Applies To:
- BIG-IP APM 17.1.0
- BIG-IP Analytics 17.1.0
- BIG-IP Link Controller 17.1.0
- BIG-IP LTM 17.1.0
- BIG-IP PEM 17.1.0
- BIG-IP AFM 17.1.0
- BIG-IP FPS 17.1.0
- BIG-IP DNS 17.1.0
- BIG-IP ASM 17.1.0
BIG-IP Release Information
Version: 17.1.0.1
Build: 4.0
Note: This content is current as of the software release date. Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1238321-6 | CVE-2022-4304 | K000132943 | OpenSSL Vulnerability CVE-2022-4304 | 17.1.0.1 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1284969 | 1-Blocking | | Adding ssh-rsa key for passwordless authentication | 17.1.0.1 |
1273041-3 | 1-Blocking | BT1273041 | Observing config error on R2x00/R4x00 low/high devices while doing tmsh load sys config via performance scripts | 17.1.0.1 |
1226585-1 | 1-Blocking | | Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode | 17.1.0.1 |
1238693-1 | 3-Major | BT1238693 | Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519 | 17.1.0.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1267317-6 | 3-Major | BT1267317 | Disabling Access and/or WebSSO for flows cause memory leak | 17.1.0.1 |
1235085-1 | 3-Major | BT1235085 | Reinitialization of FIPS HSM in BIG-IP tenant. | 17.1.0.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1213305-6 | 3-Major | | Improper query string handling on undisclosed pages | 17.1.0.1 |
1096373-8 | 3-Major | | Unexpected parameter handling in BIG3d | 17.1.0.1 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1204961-1 | 3-Major | | Improper query string handling on undisclosed pages | 17.1.0.1 |
1204793-6 | 3-Major | | Improper query string handling on undisclosed pages | 17.1.0.1 |
Cumulative fix details for BIG-IP v17.1.0.1 that are included in this release
1284969 : Adding ssh-rsa key for passwordless authentication
Component: TMOS
Symptoms:
In FIPS 140-3 mode, SSHD does not support the ssh-rsa key for passwordless authentication.
Conditions:
The system must be in FIPS 140-3 mode.
Impact:
SSHD does not support the ssh-rsa key for passwordless authentication.
Workaround:
None
Fix:
SSHD now supports the ssh-rsa key for passwordless authentication in FIPS 140-3 mode.
Fixed Versions:
17.1.0.1
1273041-3 : Observing config error on R2x00/R4x00 low/high devices while doing tmsh load sys config via performance scripts
Links to More Info: BT1273041
Component: TMOS
Symptoms:
The following unexpected error occurs while running tmsh load sys config default:
"Invalid attempt to register an n-stage validator, the stage must be greater than the current stage, and within the range 1 to 101 inclusive, current stage: 7 registered: 5 Unexpected Error: Loading configuration process failed. , retrying 5 more times"
Conditions:
In the performance test environment, executing a script to load configurations fails.
Impact:
A config error occurs and the ptt tests cannot proceed.
Workaround:
Reboot the device.
Fix:
Executing tmsh load sys config on R2x00/R4x00 failed because the VLAN tags were not ready in time; restarting the tenant resolves the same issue.
Fixed Versions:
17.1.0.1
1267317-6 : Disabling Access and/or WebSSO for flows cause memory leak
Links to More Info: BT1267317
Component: Local Traffic Manager
Symptoms:
Disabling Access and/or WebSSO for flows using iRules causes a TMM memory leak.
Conditions:
-- Virtual server with an SSO Access profile attached.
-- Virtual server with an iRule that runs WEBSSO::disable and/or ACCESS::disable in the HTTP_REQUEST event.
Impact:
The continuous memory leak causes the system to run out of memory and reboot.
Workaround:
None
Fixed Versions:
17.1.0.1
1238693-1 : Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519
Links to More Info: BT1238693
Component: TMOS
Symptoms:
In FIPS 140-3 mode, SSHD does not support the rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms; it supports ed25519, which is not FIPS approved.
Conditions:
System must be in FIPS 140-3 mode.
Impact:
SSHD does not support the rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms; it supports ed25519, which is not FIPS approved.
Workaround:
None
Fix:
SSHD now supports the rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and rejects ed25519.
Fixed Versions:
17.1.0.1
1238321-6 : OpenSSL Vulnerability CVE-2022-4304
Links to More Info: K000132943
1235085-1 : Reinitialization of FIPS HSM in BIG-IP tenant.
Links to More Info: BT1235085
Component: Local Traffic Manager
Symptoms:
During reinitialization of the FIPS HSM in a BIG-IP tenant, the presence of existing keys is not validated.
Conditions:
The FIPS HSM in a BIG-IP tenant is already initialized and keys have been created, and then reinitialization is triggered.
Impact:
When reinitialization is triggered, the existing keys are erased without a warning to the user.
Workaround:
Before reinitializing the FIPS HSM in a BIG-IP tenant, make sure the existing keys have been deleted.
Use the following TMSH command to view the current keys:
"show sys crypto fips keys"
Fix:
When reinitialization of the FIPS HSM in a BIG-IP tenant is triggered, the existing keys are now validated and a message is displayed stating that keys are present. Delete all existing keys before reinitializing.
Fixed Versions:
17.1.0.1
1226585-1 : Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode
Component: TMOS
Symptoms:
The restnoded framework availability monitor times out while waiting for its dependencies (registration of the /mgmt/tm/*/** API endpoints for all provisioned modules), which are initialized during restjavad startup.
Conditions:
STIP mode is enabled, so the following DB variables are set to true (as shown by these commands):
tmsh list sys db security.commoncriteria
tmsh list sys db security.commoncriteria.stip
Impact:
Certain functions in the SSL Orchestrator configuration GUI are not operational or operate in a limited manner.
Fix:
You can now configure a timeout that controls how long restjavad waits for initialization to complete before programmatically restarting restnoded, so that the SSL Orchestrator app finds the dependent REST endpoints already registered.
The DB variable Restjavad.Startup.RestnodedRestart.AwaitTimeout was added with a default value of 1200 seconds.
Fixed Versions:
17.1.0.1
1213305-6 : Improper query string handling on undisclosed pages
Component: Global Traffic Manager (DNS)
Symptoms:
On undisclosed pages, query strings are not processed as expected.
Conditions:
N/A
Impact:
N/A
Workaround:
N/A
Fix:
The query string is processed as expected.
Fixed Versions:
17.1.0.1
1204961-1 : Improper query string handling on undisclosed pages
Component: Application Visibility and Reporting
Symptoms:
On undisclosed pages, query strings are not processed as expected.
Conditions:
N/A
Impact:
N/A
Workaround:
Reduce access to the control plane to trusted users.
Fix:
The query string is processed as expected.
Fixed Versions:
17.1.0.1
1204793-6 : Improper query string handling on undisclosed pages
Component: Application Visibility and Reporting
Symptoms:
On undisclosed pages, query strings are not processed as expected.
Conditions:
N/A
Impact:
N/A
Workaround:
N/A
Fix:
Query strings are processed as expected.
Fixed Versions:
17.1.0.1
1096373-8 : Unexpected parameter handling in BIG3d
Component: Global Traffic Manager (DNS)
Symptoms:
The iQuery listener does not correctly handle certain received parameters.
Conditions:
Messages sent to the iQuery listener.
Impact:
Unexpected behavior.
Workaround:
If the IP addresses or subnets of trusted mesh members are known, mesh communication security can be improved by creating a network-specific packet filter or by adding management interface firewall rules, depending on the situation.
Fix:
Parameters are handled as expected.
Fixed Versions:
17.1.0.1
Known Issues in BIG-IP v17.1.x
TMOS Issues
ID Number | Severity | Links to More Info | Description |
994033-4 | 2-Critical | BT994033 | The daemon httpd_sam does not recover automatically when terminated |
993481-5 | 2-Critical | BT993481 | Jumbo frame issue with DPDK eNIC |
950201-6 | 2-Critical | BT950201 | Tmm core on GCP |
776117-6 | 2-Critical | BT776117 | BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type |
1209709-5 | 2-Critical | BT1209709 | Memory leak in icrd_child when license is applied through BIG-IQ |
1105901-6 | 2-Critical | BT1105901 | Tmm crash while doing high-speed logging |
989501-3 | 3-Major | BT989501 | A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus |
988745-8 | 3-Major | BT988745 | On reboot, 'could not find platform object' errors may be seen in /var/log/ltm |
936093-7 | 3-Major | BT936093 | Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline |
906273-4 | 3-Major | BT906273 | MCPD crashes receiving a message from bcm56xxd |
778513-5 | 3-Major | BT778513 | APM intermittently drops log messages for per-request policies |
757787-6 | 3-Major | BT757787 | Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI. |
715748-4 | 3-Major | BT715748 | BWC: Flow fairness not in acceptable limits |
1283721-1 | 3-Major | BT1283721 | Vmtoolsd memory leak |
1253449-4 | 3-Major | BT1253449 | After publishing, the draft LTM policy configuration might not be updated (intermittently) into the bigip.conf |
1217473-1 | 3-Major | BT1217473 | All the UDP traffic is sent to a single TMM |
1215613-3 | 3-Major | BT1215613 | ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address |
1211089-4 | 3-Major | BT1211089 | Traffic to IPv6 all nodes address not received by TMM on VE with ixlv driver |
1160805-4 | 3-Major | BT1160805 | The scp-checkfp fails to cat scp.whitelist for remote admin |
1136921-6 | 3-Major | BT1136921 | BGP might delay route updates after failover |
1124733-3 | 3-Major | BT1124733 | Unnecessary internal traffic is observed on the internal tmm_bp vlan |
1117305-8 | 3-Major | BT1117305 | The non-existent URI /api returns a different error response with or without correct Basic Authorization credentials |
1112537-6 | 3-Major | BT1112537 | LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete. |
1102425-1 | 3-Major | BT1102425 | F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary |
1090313-5 | 3-Major | BT1090313 | Virtual server may remain in hardware SYN cookie mode longer than expected |
1067797 | 3-Major | BT1067797 | Trunked interfaces that share a MAC address may be assigned in the incorrect order. |
1044089-5 | 3-Major | BT1044089 | ICMP echo requests to a virtual address get a response even when the virtual server is offline after being updated from the GUI. |
1040573-5 | 3-Major | BT1040573 | REST operation takes a long time when two different users perform tasks in parallel |
1012377-3 | 3-Major | BT1012377 | Unable to display/edit 'management route' via GUI |
976517-4 | 4-Minor | BT976517 | Tmsh run sys failover standby with a device specified but no traffic group fails |
895669-4 | 4-Minor | BT895669 | VCMP host does not validate when an unsupported TurboFlex profile is configured |
857045-5 | 4-Minor | BT857045 | LDAP system authentication may stop working |
838405-5 | 4-Minor | BT838405 | Listener traffic-group may not be updated when spanning is in use |
1283749-1 | 4-Minor | BT1283749 | Systemctl start and restart fail to start the vmtoolsd service |
1270989-1 | 4-Minor | BT1270989 | REST MemcachedClient uses fixed TMM address 127.1.1.2 to connect to memcached |
1252537-4 | 4-Minor | | Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role |
1229325-1 | 4-Minor | BT1229325 | Unable to configure IP OSPF retransmit-interval as intended |
1217297 | 4-Minor | BT1217297 | Removal of guestagentd service from the list of services running inside a tenant. |
1217077-1 | 4-Minor | BT1217077 | Race condition processing network failover heartbeats with timeout of 1 second |
1211617-2 | 4-Minor | BT1211617 | High CPU utilisation observed during startup when forced BIG-IP system set offline |
1209589-5 | 4-Minor | BT1209589 | BFD multihop does not work with ECMP routes |
1185257-6 | 4-Minor | BT1185257 | BGP confederations do not support 4-byte ASNs |
1154685-4 | 4-Minor | BT1154685 | Error logged "01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object..." during startup |
1121169-5 | 4-Minor | BT1121169 | Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use |
1064753-6 | 4-Minor | BT1064753 | OSPF LSAs are dropped/rate limited incorrectly. |
1044893-4 | 4-Minor | BT1044893 | Kernel warnings from NIC driver Realtek 8139 |
1189949-4 | 5-Cosmetic | BT1189949 | The TMSH sys core is not displaying help and tab complete behavior |
Local Traffic Manager Issues
ID Number | Severity | Links to More Info | Description |
752766-4 | 1-Blocking | BT752766 | The BIG-IP system might fail to read SFPs after a reboot |
1205501-4 | 2-Critical | BT1205501 | The iRule command SSL::profile can select server SSL profile with outdated configuration |
1154465-2 | 2-Critical | BT1154465 | Error attaching few QAT devices to TMM |
1146377-6 | 2-Critical | BT1146377 | FastHTTP profiles do not insert HTTP headers triggered by iRules |
1024241-5 | 2-Critical | BT1024241 | Empty TLS records from client to BIG-IP result in SSL session termination |
975657-2 | 3-Major | BT975657 | With HTTP2 enabled, only partial sorry contents (< 32KB) can be sent to the client via HTTP::respond |
966785-5 | 3-Major | BT966785 | Rate Shaping stops TCP retransmission |
878641-7 | 3-Major | BT878641 | TLS1.3 certificate request message does not contain CAs |
842425-7 | 3-Major | BT842425 | Mirrored connections on standby are never removed in certain configurations |
693473-9 | 3-Major | BT693473 | The iRulesLX RPC completion can cause invalid or premature TCL rule resumption |
1284589-1 | 3-Major | BT1284589 | HTTP CONNECT request from client is not successful with iRule HTTP::disable discard command |
1284261-4 | 3-Major | BT1284261 | Constant traffic on DHCPv6 virtual servers may cause a TMM crash. |
1281637-2 | 3-Major | BT1281637 | When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE |
1273161-4 | 3-Major | BT1273161 | Secondary blades are unavailable, clusterd is reporting shutdown, and waiting for other blades |
1272501-1 | 3-Major | BT1272501 | Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure" |
1269733-1 | 3-Major | BT1269733 | HTTP GET request with headers has incorrect flags causing timeout |
1269709-4 | 3-Major | BT1269709 | GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles |
1238529-3 | 3-Major | BT1238529 | TMM might crash when modifying a virtual server in low memory conditions |
1238413-4 | 3-Major | BT1238413 | The BIG-IP might fail to update ARL entry for a host in a VLAN-group |
1229369-4 | 3-Major | BT1229369 | The fastl4 TOS mimic setting towards client may not function |
1210469-1 | 3-Major | BT1210469 | TMM can crash when processing AXFR query for DNSX zone |
1209945-2 | 3-Major | BT1209945 | Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs |
1205045-6 | 3-Major | BT1205045 | WMI monitor does not put pool members into an offline/unchecked state when BIG-IP receives HTTP responses other than 200 |
1126841-5 | 3-Major | BT1126841 | HTTP::enable can rarely cause cores |
1117609-5 | 3-Major | BT1117609 | VLAN guest tagging is not implemented for CX4 and CX5 on ESXi |
1110485-5 | 3-Major | BT1110485 | SSL handshake failures with invalid profile error |
1088597-6 | 3-Major | BT1088597 | TCP keepalive timer can be immediately re-scheduled in rare circumstances |
1064725-5 | 3-Major | BT1064725 | CHMAN request for tag:19 as failed. |
1059573-5 | 3-Major | BT1059573 | Variation in a case insensitive value of an operand in LTM policy may fail in some rules. |
1026781-5 | 3-Major | BT1026781 | Standard HTTP monitor send strings have double CRLF appended |
1025089-7 | 3-Major | BT1025089 | Pool members marked DOWN by database monitor under heavy load and/or unstable connections |
1017841-3 | 3-Major | BT1017841 | Payload manager lacks egress flow control when used through satellite |
1281709-4 | 4-Minor | BT1281709 | Traffic-group ID may not be updated properly on a TMM listener |
1281405-2 | 4-Minor | BT1281405 | "fipsutil fwcheck -f" command may not return a correct result |
1280769 | 4-Minor | | Fipsutil's fwcheck and fwupdate sub-commands show errors when run on R10920 and R5920 tenant. |
1269773-1 | 4-Minor | BT1269773 | Convert network-order to host-order for extensions in TLS1.3 certificate request |
1240937-4 | 4-Minor | BT1240937 | The FastL4 TOS specify setting towards server may not function for IPv6 traffic |
1238897-1 | 4-Minor | BT1238897 | TMM TCL interpreter's non-TMM "compat" memcasechr broken in 64-bit build |
1211189-4 | 4-Minor | BT1211189 | Stale connections observed and handshake failures observed with errors |
1167609-4 | 4-Minor | BT1167609 | The messages msg->ref > 0 are seen in TMM logs with websockets/ASM plugin |
1121349 | 4-Minor | BT1121349 | CPM NFA may stall due to lack of other state transition |
1034865-6 | 4-Minor | BT1034865 | CACHE::enable failed on private/no-store content |
1030093 | 4-Minor | BT1030093 | An http2 to http2 virtual connection with translate-address disabled might only use one stream on the server side. |
926085-4 | 5-Cosmetic | BT926085 | In WebUI node or port monitor test is not possible, but it works in TMSH |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Links to More Info | Description |
1267845-5 | 2-Critical | BT1267845 | ISC's internal_current function asserted because ifa_name was NULL |
1225061-1 | 2-Critical | BT1225061 | The zxfrd segfault with numerous zone transfers |
1212081-5 | 2-Critical | BT1212081 | The zxfrd segfault and restart loop due to incorrect packet processing |
1281433-1 | 3-Major | BT1281433 | Missing GTM probes on GTM server when an external monitor is attached to an additional pool |
1273141-1 | 3-Major | BT1273141 | GTM pool members are not probed and multiple GTMs are reporting inconsistent status |
1269601-1 | 3-Major | BT1269601 | Unable to delete monitor while updating DNS virtual server monitor through transaction |
1250077-6 | 3-Major | BT1250077 | TMM memory leak |
1182353-6 | 3-Major | BT1182353 | DNS cache consumes more memory because of the accumulated mesh_states |
1161241-7 | 3-Major | BT1161241 | BIND default behavior changed from 9.11 to 9.16 |
1108237-3 | 3-Major | BT1108237 | Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM. |
1082197-5 | 3-Major | BT1082197 | RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response |
1274385-1 | 5-Cosmetic | BT1274385 | BIGIP-DNS GUI delivery summary stats shows incorrect count for "Disabled" GTM listeners |
Application Security Manager Issues
ID Number | Severity | Links to More Info | Description |
1284081-1 | 1-Blocking | BT1284081 | Incorrect Enforcement After Sync |
923821-5 | 2-Critical | BT923821 | Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack |
850141-5 | 2-Critical | BT850141 | Possible tmm core when using Dosl7/Bot Defense profile |
1282281-5 | 2-Critical | BT1282281 | Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns |
1217549-4 | 2-Critical | BT1217549 | Missed ASM Sync on startup |
890169-6 | 3-Major | BT890169 | URLs starting with double slashes might not be loaded when using a Bot Defense Profile. |
1281381-1 | 3-Major | | BD fails to load config when the virtual server name is longer than 64 characters |
1280813-3 | 3-Major | BT1280813 | Illegal URL violation triggered after upgrade due to missing content-profiles in DB |
1271469-5 | 3-Major | BT1271469 | Failed to install ASU file scheduled for install |
1270133-1 | 3-Major | | bd crash during configuration update |
1250209-1 | 3-Major | BT1250209 | The message "ERR: in Graphql disallowed response, pcre is null" appears in BD logs |
1239297 | 3-Major | BT1239297 | TMM URL web scraping limit not synced to secondary slot 2 in VIPRION chassis |
1235337-2 | 3-Major | BT1235337 | The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL |
1216297-3 | 3-Major | | TMM core occurs when disabling ASM in the request_send event |
1211905-3 | 3-Major | BT1211905 | Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts" |
1210321-2 | 3-Major | BT1210321 | Parameters are not created for properties defined in a multipart request body when the URL includes a path parameter |
1196537-5 | 3-Major | BT1196537 | BD process crashes when you use SMTP security profile |
1196185-1 | 3-Major | BT1196185 | Policy Version History is not presented correctly with scrolling |
1194173-5 | 3-Major | | BIG-IP does not block the request when a cookie parameter has a URL-encoded base64 padding value |
1190365-1 | 3-Major | BT1190365 | OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly |
1186401-4 | 3-Major | BT1186401 | Using REST API to change policy signature settings changes all the signatures. |
1184841-6 | 3-Major | | Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API |
1173493-2 | 3-Major | | Bot signature staging timestamp corrupted after modifying the profile |
1156889-5 | 3-Major | BT1156889 | TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions |
1148009-8 | 3-Major | BT1148009 | Cannot sync an ASM logging profile on a local-only VIP |
1144497-5 | 3-Major | | Base64 encoded metachars are not detected on HTTP headers |
1137993-6 | 3-Major | BT1137993 | Violation is not triggered on specific configuration |
1132981-5 | 3-Major | BT1132981 | Standby not persisting manually added session tracking records |
1132741-7 | 3-Major | BT1132741 | Tmm core when html parser scans an endless html tag larger than 50 MB |
1117245-5 | 3-Major | BT1117245 | Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file |
1098609-3 | 3-Major | | BD crash on specific scenario |
1078065-5 | 3-Major | BT1078065 | The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA. |
1069729-4 | 3-Major | BT1069729 | TMM might crash after a configuration change. |
1067557-5 | 3-Major | | Value masking under XML and JSON content profiles does not follow policy case sensitivity |
1059513-3 | 3-Major | BT1059513 | Virtual servers may appear as detached from security policy when they are not. |
1048949-8 | 3-Major | BT1048949 | TMM xdata leak on websocket connection with asm policy without websocket profile |
1023889-5 | 3-Major | BT1023889 | HTTP/HTTPS protocol option in storage filter does not suppress WS/WSS server->client messages |
987977-1 | 4-Minor | BT987977 | VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation |
1284097-1 | 4-Minor | BT1284097 | False positive 'Illegal cross-origin request' violation |
1245209-1 | 4-Minor | BT1245209 | Introspection query violation is reported regardless of the flag status |
1210569-1 | 4-Minor | BT1210569 | User defined signature rule disappears when using high ASCII in rule |
1210053-3 | 4-Minor | BT1210053 | The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error |
1189865-5 | 4-Minor | BT1189865 | "Cookie not RFC-compliant" violation missing the "Description" in the event logs |
1123153-5 | 4-Minor | | "Such URL does not exist in policy" error in the GUI |
1113753-5 | 4-Minor | | Signatures might not be detected when using truncated multipart requests |
1084857-6 | 4-Minor | BT1084857 | ASM::support_id iRule command does not display the 20th digit |
1083513-4 | 4-Minor | BT1083513 | BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd |
1076825-3 | 4-Minor | BT1076825 | "Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases. |
1030129-5 | 5-Cosmetic | BT1030129 | iHealth unnecessarily flags qkview for H701182 with mcp_module.xml |
Access Policy Manager Issues
ID Number | Severity | Links to More Info | Description |
1282769-1 | 2-Critical | | Localdb user can change the password of other user |
1282105 | 2-Critical | BT1282105 | Assertion response attributes parsing issue after upgrade to BIG-IP 17.1.0 |
1270501 | 2-Critical | BT1270501 | Before upgrade, if the log level is configured as debug, APMD continuously restarts with a coredump |
1111149-4 | 2-Critical | BT1111149 | Nlad core observed because ERR_func_error_string can return NULL |
1110489-4 | 2-Critical | BT1110489 | TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event |
1083053-4 | 2-Critical | BT1083053 | Apmd memory grows over time in AD auth scenarios |
967185-3 | 3-Major | BT967185 | Increase the size limit of JWT for OAuth |
796065-3 | 3-Major | BT796065 | PingAccess filter can accumulate connections increasing memory use. |
1273881-3 | 3-Major | BT1273881 | TMM crashes while processing traffic on the virtual server |
1268521-1 | 3-Major | BT1268521 | SAML authentication with the VCS fails when launching the applications/remote desktops from the APM Webtop when multiple RD resources are assigned to the APM Webtop |
1232977-4 | 3-Major | BT1232977 | TMM leaking memory in OAuth scope identifiers when parsing scope lists |
1207821-1 | 3-Major | BT1207821 | APM internal virtual server leaks memory under certain conditions |
1180365-3 | 3-Major | | APM Integration with Citrix Cloud Connector |
1060477-2 | 3-Major | BT1060477 | iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]". |
1044457-4 | 3-Major | BT1044457 | APM webtop VPN is no longer working for some users when CodeIntegrity is enabled. |
1041985-5 | 3-Major | BT1041985 | TMM memory utilization increases after upgrade |
936061-4 | 4-Minor | BT936061 | Variable session.user.agent missing for Edge Client & F5 Access clients |
1218813-6 | 4-Minor | BT1218813 | "Timeout waiting for TMM to release running semaphore" after running platform_diag |
1028081-3 | 4-Minor | BT1028081 | [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page |
Service Provider Issues
ID Number | Severity | Links to More Info | Description |
1270497-3 | 2-Critical | BT1270497 | MRF SIP/ALG Core dump observed while accessing trans_data in sipmsg_register_ingress_register_request_session_reply_common method |
1269889-1 | 2-Critical | | LTM crashes are observed while running SIP traffic and pool members are offline |
1239901-3 | 2-Critical | | LTM crashes while running SIP traffic |
1189513-6 | 3-Major | BT1189513 | SIP media flow pinholes are not created if an SDP MIME multipart body part is missing the content-length header |
1156149-5 | 3-Major | BT1156149 | Early responses on standby may cause TMM to crash |
1038057-5 | 3-Major | BT1038057 | Unable to add a serverssl profile into a virtual server containing a FIX profile |
1251013-1 | 4-Minor | BT1251013 | Allow non-RFC compliant URI characters |
1249929-2 | 4-Minor | BT1249929 | Diameter MRF sends CER to pool-member even after peer sent DPR and force-offline the pool member |
1213469-5 | 4-Minor | BT1213469 | MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP dropped |
Advanced Firewall Manager Issues
ID Number | Severity | Links to More Info | Description |
609878-8 | 2-Critical | BT609878 | Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server |
1215161-4 | 2-Critical | BT1215161 | A new CLI option introduced to display rule-number for policy, rules and rule-lists |
1106273-5 | 2-Critical | BT1106273 | "duplicate priming" assert in IPSECALG |
1080957-1 | 2-Critical | BT1080957 | TMM Seg fault while Offloading virtual server DOS attack to HW |
1048425-6 | 2-Critical | BT1048425 | Packet tester crashes TMM when vlan external source-checking is enabled |
1238629-2 | 3-Major | BT1238629 | TMM core when client sends nxdomain query with BA enabled |
1199025-3 | 3-Major | BT1199025 | DNS vectors auto-threshold events are not seen in webUI |
1196053-4 | 3-Major | BT1196053 | The autodosd log file is not truncating when it rotates |
1190765-1 | 3-Major | | VelOS / Zone Base DDOS / Aggregation, BD: Seeing Entries in sPVA Registers are not getting reset once the attack is completed |
1167969-2 | 3-Major | BT1167969 | In DoS Profile level, the Flood attack Vectors with TCP and UDP, Hardware offloading is not working as expected |
1110281-7 | 3-Major | BT1110281 | Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable |
1277641 | 4-Minor | BT1277641 | DoS / i-series: After mitigation of bad destination at profile level, bd_hit is not incrementing for host unreachable vector. |
1251105-1 | 4-Minor | BT1251105 | DoS Overview (non-HTTP) - A null pointer was passed into a function |
1215401-2 | 4-Minor | | Under Shared Objects, some country names are not available to select in the Address List |
1069265 | 4-Minor | BT1069265 | New connections or packets from the same source IP and source port can cause unnecessary port block allocations. |
Policy Enforcement Manager Issues
ID Number | Severity | Links to More Info | Description |
1186925-6 | 2-Critical | BT1186925 | When FUA in CCA-i, PEM does not send CCR-u for other rating-groups |
1259489-2 | 3-Major | BT1259489 | PEM subsystem memory leak is observed when using PEM::subscriber information |
1238249-5 | 3-Major | BT1238249 | PEM Report Usage Flow log is inaccurate |
1226121-5 | 3-Major | BT1226121 | TMM crashes when PEM logging is enabled on a session |
1207381 | 3-Major | BT1207381 | PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored |
1190353-4 | 3-Major | BT1190353 | The wr_urldbd BrightCloud database downloading from a proxy server is not working |
1174085-7 | 3-Major | BT1174085 | spmdb_session_hash_entry_delete releases the hash's reference |
Carrier-Grade NAT Issues
ID Number | Severity | Links to More Info | Description |
1128429-7 | 4-Minor | BT1128429 | Rebooting one or more blades at different times may cause a traffic imbalance resulting in high CPU |
Fraud Protection Services Issues
ID Number | Severity | Links to More Info | Description |
1060393-3 | 3-Major | BT1060393 | Extended high CPU usage caused by JavaScript Obfuscator. |
Anomaly Detection Services Issues
ID Number | Severity | Links to More Info | Description |
1211297-1 | 2-Critical | | Handling DoS profiles created dynamically using iRule and L7Policy |
1046469-4 | 3-Major | BT1046469 | Memory leak during large attack |
Device Management Issues
ID Number | Severity | Links to More Info | Description |
1196477-8 | 3-Major | BT1196477 | Request timeout in restnoded |
1049237-6 | 4-Minor | BT1049237 | Restjavad may fail to clean up UCS file handles even with the ID767613 fix |
In-tmm monitors Issues
ID Number | Severity | Links to More Info | Description |
1211985-6 | 3-Major | BT1211985 | BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring |
Known Issue details for BIG-IP v17.1.x
994033-4 : The daemon httpd_sam does not recover automatically when terminated
Links to More Info: BT994033
Component: TMOS
Symptoms:
The APM policy redirects users to an incorrect domain, and the httpd_sam daemon is not running.
Conditions:
Daemon httpd_sam stopped with the terminate command.
Impact:
APM policy performing incorrect redirects.
Workaround:
Restart the daemons httpd_apm and httpd_sam.
993481-5 : Jumbo frame issue with DPDK eNIC
Links to More Info: BT993481
Component: TMOS
Symptoms:
TMM crashes
Conditions:
-- TMM is using DPDK driver with Cisco eNIC
-- TMM receives jumbo sized packet
Impact:
Traffic disrupted while TMM restarts.
Workaround:
- Use a different driver such as sock.
- Do not use or accept jumbo frames, use the following TMSH command to set the MTU to less than or equal to 1500:
tmsh modify net vlan external mtu 1500
989501-3 : A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus
Links to More Info: BT989501
Component: TMOS
Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might fall or drop off of PCI bus, resulting in the BIG-IP system not being able to process traffic. If this happens, a daemon_heartbeat failsafe gets triggered instead of dataplane_inoperable_t action.
Conditions:
The conditions that lead to HSB to fall off of PCI bus are unknown at this time.
Impact:
The BIG-IP system is unable to pass traffic and a failover is triggered.
Workaround:
Reboot the device or the blade to recover from the situation and monitor for re-occurrence. If it happens again, it could indicate potential underlying hardware issue.
988745-8 : On reboot, 'could not find platform object' errors may be seen in /var/log/ltm
Links to More Info: BT988745
Component: TMOS
Symptoms:
During a reboot, several error messages are logged in /var/log/ltm:
-- err mcpd[9401]: 01070710:3: Database error (0), get_platform_obj: could not find platform object - sys/validation/Platform.cpp, line 188.
-- err chmand[6578]: 012a0003:3: hal_mcp_process_error: result_code=0x1070710 for result_operation=eom result_type=eom
Conditions:
This occurs when either of the following conditions is met:
-- A fresh installation of a BIG-IP system.
-- A reboot after forcing the mcpd process to reload the BIG-IP configuration.
Impact:
There is no functional impact to these error messages.
Workaround:
None.
987977-1 : VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation
Links to More Info: BT987977
Component: Application Security Manager
Symptoms:
Remote logging message, violation_details field, includes XML document for VIOL_HTTP_RESPONSE_STATUS even though there was no VIOL_HTTP_RESPONSE_STATUS violation triggered.
Conditions:
When all of the following conditions are met:
-- Response status code is not one of 'Allowed Response Status Codes'.
-- Alarm/Block flags are disabled with 'Illegal HTTP status in response'.
-- Logging profile is configured for remote storage.
-- Storage format is comma-separated.
-- Both violation_details and violations fields are set.
Impact:
Remote logging server receives inaccurate message.
Workaround:
None
976517-4 : Tmsh run sys failover standby with a device specified but no traffic group fails
Links to More Info: BT976517
Component: TMOS
Symptoms:
The tmsh run /sys failover standby device <device> command fails and returns an error if no traffic-group is specified:
Syntax Error: There is no failover device with a name (/Common/bigip2.localhost).
Conditions:
Two or more BIG-IPs configured with high availability (HA)
Impact:
You are required to specify all the traffic groups you want to failover to a peer.
Workaround:
For each traffic group that you want to fail over to a peer, run tmsh run /sys failover standby with that traffic group specified.
For example, to fail over both traffic-group-1 and traffic-group-2 to bigip2.localhost, run the following:
tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-1
tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-2
If you want the device to be standby for all traffic groups but you don't care what device takes over as active, run the following command (note there is no traffic-group nor device):
tmsh run /sys failover standby
975657-2 : With HTTP2 enabled, only partial sorry contents (< 32KB) can be sent to the client via HTTP::respond
Links to More Info: BT975657
Component: Local Traffic Manager
Symptoms:
Only partial content (up to the maximum allowed "write-size" in the HTTP2 profile, i.e. 32KB) can be sent to the client via the HTTP::respond iRule command.
Conditions:
-- HTTP2 enabled on virtual server
-- Content sent by the iRule exceeds 32KB
Impact:
Client fails to receive the whole content
967185-3 : Increase the size limit of JWT for OAuth
Links to More Info: BT967185
Component: Access Policy Manager
Symptoms:
Currently, the allowed payload size for a JWT is 4K. Users whose claims exceed that length are unable to authenticate.
Conditions:
OAuth is configured with JWT.
Impact:
Users whose claims exceed the 4K limit are unable to authenticate.
966785-5 : Rate Shaping stops TCP retransmission
Links to More Info: BT966785
Component: Local Traffic Manager
Symptoms:
When rate shaping is applied to a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.
Conditions:
This issue occurs when both of the following conditions are met:
-- Virtual server configured with a rate shaping.
-- Standard type of virtual server.
Impact:
The BIG-IP system does not retransmit unacknowledged data segments.
Workaround:
None
950201-6 : Tmm core on GCP
Links to More Info: BT950201
Component: TMOS
Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.
TMM panic with this message in a tmm log file:
panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.
Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141
-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.
Note: Using either workaround has a performance impact.
936093-7 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline
Links to More Info: BT936093
Component: TMOS
Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.
Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.
Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.
Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:
/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr
This can be accomplished using a command such as:
truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr
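The following script is an added example and is not part of the F5 article; it turns the truncate step above into a pre-UCS check that lists any of the three fipserr files that are non-empty, and a separate step that empties them (the loop has the same effect as the truncate -c -s0 command above: existing files are emptied, missing files are skipped). FIPSERR_FILES is an assumed environment override so the check can be exercised against scratch copies rather than the live paths.

```shell
#!/bin/sh
# Added example (not F5's own tooling): guard against archiving non-empty
# fipserr files. FIPSERR_FILES is an assumed override; it defaults to the three
# paths named in the workaround.

FIPSERR_FILES="${FIPSERR_FILES:-/config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr}"

# Print every listed fipserr file that exists and is non-empty.
# Returns 0 if all are empty or missing (safe to archive), 1 otherwise.
fipserr_clean() {
    _clean=0
    for f in $FIPSERR_FILES; do
        if [ -s "$f" ]; then
            printf '%s\n' "$f"
            _clean=1
        fi
    done
    return $_clean
}

# Empty every listed fipserr file that exists; missing files are left missing.
truncate_fipserr() {
    for f in $FIPSERR_FILES; do
        if [ -e "$f" ]; then
            : > "$f" || return 1
        fi
    done
}

# Live-system entry point: refuse to build the archive until the files are empty.
# "tmsh save sys ucs <name>" is the UCS save command; run as: save_ucs_safely mybackup
save_ucs_safely() {
    if ! fipserr_clean >/dev/null; then
        echo "non-empty fipserr files found; run truncate_fipserr first" >&2
        return 1
    fi
    tmsh save sys ucs "$1"
}
```

Run fipserr_clean first and review what it lists: a non-empty fipserr on a Platform FIPS system is the record of a real HSM failure, so look at its contents before emptying it and archiving.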
936061-4 : Variable session.user.agent missing for Edge Client & F5 Access clients
Links to More Info: BT936061
Component: Access Policy Manager
Symptoms:
When connecting with Edge Client & F5 Access clients the BIG-IP APM session variable session.user.agent is missing from APM sessions.
Conditions:
BIG-IP APM
Edge Client & F5 Access clients
Impact:
Session variable session.user.agent cannot be used for BIG-IP APM Access Policy logic flows
Workaround:
An iRule can be used to populate a similar session variable. For example:
# This event fires once per session
when ACCESS_SESSION_STARTED {
    log local0. "Setting User-Agent based on HTTP data - [HTTP::header User-Agent]"
    ACCESS::session data set session.custom.client.useragent [HTTP::header User-Agent]
    # Use this variable in the VPE to make a decision
}
926085-4 : In WebUI node or port monitor test is not possible, but it works in TMSH
Links to More Info: BT926085
Component: Local Traffic Manager
Symptoms:
When attempting to test a newly created Pool Member monitor, the node address field is disabled and you cannot enter a node address. This prevents you from using the Test operation to test this type of monitor in the WebUI.
Conditions:
-- Create a new Pool Member monitor (not a Node Address monitor). For example, HTTP, HTTPS, FTP, TCP, or Gateway ICMP.
-- With the monitor configuration displayed in the WebUI, click the Test tab.
-- View the Address field, and try to run the test.
Impact:
The Address field is disabled, with *.* in the field. You cannot enter a node address. The test fails with following message:
invalid monitor destination of *.*:80.
invalid monitor destination of *.*:443. (:port used to test)
Workaround:
Run either of the following TMSH commands:
-- tmsh run ltm monitor <type> <name> destination <IP address>:<port>
-- tmsh modify ltm monitor <type> <name> destination *:*
For example, for HTTP:
-- tmsh run ltm monitor http my_http destination <IP address>:<port>
-- tmsh modify ltm monitor http my_http destination *:*
For example, for HTTPS:
-- tmsh run ltm monitor https my_https destination <IP address>:<port>
-- tmsh modify ltm monitor https my_https destination *:*
923821-5 : Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack
Links to More Info: BT923821
Component: Application Security Manager
Symptoms:
When the mitigation action is set to CSI followed by captcha for a credential stuffing attack, the captcha is not triggered even after a successful CSI challenge.
Conditions:
1) The mitigation action is set to CSI followed by captcha for a credential stuffing attack.
2) A credential stuffing attack occurs.
3) The CSI challenge succeeds.
Impact:
The captcha is not triggered, so the credential stuffing attack receives less than the configured mitigation.
Workaround:
None
906273-4 : MCPD crashes receiving a message from bcm56xxd
Links to More Info: BT906273
Component: TMOS
Symptoms:
Under rare circumstances, the Broadcom switch daemon bcm56xxd can send more than one message at a time to MCPD.
This can cause MCPD to either fail immediately or have it hang and be terminated by sod 5 minutes later.
One of the messages being sent is in response to a link status change. The second message is a reply to a query, for instance a query for l2 forward statistics.
Conditions:
- BIG-IP with a Broadcom switch.
- A link status change occurs.
- MCPD sends a query to bcm56xxd, that is, for l2 forward statistics.
Impact:
MCPD failure and restarts causing a failover.
Workaround:
None
895669-4 : VCMP host does not validate when an unsupported TurboFlex profile is configured
Links to More Info: BT895669
Component: TMOS
Symptoms:
There is no validation error when an unsupported TurboFlex profile is configured on a vCMP host on the relevant platforms. Because of this lack of validation, incorrect FPGA firmware can be loaded on the host, and a guest may fail to start or may reboot constantly.
Conditions:
(1) Provision vCMP on the host and deploy 2x guests with 4 cores
(2) On the vCMP host, manually change TurboFlex profile type to be one that it does not support.
Impact:
Incorrect FPGA firmware is loaded on the host, which can cause problems with the data plane on the guest.
Workaround:
Only use supported turboflex profiles.
890169-6 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
Links to More Info: BT890169
Component: Application Security Manager
Symptoms:
When a URL starts with double slashes (i.e. "http://HOST//path") and the Bot Defense Profile decides to perform a simple redirect, the request fails to load.
Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.
Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.
Workaround:
None.
878641-7 : TLS1.3 certificate request message does not contain CAs
Links to More Info: BT878641
Component: Local Traffic Manager
Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4
Conditions:
TLS1.3 and client authentication
Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected
857045-5 : LDAP system authentication may stop working
Links to More Info: BT857045
Component: TMOS
Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.
In /var/log/daemon.log, you may see the following:
warning systemd[1]: nslcd.service failed
Conditions:
Nslcd daemon crashed, and it fails to restart.
Impact:
System authentication stops working until nslcd is restarted.
Workaround:
Manually restart nslcd daemon:
systemctl start nslcd
nslcd can be reconfigured to restart automatically and create core files when it crashes, though these changes will be lost across software installs (and are not backed up as part of a UCS archive):
1. Run "systemctl edit nslcd", which will open a text editor (by default, nano).
2. In the text editor, add these contents:
[Service]
# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always
3. Exit the text editor and save the file
4. Check the output of "systemctl status nslcd" for any warnings/errors from systemd as a result of editing the file; there should not be any.
5. Restart nslcd:
systemctl restart nslcd
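The following script is an added example and is not part of the F5 article; it performs steps 1 through 5 above non-interactively. "systemctl edit nslcd" creates /etc/systemd/system/nslcd.service.d/override.conf, so writing that file directly and running "systemctl daemon-reload" is equivalent. SYSTEMD_DROPIN_ROOT is an assumed environment override so the functions can be exercised against a scratch directory rather than the live system, and the daemon.log line checked by nslcd_failed_in_log is a constructed sample.

```shell
#!/bin/sh
# Added example (not F5's own tooling): apply the nslcd systemd drop-in
# from the workaround without an interactive editor, then verify it.
# SYSTEMD_DROPIN_ROOT is an assumed override; it defaults to the real
# location that "systemctl edit" writes to.

SYSTEMD_DROPIN_ROOT="${SYSTEMD_DROPIN_ROOT:-/etc/systemd/system}"

# Write the drop-in with exactly the contents given in step 2 and print its path.
write_nslcd_override() {
    _dir="$SYSTEMD_DROPIN_ROOT/nslcd.service.d"
    mkdir -p "$_dir" || return 1
    cat > "$_dir/override.conf" <<'EOF'
[Service]
# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always
EOF
    printf '%s\n' "$_dir/override.conf"
}

# Return 0 only when the drop-in exists and carries both settings under [Service].
verify_nslcd_override() {
    _f="$SYSTEMD_DROPIN_ROOT/nslcd.service.d/override.conf"
    [ -f "$_f" ] || return 1
    grep -q '^\[Service\]$' "$_f" || return 1
    grep -q '^LimitCORE=infinity$' "$_f" || return 1
    grep -q '^Restart=always$' "$_f"
}

# Return 0 if the daemon.log lines read on stdin contain the failure signature
# from the Symptoms section ("nslcd.service failed").
nslcd_failed_in_log() {
    grep -q 'nslcd\.service failed'
}

# Live-system entry point (needs root): write, verify, reload systemd, restart nslcd.
apply_nslcd_override() {
    write_nslcd_override >/dev/null || return 1
    verify_nslcd_override || return 1
    systemctl daemon-reload && systemctl restart nslcd
}
```

Run apply_nslcd_override on the BIG-IP after each software install, since the drop-in is not carried across installs or UCS archives; "systemctl status nslcd" afterwards should show no warnings about the override.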
850141-5 : Possible tmm core when using Dosl7/Bot Defense profile
Links to More Info: BT850141
Component: Application Security Manager
Symptoms:
Tmm crashes.
Conditions:
-- Dosl7/Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature and requires a rDNS.
-- An asynchronous iRule is attached to the virtual server
OR:
-- Device ID feature is enabled, and the current request requires a complex Device ID generation.
-- The connection is closed before the response arrives.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
842425-7 : Mirrored connections on standby are never removed in certain configurations
Links to More Info: BT842425
Component: Local Traffic Manager
Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.
Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.
Impact:
Leaking connections on the standby system.
Workaround:
You can use either of the following workarounds:
-- Use auto-lasthop with mirrored connections.
-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.
838405-5 : Listener traffic-group may not be updated when spanning is in use
Links to More Info: BT838405
Component: TMOS
Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.
Conditions:
Spanning is disabled or enabled on a virtual address.
Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.
Depending on the configuration, virtual server may or may not forward the traffic when expected.
Workaround:
Enable/Disable spanning together with changing a traffic-group (both options have to be changed simultaneously):
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-2 spanning disabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled
796065-3 : PingAccess filter can accumulate connections increasing memory use.
Links to More Info: BT796065
Component: Access Policy Manager
Symptoms:
Currently the maximum http header count value for ping access is 64. The connection to the backend is aborted if there are more than 64 headers.
Conditions:
1. Ping access is configured.
2. The HTTP header count is more than 64.
Impact:
The connection is aborted by the BIG-IP system and users are unable to access the backend.
Workaround:
None
778513-5 : APM intermittently drops log messages for per-request policies
Links to More Info: BT778513
Component: TMOS
Symptoms:
APM may intermittently drop log messages, leading to missing information on policy execution or other events.
Conditions:
This might occur under either of the following conditions:
-- Using APM per-request policies, or ACCESS::log iRule commands.
-- APM is configured to use multiple log destinations (such as: local-db and local-syslog).
Impact:
Administrators may be missing certain logging events, hindering troubleshooting or auditing efforts.
Workaround:
No workaround is possible.
When reviewing APM logs, keep in mind that during periods of high activity (greater than 100 log messages in 1-to-2 seconds) that the system may drop some log messages.
776117-6 : BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type
Links to More Info: BT776117
Component: TMOS
Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type.
Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor.
Impact:
The BIG-IP will not use the virtio driver, using the sock (or unic, in versions prior to 14.1.0) driver instead.
757787-6 : Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI.
Links to More Info: BT757787
Component: TMOS
Symptoms:
When creating a new rule or modifying an existing rule in an LTM/AFM Policy using the WebUI, the operation fails and an error similar to the following is returned:
Transaction failed:010715bd:3: The parent folder is owned by application service (/Common/MyPolicy.app/MyPolicy), the object ownership cannot be changed to ().
Conditions:
-- The LTM/AFM Policy belongs to an Application Service (iApp).
-- The modification is attempted via the WebUI.
Impact:
Unable to make changes to existing LTM/AFM Policies.
Workaround:
Use the tmsh utility to make the necessary modifications to the LTM/AFM Policy. For example, the following command modifies an existing rule:
tmsh modify ltm policy myapp.app/Drafts/myapp_l7policy rules modify { 0 { conditions modify { 0 { http-method equals values { GET POST } } } } }
752766-4 : The BIG-IP system might fail to read SFPs after a reboot
Links to More Info: BT752766
Component: Local Traffic Manager
Symptoms:
SFP interfaces are reported as missing:
# tmsh show net interface 2.0
--------------------------------------------------------
Net::Interface
Name Status Bits Bits Pkts Pkts Drops Errs Media
In Out In Out
--------------------------------------------------------
2.0 miss 0 0 0 0 0 0 none
sys ha-status will report tmm ready-for-world as failed:
# tmsh show sys ha-status
-------------------------------------------------------------------------
Sys::HA Status
Feature Key Action Fail
-------------------------------------------------------------------------
ready-for-world tmm none yes
ready-for-world tmm1 none yes
ready-for-world tmm2 none yes
ready-for-world tmm3 none yes
ready-for-world tmm4 none yes
ready-for-world tmm5 none yes
Conditions:
This has been seen on the i15800 and i11000 series BIG-IP platforms immediately after the system boots.
Impact:
The BIG-IP system does not become ready after a reboot.
Workaround:
If the system is in this state, restart tmm:
# tmsh restart sys service tmm
715748-4 : BWC: Flow fairness not in acceptable limits
Links to More Info: BT715748
Component: TMOS
Symptoms:
Flow fairness for BWC dynamic policy instance has reduced.
Conditions:
The flow fairness is up to 50%. It is expected to be within 25%.
Impact:
Flow fairness of BWC dynamic policy across sessions is not as expected.
693473-9 : The iRulesLX RPC completion can cause invalid or premature TCL rule resumption
Links to More Info: BT693473
Component: Local Traffic Manager
Symptoms:
When an iRulesLX RPC call is outstanding and the flow is aborted, the RPC completion attempts to resume the RPC iRule execution during subsequent iRule activity on the flow (CLIENT_CLOSED or SERVER_CLOSED, for instance), which keeps the flow alive and blocks in an iRule event.
Conditions:
An RPC call is outstanding when the flow is aborted, and a later iRule event on that flow blocks.
Impact:
The later iRule event blocks while the RPC call is outstanding, and the RPC completion can resume the TCL rule invalidly or prematurely.
Workaround:
None
609878-8 : Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server
Links to More Info: BT609878
Component: Advanced Firewall Manager
Symptoms:
When loose-init is set, every ACK packet is allowed to create a connection, so there is never a "Bad ACK" to drop. This behavior is by design; be aware of this side effect when enabling the option.
Conditions:
This issue will be seen when loose-init is enabled on the fastL4 profile and when the box is flooded with asymmetric ACK packets (or) Bad-Acks.
Impact:
Enabling loose initiation may make the BIG-IP system more vulnerable to denial of service attacks.
Workaround:
When loose-init is set in the fastL4 profile, enable a connection limit on the virtual server and configure an eviction policy to prevent flow-table exhaustion.
1284589-1 : HTTP CONNECT request from client is not successful with iRule HTTP::disable discard command
Links to More Info: BT1284589
Component: Local Traffic Manager
Symptoms:
When you use the HTTP::disable discard command, the proxy CONNECT to the server is not established.
Conditions:
-- A basic HTTP virtual server.
-- An iRule such as the following is attached:
when HTTP_REQUEST {
    HTTP::disable discard
    node <ip> <port>
}
Impact:
HTTP CONNECT requests from clients hang.
Workaround:
Use the HTTP::disable command without the discard argument.
1284261-4 : Constant traffic on DHCPv6 virtual servers may cause a TMM crash.
Links to More Info: BT1284261
Component: Local Traffic Manager
Symptoms:
TMM may crash/core if there is a constant stream of DHCP traffic from the server towards the clients, not allowing a connection timeout.
Conditions:
Constant stream of traffic coming from DHCP server not allowing a connection timeout.
Very aggressive lease settings that cause constant lease refreshes are one configuration that can lead to this problem.
Impact:
Failover/crash.
1284097-1 : False positive 'Illegal cross-origin request' violation
Links to More Info: BT1284097
Component: Application Security Manager
Symptoms:
Under certain configurations, an HTTP request whose Origin header carries an HTTPS value may be blocked with an 'Illegal cross-origin request' violation.
Conditions:
A request that is sent to a virtual server with an HTTP port, that has an Origin header with HTTPS value, will trigger the violation under the following conditions:
1) 'Illegal cross-origin request' violation is enabled.
2) In Security ›› Application Security : Security Policies : Policies List ›› Auto_Security_Policy_Services ›› Headers ›› Host Names -> is configured with the Origin header value.
3) The URL to where the request is sent has 'Enforce on ASM' in 'HTML5 Cross-Domain Request' configuration enabled.
Impact:
'Illegal cross-origin request' violation is reported in version 17.1.x unlike version 16.1.x with the same configurations and the same traffic.
Workaround:
Add HTTPS protocol and Origin name to the desired URL in 'Allowed Origins' that is located in 'HTML5 Cross-Domain Request'
1284081-1 : Incorrect Enforcement After Sync
Links to More Info: BT1284081
Component: Application Security Manager
Symptoms:
In some scenarios, configuration updates are not sent to the enforcer, which can cause unexpected enforcement.
Conditions:
A large configuration is synchronized to a device.
Impact:
Incorrect policy enforcement.
Workaround:
1) Apply each policy individually on the affected devices/blades
or
2) Restart ASM on the affected devices and blades
1283749-1 : Systemctl start and restart fail to start the vmtoolsd service
Links to More Info: BT1283749
Component: TMOS
Symptoms:
Because the unit declares a dependency on a unit that does not exist, systemctl start and restart fail to start the vmtoolsd service.
Following is the reported error:
# systemctl restart vmtoolsd.service
Failed to restart vmtoolsd.service: Unit not found.
systemctl stop is not affected.
Conditions:
BIG-IP VE on VMware.
Impact:
Unable to start/restart the vmtoolsd service.
Workaround:
systemctl restart --ignore-dependencies vmtoolsd.service
or
systemctl start --ignore-dependencies vmtoolsd.service
1283721-1 : Vmtoolsd memory leak
Links to More Info: BT1283721
Component: TMOS
Symptoms:
The vmtoolsd service leaks memory on VMware BIG-IP VE guests when the disk type is IDE or any disk type other than SCSI.
Conditions:
VMware BIG-IP VE guest
Disk type of IDE or another type that is not SCSI.
Impact:
The VE will eventually run out of memory.
Workaround:
1. Create the file /etc/vmware-tools/tools.conf and add the following to the file:
[guestinfo]
# disable scan for disk device info
diskinfo-report-device=false
2. Restart the vmtoolsd service:
systemctl restart --ignore-dependencies vmtoolsd.service
Note: "guestinfo" must be entirely lower case. The workaround does not work if any letter is upper case, including "guestInfo", which was the workaround reported in https://github.com/vmware/open-vm-tools/issues/452.
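The following script is an added example and is not part of the F5 article or of open-vm-tools; it writes the tools.conf fragment from step 1 and then verifies that the diskinfo setting sits under a section header that is exactly "[guestinfo]" in lower case, so a mis-cased header such as "[guestInfo]" is caught before the service is restarted. TOOLS_CONF is an assumed environment override so the functions can run against a scratch file instead of /etc/vmware-tools/tools.conf.

```shell
#!/bin/sh
# Added example (not F5's or VMware's own tooling): write and validate the
# tools.conf workaround. TOOLS_CONF is an assumed override; it defaults to the
# path named in the workaround.

TOOLS_CONF="${TOOLS_CONF:-/etc/vmware-tools/tools.conf}"

# Write the file exactly as step 1 of the workaround specifies.
write_tools_conf() {
    mkdir -p "$(dirname "$TOOLS_CONF")" || return 1
    cat > "$TOOLS_CONF" <<'EOF'
[guestinfo]
# disable scan for disk device info
diskinfo-report-device=false
EOF
}

# Return 0 only if diskinfo-report-device=false appears under a section header
# that is byte-for-byte "[guestinfo]". A missing file, a header in any other
# case (for example "[guestInfo]"), or a missing/incorrect value returns 1.
verify_tools_conf() {
    [ -f "$TOOLS_CONF" ] || return 1
    awk '
        /^\[/ { section = $0 }
        /^diskinfo-report-device[ \t]*=[ \t]*false[ \t]*$/ && section == "[guestinfo]" { ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$TOOLS_CONF"
}

# Live-system entry point (needs root): write, verify, then restart vmtoolsd
# with --ignore-dependencies as required by the related issue 1283749-1.
apply_tools_conf() {
    write_tools_conf || return 1
    verify_tools_conf || return 1
    systemctl restart --ignore-dependencies vmtoolsd.service
}
```

If verify_tools_conf fails on an existing tools.conf, check the section header case first; the comparison is deliberately case-sensitive because vmtoolsd's is.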
1282769-1 : Localdb user can change the password of other user
Component: Access Policy Manager
Symptoms:
The user was able to change the password for another user in the logon page, when local DB authentication was used.
Conditions:
-- At least one user in the local DB instance is forced to change the password
-- the virtual server is tied in with the trusted CA certificates (that is, it would not happen if the virtual server for the SSL-VPN is associated with self-signed certificates).
Impact:
User authentication based on local DB will be impacted.
Workaround:
None
1282281-5 : Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns
Links to More Info: BT1282281
Component: Application Security Manager
Symptoms:
Roll forward upgrade fails.
The following error message appears in /ts/log/ts_debug.log, and WAF enforcement is incomplete:
----------------------------------------------------------------------
Can't locate object method "id_field" via package "F5::ASMConfig::Entity::ThreatCampaign" (perhaps you forgot to load "F5::ASMConfig::Entity::ThreatCampaign"?) at /usr/local/share/perl5/F5/ImportExportPolicy/Binary.pm line 2171.
----------------------------------------------------------------------
Conditions:
- Roll forward upgrade when there is a policy that has unapplied changes and Threat Campaigns.
Impact:
Incorrect enforcement until workaround is applied.
Workaround:
Reapply each policy.
1282105 : Assertion response attributes parsing issue after upgrade to BIG-IP 17.1.0
Links to More Info: BT1282105
Component: Access Policy Manager
Symptoms:
During SAML Authentication while TMM parses the assertion to extract the attributes and its respective values, all the attributes values are combined into a single string with '|' as separator and are assigned to a single variable leaving remaining ones empty.
Conditions:
When the incoming attributes, in the assertion, are considered as multi-valued attributes, all the values of attributes are combined to form a single valued attribute in order to store in the SessionDB.
Impact:
All the session variables related to assertion attributes are assigned and stored incorrectly.
Workaround:
None
1281709-4 : Traffic-group ID may not be updated properly on a TMM listener
Links to More Info: BT1281709
Component: Local Traffic Manager
Symptoms:
A few virtual servers may belong to an incorrect traffic-group after a full sync or when an mcp transaction is performed.
Conditions:
- The BIG-IP High Availability (HA) is configured with full load on sync.
- Traffic-group is changed on a virtual-address belonging to multiple virtuals.
- Sync happens, leaving the device receiving a sync in an incorrect state.
OR
An MCP transaction that is updating a virtual-address along with a profile change on a virtual-server is executed.
Impact:
Listeners may not belong to the correct traffic group, and traffic is not forwarded.
Workaround:
Use an incremental sync. Do not use MCP transactions.
1281637-2 : When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE
Links to More Info: BT1281637
Component: Local Traffic Manager
Symptoms:
A RST_STREAM is observed from BIG-IP to server after receiving response from server.
Conditions:
- HTTP/2 full proxy configuration.
- Server to send a DATA_FRAME with END_STREAM flag with a delay.
Impact:
Once the server gets around to process the RST_STREAM, it stops accepting new requests on that connection.
Workaround:
None
1281433-1 : Missing GTM probes on GTM server when an external monitor is attached to an additional pool
Links to More Info: BT1281433
Component: Global Traffic Manager (DNS)
Symptoms:
Incorrect probe behavior when an external monitor is attached to an additional pool.
Conditions:
On a GTM sync group, try to attach an external monitor to an additional pool.
Impact:
Incorrect GTM server monitoring.
Workaround:
None
1281405-2 : "fipsutil fwcheck -f" command may not return a correct result
Links to More Info: BT1281405
Component: Local Traffic Manager
Symptoms:
The "fipsutil fwcheck -f" command output shows "Firmware upgrade available." even though no firmware upgrade is needed.
Conditions:
All FIPS platforms.
Impact:
This is only a display issue with no functional impact. If you attempt a firmware upgrade anyway, it may not work.
Workaround:
Use the command without the "-f" option like "fipsutil fwcheck".
1281381-1 : BD fails to load config when the virtual server name is longer than 64 chars
Component: Application Security Manager
Symptoms:
A virtual server name longer than 64 characters causes ASM to restart repeatedly.
Conditions:
A Virtual server name longer than 64 characters.
Impact:
Repeated ASM restarts (ASM restarts in loop).
Workaround:
Use virtual server names shorter than 64 characters.
1280813-3 : Illegal URL violation triggered after upgrade due to missing content-profiles in DB
Links to More Info: BT1280813
Component: Application Security Manager
Symptoms:
Illegal URL violation is triggered for valid/Allowed URLs.
Conditions:
NA
Impact:
Illegal violation for allowed URL, content profile for that URL is not seen in PLC.PL_OBJECT_CONTENT_PROFILES DB.
Workaround:
- Delete the problematic URL from Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs.
- Recreate the URL again.
- Apply the policy.
1280769 : Fipsutil's fwcheck and fwupdate sub-commands show errors when run on R10920 and R5920 tenant.
Component: Local Traffic Manager
Symptoms:
When the two commands fwcheck and fwupdate are run, they will not be successful and throw error messages.
bigip#fipsutil fwcheck
ERROR: Failed to parse firmware version: CNN35XX-NFBE-FW-2.08-12
ERROR: Firmare version check failed.
bigip#
Conditions:
The fwcheck or fwupdate command is run on an R10920 or R5920 FIPS tenant.
Impact:
No functional impact; only ignorable error messages are displayed.
Workaround:
Do not run these two commands on an R10920 or R5920 FIPS tenant.
To see the current firmware version from the tenant, use "fipsutil info".
To update the firmware on the HSM card, do so from the host system.
1277641 : DoS | i-series | After mitigation of bad destination at profile level, bd_hit is not incrementing for host unreachable vector.
Links to More Info: BT1277641
Component: Advanced Firewall Manager
Symptoms:
This is specific to the iSeries platform.
BD-related DoS stats increment, but the SPVA bd_hit stat does not.
Conditions:
Sending IPv6 host unreachable traffic to an iSeries platform.
Impact:
The attack is visible in the DoS stats but not in the SPVA stats.
Workaround:
The stats can be viewed in the DoS table.
1274385-1 : BIG-IP DNS GUI delivery summary stats show an incorrect count for "Disabled" GTM listeners
Links to More Info: BT1274385
Component: Global Traffic Manager (DNS)
Symptoms:
Statistics >> Module Stats >> DNS >> Delivery >> Summary shows an incorrect count for "Disabled" GTM listeners.
Conditions:
One or more virtual servers (which may or may not be GTM (DNS) listeners) exist on the BIG-IP device in a disabled state.
These virtual servers incorrectly count towards the "Disabled" virtual server count in the GTM Listeners statistics.
Impact:
Unexpected "Disabled" count in the GTM Listeners line of the DNS stats table (in any of the columns).
1273881-3 : TMM crashes while processing traffic on the virtual server
Links to More Info: BT1273881
Component: Access Policy Manager
Symptoms:
TMM crashes while processing traffic on the virtual server.
Conditions:
Network Access resource is configured.
Impact:
TMM crashes leading to disruption in traffic flow.
Workaround:
None
1273161-4 : Secondary blades are unavailable, clusterd is reporting shutdown, and waiting for other blades
Links to More Info: BT1273161
Component: Local Traffic Manager
Symptoms:
On a multi-slot chassis, VCMP guest, or F5OS tenant, clusterd can enter a shutdown state causing some slots to become unavailable.
The event that can cause this is called a partition and occurs when clusterd stops receiving heartbeat packets from a slot over the mgmt_bp interface but is still receiving them over the tmm_bp interface.
Here is the error that is logged when this occurs:
Mar 17 10:38:28 localhost err clusterd[4732]: 013a0004:3: Marking slot 1 SS_FAILED due to partition detected on mgmt_bp from peer 2 to local 1
When this occurs, clusterd enters a shutdown state and at times will never recover.
Here is example output of the tmsh show sys cluster command where clusterd is in the shutdown-yet-waiting state:
-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 172.0.0.160/23
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 2
Primary Selection Time 03/17/23 10:38:30
----------------------------------------------------------------------------------
| Sys::Cluster Members
| ID Address Alt-Address Availability State Licensed HA Clusterd Reason
----------------------------------------------------------------------------------
| 1 :: :: unknown enabled false unknown shutdown ShutDown: default/1 waiting for blade 2
| 2 :: :: available enabled true standby running Run
Conditions:
Multi-slot chassis, VCMP guest, or F5OS tenant.
A blade determines that there is a partition: it is receiving cluster packets over the tmm_bp interface but not over the mgmt_bp interface.
Impact:
The unavailable slots/blades will not accept traffic.
Workaround:
Running tmsh show sys cluster reports the primary slot and the status of every slot.
For each blade reporting shutdown (or, less likely, initializing) together with "waiting for blade(s)", restart clusterd on that slot with bigstart restart clusterd. Do not restart clusterd on the primary slot.
1273141-1 : GTM pool members are not probed and multiple GTMs are reporting inconsistent status
Links to More Info: BT1273141
Component: Global Traffic Manager (DNS)
Symptoms:
GTM pool members are not probed and multiple GTMs in the same GTM syncgroup report inconsistent status.
Conditions:
1. Create a GTM pool with a pool member disabled.
2. Create another GTM pool with the same monitor and pool member as the previous GTM pool.
Impact:
GTM pool members are marked with an incorrect status that is inconsistent across GTMs.
Workaround:
Use the following command:
# tmsh modify gtm global-settings general monitor-disabled-objects yes
or
Use unique monitor names for pools that have disabled pool members.
1272501-1 : Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure"
Links to More Info: BT1272501
Component: Local Traffic Manager
Symptoms:
Application failures with reset-cause: "F5RST: HTTP redirect rewrite failure".
Conditions:
-- BIG-IP versions 16.0 and above.
-- HTTPS virtual server with redirect-rewrite of HTTP profile set to 'matching'.
Impact:
Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure".
Workaround:
If the URI cannot be parsed, do not configure the rewrite option so that the Location header passes through untouched.
1271469-5 : Failed to install ASU file scheduled for install
Links to More Info: BT1271469
Component: Application Security Manager
Symptoms:
A Live Update installation scheduled for any day at a time between 12:01 AM and 12:14 AM will fail.
Conditions:
- ASU file installation scheduled between 12:01 AM and 12:14 AM (not automatic or manual installation).
Impact:
BIG-IP will not receive the latest ASU file updates.
Workaround:
Set the installation time after 12:15 AM.
1270989-1 : REST MemcachedClient uses fixed TMM address 127.1.1.2 to connect to memcached
Links to More Info: BT1270989
Component: TMOS
Symptoms:
The RESTcurl command "restcurl -u admin:admin /mgmt/tm/access/session/kill-sessions" returns a "no route to host" error.
Conditions:
Run RESTcurl commands from a vCMP guest to try to kill the session.
Impact:
Attempting to kill sessions returns a 400 "no route to host" error.
Workaround:
None
1270501 : Before upgrade, if the log level is configured as debug, APMD restarts continuously with a core dump
Links to More Info: BT1270501
Component: Access Policy Manager
Symptoms:
If the access policy log level is configured to debug and the software is then upgraded, the BIG-IP rebooted, or APMD restarted, a core dump is observed from the APMD process while it starts.
Conditions:
1. Configure the HTTP connection and request timeouts in HTTP authentication using TMSH.
2. Access policy log level is configured to debug.
3. Upgrading the software, rebooting the BIG-IP, or restarting the APMD.
Impact:
APMD restarts continuously, producing a core dump each time.
Workaround:
Configure the access policy log level to a value other than debug.
1270497-3 : MRF SIP/ALG Core dump observed while accessing trans_data in sipmsg_register_ingress_register_request_session_reply_common method
Links to More Info: BT1270497
Component: Service Provider
Symptoms:
TMM generates core file while MRF SIP handles register request.
Conditions:
- SIP ALG configuration with SNAT.
Impact:
TMM generates core file while running SIP traffic with ALG configuration. Traffic is disrupted.
Workaround:
None
1270133-1 : bd crash during configuration update
Component: Application Security Manager
Symptoms:
bd crash occurred during the configuration update.
Conditions:
This issue occurs during a configuration update.
Impact:
bd crash that causes failover in High Availability (HA) pair. Intermittent offline with standalone system.
Workaround:
None
1269889-1 : LTM crashes are observed while running SIP traffic and pool members are offline
Component: Service Provider
Symptoms:
A crash may occur while processing HTTP traffic that involves a persist record and the use of pick_host; for example:
set dest_host [MR::message pick_host peer
Conditions:
- When all pool members are offline or there are no pool members in the pool.
Impact:
TMM is inoperative while reloading after the crash.
Workaround:
Avoid the following use of pick_host, particularly with carp:
MR::message pick_host peer <peer-object-name> [carp <carp-key>]
1269773-1 : Convert network-order to host-order for extensions in TLS1.3 certificate request
Links to More Info: BT1269773
Component: Local Traffic Manager
Symptoms:
The network-order length is passed as the argument instead of the host-order length.
Conditions:
- A signature algorithms extension is present in the certificate request message from the server.
Impact:
Handshake fails with illegal parameter alert.
Workaround:
None
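As an added illustration (not F5's code), the following Python parser reads the TLS 1.3 CertificateRequest body from RFC 8446 and decodes the signature_algorithms extension with explicit big-endian (network-order) conversion and bounds checks. The `length_order` parameter is a hypothetical switch that mimics consuming the raw length bytes as a host-order integer on a little-endian CPU, the mismatch this issue describes, and shows that it ends in an illegal-parameter rejection; the message bytes are constructed inline.

```python
import struct

SIGNATURE_ALGORITHMS = 13  # ExtensionType for signature_algorithms (RFC 8446 4.2.3)

# A few SignatureScheme code points from RFC 8446 4.2.3, for readable output.
SCHEME_NAMES = {
    0x0401: "rsa_pkcs1_sha256",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0804: "rsa_pss_rsae_sha256",
    0x0807: "ed25519",
}


class IllegalParameter(ValueError):
    """Raised where a TLS peer would send an illegal_parameter/decode_error alert."""


def _u16(buf, off, order="big"):
    """Read a 2-byte length. TLS is big-endian on the wire; 'order' exists only
    to illustrate the host-order mistake (see parse_certificate_request)."""
    if off + 2 > len(buf):
        raise IllegalParameter("truncated 16-bit field")
    return int.from_bytes(buf[off:off + 2], order)


def parse_certificate_request(body, length_order="big"):
    """Parse a TLS 1.3 CertificateRequest body (RFC 8446 4.3.2):
         opaque certificate_request_context<0..2^8-1>;
         Extension extensions<2..2^16-1>;
    Returns {"context": bytes, "signature_algorithms": [SignatureScheme, ...]}.
    length_order="little" is a hypothetical knob (not a real implementation
    option) that mimics using network-order length bytes as a host-order
    integer on a little-endian host.
    """
    if not body:
        raise IllegalParameter("empty CertificateRequest")
    ctx_len = body[0]
    off = 1
    context = body[off:off + ctx_len]
    if len(context) != ctx_len:
        raise IllegalParameter("truncated certificate_request_context")
    off += ctx_len

    ext_len = _u16(body, off, length_order)
    off += 2
    end = off + ext_len
    if end != len(body):
        raise IllegalParameter("extensions length %d does not match %d remaining bytes"
                               % (ext_len, len(body) - off))

    schemes = None
    while off < end:
        ext_type = _u16(body, off)  # the type field is always decoded correctly
        data_len = _u16(body, off + 2, length_order)
        off += 4
        if off + data_len > end:
            raise IllegalParameter("extension %d overruns the extensions block" % ext_type)
        data = body[off:off + data_len]
        off += data_len
        if ext_type == SIGNATURE_ALGORITHMS:
            # supported_signature_algorithms<2..2^16-2>: 2-byte length, then 2-byte schemes
            list_len = _u16(data, 0, length_order)
            if list_len == 0 or list_len % 2 or list_len + 2 != len(data):
                raise IllegalParameter("bad supported_signature_algorithms length %d" % list_len)
            schemes = [int.from_bytes(data[i:i + 2], "big") for i in range(2, 2 + list_len, 2)]
    if schemes is None:
        raise IllegalParameter("signature_algorithms extension is mandatory in CertificateRequest")
    return {"context": context, "signature_algorithms": schemes}


def build_certificate_request(context, schemes):
    """Encode a minimal CertificateRequest carrying only signature_algorithms."""
    sig_list = b"".join(struct.pack(">H", s) for s in schemes)
    ext_data = struct.pack(">H", len(sig_list)) + sig_list
    ext = struct.pack(">HH", SIGNATURE_ALGORITHMS, len(ext_data)) + ext_data
    return bytes([len(context)]) + context + struct.pack(">H", len(ext)) + ext


def scheme_names(schemes):
    return [SCHEME_NAMES.get(s, "0x%04x" % s) for s in schemes]


if __name__ == "__main__":
    # Constructed sample: empty context, two offered schemes.
    msg = build_certificate_request(b"", [0x0403, 0x0804])
    print("host-order parse:", scheme_names(parse_certificate_request(msg)["signature_algorithms"]))
    try:
        parse_certificate_request(msg, length_order="little")
    except IllegalParameter as e:
        print("network-order length misuse ->", e)
```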
1269733-1 : HTTP GET request with headers has incorrect flags causing timeout
Links to More Info: BT1269733
Component: Local Traffic Manager
Symptoms:
504 Gateway Timeout responses are generated by a Microsoft web server pool member handling HTTP/2 requests.
A tcpdump shows that the request is sent on the HTTP/2 stream without the END_STREAM flag set on the HEADERS frame.
Conditions:
The server must advertise a max-frame-size small enough to force BIG-IP to split the headers across multiple HTTP/2 frames; otherwise this issue does not occur.
Impact:
The HTTP GET request times out.
Workaround:
None
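Added example, not BIG-IP code: a small Python HTTP/2 framer that splits a constructed header block (a stand-in for an HPACK-encoded GET) across HEADERS and CONTINUATION frames at a given max frame size, keeping END_STREAM on the HEADERS frame for a body-less request and END_HEADERS only on the last frame, plus a checker that flags the missing END_STREAM described above. The 16-byte frame size is a constructed value below the protocol minimum, used only to force the split.

```python
import struct

# Frame types and flags from RFC 7540 (sections 6.2 and 6.10).
HEADERS, CONTINUATION = 0x1, 0x9
END_STREAM, END_HEADERS = 0x1, 0x4


def frame(ftype, flags, stream_id, payload):
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for a frame")
    hdr = len(payload).to_bytes(3, "big") + bytes([ftype, flags]) \
        + struct.pack(">I", stream_id & 0x7FFFFFFF)
    return hdr + payload


def encode_request_headers(header_block, stream_id, max_frame_size, end_stream=True):
    """Split an HPACK-encoded header block across HEADERS + CONTINUATION frames.
    END_STREAM (no body follows) belongs on the HEADERS frame no matter how many
    CONTINUATION frames follow; END_HEADERS goes only on the last frame."""
    if max_frame_size < 1:
        raise ValueError("max_frame_size must be positive")
    chunks = [header_block[i:i + max_frame_size]
              for i in range(0, len(header_block), max_frame_size)] or [b""]
    out = []
    for i, chunk in enumerate(chunks):
        first, last = i == 0, i == len(chunks) - 1
        ftype = HEADERS if first else CONTINUATION
        flags = (END_STREAM if first and end_stream else 0) | (END_HEADERS if last else 0)
        out.append(frame(ftype, flags, stream_id, chunk))
    return b"".join(out)


def parse_frames(data):
    """Return [(type, flags, stream_id, payload), ...]; reject truncated input."""
    frames, off = [], 0
    while off < len(data):
        if off + 9 > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append((ftype, flags, sid, payload))
        off += 9 + length
    return frames


def check_bodyless_request(data, stream_id):
    """Validate the header-block frames of a request that carries no body.
    Returns (ok, reason). The failing case is the symptom above: the headers
    were split across frames and END_STREAM was never set, so the server keeps
    waiting for a request body and eventually answers 504."""
    frames = [f for f in parse_frames(data) if f[2] == stream_id]
    if not frames or frames[0][0] != HEADERS:
        return False, "stream does not start with a HEADERS frame"
    if not frames[0][1] & END_STREAM:
        return False, "HEADERS frame lacks END_STREAM; server will wait for a request body"
    for i, (ftype, flags, _, _) in enumerate(frames):
        last = i == len(frames) - 1
        if i > 0 and ftype != CONTINUATION:
            return False, "non-CONTINUATION frame %#x inside the header block" % ftype
        if bool(flags & END_HEADERS) != last:
            return False, "END_HEADERS must be set on the last header-block frame only"
    return True, "ok"


if __name__ == "__main__":
    block = bytes(range(40))  # constructed stand-in for an HPACK-encoded GET
    good = encode_request_headers(block, 1, 16)  # 16: artificially small SETTINGS_MAX_FRAME_SIZE
    print(check_bodyless_request(good, 1))
    bad = encode_request_headers(block, 1, 16, end_stream=False)
    print(check_bodyless_request(bad, 1))
```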
1269709-4 : GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles
Links to More Info: BT1269709
Component: Local Traffic Manager
Symptoms:
The VDI profile is currently not supported in an HTTP/2 environment, but the BIG-IP GUI shows no warning about this limitation.
Conditions:
Both a VDI profile and an HTTP/2 profile are attached to the virtual server.
Impact:
The BIG-IP GUI does not display an error when VDI and HTTP/2 profiles are both attached to the same virtual server.
Workaround:
None
1269601-1 : Unable to delete monitor while updating DNS virtual server monitor through transaction
Links to More Info: BT1269601
Component: Global Traffic Manager (DNS)
Symptoms:
Unable to delete monitor while updating DNS virtual server monitor through transaction.
The following messages are displayed:
Command added to the current transaction
Command added to the current transaction
transaction failed: 01070083:3: Monitor /Common/tcp_test is in use.
Conditions:
Using a transaction that updates the virtual server monitor and then deletes the earlier monitor, which is no longer referenced.
For example:
echo 'create cli transaction; modify /gtm server generc_serv_test virtual-servers modify { test { monitor none }}; delete /gtm monitor tcp tcp_test; submit cli transaction' | tmsh
Impact:
Unable to delete the monitor.
Workaround:
None
1268521-1 : SAML authentication with the VCS fails when launching the applications/remote desktops from the APM Webtop when multiple RD resources are assigned to the APM Webtop
Links to More Info: BT1268521
Component: Access Policy Manager
Symptoms:
User fails to authenticate when VMware VDI with SAML authentication is used with multiple RD resources assigned to Webtop.
Conditions:
1. Webtop is used to connect to a remote desktop.
2. Multiple VCS servers are used.
3. SAML authentication is configured in remote desktop SSO configuration.
Impact:
Remote desktop is not opened.
Workaround:
None
1267845-5 : ISC's internal_current function asserted because ifa_name was NULL
Links to More Info: BT1267845
Component: Global Traffic Manager (DNS)
Symptoms:
named restarts.
Conditions:
- MCPD is down, resulting in a service restart.
- The slot interfaces are down.
- During the restart, named is unable to find the interface and asserts.
Impact:
No impact; this issue occurs only while services are restarting.
Workaround:
None
1259489-2 : PEM subsystem memory leak is observed when using PEM::subscriber information
Links to More Info: BT1259489
Component: Policy Enforcement Manager
Symptoms:
TMM may show a higher memory allocation in the PEM category observed in the memory_usage_stat table.
Conditions:
- PEM is provisioned.
- PEM iRules are used that access PEM::session or PEM::subscriber information.
Impact:
TMM can have excessive memory consumption.
Workaround:
None
1253449-4 : After publishing, the draft LTM policy configuration might not be updated (intermittently) into the bigip.conf
Links to More Info: BT1253449
Component: TMOS
Symptoms:
Publishing an LTM draft policy and the "save config" operation are not atomic, so a race condition exists. If the save happens first, the issue is observed; otherwise the LTM draft policy is successfully written to the bigip.conf file.
Conditions:
- The command "tmsh load /sys config current-partition" is executed, or the existing system configuration is otherwise loaded from bigip.conf, after the draft LTM policy is published.
Impact:
Published LTM draft policies are reverted to the draft state.
Workaround:
Perform any one of the following steps immediately after successfully publishing an LTM draft policy:
- Execute the command "tmsh save /sys config current-partition" on the BIG-IP shell.
or
Execute curl -sku $COLON_SEPARATED_USERNAME_PASSWORD https://$HOST/mgmt/tm/sys/config/ -X POST -H "Content-type: application/json" -d '{"command":"save"}'
or
Execute curl -sku $COLON_SEPARATED_USERNAME_PASSWORD https://$HOST/mgmt/tm/util/bash -X POST -H "Content-type: application/json" -d '{"command":"run", "utilCmdArgs":"-c \"tmsh save sys config current-partition\""}'
1252537-4 : Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role
Component: TMOS
Symptoms:
For the Resource Admin role, the reboot and shutdown options are available in the GUI but unavailable in TMSH.
Conditions:
- Resource Admin accessing reboot and shutdown options in TMSH.
Impact:
Limited availability, forces Resource Admin to use GUI.
Workaround:
Resource admin can still use GUI to initiate a reboot or shutdown.
1251105-1 : DoS Overview (non-HTTP) - A null pointer was passed into a function
Links to More Info: BT1251105
Component: Advanced Firewall Manager
Symptoms:
In all BIG-IP 15.1 builds, when the protected object filter is selected on the Security > DoS Overview page, the following error is displayed:
Error : DoS Overview (non-HTTP) - A null pointer was passed into a function
Schema changes in BIG-IP version 15.1.8 added context_name and context_type to the mcp_network_attack_data_stat_t structure used to report DoS attack stats.
The MCP code that fills in these fields when responding to the stats request was not included, so an attempt to get the stats results in a NULL pointer being detected.
Conditions:
Configure a protection profile.
Create a protected object by attaching the protection profile.
Select protected object filter in DoS Overview (non-HTTP) page.
Impact:
This issue partially prevents use of the GUI.
Workaround:
None
1251013-1 : Allow non-RFC compliant URI characters
Links to More Info: BT1251013
Component: Service Provider
Symptoms:
The MRF parser fails if URIs are not formatted as per the RFC.
It is required not to validate URI formatting, required message headers, and the use of defined method names against the RFC.
Conditions:
- SIP URIs are not formatted as per RFC.
Impact:
The MRF parser allows URI formats that do not comply with the RFC.
Workaround:
None
1250209-1 : The message "ERR: in Graphql disallowed response, pcre is null" appears in BD logs
Links to More Info: BT1250209
Component: Application Security Manager
Symptoms:
The following message can appear in BD logs during response enforcement:
"ERR: in Graphql disallowed response, pcre is null"
Conditions:
Two different GraphQL profiles assigned to two different URLs, one of the profiles has "Block Error Responses" enabled, the other does not.
Impact:
Error message in BD logs.
Workaround:
None
1250077-6 : TMM memory leak
Links to More Info: BT1250077
Component: Global Traffic Manager (DNS)
Symptoms:
TMM leaks memory for Domain Name System Security Extensions (DNSSEC) requests.
Conditions:
DNSSEC signing cannot keep up with incoming DNSSEC requests.
Impact:
TMM memory utilization increases over time, and TMM may eventually crash with Out of Memory (OOM).
Workaround:
None
1249929-2 : Diameter MRF sends CER to pool-member even after peer sent DPR and force-offline the pool member
Links to More Info: BT1249929
Component: Service Provider
Symptoms:
If Disconnect Peer Action is configured to force-offline and the server peer sends a Disconnect Peer Request (DPR), MRF forces the pool member offline as expected. However, MRF continues to send CER towards the pool member, meaning it is trying to connect to the forced-offline peer, and it also sends DPR towards the pool member.
Conditions:
In the Diameter session profile, Disconnect Peer Action is configured to force-offline.
Impact:
Unnecessary CER and DPR messages towards the down pool member.
Workaround:
Set auto-initialization to disabled on the Diameter peer, if this is compatible with the deployment's requirements.
1245209-1 : Introspection query violation is reported regardless of the flag status
Links to More Info: BT1245209
Component: Application Security Manager
Symptoms:
The "GraphQL Introspection Query" violation is reported even though introspection queries are allowed.
Conditions:
In the GraphQL profile, both "Allow Introspection Queries" and "Maximum Query Cost" are enabled.
Impact:
The "GraphQL Introspection Query" violation is reported while the "Allow Introspection Queries" flag is enabled.
Workaround:
None
1240937-4 : The FastL4 TOS specify setting towards server may not function for IPv6 traffic
Links to More Info: BT1240937
Component: Local Traffic Manager
Symptoms:
The ip-tos-to-server setting in a FastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a serverside flow. There are three special values: mimic, pass-through, and specify.
The "specify" setting causes the TMM to set the egress TOS to the specific value configured from GUI for that connflow.
The IPv6 serverside egress TOS is not set to the expected "specify" value. No issue is observed with IPv4 connflow.
Conditions:
- FastL4 profile with ip-tos-to-client set to "specify" with a value.
- Connflow is IPv6.
Impact:
The IPv6 serverside egress TOS is not set to the expected value.
Workaround:
None
1239901-3 : LTM crashes while running SIP traffic
Component: Service Provider
Symptoms:
LTM crashes are observed while running SIP traffic.
Conditions:
A crash may occur while processing HTTP traffic that involves a persist record and the use of pick_host; for example:
set dest_host [MR::message pick_host peer
Impact:
TMM is inoperative while reloading after the crash.
Workaround:
Avoid the following use of pick_host, particularly with carp:
MR::message pick_host peer <peer-object-name> [carp <carp-key>]
1239297 : TMM URL web scraping limit not synced to secondary slot 2 in VIPRION chassis
Links to More Info: BT1239297
Component: Application Security Manager
Symptoms:
Web scraping requests pass even when the threshold is reached in a High Availability (HA) configuration. Some packets are blocked, while others pass.
Conditions:
Configure web scraping micro services in high availability (HA) mode on some F5 hardware. Send web scraping requests and check whether they are blocked.
Impact:
Web scraping requests can pass even when the requests threshold is reached.
Workaround:
None
1238897-1 : TMM TCL interpreter's non-TMM "compat" memcasechr broken in 64-bit build
Links to More Info: BT1238897
Component: Local Traffic Manager
Symptoms:
The TMM's base TCL interpreter (tmm_tcl) is used both in TMM and in non-TMM environments such as APMD. TMM has its own implementation of memcasechr, which is preferred over the "compat" implementation in the TCL interpreter itself, because TMM statically links tmm_tcl while non-TMM users link it dynamically.
Conditions:
The following VPE rule does not work (-nocase option):
expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}
Impact:
memcasechr is broken in the 64-bit build.
The following VPE rule does not work (-nocase option):
expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}
Workaround:
Change the VPE rule to the following:
expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}
1238629-2 : TMM core when client sends NXDOMAIN query with BA enabled
Links to More Info: BT1238629
Component: Advanced Firewall Manager
Symptoms:
NXDOMAIN queries cause a TMM crash when a validating resolver or resolver cache type is enabled.
Conditions:
TMM cores when a client sends an NXDOMAIN query with BA and DNS cache enabled.
Impact:
The NXDOMAIN vector will not work when BA/BD is enabled.
Workaround:
None
1238529-3 : TMM might crash when modifying a virtual server in low memory conditions
Links to More Info: BT1238529
Component: Local Traffic Manager
Symptoms:
Messages similar to the following are seen in the LTM log:
Feb 1 14:17:09 BIG-IP err tmm[1139]: 01010008:3: Listener config update failed for /Common/virtual: ERR:ERR_MEM
TMM restarts and writes a core file.
Conditions:
- Low memory available in TMM.
- A virtual server modification is made.
Impact:
Traffic is interrupted while TMM writes a core file and restarts.
Workaround:
None
1238413-4 : The BIG-IP might fail to update ARL entry for a host in a VLAN-group
Links to More Info: BT1238413
Component: Local Traffic Manager
Symptoms:
ARP requests through a transparent or translucent VLAN-group might fail.
The command "tmsh show net arp" displays the VLAN as the VLAN-group rather than a child VLAN. This symptom might be intermittent.
Conditions:
- A transparent or translucent VLAN-group is configured.
- ARP requests passing through the VLAN-group.
- Long gaps (approximately 9 hours) in layer 2 traffic seen by the BIG-IP from the target of the ARP request.
Impact:
ARP resolution failure.
Workaround:
Create a monitor on the BIG-IP to monitor the target of the ARP resolution. This will ensure that layer 2 traffic is seen by the BIG-IP from that host, keeping the ARL entries current.
1238249-5 : PEM Report Usage Flow log is inaccurate
Links to More Info: BT1238249
Component: Policy Enforcement Manager
Symptoms:
The PEM Report Usage Flow log values for Flow-duration-seconds and Flow-duration-milli-seconds are sometimes reported incorrectly.
Conditions:
- HSL logging is configured.
Impact:
The reported flow duration is longer than the actual duration; this produces incorrect data and can affect policy behaviour.
Workaround:
None
1235337-2 : The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL
Links to More Info: BT1235337
Component: Application Security Manager
Symptoms:
The 'JSON profile' with 'JSON schema validation' is not created for OpenAPI parameters with 'body' location that have 'schema' definitions when the 'schema' type is 'array' (if the type is 'object', the 'JSON profile' is created properly).
Conditions:
OpenAPI parameter with 'body' location having schema type 'array'.
Impact:
Some OpenAPI parameters will not include JSON content profile validation.
Workaround:
JSON content profile with JSON schema validation can be created manually after creating a security policy from the OpenAPI file.
1232977-4 : TMM leaking memory in OAuth scope identifiers when parsing scope lists
Links to More Info: BT1232977
Component: Access Policy Manager
Symptoms:
oauth_parse_scope fails to increment the index when storing discrete scope identifiers into the output array. Thus all scope identifiers are stored in element 0, and all but the last element parsed are leaked.
Conditions:
OAuth functionality is in use; scope comparisons happen when a scope is provided in the request.
Impact:
Failure of High Availability (HA) due to memory issues in TMM over time.
Workaround:
None
1229369-4 : The fastl4 TOS mimic setting towards client may not function
Links to More Info: BT1229369
Component: Local Traffic Manager
Symptoms:
The ip-tos-to-client setting in a fastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a clientside flow. There are two special values - 'mimic' and 'pass-through'.
The mimic setting causes tmm to set the egress TOS to the value seen on the last ingress packet for that connflow.
In affected versions of BIG-IP, this is not set correctly, and the setting behaves like pass-through (uses the TOS value seen arriving on the serverside flow).
Conditions:
FastL4 profile with ip-tos-to-client set to "mimic" (shown as the value 65534 in tmsh).
Impact:
The clientside egress TOS is not set to the expected value.
Workaround:
Use an iRule to set IP::tos to the desired value. Note that processing every packet with an iRule incurs a performance penalty.
1229325-1 : Unable to configure IP OSPF retransmit-interval as intended
Links to More Info: BT1229325
Component: TMOS
Symptoms:
The CLI configuration of OSPF retransmit-interval results in an error when the retransmit-interval value is less than 5 seconds.
Conditions:
- Configure IP OSPF retransmit-interval.
Impact:
The CLI reports an error even when the IP OSPF retransmit-interval value is within range.
Workaround:
None
1226121-5 : TMM crashes when using PEM logging enabled on session
Links to More Info: BT1226121
Component: Policy Enforcement Manager
Symptoms:
TMM may crash when using PEM logging.
Conditions:
When a session has PEM logging enabled:
pem global-settings subscriber-activity-log
Impact:
TMM crashes and restarts, losing all prior connections.
Workaround:
Disabling PEM logging on sessions will avoid the issue.
1225061-1 : zxfrd segfaults with numerous zone transfers
Links to More Info: BT1225061
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd occasionally enters a restart loop with cores.
Conditions:
Numerous DNS Express zones are performing zone transfers at the same time.
Impact:
zxfrd restart loops or cores.
Workaround:
Do not add a large number of DNS Express zones at the same time, and reduce the total number of DNS Express zones.
1218813-6 : "Timeout waiting for TMM to release running semaphore" after running platform_diag
Links to More Info: BT1218813
Component: Access Policy Manager
Symptoms:
The platform_diag tool might not complete properly, leaving TMM in an inoperative state. A 'bigstart restart' is required to recover.
Conditions:
Running the platform_diag tool on a platform licensed with URL filtering.
Impact:
Unable to run the platform_diag tool. TMM remains inoperative.
Workaround:
Open /etc/bigstart/scripts/urldb and modify the dependency list to be:
# wait for processes we are dependent on
depend ${service} mcpd running 1 ${start_cnt}
require ${service} urldbmgrd running 1 ${start_cnt}
require ${service} tmm running 1 ${start_cnt}
Then restart urldb:
> bigstart restart urldb
1217549-4 : Missed ASM Sync on startup
Links to More Info: BT1217549
Component: Application Security Manager
Symptoms:
In some deployment environments, if a device is configured to be part of a device-group before ASM startup has finished initializing, it may miss the initial sync from its peer and not re-request it until another event happens in the system.
Conditions:
Devices are in an auto-sync ASM enabled device-group and a new device is brought into the device-group while initializing the device settings.
Impact:
The devices are out of sync until another action occurs and the sync is requested again.
Workaround:
Restarting ASM on the affected device or causing another sync event will resolve the issue.
1217473-1 : All the UDP traffic is sent to a single TMM
Links to More Info: BT1217473
Component: TMOS
Symptoms:
BIG-IP dataplane's VMXNET3 driver implementation is missing the Receive Side Scaling (RSS) support for the User Datagram Protocol (UDP) available as part of the VMXNET3 version 4.
Conditions:
The BIG-IP VE instance is running on a VMware host and handling UDP traffic.
Impact:
Traffic is not distributed evenly across all TMMs; rather, all of the UDP traffic is sent to a single TMM.
Workaround:
None
1217297 : Removal of guestagentd service from the list of services running inside a tenant.
Links to More Info: BT1217297
Component: TMOS
Symptoms:
The guestagentd service runs inside a tenant deployed on a VELOS or rSeries platform.
Conditions:
Install a tenant on a VELOS or rSeries platform.
Impact:
No impact.
Workaround:
NA
1217077-1 : Race condition processing network failover heartbeats with timeout of 1 second
Links to More Info: BT1217077
Component: TMOS
Symptoms:
Unexpected failover or log messages similar to the following:
sod[1234]: 010c0083:4: No failover status messages received for 1.100 seconds, from device bigip02(192.0.0.1) (unicast: -> 192.0.0.2)
Conditions:
- HA configuration with network failover configured.
- DB variable 'failover.nettimeoutsec' set to a value of 1 second.
Impact:
A failover event could impact traffic flow.
Workaround:
Following the recommended practice of configuring network failover addresses using both the Management IP and Self IP addresses reduces the chance of initiating a failover. Log messages may still be observed.
Setting the DB variable 'failover.nettimeoutsec' to a value of 2 or greater should avoid the issue.
1216297-3 : TMM core occurs when disabling ASM in the request_send event
Component: Application Security Manager
Symptoms:
When an iRule that disables ASM in the request_send event is added, TMM cores.
Conditions:
ASM is provisioned and attached to a policy.
An iRule that disables ASM and HTTP in the HTTP_REQUEST_SEND event is added.
Impact:
TMM cores, system is down.
Workaround:
Remove the iRule, or disable ASM for all events of the URL.
1215613-3 : ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address
Links to More Info: BT1215613
Component: TMOS
Symptoms:
In /var/log/ltm, the following error is logged:
0107146f:3: Self-device config sync address cannot reference the non-existent Self IP (10.155.119.13); Create it in the /Common folder first.
Conditions:
- In a High Availability (HA) system, the ConfigSync-IP is set to the IPv6 management address.
[root@00327474-bigip1:Standby:Disconnected] config # tmsh list cm device | grep -iE 'cm device|configsync-ip'
cm device 00327474-bigip1.lucas {
configsync-ip 10.155.119.12
cm device 00327474-bigip2.lucas {
configsync-ip 2001:dead:beef::13 <<-------
- Modifying the ConfigSync-IP to IPv4.
tmsh modify cm device 00327474-bigip2.lucas configsync-ip 10.155.119.13
Impact:
The device cannot be configured with an IPv4 ConfigSync-IP once an IPv6 one has been configured.
Workaround:
None
1215401-2 : Under Shared Objects, some country names are not available to select in the Address List
Component: Advanced Firewall Manager
Symptoms:
Users can create a shared object list to define countries to block traffic from. When searching for a name, a list is shown from which the user can choose an entry and add it to the address list.
The drop-down menu is limited to 8 entries to choose from.
Some countries are not shown in this list because of the ordering of entries returned from the database.
Conditions:
DoS is enabled.
Impact:
As some countries are not available to select, they cannot be included in the Address List to block traffic.
Workaround:
Instead of the country (which is not available to select), all the regions within the country can be added to the block list. This is cumbersome and error-prone, as the list of regions configurable in BIG-IP must be known.
1215161-4 : A new CLI option introduced to display rule-number for policy, rules and rule-lists
Links to More Info: BT1215161
Component: Advanced Firewall Manager
Symptoms:
If a large number of rules and rule-lists are configured, it takes more than 10 minutes to display the output with rule-numbers.
Example:
tmsh - "list security firewall rule-list"
icrd - "restcurl -u admin /tm/security/firewall/rule-list"
AFM service discovery of BIG-IP fails in BIG-IQ when upgraded to a newer version.
Conditions:
- AFM license is enabled
- Large number of rules and rule-lists are configured
Impact:
AFM service discovery from BIG-IQ fails on upgrade.
Workaround:
-
1213469-5 : MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP dropped
Links to More Info: BT1213469
Component: Service Provider
Symptoms:
BIG-IP does not translate the SDP or Via header IP with the listener IP for an outbound call, which causes the 200 OK response to be dropped.
Conditions:
In SIP ALG, an INVITE request carries an FQDN Route header.
Impact:
Media pinholes are not created for INVITE.
Workaround:
In the SIP_REQUEST event, the specific Route header can be removed and then inserted again in the SIP_REQUEST_SEND event before the request is sent out. For example:
when SIP_REQUEST {
    # Save the Route header(s) before the request is processed
    set pd_route_hdr_count [SIP::header count Route]
    set pd_route_unset 0
    set pd_route [SIP::header Route]
    # Only act on an INVITE with exactly one Route header matching the known FQDN value
    if {[SIP::method] == "INVITE" && ($pd_route_hdr_count equals 1) && $pd_route contains "sip:total.acc.nl;lr" } then {
        # Remove the Route header so the SDP/Via translation takes place
        SIP::header remove "Route"
        set pd_route_unset 1
    }
}
when SIP_REQUEST_SEND {
    # Re-insert the saved Route header just before the request leaves BIG-IP.
    # The info exists check avoids a Tcl error if SIP_REQUEST did not set the variable.
    if {[info exists pd_route_unset] && [SIP::method] == "INVITE" && ($pd_route_unset == 1)} then {
        SIP::header insert "Route" $pd_route
    }
}
1212081-5 : The zxfrd segfault and restart loop due to incorrect packet processing
Links to More Info: BT1212081
Component: Global Traffic Manager (DNS)
Symptoms:
The zxfrd daemon cores and enters a restart loop.
Conditions:
When no zone transfer is in progress, zxfrd cores while processing packets.
Impact:
DNS express does not work properly.
Workaround:
None
1211985-6 : BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring
Links to More Info: BT1211985
Component: In-tmm monitors
Symptoms:
When a high number of In-TMM monitors is configured and a large portion of them are configured either as Reverse monitors or as monitors using the Receive Disable field, the BIG-IP may not mark Nodes and Pool Members DOWN immediately once the configured timeout lapses for non-responsive targets.
Conditions:
This may occur when both:
- In-TMM monitoring is enabled through sys db bigd.tmm.
- A portion of the monitors are configured as Reverse monitors or use the Receive Disable field.
Impact:
Non-Responsive Nodes or Pool Members may not be marked DOWN.
Workaround:
You can work around this issue by disabling In-TMM monitoring, at the expense of decreased monitoring performance (higher CPU usage by the bigd daemon).
1211905-3 : Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts"
Links to More Info: BT1211905
Component: Application Security Manager
Symptoms:
Unable to import the XML format policy.
Conditions:
The XML policy contains violation_rating_counts elements.
Impact:
Unable to import XML policy.
Workaround:
1) Remove the elements from the exported policy file (the sed command below deletes every self-closing violation_rating_counts element from the XML files in the current directory):
sed -i '/<violation_rating_counts\/>/d' *xml
2) Import the policy again.
1211617-2 : High CPU utilisation observed during startup when forced BIG-IP system set offline
Links to More Info: BT1211617
Component: TMOS
Symptoms:
When BIG-IP is restarted, TMM0 consumes extremely high CPU.
Conditions:
This occurs when the system is set to offline (sys failover offline), the configuration is saved, and BIG-IP is then restarted.
Impact:
The system is slow to respond. The impact is minor because the system is in the offline state.
Workaround:
None
1211297-1 : Handling DoS profiles created dynamically using iRule and L7Policy
Component: Anomaly Detection Services
Symptoms:
Persistent connections with HTTP requests that may be switched by a dynamic change of DoS policy (using an iRule or L7 policy) can cause a TMM crash.
Conditions:
A request arrives at BIG-IP and is waiting to be served (it is delayed using an iRule). If the DoS profile is unbound from the virtual server during that time and a dynamic DoS profile change decision is made, the request can be incorrectly associated with a context that has already been freed.
Impact:
In a few scenarios, when the DoS policy is changed during the connection lifetime, TMM might crash.
Workaround:
None
1211189-4 : Stale connections observed and handshake failures observed with errors
Links to More Info: BT1211189
Component: Local Traffic Manager
Symptoms:
SSL handshake fails.
Invalid or expired certificates are being used in the handshake.
Conditions:
- The certificates on BIG-IP have expired and are being renewed remotely.
- The clientssl or serverssl profiles are dynamically attached to a virtual server through an iRule.
Impact:
SSL handshake fails.
Virtual servers (SSL profiles) use old or expired certificates.
Workaround:
Restart the TMM or BIG-IP to resolve the issue temporarily (until next expiry time of the certificates).
1211089-4 : Traffic to IPv6 all nodes address not received by TMM on VE with ixlv driver
Links to More Info: BT1211089
Component: TMOS
Symptoms:
Traffic sent to the IPv6 all nodes multicast address is not seen by TMM.
Conditions:
A virtual environment utilizing TMM's ixlv driver.
Traffic is sent to the IPv6 all nodes multicast address.
Impact:
TMM fails to receive and process traffic to the IPv6 all nodes multicast address.
Workaround:
None
1210569-1 : User defined signature rule disappears when using high ASCII in rule
Links to More Info: BT1210569
Component: Application Security Manager
Symptoms:
WebUI display is empty.
Conditions:
The configured rule contains a high-ASCII character (value greater than 127).
Impact:
Unable to see the rule in webUI.
Workaround:
Use the following steps:
1. Navigate to Security > Options > Application Security > Attack Signatures.
2. Create a new signature in Advanced Edit Mode. After saving, confirm the stored value with the browser developer tools.
3. Add it to the signature set (backed by actual signature detection confirmation).
4. Remove the old signatures from signature set.
1210469-1 : TMM can crash when processing AXFR query for DNSX zone
Links to More Info: BT1210469
Component: Local Traffic Manager
Symptoms:
TMM crash with SIGABRT and multiple log messages with "Clock advanced by" messages.
Conditions:
A client sends an AXFR query to a virtual server or wide IP listener that has DNSX enabled in the DNS profile and has a large number of DNSX zones with a large number of resource records.
Impact:
TMM cores and runs slow with "Clock advanced by" messages.
Workaround:
Disable zone transfer for the DNS profile associated with the virtual server.
1210321-2 : Parameters are not created for properties defined in multipart request body when URL include path parameter
Links to More Info: BT1210321
Component: Application Security Manager
Symptoms:
Security policy parameters are not created for OpenAPI schema properties in multipart request body section.
Conditions:
A request body is defined for a URL that includes a path parameter.
Impact:
Some parameters defined by OpenAPI file will not be created in security policy.
Workaround:
The missing parameters must be created manually through the GUI, REST, or TMSH.
1210053-3 : The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error
Links to More Info: BT1210053
Component: Application Security Manager
Symptoms:
In case of a Leaked Credential server error, there is an internal parameter that controls whether the Leaked Credentials violation is raised:
cred_stuffing_fail_open (the default value is not to raise the violation)
Changing the internal parameter value does not trigger the violation.
Conditions:
- ASM is provisioned.
- WAF Policy is attached to virtual server with Credential Stuffing enabled.
- Internal Parameter cred_stuffing_fail_open is set to 0.
- A server error (or timeout) occurred during leaked credential check.
Impact:
Leaked Credential violation is not raised.
Workaround:
None
1209945-2 : Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs
Links to More Info: BT1209945
Component: Local Traffic Manager
Symptoms:
In a case where traffic is not properly egressing a BIG-IP tenant running on rSeries or VELOS platforms, if any TMM log file contains any line with the text "notice SEP: Tx completion failed", that tenant VM may need to be manually restarted. The BIG-IP is unable to detect the traffic degradation automatically and recover or fail-over; the user must manually intervene to restart the tenant.
Conditions:
This is specific to rSeries and VELOS platforms, and does not affect other BIG-IP platforms or virtual editions.
Egress traffic from the affected tenant may appear to be degraded or non-functional. There may be a high number of transmit packet drops.
Check the tenant TMM log files for any line containing the text "notice SEP: Tx completion failed" (which may include additional trailing text). The log files of concern reside in the tenant at paths:
/var/log/tmm*
Impact:
Egress traffic may be severely degraded until the tenant with the offending log messages is manually restarted.
Workaround:
Restart the tenant VM by moving the tenant from deployed -> provisioned -> deployed in the partition or system ConfD command line interface.
Alternatively, issue the "reboot" command from the tenant bash shell.
1209709-5 : Memory leak in icrd_child when license is applied through BIG-IQ
Links to More Info: BT1209709
Component: TMOS
Symptoms:
The memory use for icrd_child may slowly increase, eventually leading to an OOM condition.
Conditions:
License applied through BIG-IQ.
Impact:
Higher than normal control-plane memory usage, possible OOM related crash.
Workaround:
Periodically kill the icrd_child processes. The restjavad will restart them automatically.
1209589-5 : BFD multihop does not work with ECMP routes
Links to More Info: BT1209589
Component: TMOS
Symptoms:
BFD multihop does not work with ECMP routes. The TMMs are unable to agree on session ownership and drop the session after 30 seconds.
Conditions:
On a multi-TMM system, a BFD multihop peer is configured that is reachable over an ECMP route.
Impact:
BFD multihop does not work with ECMP routes, and the BFD session is dropped every 30 seconds.
Workaround:
None
1207821-1 : APM internal virtual server leaks memory under certain conditions
Links to More Info: BT1207821
Component: Access Policy Manager
Symptoms:
Memory leaks are observed while passing traffic in the internal virtual server used for APM.
The client or backend is slow to respond to packets from the BIG-IP. Congestion is observed on the network, which prompts BIG-IP to throttle egress.
Conditions:
- Traffic processing in the internal virtual server used for APM.
Impact:
TMM memory grows over time, eventually leading to TMM running out of memory and restarting. Traffic is disrupted when TMM restarts.
Workaround:
None
1207381 : PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored
Links to More Info: BT1207381
Component: Policy Enforcement Manager
Symptoms:
In the following example, a PEM policy rule flow filter matches traffic from any source address and any port to any destination address and port 81 (the port number is an example):
Source Address | Source Port | VLAN | Destination Address | Destination Port |
0.0.0.0/0 | 0 | ANY | 0.0.0.0/0 | 81 |
The rule is then updated through the GUI or CLI to match traffic from any source address and any port to any destination address and any port:
Source Address | Source Port | VLAN | Destination Address | Destination Port |
0.0.0.0/0 | 0 | ANY | 0.0.0.0/0 | 0 |
The updated rule is correctly saved into the configuration as shown by the GUI and the CLI, but the new flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule (destination port 81 in the example).
Conditions:
An existing PEM policy rule flow filter is updated through the GUI or CLI, selecting Source Port '0' ('any') and/or Destination Port '0' ('any').
Impact:
The updated flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule.
Workaround:
- Restart TMM to make the updated flow filter effective.
or
- Remove the flow filter altogether instead of replacing it with a filter like '0.0.0.0/0:0 --> 0.0.0.0/0:0'.
The intended result is the same: the rule will catch all traffic.
or
- Create a new additional rule with port number 0 and place it at a higher precedence (under the same policy).
- For example, if the rule with precedence 10 allows flows for port 80, instead of modifying this rule,
- create a new rule with precedence 9 to allow flows for port "0" and delete the old rule.
1205501-4 : The iRule command SSL::profile can select server SSL profile with outdated configuration
Links to More Info: BT1205501
Component: Local Traffic Manager
Symptoms:
Under some circumstances, an iRule-selected server SSL profile can send a previously configured certificate to the peer.
Conditions:
The iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made to the profile.
Impact:
The TLS handshake may use an outdated certificate that does not match the current configuration, potentially leading to handshake failures.
Workaround:
Terminate all traffic on the virtual servers that use the iRule command so that the update takes effect.
or
Do not make changes to a profile that is actively being used by the iRule command.
1205045-6 : WMI monitor does not put pool members into an offline/unchecked state when BIG-IP receives HTTP responses other than 200
Links to More Info: BT1205045
Component: Local Traffic Manager
Symptoms:
With no credentials configured, the WMI monitor status still displays "UP".
Conditions:
With no credentials or with stale/expired credentials, the WMI monitor status displays "UP".
Impact:
The user is misinformed about the status of the WMI monitor.
Workaround:
None
1199025-3 : DNS vectors auto-threshold events are not seen in webUI
Links to More Info: BT1199025
Component: Advanced Firewall Manager
Symptoms:
No option to see DNS auto-threshold event logs from webUI.
Conditions:
- DNS profile configured with fully automatic mode.
Impact:
DNS auto-threshold event logs are not visible from webUI.
Workaround:
None
1196537-5 : BD process crashes when you use SMTP security profile
Links to More Info: BT1196537
Component: Application Security Manager
Symptoms:
The BD process may crash when an SMTP security profile is attached to a virtual server, and the SMTP request is sent to the same virtual server.
Conditions:
- SMTP security profile is attached to VS
- SMTP request is sent to VS
Impact:
Intermittent BD crash
Workaround:
N/A
1196477-8 : Request timeout in restnoded
Links to More Info: BT1196477
Component: Device Management
Symptoms:
The following exception can be observed in the restnoded log:
Request timeout., stack=Error: [RestOperationNetworkHandler] request timeout.
At ClientRequest. <anonymous> (/usr/share/rest/node/src/infrastructure/restOperationNetworkHandler.js:195:19)
Conditions:
When BIG-IP is loaded with a heavy configuration.
Impact:
SSL Orchestrator deployment will not be successful.
Workaround:
1. Remount /usr read-write: mount -o remount,rw /usr
2. In getDefaultTimeout : function() at /usr/share/rest/node/src/infrastructure/restHelper.js, replace 60000 with the required timeout (in milliseconds).
3. bigstart restart restnoded
4. Remount /usr read-only again: mount -o remount /usr
1196185-1 : Policy Version History is not presented correctly with scrolling
Links to More Info: BT1196185
Component: Application Security Manager
Symptoms:
When the version history contains many entries, the modal window becomes scrollable and is displayed distorted.
Conditions:
- Apply Policy multiple times.
- Open Policy Version History in General Settings -> Version -> Date Link.
Impact:
Policy history modal window gets distorted.
Workaround:
None
1196053-4 : The autodosd log file is not truncating when it rotates
Links to More Info: BT1196053
Component: Advanced Firewall Manager
Symptoms:
The autodosd log file size increases continuously even though log rotation occurs every hour.
Conditions:
- DoS profiles (at device or virtual server level) are configured in fully automatic mode; the autodosd daemon calculates the thresholds periodically and writes the relevant logs to the log file.
Impact:
Logs are not truncated as expected. The autodosd log file size continues to increase even though it is rotated every hour.
Workaround:
Restarting autodosd daemon will truncate the log file content to zero.
1194173-5 : BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value
Component: Application Security Manager
Symptoms:
Attack signature check is not run on normalised parameter value.
Conditions:
- A parameter with location configured as a cookie is present in the parameters list.
- The request contains the explicit parameter with a URL-encoded base64 padding value.
Impact:
- Attack signature not detected.
Workaround:
None
1190765-1 : VelOS | Zone Base DDOS | Aggregation, BD | Seeing Entries in sPVA Registers are not getting reset once the attack is completed
Component: Advanced Firewall Manager
Symptoms:
On the VELOS platform, the idle timeout for hardware entries is 5 minutes (hardware eviction timeout). However, deleting the virtual server or zone configuration initiates eviction immediately (software eviction). In this case, the eviction does not happen as expected and the entry continues to stay in sPVA for some time.
Conditions:
This issue occurs when zone-based DDoS is configured with Aggregation or BD on the VELOS platform.
Impact:
The sPVA entries stay for 5 minutes (the idle eviction timeout) even after the corresponding zone configuration is deleted.
Workaround:
Not available
1190365-1 : OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly
Links to More Info: BT1190365
Component: Application Security Manager
Symptoms:
The method used by ASM enforcer to serialize an OpenAPI object configured with "style:form", "explode:true", and "type:object" is not functioning as expected.
Conditions:
Parameter names occur repeatedly in the query string, and the OpenAPI file configures the parameter with "type:object/explode:true/style:form".
Impact:
The violation "JSON data does not comply with JSON schema" is raised due to the repeated parameters from the query string with "array" configuration.
Workaround:
None
1190353-4 : The wr_urldbd BrightCloud database downloading from a proxy server is not working
Links to More Info: BT1190353
Component: Policy Enforcement Manager
Symptoms:
Downloading the BrightCloud database does not work through a proxy.
Conditions:
The BrightCloud database is downloaded through a proxy configured under proxy management.
Impact:
URL categorization is disrupted because the database is not downloaded.
Workaround:
None
1189949-4 : The TMSH sys core is not displaying help and tab complete behavior
Links to More Info: BT1189949
Component: TMOS
Symptoms:
The help and tab complete options are not displayed when TMSH sys core commands are executed.
Conditions:
For example, execute the following commands:
tmsh sys core modify tmm-manage ?
tmsh sys core modify tmm-manage TABC
Impact:
The help and tab complete options are not displayed.
Workaround:
None
1189865-5 : "Cookie not RFC-compliant" violation missing the "Description" in the event logs
Links to More Info: BT1189865
Component: Application Security Manager
Symptoms:
When a request is blocked due to the "Cookie not RFC-compliant" violation, the description field in the request log details is shown as "N/A" instead of the description (for example "Invalid equal sign preceding cookie name" or "Invalid space in cookie name").
Conditions:
A request is blocked due to the "Cookie not RFC-compliant" violation and you view the request log details.
Impact:
The description is empty, so it is not possible to tell what the problem with the request is.
1189513-6 : SIP media flow pinholes are not created if the SDP MIME multipart body part is missing the Content-Length header
Links to More Info: BT1189513
Component: Service Provider
Symptoms:
SIP MRF fails to extract the SDP data and does not create media flow pinholes if the SDP Multipurpose Internet Mail Extensions (MIME) multipart body is generated without a Content-Length header.
Conditions:
An INVITE message contains a MIME multipart payload whose body parts lack the Content-Length header.
Impact:
Media flow pinholes are not created.
Workaround:
None
1186925-6 : When FUA in CCA-i, PEM does not send CCR-u for other rating-groups
Links to More Info: BT1186925
Component: Policy Enforcement Manager
Symptoms:
When a Final Unit Action (FUA) is received in CCA-i, traffic is immediately blocked for that rating-group.
However, PEM no longer sends CCR-u for the other rating-groups, which causes the traffic of all other rating-groups to pass through.
If the FUA is received in CCA-u, everything works as expected.
Conditions:
An FUA is received in CCA-i.
Impact:
PEM receives FUA redirect first and ignores further requests.
Workaround:
Use an iRule to remove the FUA from CCA-i.
1186401-4 : Using REST API to change policy signature settings changes all the signatures.
Links to More Info: BT1186401
Component: Application Security Manager
Symptoms:
When you use iControl REST to modify the signatures associated with a policy, the modifications are applied to all the signatures, not only those in the policy.
Conditions:
-- Create a policy named 'test'.
-- Associate a signature set such as "SQL Injection Signatures" with the policy; for example, remove the "Generic Detection Signatures (High/Medium Accuracy)" set.
-- Look at the low-risk signatures associated with the policy.
Command:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' | jq . | head
-- Turn off staging for these signatures.
Commands:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": false }' -X PATCH | jq . | head
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": true }' -X PATCH | jq . | head
-- The "totalItems" field shows that 187 signatures were changed.
Impact:
The user is unable to use the REST API to make the desired changes to the ASM signature policy.
Workaround:
Add 'inPolicy eq true' to the filter so that only signatures that are in the policy are modified.
Command:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low+and+inPolicy+eq+true' -d '{ "performStaging": false }' -X PATCH | jq . | head
1185257-6 : BGP confederations do not support 4-byte ASNs
Links to More Info: BT1185257
Component: TMOS
Symptoms:
BGP confederations do not support 4-byte AS numbers. Only 2-byte ASNs are supported.
Conditions:
Using BGP confederations.
Impact:
Unable to configure 4-byte AS number under BGP confederation.
Workaround:
None
1184841-6 : Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API
Component: Application Security Manager
Symptoms:
When a URL is updated through the REST API, the Header Based Content Profile is synced differently to the peer unit in auto-sync mode.
Conditions:
- ASM-Sync enabled
- Auto-Sync enabled
- A URL is updated through the REST API
Impact:
The configuration on the two units is out of sync.
Workaround:
Use TMUI to update configuration.
1182353-6 : DNS cache consumes more memory because of the accumulated mesh_states
Links to More Info: BT1182353
Component: Global Traffic Manager (DNS)
Symptoms:
DNS cache consumes more memory and the mesh_states are accumulated quickly.
Conditions:
Mixed queries with the RD flag set and the CD flag set or unset.
Impact:
TMM runs out of memory.
1180365-3 : APM Integration with Citrix Cloud Connector
Component: Access Policy Manager
Symptoms:
* Citrix Cloud Connector is configured instead of Citrix Delivery Controller to publish apps and desktops from the cloud configured using DaaS.
* Apps/desktops are not published.
Conditions:
* When Citrix Cloud Connector is used to publish apps instead of Citrix Delivery Controller, once the user clicks on the app/desktop, the cloud connector sends an empty response.
* Hence the user is not able to publish any apps/desktops.
Impact:
Users will not be able to publish any Apps/Desktops in webtop which are published through Citrix Cloud Connector.
1174085-7 : spmdb_session_hash_entry_delete releases the hash's reference
Links to More Info: BT1174085
Component: Policy Enforcement Manager
Symptoms:
Multiple references access and try to modify the same entry.
Conditions:
Failover from active to standby occurs while the connection is stalled.
Impact:
Illegal access of the memory.
Workaround:
NA
1173493-2 : Bot signature staging timestamp corrupted after modifying the profile
Component: Application Security Manager
Symptoms:
The bot signature staging timestamp is not accurate.
Conditions:
Have a bot signature "A" in staging, record the timestamp.
Using webUI, set another bot signature "B" to be in staging and click Save.
The time stamp on "A" is updated and shows the year 1970 in webUI.
Impact:
It is not possible to verify since when the signature has been in staging.
Workaround:
Use TMSH, instead of webUI, to update the profile.
1167969-2 : In DoS Profile level, the Flood attack Vectors with TCP and UDP, Hardware offloading is not working as expected
Links to More Info: BT1167969
Component: Advanced Firewall Manager
Symptoms:
On multi-blade platforms that support a high number of TMM threads, larger per-HSB rate limit values are received, which prevents the hardware from triggering offload even though the attack traffic matches the configured rate limits.
Conditions:
This occurs only on platforms that support a high number of TMMs (more than 20).
Impact:
Hardware offload for the Flood attack vectors will not trigger as expected.
Workaround:
None
1167609-4 : The messages msg->ref > 0 are seen in TMM logs with websockets/ASM plugin
Links to More Info: BT1167609
Component: Local Traffic Manager
Symptoms:
With web security enabled and ASM policies attached to a virtual server, in an unknown scenario, "msg->ref > 0" messages appear in the TMM logs.
Conditions:
-- ASM is provisioned
-- ASM policy attached to virtual server
-- Web security configured
Impact:
The /var/log/tmm files may be flooded with the messages.
Workaround:
None
1161241-7 : BIND default behavior changed from 9.11 to 9.16
Links to More Info: BT1161241
Component: Global Traffic Manager (DNS)
Symptoms:
The default behavior of the BIND configuration options minimal-responses and dnssec-validation changed in BIND 9.16, which breaks existing test cases and the previously expected behavior.
Conditions:
The BIND package is upgraded from version 9.11.36 to 9.16.27.
Impact:
Behavior change for minimal-responses and dnssec-validation.
Workaround:
None
1160805-4 : The scp-checkfp fails to cat scp.whitelist for remote admin users
Links to More Info: BT1160805
Component: TMOS
Symptoms:
Attempting to SCP a file to /shared/images on BIG-IP succeeds for the root user but fails for a remote admin user, for example:
sinkhole3:~$ scp test.iso apiuser@10.201.69.106:/shared/images
Password:
cat: /co: No such file or directory
cat: fig/ssh/scp.whitelist: No such file or directory
"/shared/images/test.iso": path not allowed
Conditions:
-- Running a BIG-IP version that includes the fix for ID 1097193.
-- A remote admin user is created.
-- The SCP command is used to transfer a file to a path as the remote admin user.
Impact:
The SCP command does not work for remote admin users.
Workaround:
None
1156889-5 : TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions
Links to More Info: BT1156889
Component: Application Security Manager
Symptoms:
When a bot-defense profile with browser verification is used and redirect actions are performed, there is a memory leak in TMM.
Conditions:
- A bot-defense profile with "Verify After Access" or "Verify Before Access" browser verification is configured.
- Either: browsing, during the grace period (5 minutes after a config change), to a non-qualified URL; or: "Validate Upon Request" is configured in the "Cross Domain Requests" configuration, with domains A and B configured as "Related Site Domains".
- Browsing from Domain A to Domain B.
Impact:
Degraded performance, potential eventual out-of-memory.
Workaround:
None
1156149-5 : Early responses on standby may cause TMM to crash
Links to More Info: BT1156149
Component: Service Provider
Symptoms:
TMM cores when an early response interacts with the retransmit mechanism; this has also happened during a failover event.
Conditions:
The response to a request message reaches the standby unit before the request itself.
Impact:
Causes a failover while TMM restarts.
Workaround:
None
1154685-4 : Error logged "01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object..." during startup
Links to More Info: BT1154685
Component: TMOS
Symptoms:
Database error (13) is logged in /var/log/ltm during startup:
err mcpd[]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:private_mac_addr_freelist status:13 - EdbCfgObj.cpp, line 127.
Conditions:
-- Running 15.1.8 or a later 15.1.x version.
Impact:
This is a cosmetic error and is observed only once during startup.
Workaround:
None
1154465-2 : Error attaching few QAT devices to TMM
Links to More Info: BT1154465
Component: Local Traffic Manager
Symptoms:
Crypto and compression yield low throughput when more than 32 vCPUs are used.
Conditions:
A variable was not thread-safe, so its value was not correct.
Impact:
Lower throughput.
Workaround:
None
1148009-8 : Cannot sync an ASM logging profile on a local-only VIP
Links to More Info: BT1148009
Component: Application Security Manager
Symptoms:
If an ASM profile, such as a logging profile, is applied to a virtual server that is local-only, the state changes to "Changes Pending" but configuration sync breaks.
Conditions:
- ASM provisioned
- high availability (HA) pair
- An ASM profile, such as a logging profile, is applied to a virtual server that is local-only.
Impact:
The state changes to "Changes Pending" but configuration sync breaks.
Workaround:
None
1146377-6 : FastHTTP profiles do not insert HTTP headers triggered by iRules
Links to More Info: BT1146377
Component: Local Traffic Manager
Symptoms:
Virtual servers configured with the FastHTTP profile will not insert HTTP headers even when triggered by iRules.
Conditions:
A virtual server configured with FastHTTP, and an iRule that would insert an HTTP header.
Impact:
The expected headers will not be inserted on packets sent to servers.
Workaround:
None
1144497-5 : Base64 encoded metachars are not detected on HTTP headers
Component: Application Security Manager
Symptoms:
Base64 encoded illegal metachars are not detected.
Conditions:
No specific condition.
Impact:
False negative, illegal characters are not detected and request not blocked.
Workaround:
None
1137993-6 : Violation is not triggered on specific configuration
Links to More Info: BT1137993
Component: Application Security Manager
Symptoms:
The HTTP compliance violation is not triggered for the unparsable requests due to a specific scenario.
Conditions:
A microservice is configured in the security policy.
Impact:
Specific violation is not triggered. A possible false negative.
Workaround:
It is possible to work around this with an iRule that checks the length of the URL and issues a custom violation.
1136921-6 : BGP might delay route updates after failover
Links to More Info: BT1136921
Component: TMOS
Symptoms:
The BGP might delay route updates after failover.
Conditions:
- BGP is configured on a High Availability (HA) pair of BIG-IP devices.
- BGP is redistributing kernel routes.
- Failover occurs.
Impact:
New active unit might delay route advertisement up to 15 sec.
New standby unit might delay route withdrawal up to 15 sec.
Workaround:
None
1132981-5 : Standby not persisting manually added session tracking records
Links to More Info: BT1132981
Component: Application Security Manager
Symptoms:
Session tracking records with an Infinite Block-All period have an expiration time on the standby unit after sync.
Conditions:
- ASM provisioned
- Session Tracking enabled
- Session tracking records with an Infinite Block-All period are added
Impact:
Infinite Session Tracking records are removed from standby ASMs.
Workaround:
Use an auto-sync device group (DG) instead of manual sync.
After changing the configuration in the UI at Security->Application Security: Sessions and Logins: Session Tracking, you must "Apply Policy" and wait for the DG status to become In-Sync before adding new data points in the UI at Security->Reporting: Application: Session Tracking Status.
1132741-7 : TMM core when the HTML parser scans an endless HTML tag larger than 50MB
Links to More Info: BT1132741
Component: Application Security Manager
Symptoms:
TMM core; "clock advanced by X ticks" is printed.
Conditions:
- DoS Application or Bot Defense profile assigned to a virtual server.
- Single Page Application or Validate After Access enabled.
- A 50MB response with a huge HTML tag length.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Exclude the HTML parser for the URL in question:
tmsh modify sys db dosl7.parse_html_excluded_urls value <url>
1128429-7 : Rebooting one or more blades at different times may cause traffic imbalance resulting in high CPU
Links to More Info: BT1128429
Component: Carrier-Grade NAT
Symptoms:
One or more TMMs are consuming more CPU cycles than the other TMMs. The increased CPU usage is caused by a significant number of internal TMM traffic redirections.
Conditions:
- LSN pools enabled.
- The sp-dag configured on the client-side and server-side VLANs (cmp-hash src-ip and cmp-hash dst-ip respectively).
Impact:
Increased TMM CPU usage on one or more TMMs.
Workaround:
- Set up a High Availability (HA) pair of VIPRIONs and make the active VIPRION cluster standby before doing any operation that involves rebooting, inserting, or removing one or more blades.
Or if the VIPRION is a stand-alone cluster:
- Stop all external traffic to the VIPRION before rebooting, inserting, or removing one or more blades.
- Restart or reboot all the blades at the same time from the primary, using the following "clsh" command:
"clsh reboot volume <NEW_VOLUME>" or "clsh bigstart restart".
1126841-5 : HTTP::enable can rarely cause cores
Links to More Info: BT1126841
Component: Local Traffic Manager
Symptoms:
The TMM crashes with a segmentation fault.
Conditions:
- SSL profile used.
- An iRule that uses HTTP::enable.
Impact:
The TMM restarts, causing traffic interruption.
Workaround:
None
1124733-3 : Unnecessary internal traffic is observed on the internal tmm_bp vlan
Links to More Info: BT1124733
Component: TMOS
Symptoms:
Unnecessary internal traffic can be observed on the internal tmm_bp VLAN. It is a UDP broadcast on port 62965.
Conditions:
Always
Impact:
Unnecessary traffic that does not disrupt normal operation.
Workaround:
None
1123153-5 : "Such URL does not exist in policy" error in the GUI
Component: Application Security Manager
Symptoms:
Unable to create a parameter under Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs ›› URL Parameters
Conditions:
When the policy setting "Differentiate between HTTP/WS and HTTPS/WSS URLs" is set to "Disabled".
Impact:
User is unable to create a Parameter with a URL.
Workaround:
N/A
1121349 : CPM NFA may stall due to lack of other state transition
Links to More Info: BT1121349
Component: Local Traffic Manager
Symptoms:
The CPM NFA string state machines may stall due to missing data.
Conditions:
-- HTTP virtual server with LTM policy and iRule
Impact:
The LTM policy rule does not trigger on an HTTP URI path condition.
Workaround:
Change rule from "HTTP URI path contains" to "HTTP URI full string contains"
1121169-5 : Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use
Links to More Info: BT1121169
Component: TMOS
Symptoms:
On systems where ID1004833 has been fixed, the resizing instructions for /appdata from K74200262 no longer work.
Conditions:
When jitterentropy-rngd is started by systemd, which is the default state of the BIG-IP.
Impact:
A filesystem resize operation may fail with the following error:
# lvreduce --resizefs --size -40G /dev/mapper/vg--db--sda-dat.appdata
Do you want to unmount "/appdata"? [Y|n] y
fsck from util-linux 2.23.2
/dev/mapper/vg--db--sda-dat.appdata is in use.
e2fsck: Cannot continue, aborting.
resize2fs 1.42.9 (28-Dec-2013)
resize2fs: Device or resource busy while trying to open /dev/mapper/vg--db--sda-dat.appdata
Couldn't find valid filesystem superblock.
fsadm: Resize ext3 failed
fsadm failed: 1
Filesystem resize failed.
Workaround:
Unmount /appdata, restart jitterentropy-rngd, and then retry the resize operation.
1117609-5 : VLAN guest tagging is not implemented for CX4 and CX5 on ESXi
Links to More Info: BT1117609
Component: Local Traffic Manager
Symptoms:
Tagged VLAN traffic is not received by the BIG-IP Virtual Edition (VE).
Conditions:
Mellanox CX4 or CX5 with SR-IOV on VMware ESXi.
Impact:
Host-side tagging is required.
Workaround:
If only one VLAN is required, use host-side tagging and set the VLAN to "untagged" in the BIG-IP guest.
If multiple VLANs are required, use the "sock" driver instead. Edit the /config/tmm_init.tcl file and restart the Virtual Edition (VE) instance. Network traffic is disrupted while the system restarts.
echo "device driver vendor_dev 15b3:1016 sock" >> /config/tmm_init.tcl
CPU utilization may increase as a result of switching to the sock driver.
I know it works for the sock driver. This bug was about the xnet/mlxvf5 drivers.
In the hal/internal folder, I saw the VMware vendor ID in the PciVendor.h file was 0x15ad, which looks incorrect, so I changed it to 0x15b3.
1117305-8 : /api, a non-existent URI, returns a different error response with or without correct Basic Authorization credentials
Links to More Info: BT1117305
Component: TMOS
Symptoms:
/api returns 401 when incorrect Basic Authorization credentials are supplied.
/api returns 404 when correct Basic Authorization credentials are supplied.
Conditions:
Irrespective of whether the DB variable "httpd.basic_auth" is set to enable or disable.
Impact:
There is no functional impact. However, all other non-existent URIs return a 302 redirect to the TMUI login page irrespective of correct or incorrect Basic Authorization credentials, and /api should invariably exhibit the same behavior.
Workaround:
None
1117245-5 : Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file
Links to More Info: BT1117245
Component: Application Security Manager
Symptoms:
You only see the following message in the /var/log/tomcat/liveupdate.log file. No other log messages are written, which removes troubleshooting capability for LiveUpdate.
liveupdate.script file is corrupted, live update repository initialized with default schema
This error is emitted during tomcat startup in /var/log/tomcat/catalina.out:
java.io.FileNotFoundException: /usr/share/tomcat/logs/liveupdate.log (Permission denied)
Conditions:
You are running a version that has the bug fix for ID907025. For more information, see https://cdn.f5.com/product/bugtracker/ID907025.html
Impact:
Loss of troubleshooting capability for LiveUpdate.
Workaround:
chown tomcat:tomcat /var/log/tomcat/liveupdate.log
bigstart restart tomcat
1113753-5 : Signatures might not be detected when using truncated multipart requests
Component: Application Security Manager
Symptoms:
In special cases, when sending long requests that include a multipart section, signatures that should be detected in the multipart body might not be detected.
Conditions:
1. A WAF policy is attached to a virtual server.
2. Signatures are enabled in the WAF policy.
3. Signatures contain special characters, e.g. ;"=\n
4. The request is longer than the value of max_raw_request_len.
5. A multipart request is sent.
Impact:
Signature is not detected.
Workaround:
None
1112537-6 : LTM/GTM config instantiated in a certain way can cause an LTM/GTM monitor to fail to delete.
Links to More Info: BT1112537
Component: TMOS
Symptoms:
Upon attempting to delete a LTM or GTM monitor, the system returns an error similar to the following example, even though the monitor being deleted is no longer in use anywhere:
01070083:3: Monitor /Common/my-tcp is in use.
Conditions:
-- The configuration was loaded from file (for example, as restoring a UCS archive would do).
-- A BIG-IP Administrator deletes all objects using the monitor, and then attempts to delete the monitor itself.
Impact:
An LTM or GTM monitor that is no longer in use anywhere cannot be deleted from the configuration.
Workaround:
Run one of the following sets of commands (depending on the affected module), and then try to delete the monitor again:
tmsh save sys config
tmsh load sys config
tmsh save sys config gtm-only
tmsh load sys config gtm-only
1111149-4 : Nlad core observed because ERR_func_error_string can return NULL
Links to More Info: BT1111149
Component: Access Policy Manager
Symptoms:
The following symptoms are observed:
In /var/log/ltm:
err nlad[17535]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
An nlad core is observed in /var/log/kern.log:
/var/log/kern.log:Apr 7 03:46:53 <vs name > info kernel: nlad[13119]: segfault at 0 ip <> sp <> error 4.
Conditions:
NLAD core is a SIGSEGV, crashing while processing an SSL certificate via a SAML login.
Impact:
The core results in disruption of APM sessions.
Workaround:
None
1110489-4 : TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event
Links to More Info: BT1110489
Component: Access Policy Manager
Symptoms:
TMM crashes. /var/log/tmm contains:
May 24 18:06:24 sslo.test.local notice panic: ../net/nexthop.c:165: Assertion "nexthop ref valid" failed.
Conditions:
An iRule containing an ACCESS_ACL_ALLOWED iRule event is applied to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1110485-5 : SSL handshake failures with invalid profile error
Links to More Info: BT1110485
Component: Local Traffic Manager
Symptoms:
1. TMM reports SSL handshake failures with reason "hud_ssl_handler:1208: alert(40) invalid profile unknown on VIP".
2. There are certificate read errors in the ltm log: "reading: Unknown error."
Conditions:
-- The certificates associated with the SSL profile are corrupted by modifying, adding, or deleting them manually or via Venafi.
-- There are frequent unintentional certificate updates.
Impact:
-- The BIG-IP system is not able to process the traffic.
-- All traffic to the affected virtual servers fails.
Workaround:
1. Correct the corrupted certificates and make them valid.
2. Detach/remove the corresponding SSL profile from all virtual servers to which it is applied.
3. In the GUI, open the virtual server, click Update, and make sure no errors are shown on the screen.
4. Re-apply the SSL profile to the virtual server.
1110281-7 : Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable
Links to More Info: BT1110281
Component: Advanced Firewall Manager
Symptoms:
Non-HTTP traffic is not forwarded to the backend server.
Conditions:
- ASM provisioned
- Behavioral DoS profile assigned to a virtual server
- DOSL7::disable and HTTP::disable applied in when CLIENT_ACCEPTED {}
Impact:
Web applications that use non-HTTP traffic are broken.
Workaround:
Instead of using DOSL7::disable, redirect non-HTTP traffic to a non-HTTP aware virtual server using the iRule command virtual <virtual_server_name>.
1108237-3 : Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM.
Links to More Info: BT1108237
Component: Global Traffic Manager (DNS)
Symptoms:
It is possible for monitor probes to a certain destination to be owned by no GTM device in the sync-group. As a result, no monitoring of the destination will be performed, and the monitored object will be incorrectly marked down with reason "no reply from big3d: timed out".
Conditions:
-- GTM sync-group with multiple GTM devices (including a sync-group that contains only a single GTM server with more than one GTM device in it).
-- Monitors specifying an explicit destination to connect to (e.g. with the property "destination 192.168.1.1:*").
-- The destination of a monitored object (e.g. the IP address of the gtm server) is different from the destination explicitly defined in a monitor assigned to the object.
-- The two mismatching destination values are assigned to different GTM devices in the sync-group for monitoring.
Impact:
Monitored GTM objects may have an incorrect status.
Workaround:
None
1106273-5 : "duplicate priming" assert in IPSECALG
Links to More Info: BT1106273
Component: Advanced Firewall Manager
Symptoms:
This is a specific issue with a complicated firewall/NAT/IPsec scenario. In this case, when applying changes to a firewall policy in transparent mode, IPSECALG triggers a "duplicate priming" assert.
Conditions:
An IPsec session is established from a device whose source IP has a firewall policy (transparent mode). As soon as traffic is passed over the new IPsec tunnel, the clash in the rules results in a TMM core.
Impact:
TMM asserts with "duplicate priming" assert.
Traffic disrupted while tmm restarts.
Workaround:
None
1105901-6 : Tmm crash while doing high-speed logging
Links to More Info: BT1105901
Component: TMOS
Symptoms:
TMM crashes.
Conditions:
-- High-speed logging is configured
-- Network instability occurs with the logging pool members
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1102425-1 : F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary
Links to More Info: BT1102425
Component: TMOS
Symptoms:
The secondary blades are inoperative when MCPD is restarted on the primary slot, or the license is installed on the F5OS chassis.
The symptoms are as follows:
- The following log message is logged in /var/log/ltm for the secondary slots:
mprov:29790:[29790]: 'FPGA change is taking a long time. Unable to start the daemons.'
- The file /var/run/fpga_mcpd_lockfile is present on the secondary slots.
Conditions:
- Multi-Slot F5OS tenant.
- Restarting MCPD on the primary blade or installing the license from the F5OS chassis.
Impact:
Secondary blades are inoperative.
Workaround:
Execute the following command on the secondary blades that are inoperative:
bigstart restart mcpd
1098609-3 : BD crash on specific scenario
Component: Application Security Manager
Symptoms:
BD crashes while passing traffic.
Conditions:
Specific request criteria that occur while there is a configuration change.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
1090313-5 : Virtual server may remain in hardware SYN cookie mode longer than expected
Links to More Info: BT1090313
Component: TMOS
Symptoms:
A virtual server may remain in hardware SYN cookie mode longer than expected after the SYN flood attack has stopped. The TMSH 'show ltm virtual' command shows that the virtual server has already exited SYN cookie mode, but SYN packets are still answered from hardware for a few minutes longer.
Conditions:
The problem is a result of a race condition in TMM, so the issue might show up intermittently.
Impact:
Discrepancy between the actual SYN Cookie mode and the reported SYN Cookie mode for a short period of time after a SYN flood attack.
Workaround:
Disable hardware SYN Cookie mode.
1088597-6 : TCP keepalive timer can be immediately re-scheduled in rare circumstances
Links to More Info: BT1088597
Component: Local Traffic Manager
Symptoms:
In rare circumstances, the TCP timer is rescheduled immediately because the interval used also encompasses the idle_timeout.
Conditions:
Virtual Server with:
- TCP Profile
- SSL Profile with alert timeout configured
Another way this can occur is by manually deleting connections, which effectively sets the idle timeout to 0.
Impact:
High CPU utilization potentially leading to reduced performance.
Workaround:
Not re-enabling the alert timeout in the SSL profile should be sufficient.
1084857-6 : ASM::support_id iRule command does not display the 20th digit
Links to More Info: BT1084857
Component: Application Security Manager
Symptoms:
ASM::support_id iRule command does not display the 20th digit.
A support ID seen in REST/TMUI that has 20 digits, e.g. 13412620314886537617, is displayed as 1341262031488653761 by the iRule command (the last digit '7' is stripped).
Conditions:
ASM::support_id iRule command
Impact:
Inability to trace request events using the support ID.
1083513-4 : BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd
Links to More Info: BT1083513
Component: Application Security Manager
Symptoms:
"Challenge Failure Reason" field in a request event log shows N/A.
Conditions:
The db key has not been changed manually on the system.
Impact:
"Challenge Failure Reason" field is disabled.
Workaround:
Disable the key, re-enable it, and then save the configuration:
tmsh modify sys db botdefense.disable_challenge_failure_reporting value disable
tmsh modify sys db botdefense.disable_challenge_failure_reporting value enable
tmsh save sys config
1083053-4 : Apmd memory grows over time in AD auth scenarios
Links to More Info: BT1083053
Component: Access Policy Manager
Symptoms:
Apmd memory grows over time. It is not a memory leak; it is mainly due to memory fragmentation caused by memory sharing among apmd threads.
Conditions:
The access policy in use has Active Directory auth as one of the agents.
Impact:
Apmd memory grows over time. After it grows beyond a limit, the OOM killer might kill apmd, thereby leading to traffic disruption.
Workaround:
None
1082197-5 : RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response
Links to More Info: BT1082197
Component: Global Traffic Manager (DNS)
Symptoms:
Synthetic SOA returned by BIG-IP has the MNAME and RNAME fields reversed, resulting in the wrong values being noted as the primary name server and mailbox of administrator, respectively.
Conditions:
-- Set failure-rcode-response to enabled and set failure-rcode-ttl on a down WIP.
-- Perform a DNS query.
-- Observe the SOA.
Impact:
Per RFC 1035, the order of the fields is significant and MNAME must come before RNAME. When reversed, consumers of the synthetic SOA will associate the values with the wrong fields.
1080957-1 : TMM Seg fault while Offloading virtual server DOS attack to HW
Links to More Info: BT1080957
Component: Advanced Firewall Manager
Symptoms:
TMM crashes during virtual server DOS attack scenarios.
Conditions:
-- HSB-equipped hardware platforms.
-- An attack is detected on a configured virtual server DoS vector and is being offloaded to hardware.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1078065-5 : The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA.
Links to More Info: BT1078065
Component: Application Security Manager
Symptoms:
The login page shows a blocking page instead of CAPTCHA or shows the blocking page after resolving a CAPTCHA.
Make five (the number configured in the brute force configuration) failed login attempts and you receive a blocking page with Blocking Reason: Resource not qualified for injection.
Conditions:
The HTML response message has an HTML page with a length greater than 32000 bytes.
Impact:
Users are blocked after failed login attempts.
Workaround:
Run: tmsh modify sys db asm.cs_qualified_urls value <url value>
1076825-3 : "Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.
Links to More Info: BT1076825
Component: Application Security Manager
Symptoms:
"Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.
Conditions:
Upgrading to v16.1.x from earlier releases.
Impact:
Configuration of "Installation of Automatically Downloaded Updates" is lost and reverts to default.
Workaround:
Manually configure "Installation of Automatically Downloaded Updates" after the upgrade.
1069729-4 : TMM might crash after a configuration change.
Links to More Info: BT1069729
Component: Application Security Manager
Symptoms:
After modifying a dosl7 profile, in rare cases TMM might crash.
Conditions:
Modifying a DoSL7 profile attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
1069265 : New connections or packets from the same source IP and source port can cause unnecessary port block allocations.
Links to More Info: BT1069265
Component: Advanced Firewall Manager
Symptoms:
A client opening new TCP connections or sending new UDP packets from the same source IP and source port can cause the allocation of multiple new port blocks even if there are still existing translation endpoints in the current blocks.
Conditions:
All of the following conditions must be met:
- AFM NAT or CGNAT configured with port block allocation.
- In the port-block-allocation settings, a block-lifetime value different from zero.
- A client sending UDP packets or opening TCP connections periodically, always from the same source IP address and source port.
- A protocol profile on the virtual server with an idle timeout lower than the interval between the client packets or new connections.
Impact:
After the first allocated port block becomes zombie, a new port block is allocated for each new client packet or client connection coming from the same source IP / source port, even if there are still available translation endpoints in the allocated non-zombie blocks.
The new blocks keep piling up until the original zombie block timeout expires.
Workaround:
Increase the protocol profile idle-timeout to a value greater than the interval between UDP packets or connections from the client.
1067797 : Trunked interfaces that share a MAC address may be assigned in the incorrect order.
Links to More Info: BT1067797
Component: TMOS
Symptoms:
Interfaces that are trunked together and use the same MAC address may end up in an incorrect order when the system is restarted.
Conditions:
Trunked interfaces that use the same MAC address. On reboot the f5-swap-eth script will incorrectly reorder the affected interfaces.
Impact:
Incorrect ordering could result in a failover or outage.
Workaround:
N/A
1067557-5 : Value masking under XML and JSON content profiles does not follow policy case sensitivity
Component: Application Security Manager
Symptoms:
Value masking is always case sensitive regardless of policy case sensitivity.
Conditions:
- Parse Parameters is unchecked under the JSON content profile.
- The Value masking section contains element/attribute names under XML and JSON content profiles.
Impact:
- Value is not masked in a case insensitive manner even when the policy is case insensitive.
Workaround:
None
1064753-6 : OSPF LSAs are dropped/rate limited incorrectly.
Links to More Info: BT1064753
Component: TMOS
Symptoms:
Some LSAs are dropped on BIG-IP with a log message similar to:
"LSA is received recently".
Conditions:
Tuning OSPF min LSA arrival has no effect on some LSA handling.
Impact:
OSPF LSAs are dropped/rate limited incorrectly.
Workaround:
N/A
1064725-5 : CHMAN request for tag:19 failed.
Links to More Info: BT1064725
Component: Local Traffic Manager
Symptoms:
The following log is seen in /var/log/ltm when a qkview is generated:
warning chmand[6307]: 012a0004:4: CHMAN request (from qkview) for tag:19 failed.
or when a tcpdump capture is started:
warning chmand[792]: 012a0004:4: CHMAN request (from bigpcapq33E5-24) for tag:19 failed
or when getting a dossier from the GUI/CLI:
warning chmand[4319]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed
or on reboot:
warning chmand[8263]: 012a0004:4: CHMAN request (from mcpd) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from DossierValidator) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from LACPD_USER) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed
Conditions:
Any one of the following:
-- Generate a qkview file from the GUI/CLI
-- Start a tcpdump command from the CLI
-- Get a dossier from GUI/CLI
-- Reboot
Impact:
No functional impact.
Workaround:
None
1060477-2 : iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]".
Links to More Info: BT1060477
Component: Access Policy Manager
Symptoms:
Apmd crashes after setting the userName field via an iRule.
Conditions:
1. Setting the userName field:
set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]
2. Getting the sid field:
[ACCESS::session data get session.user.sessionid]
Impact:
APM traffic disrupted while apmd restarts.
Workaround:
Check the username before setting it from iRule.
1060393-3 : Extended high CPU usage caused by JavaScript Obfuscator.
Links to More Info: BT1060393
Component: Fraud Protection Services
Symptoms:
The Obfuscator process (compiler.jar) consumes excessive CPU for an extended period.
Conditions:
FPS is provisioned
OR:
ASM is provisioned
AND:
Bot profile is attached to VS
OR
ASM Policy with brute force feature enabled is attached to VS
OR
DoS profile with Captcha/CSI mitigation is attached to VS
Impact:
High CPU usage on the device.
Workaround:
None
1059573-5 : Variation in a case insensitive value of an operand in LTM policy may fail in some rules.
Links to More Info: BT1059573
Component: Local Traffic Manager
Symptoms:
The LTM policy engine compiles a policy into a state machine. If there is variation of the same case-insensitive value for an operand, the state machine may fail to properly build all rules that use this value. An example of such variation is a list of words like "Myself", "myself", "MYself", "mySElf", "MYSELF".
Conditions:
-- LTM policy is configured and attached to a virtual server.
-- The policy has variation in a case-insensitive value of an operand.
Impact:
An expected rule does not apply: either a wrong rule is applied, or no rule is applied, causing incorrect traffic processing.
Workaround:
Eliminate variation in any case-insensitive value of any operand. For example, replace all variations in the list above with "myself".
1059513-3 : Virtual servers may appear as detached from security policy when they are not.
Links to More Info: BT1059513
Component: Application Security Manager
Symptoms:
When browsing the Security >> Overview : Summary page, the virtual servers may appear as detached. The larger the number of virtual servers, the more likely you are to see all virtual servers shown as detached from the security policy.
Conditions:
From a certain number of virtual servers (20) attached to a security policy, the virtual servers may appear as detached from any security policy.
Impact:
Virtual servers are displayed as detached from any security policy, but this is not the case.
Workaround:
None
1049237-6 : Restjavad may fail to clean up UCS file handles even with the ID767613 fix
Links to More Info: BT1049237
Component: Device Management
Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client (such as a BIG-IQ which is out of disk space) does not complete the download.
Since these files remain open, you may see low disk space even after deleting the associated files, and you may see items listed with '(deleted)' in lsof output.
Additionally, on a software version with the ID767613 fix, you may see restjavad NullPointerException errors in /var/log/restjavad.*.log:
[SEVERE][1837][23 Sep 2021 10:18:16 UTC][RestServer] java.lang.NullPointerException
at com.f5.rest.workers.FileTransferWorker$3.run(FileTransferWorker.java:230)
at com.f5.rest.common.ScheduleTaskManager$1$1.run(ScheduleTaskManager.java:68)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:473)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:622)
at java.lang.Thread.run(Thread.java:748)
Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.
Impact:
Low disk space; items listed with '(deleted)' in lsof output.
Workaround:
To free the file handles, restart restjavad:
# tmsh restart sys service restjavad
Files that were deleted now have their space reclaimed.
1048949-8 : TMM xdata leak on websocket connection with asm policy without websocket profile
Links to More Info: BT1048949
Component: Application Security Manager
Symptoms:
Excessive memory consumption, TMM core.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- A WebSocket profile is not attached to the virtual server
- Long-lived WebSocket connection with messages
Impact:
Excessive memory consumption, tmm crash. Traffic disrupted while tmm restarts.
Workaround:
Attach a WebSocket profile to the virtual server.
1048425-6 : Packet tester crashes TMM when vlan external source-checking is enabled
Links to More Info: BT1048425
Component: Advanced Firewall Manager
Symptoms:
TMM SIGFPE Core Assertion "packet must already have an ethernet header".
Conditions:
Run the AFM Packet Tracer when external source-checking is enabled on the VLAN.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable source checking on the VLAN.
1046469-4 : Memory leak during large attack
Links to More Info: BT1046469
Component: Anomaly Detection Services
Symptoms:
ADMD daemon memory consumption increases over several days until it causes OOM.
Conditions:
A large DoS attack occurs and is not mitigated.
Impact:
ADMD daemon will get killed and restarted. Due to the restart, the BADoS protection might be disabled for a couple of seconds.
Workaround:
To work around the issue before installing the fix, ADMD could be monitored by a script and restarted as needed. This is similar to the current behavior, but it avoids reaching OOM, which might affect other daemons.
1044893-4 : Kernel warnings from NIC driver Realtek 8139
Links to More Info: BT1044893
Component: TMOS
Symptoms:
Excessive kernel logs occur from the Realtek 8139 NIC driver.
Conditions:
-- The Realtek 8139 driver is used.
-- Packets with a partial checksum and protocol IPPROTO_TCP/IPPROTO_UDP arrive.
Impact:
The Realtek 8139 driver logs excessive kernel warnings.
1044457-4 : APM webtop VPN is no longer working for some users when CodeIntegrity is enabled.
Links to More Info: BT1044457
Component: Access Policy Manager
Symptoms:
Users are unable to use the BIG-IP VPN in Edge, Internet Explorer, Firefox, and Chrome.
Microsoft believes the issue is because the Network Access webtop uses MSXML 2.0a, which is blocked by their desktop policy.
Conditions:
-- Attempting to connect to Network Access VPN using Edge, Internet Explorer, Chrome, or Firefox.
-- CodeIntegrity is enabled.
Impact:
Users are not able to connect to F5 VPN through APM Browser.
Workaround:
Use the BIG-IP Edge client.
1044089-5 : ICMP echo requests to a virtual address get a response even when the virtual server is offline, when updated from the GUI.
Links to More Info: BT1044089
Component: TMOS
Symptoms:
The virtual address is reachable even when the virtual server is offline.
Conditions:
The virtual server status is updated to offline by modifying the virtual server and adding an iRule via the GUI.
Impact:
ICMP echo requests are still handled by the virtual address even though the virtual server is marked offline.
Workaround:
Use tmsh to attach the iRule to the virtual server:
tmsh modify ltm virtual <virtual_server_name> rules {<rule_name> }
1041985-5 : TMM memory utilization increases after upgrade★
Links to More Info: BT1041985
Component: Access Policy Manager
Symptoms:
TMM memory utilization increases after upgrading.
The keep-alive interval of the _tmm_apm_portal_tcp default profile is set to a value that is less than the Idle Timeout setting.
Conditions:
-- APM enabled and passing traffic
-- The configuration has a profile that uses or is derived from _tmm_apm_portal_tcp where the keep-alive interval was reduced to 60
Note that this can be encountered any time a tcp profile contains a keep-alive interval setting that is less than the idle timeout.
For more information about the relationship between keep-alive and idle timeout, see K13004262: Understanding Idle Timeout and Keep Alive Interval settings in the TCP profile, available at https://support.f5.com/csp/article/K13004262
Impact:
TMM memory may increase while passing traffic.
Workaround:
Change the TCP keep-alive interval back to the default setting of 1800 seconds.
1040573-5 : REST operation takes a long time when two different users perform tasks in parallel
Links to More Info: BT1040573
Component: TMOS
Symptoms:
Executing multiple iControl REST (icr) requests in parallel as different users takes excessive time.
Conditions:
Multiple iControl REST operations are performed by different users in parallel.
Impact:
BIG-IP system performance is impacted.
Workaround:
Use only one user to process the multiple requests.
OR
Use an iControl REST transaction containing multiple requests.
1038057-5 : Unable to add a serverssl profile into a virtual server containing a FIX profile
Links to More Info: BT1038057
Component: Service Provider
Symptoms:
You are unable to configure a virtual server to use server SSL encryption with FIX protocol messages.
Conditions:
This is encountered when a server SSL profile needs to be configured on a virtual server that also has a FIX profile.
Impact:
You are unable to assign a server-ssl profile to the virtual server.
Workaround:
None
1034865-6 : CACHE::enable failed on private/no-store content
Links to More Info: BT1034865
Component: Local Traffic Manager
Symptoms:
BIG-IP can cache HTTP responses with the RAM Cache feature. When a response carries either "Cache-Control: private" or "Cache-Control: no-store", the CACHE::enable iRule command allows the content to be cached anyway. This capability was removed when the fix for ID 360047 was introduced.
Conditions:
-- A virtual server has a web-acceleration profile without a policy.
-- An iRule uses the CACHE::enable command to override the Cache-Control header values "no-store" and/or "private".
Impact:
BIG-IP always requests the response from the origin web server, even when the response is cacheable, putting extra load on the origin web server.
1030129-5 : iHealth unnecessarily flags qkview for H701182 with mcp_module.xml
Links to More Info: BT1030129
Component: Application Security Manager
Symptoms:
iHealth unnecessarily flags the uploaded qkview for Heuristic H701182 "Non-ASCII characters removed from Qkview XML files".
Conditions:
A qkview generated from a unit with ASM provisioned is uploaded to iHealth.
Impact:
Inaccurate heuristic result on iHealth.
Workaround:
None.
1030093 : An http2 to http2 virtual connection with translate-address disabled might only use one stream on the server side.
Links to More Info: BT1030093
Component: Local Traffic Manager
Symptoms:
When there is no pool object available, only stream ID 1 succeeds on the server side. All subsequent streams fail.
Conditions:
With the following configuration:
-- client side HTTP2
-- server side HTTP2
-- HTTP2 MRF enabled
-- translate-address disabled
Impact:
Connection only works for stream 1. All other streams fail.
Workaround:
If you set "translate-address enabled" on the virtual server, then all streams work fine.
1028081-3 : [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page
Links to More Info: BT1028081
Component: Access Policy Manager
Symptoms:
1. Users connecting with F5 Access from an Android device see the string "function () {[native code]}" in the Logon Page Form 'Username' field.
2. This issue only affects the F5 Access embedded browser. It works fine when connecting from the same Android device using Chrome. F5 Access from iOS is also working fine.
Conditions:
Configure an access policy with modern customization that includes a Logon Page.
Impact:
The string "function () {[native code]}" appears in the Logon Page Form 'Username' field.
Workaround:
This workaround is temporary, as the changes are lost after an upgrade.
Steps:
1) Create a copy of the original "main.js" file:
# cp /var/sam/www/webtop/public/include/js/modern/main.js /var/sam/www/webtop/public/include/js/modern/main.js.origin
2) Edit the file using an editor (e.g., vi):
# vi /var/sam/www/webtop/public/include/js/modern/main.js
Change
window.externalAndroidWebHost.getWebLogonUserName to window.externalAndroidWebHost.getWebLogonUserName()
and
window.externalAndroidWebHost.getWebLogonPassword to window.externalAndroidWebHost.getWebLogonPassword()
3) Restart BIG-IP.
1026781-5 : Standard HTTP monitor send strings have double CRLF appended
Links to More Info: BT1026781
Component: Local Traffic Manager
Symptoms:
Standard (bigd-based, not In-TMM) HTTP monitors have a double CRLF appended (\r\n\r\n) to the send string. This does not comply with RFC1945 section 5.1 which states requests must terminate with a single CRLF (\r\n). This non-compliant behavior can lead to unexpected results when probing servers.
Conditions:
Standard bigd (not In-TMM) HTTP monitors
Impact:
Servers probed by these non-RFC-compliant HTTP monitors may respond in an unexpected manner, resulting in false negative or false positive monitor results.
Workaround:
There are several workarounds:
1. If running 13.1.0 or later, switch monitoring from bigd-based to In-TMM. In-TMM monitors properly follow RFC1945 and send only a single CRLF (\r\n).
2. Remain with bigd-based monitoring and configure the probed servers to respond to a double CRLF (\r\n\r\n) in the desired fashion.
Depending on server configuration, a customized send string, even with the double CRLF, may still yield expected responses.
1025089-7 : Pool members marked DOWN by database monitor under heavy load and/or unstable connections
Links to More Info: BT1025089
Component: Local Traffic Manager
Symptoms:
BIG-IP database monitors (mssql, mysql, oracle, postgresql) may exhibit one of the following symptoms:
- Under heavy, sustained load, the database monitoring subsystem may become unresponsive, causing pool members to be marked DOWN and eventually causing the database monitoring daemon (DBDaemon) to restart unexpectedly.
- If the network connection to a monitored database server is unstable (experiences intermittent interruptions, drops, or latency), pool members may be marked DOWN as the result of a momentary loss of connectivity. This is more likely to occur when a database monitor is used to monitor a GTM pool member instead of an LTM pool member, due to differences between how monitors are configured for GTM versus LTM.
Conditions:
These symptoms may occur under the following conditions:
- The database monitoring subsystem may become unresponsive, and the database monitoring daemon (DBDaemon) may restart unexpectedly, if a large number of LTM or GTM pool members are being monitored by database monitors, and/or with short polling intervals ("interval" of 10 seconds or less), or when GTM pool members are monitored by database monitors with a short "probe-timeout" value (10 seconds or less).
- The GTM pool members may be marked DOWN after a single interrupted connection if they are monitored by a database monitor, configured with a short "probe-timeout" value (10 seconds or less) and "ignore-down-response" configured as "disabled" (default).
Impact:
-- High CPU utilization is observed on control plane cores.
-- The database monitoring daemon (DBDaemon) may restart unexpectedly, causing GTM or LTM pool members monitored by a database monitor to be marked DOWN temporarily.
-- GTM or LTM pool members monitored by a database monitor may be marked DOWN temporarily if the network connection to the database server is dropped or times out.
Workaround:
Perform one of the following actions:
-- Configure the database (mssql, mysql, oracle, postgresql) monitor with a "count" value of "1". This prevents the caching or reuse of network connections to the database server between probes. Thus there is no cached connection to time out or get dropped. However, the overhead of establishing the network connection to the database server will be incurred for each probe and will result in generally higher (but more consistent) CPU usage by the database monitoring daemon (DBDaemon).
-- Configure the database monitor "interval" and "timeout" values (for an LTM monitor), or the "interval", "timeout", "probe-attempts", "probe-interval" and "probe-timeout" values (for a GTM monitor) such that multiple failed monitor probes are required before the monitored member is marked DOWN, and with a minimum value of 10 seconds or greater.
Note: A restart of bigd (and consequently the DBDaemon) might be necessary to properly clear any currently stale/stuck database connections.
1024241-5 : Empty TLS records from client to BIG-IP results in SSL session termination
Links to More Info: BT1024241
Component: Local Traffic Manager
Symptoms:
After a client completes the TLS handshake with BIG-IP, if it sends an empty TLS record (zero-length cleartext), the client-to-BIG-IP SSL connection is terminated.
Conditions:
This is reported on the i7800, which has an Intel QAT crypto device.
The issue was not reported on Nitrox crypto based BIG-IP platforms, and it is not seen when hardware crypto is disabled.
Impact:
SSL connection termination is seen in TLS clients.
Workaround:
Disable hardware crypto acceleration.
1023889-5 : HTTP/HTTPS protocol option in storage filter does not suppress WS/WSS server->client messages
Links to More Info: BT1023889
Component: Application Security Manager
Symptoms:
Protocol filter does not suppress WS/WSS server->client message.
Conditions:
- protocol filter is set to HTTP, HTTPS or HTTP/HTTPS
- response logging is set to For All Requests
Impact:
The remote log server receives unexpected messages.
Workaround:
None
1017841-3 : Payload manager lacks egress flow control when used through satellite
Links to More Info: BT1017841
Component: Local Traffic Manager
Symptoms:
Payload manager uses HUDEVT_PAUSE_EGRESS which is not supported by most filters and the TCP proxy. This causes payload manager to accept all egress offered regardless of the state of the lower part of the chain, leading to excessive xfrag buffering.
Conditions:
- HTTP virtual server with HTTP compression, ntlm, oneconnect
- A request for a very large compressible document is made through the VIP, resulting in a chunked response from the server. Simulating a congested client makes the lack of flow control much more obvious.
Impact:
- The xfrags usage jumps proportionally to the document size requested and slowly declines as the document is transferred.
- Document transfer from server occurs without pause.
1012377-3 : Unable to display/edit 'management route' via GUI
Links to More Info: BT1012377
Component: TMOS
Symptoms:
Unable to display/edit 'management route' via GUI
Conditions:
-- Viewing the management route in the GUI via System -> Platform
-- The management route is configured manually
Impact:
The management route field is blank, and you cannot make changes.
Workaround:
Display/edit the management route via tmsh:
tmsh list sys management-route
tmsh modify sys management-route <settings>
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support website: http://www.f5.com/support/
- The MyF5 website: https://my.f5.com/manage/s/
- The F5 DevCentral website: http://devcentral.f5.com/