is no cached connection to time out or get dropped. However, the overhead of establishing the network connection to the database server will be incurred for each probe and will result in generally higher (but more consistent) CPU usage by the database monitoring daemon (DBDaemon).

-- Configure the database monitor "interval" and "timeout" values (for an LTM monitor), or the "interval", "timeout", "probe-attempts", "probe-interval" and "probe-timeout" values (for a GTM monitor) such that multiple failed monitor probes are required before the monitored member is marked DOWN, and with a minimum value of 10 seconds or greater.

Note: A restart of bigd (and consequently the DBDaemon) might be necessary to properly clear any currently stale/stuck database connections.


1024241-5 : Empty TLS records from client to BIG-IP results in SSL session termination

Links to More Info: BT1024241

Component: Local Traffic Manager

Symptoms:
After the client completes the TLS handshake with BIG-IP, when it sends an empty TLS record (zero-length cleartext), the client-to-BIG-IP SSL connection is terminated.

Conditions:
This is reported on the i7800, which has an Intel QAT crypto device.
The issue was not reported on Nitrox crypto-based BIG-IP platforms. The issue is not seen when hardware crypto is disabled.

Impact:
SSL connection termination is seen in TLS clients.

Workaround:
Disable hardware crypto acceleration.


1023889-5 : HTTP/HTTPS protocol option in storage filter does not suppress WS/WSS server->client messages

Links to More Info: BT1023889

Component: Application Security Manager

Symptoms:
The protocol filter does not suppress WS/WSS server->client messages.

Conditions:
- protocol filter is set to HTTP, HTTPS or HTTP/HTTPS
- response logging is set to For All Requests

Impact:
The remote log server receives unexpected messages.

Workaround:
None


1017841-3 : Payload manager lacks egress flow control when used through satellite

Links to More Info: BT1017841

Component: Local Traffic Manager

Symptoms:
Payload manager uses HUDEVT_PAUSE_EGRESS which is not supported by most filters and the TCP proxy. This causes payload manager to accept all egress offered regardless of the state of the lower part of the chain, leading to excessive xfrag buffering.

Conditions:
- HTTP virtual server with HTTP compression, ntlm, oneconnect
- Make a request for a very large compressible document through the VIP which results in a chunked response from server. Simulating a congested client allows the lack of flow control to be much more obvious.

Impact:
- The xfrags usage jumps proportionally to the document size requested and slowly declines as the document is transferred.
- Document transfer from server occurs without pause.


1012377-3 : Unable to display/edit 'management route' via GUI

Links to More Info: BT1012377

Component: TMOS

Symptoms:
Unable to display or edit the 'management route' via the GUI.

Conditions:
-- Viewing the management route in the GUI via System -> Platform
-- The management route is configured manually

Impact:
The management route field is blank, and you cannot make changes.

Workaround:
Display/edit the management route via tmsh:

tmsh list sys management-route
tmsh modify sys management-route <settings>

This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
