Supplemental Document : BIG-IP 17.1.0.2 Fixes and Known Issues

Applies To:


BIG-IP APM

  • 17.1.0

BIG-IP Analytics

  • 17.1.0

BIG-IP Link Controller

  • 17.1.0

BIG-IP LTM

  • 17.1.0

BIG-IP PEM

  • 17.1.0

BIG-IP AFM

  • 17.1.0

BIG-IP FPS

  • 17.1.0

BIG-IP DNS

  • 17.1.0

BIG-IP ASM

  • 17.1.0

Updated Date: 08/10/2023

BIG-IP Release Information

Version: 17.1.0.2
Build: 2.0

Note: This content is current as of the software release date. Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.



Cumulative fixes from BIG-IP v17.1.0.1 that are included in this release
Known Issues in BIG-IP v17.1.x

Functional Change Fixes

None


TMOS Fixes

ID Number | Severity | Links to More Info | Description | Fixed Versions
1185421-8 | 3-Major |  | iControl SOAP uncaught exception when handling certain payloads | 17.1.0.2


Application Visibility and Reporting Fixes

ID Number | Severity | Links to More Info | Description | Fixed Versions
1285173-1 | 3-Major |  | Improper query string handling on undisclosed pages | 17.1.0.2
1265425-1 | 3-Major |  | Improper query string handling on undisclosed pages | 17.1.0.2



Cumulative fixes from BIG-IP v17.1.0.1 that are included in this release


Vulnerability Fixes

ID Number | CVE | Links to More Info | Description | Fixed Versions
1213305-6 | CVE-2023-27378 | K000132726, BT1213305 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4
1204961-1 | CVE-2023-27378 | K000132726 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4
1204793-6 | CVE-2023-27378 | K000132726 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4
1238321-6 | CVE-2022-4304 | K000132943 | OpenSSL Vulnerability CVE-2022-4304 | 17.1.0.1
1096373-8 | CVE-2023-28742 | K000132972, BT1096373 | Unexpected parameter handling in BIG3d | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4


Functional Change Fixes

None


TMOS Fixes

ID Number | Severity | Links to More Info | Description | Fixed Versions
1284969 | 1-Blocking | BT1284969 | Adding ssh-rsa key for passwordless authentication | 17.1.0.1
1273041-3 | 1-Blocking | BT1273041 | Observing config error on R2x00/R4x00 low/high devices while doing tmsh load sys config via performance scripts | 17.1.0.1
1226585-1 | 1-Blocking | BT1226585 | Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode | 17.1.0.1
1238693-1 | 3-Major | BT1238693 | Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519 | 17.1.0.1


Local Traffic Manager Fixes

ID Number | Severity | Links to More Info | Description | Fixed Versions
1267317-6 | 3-Major | BT1267317 | Disabling Access and/or WebSSO for flows causes a memory leak | 17.1.0.1
1235085-1 | 3-Major | BT1235085 | Reinitialization of FIPS HSM in BIG-IP tenant | 17.1.0.1


Cumulative fix details for BIG-IP v17.1.0.2 that are included in this release

1285173-1 : Improper query string handling on undisclosed pages

Component: Application Visibility and Reporting

Symptoms:
On undisclosed pages, query strings are not processed as expected.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
Query strings are processed as expected.

Fixed Versions:
17.1.0.2


1284969 : Adding ssh-rsa key for passwordless authentication

Links to More Info: BT1284969

Component: TMOS

Symptoms:
In FIPS 140-3, SSHD does not support the ssh-rsa key for passwordless authentication.

Conditions:
The system must be in FIPS 140-3 mode.

Impact:
SSHD does not support the ssh-rsa key for passwordless authentication.

Workaround:
None

Fix:
SSHD now supports the ssh-rsa key for passwordless authentication.

Fixed Versions:
17.1.0.1


1273041-3 : Observing config error on R2x00/R4x00 low/high devices while doing tmsh load sys config via performance scripts

Links to More Info: BT1273041

Component: TMOS

Symptoms:
The following unexpected error occurs while running tmsh load sys config default:
"Invalid attempt to register an n-stage validator, the stage must be greater than the current stage, and within the range 1 to 101 inclusive,  current stage: 7 registered: 5 Unexpected Error: Loading configuration process failed. , retrying 5 more times"

Conditions:
In the performance test environment, running a script to load configurations fails.

Impact:
A configuration error occurs and the ptt tests cannot proceed.

Workaround:
Reboot the device.

Fix:
On R2x00/R4x00 platforms, tmsh load sys config failed because the VLAN tags were not yet ready at load time; restarting the tenant resolved it. This is now fixed.

Fixed Versions:
17.1.0.1


1267317-6 : Disabling Access and/or WebSSO for flows causes a memory leak

Links to More Info: BT1267317

Component: Local Traffic Manager

Symptoms:
Disabling Access and/or WebSSO for flows using iRules causes a TMM memory leak.

Conditions:
-- Virtual server with SSO Access profile attached.
-- Virtual server with iRule having WEBSSO::disable
   and/or ACCESS::disable for HTTP_REQUEST event.

Impact:
The continuous memory leak causes the system to run out of memory and reboot.

Workaround:
None

Fixed Versions:
17.1.0.1


1265425-1 : Improper query string handling on undisclosed pages

Component: Application Visibility and Reporting

Symptoms:
On undisclosed pages, query strings are not processed as expected.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
Query strings are processed as expected.

Fixed Versions:
17.1.0.2


1238693-1 : Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519

Links to More Info: BT1238693

Component: TMOS

Symptoms:
In FIPS 140-3 mode, SSHD does not support the rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms; instead it supports ed25519, which is not FIPS approved.

Conditions:
System must be in FIPS 140-3 mode.

Impact:
SSHD does not support the rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms; instead it supports ed25519, which is not FIPS approved.

Workaround:
None

Fix:
SSHD now supports the rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and rejects ed25519.

Fixed Versions:
17.1.0.1


1238321-6 : OpenSSL Vulnerability CVE-2022-4304

Links to More Info: K000132943


1235085-1 : Reinitialization of FIPS HSM in BIG-IP tenant.

Links to More Info: BT1235085

Component: Local Traffic Manager

Symptoms:
During reinitialization of FIPS HSM in BIG-IP tenant, the presence of existing keys is not validated.

Conditions:
The FIPS HSM in the BIG-IP tenant is already initialized and keys have been created, and reinitialization is then triggered.

Impact:
When reinitialization is triggered, the existing keys are erased without warning the user.

Workaround:
Before reinitializing the FIPS HSM in the BIG-IP tenant, make sure the existing keys are deleted.
Use the following TMSH command to view the current keys:

"show sys crypto fips keys"

Fix:
When reinitialization of the FIPS HSM in the BIG-IP tenant is triggered, the existing keys are now validated and a message is displayed stating that keys are present. Delete all existing keys before reinitializing.

Fixed Versions:
17.1.0.1


1226585-1 : Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode

Links to More Info: BT1226585

Component: TMOS

Symptoms:
The restnoded framework availability monitor times out while waiting for its dependencies (registration of the /mgmt/tm/*/** API endpoints for all provisioned modules), which are initialized during restjavad startup.

Conditions:
STIP mode is enabled, so the DB variables shown by the following commands are set to true:
tmsh list sys db security.commoncriteria
tmsh list sys db security.commoncriteria.stip

Impact:
Certain functions in the SSL Orchestrator configuration GUI are not operational, or operate only in a limited manner.

Fix:
You can now configure a timeout that controls how long restjavad waits for initialization to complete before programmatically restarting restnoded, so that the SSL Orchestrator app finds the dependent REST endpoints already registered.

The DB variable Restjavad.Startup.RestnodedRestart.AwaitTimeout was added with the default value set to 1200 seconds.

Fixed Versions:
17.1.0.1


1213305-6 : Improper query string handling on undisclosed pages

Links to More Info: K000132726, BT1213305


1204961-1 : Improper query string handling on undisclosed pages

Links to More Info: K000132726


1204793-6 : Improper query string handling on undisclosed pages

Links to More Info: K000132726


1185421-8 : iControl SOAP uncaught exception when handling certain payloads

Component: TMOS

Symptoms:
The iControl Portal/FastCGI server terminates, or shuts down and restarts. The server returns the HTTP status line "500 Internal Server Error".

Conditions:
Certain payloads are sent in an iControl SOAP request from a SOAP client.

Impact:
iControl SOAP services restart.

Workaround:
Restrict access to the BIG-IP management interface to trusted users.
https://my.f5.com/manage/s/article/K46122561

Fix:
Payloads are handled as expected.

Fixed Versions:
17.1.0.2


1096373-8 : Unexpected parameter handling in BIG3d

Links to More Info: K000132972, BT1096373



Known Issues in BIG-IP v17.1.x


TMOS Issues

ID Number | Severity | Links to More Info | Description
998649-5 | 2-Critical | BT998649 | Hostnames that contain a period are logged incorrectly
997793-5 | 2-Critical | K34172543, BT997793 | Error log: Failed to reset strict operations; disconnecting from mcpd
994033-4 | 2-Critical | BT994033 | The daemon httpd_sam does not recover automatically when terminated
993481-5 | 2-Critical | BT993481 | Jumbo frame issue with DPDK eNIC
979045-5 | 2-Critical | BT979045 | The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms
967769-3 | 2-Critical | BT967769 | During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks
965897-5 | 2-Critical | BT965897 | Disruption of mcpd with a segmentation fault during config sync
950201-6 | 2-Critical | BT950201 | Tmm core on GCP
945853-6 | 2-Critical | BT945853 | Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession
929133-7 | 2-Critical | BT929133 | TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'
776117-6 | 2-Critical | BT776117 | BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type
767473-3 | 2-Critical | BT767473 | SMTP Error: Could not authenticate
758929-8 | 2-Critical | BT758929 | Bcm56xxd MIIM bus access failure
756830-7 | 2-Critical | BT756830 | BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'
737692-7 | 2-Critical | BT737692 | Handle x520 PF DOWN/UP sequence automatically by VE
723109-4 | 2-Critical |  | FIPS HSM: SO login failing when trying to update firmware
721591-3 | 2-Critical | BT721591 | Java crashes with core during a basic TLS signature test.
1305117-1 | 2-Critical | BT1305117 | SSL profile "no-dtlsv1.2" option is left disabled while upgrading from v14.x or v15.x to 17.1.0
1290889-1 | 2-Critical | K000134792, BT1290889 | TMM disconnects from processes such as mcpd causing TMM to restart
1286433-2 | 2-Critical | BT1286433 | Improve ASM performance for BIG-IP instances running on r2k / r4k appliances
1225789-1 | 2-Critical | BT1225789 | The iHealth API is transitioning from SSODB to OKTA
1209709-5 | 2-Critical | BT1209709 | Memory leak in icrd_child when license is applied through BIG-IQ
1191137-5 | 2-Critical | BT1191137 | WebUI crashes when the localized form data fails to match the expectations
1113609-4 | 2-Critical | BT1113609 | GUI unable to load Bot Profiles and tmsh is unable to list them as well.
1105901-6 | 2-Critical | BT1105901 | Tmm crash while doing high-speed logging
1093717-5 | 2-Critical | BT1093717 | BGP4 SNMP traps are not working.
1067857-8 | 2-Critical | BT1067857 | HSB completion time out causes unexpected reboot
1014361-3 | 2-Critical | BT1014361 | Config sync fails after provisioning APM or changing BIG-IP license
997561-6 | 3-Major | BT997561 | TMM CPU imbalance with GRE/TB and GRE/MPLS traffic
992113-3 | 3-Major | BT992113 | Page allocation failures on VIPRION B2250 blades
989501-3 | 3-Major | BT989501 | A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus
988745-8 | 3-Major | BT988745 | On reboot, 'could not find platform object' errors may be seen in /var/log/ltm
977953-6 | 3-Major | BT977953 | Show running config interface CLI could not fetch the interface info and crashes the imi
969737-4 | 3-Major | BT969737 | Snmp requests not answered if V2 traps are configured
964125-7 | 3-Major | BT964125 | Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.
962477-5 | 3-Major | BT962477 | REST calls that modify GTM objects as a user other than admin may take longer than expected
959057-6 | 3-Major | BT959057 | Unable to create additional login tokens for the default admin user account
958601-5 | 3-Major | BT958601 | In the GUI, searching for virtual server addresses does not match address lists
950153-4 | 3-Major | BT950153 | LDAP remote authentication fails when empty attribute is returned
945413-6 | 3-Major | BT945413 | Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync
936093-7 | 3-Major | BT936093 | Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline
928389-7 | 3-Major | BT928389 | GUI becomes inaccessible after importing certificate under import type 'certificate'
922053-3 | 3-Major | BT922053 | Inaccurate number of trunk members reported by bcm56xxd/bcmLINK
915493-7 | 3-Major | BT915493 | imish command hangs when ospfd is enabled
906273-4 | 3-Major | BT906273 | MCPD crashes receiving a message from bcm56xxd
894593-3 | 3-Major | BT894593 | High CPU usage caused by the restjavad daemon continually crashing and restarting
883149-8 | 3-Major | BT883149 | The fix for ID 439539 can cause mcpd to core.
867549-5 | 3-Major | BT867549 | LCD touch panel reports "Firmware update in progress" indefinitely
867253-5 | 3-Major | BT867253 | Systemd not deleting user journals
838337-9 | 3-Major | BT838337 | The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.
804529-4 | 3-Major | BT804529 | REST API to /mgmt/tm/ltm/pool/members/stats will fail for some pools
798885-7 | 3-Major | BT798885 | SNMP response times may be long when processing requests
778513-5 | 3-Major | BT778513 | APM intermittently drops log messages for per-request policies
775845-8 | 3-Major | BT775845 | Httpd fails to start after restarting the service using the iControl REST API
762097-6 | 3-Major | BT762097 | No swap memory available after upgrading to v14.1.0 and above
760982-4 | 3-Major | BT760982 | An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios
759258-8 | 3-Major | BT759258 | Instances shows incorrect pools if the same members are used in other pools
757787-6 | 3-Major | BT757787 | Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI.
739118-7 | 3-Major | BT739118 | Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
721892-3 | 3-Major | BT721892 | Pfmand on vCMP guests does not recover after service interruption
715748-4 | 3-Major | BT715748 | BWC: Flow fairness not in acceptable limits
673952-8 | 3-Major | BT673952 | 1NIC VE in high availability (HA) device-group shows 'Changes Pending' after reboot
605966-10 | 3-Major | BT605966 | BGP route-map changes may not immediately trigger route updates
566995-5 | 3-Major | BT566995 | bgpd might crash in rare circumstances.
554506-4 | 3-Major | K47835034, BT554506 | PMTU discovery from management does not work
538283-7 | 3-Major | BT538283 | iControl REST asynchronous tasks may block other tasks from running
1312225-1 | 3-Major | BT1312225 | System Integrity Status: Invalid with some Engineering Hotfixes
1311613-1 | 3-Major | BT1311613 | UCS obtained from F5OS tenant with FPGA causes continuous TMM restarts when loaded to BIG-IP
1305125 | 3-Major | BT1305125 | Ssh to localhost not working with ssh-rsa
1302101-1 | 3-Major | BT1302101 | Sflow receiver flows are not established at TMM startup on sDAG platforms due to sDAG delay
1301897-4 | 3-Major | BT1301897 | DAG transition does not complete when TMM starts in FORCED_OFFLINE mode
1298133-4 | 3-Major | BT1298133 | BFD sessions using floating self IP do not work well on multi-blade chassis
1297257-1 | 3-Major | BT1297257 | MCPD, incremental sync does not update monitor_instance on BIG-IP 17.1.0
1295353-1 | 3-Major | BT1295353 | The vCMP guest is not sending HTTP flow samples to sFlow receiver
1294109-4 | 3-Major | BT1294109 | MCP does not properly read certificates with empty subject name
1293193-3 | 3-Major | BT1293193 | Missing MAC filters for IPv6 multicast
1288729-2 | 3-Major | BT1288729 | Memory corruption due to use-after-free in the TCAM rule management module
1288009-4 | 3-Major | BT1288009 | Vxlan tunnel end point routed through the tunnel will cause a tmm crash
1287981-2 | 3-Major | BT1287981 | Hardware SYN cookie mode may not exit
1287821-2 | 3-Major | BT1287821 | Missing Neuron/TCAM rules
1287649-3 | 3-Major | BT1287649 | The qkview qkvcmp (vcmp_module.xml) needs to be updated for F5OS tenancy
1283721-1 | 3-Major | BT1283721 | Vmtoolsd memory leak
1253449-4 | 3-Major | BT1253449 | After publishing, the draft LTM policy configuration might not be updated (intermittently) into the bigip.conf
1217473-1 | 3-Major | BT1217473 | All the UDP traffic is sent to a single TMM
1215613-3 | 3-Major | BT1215613 | ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address
1211089-4 | 3-Major | BT1211089 | Traffic to IPv6 all nodes address not received by TMM on VE with ixlv driver
1188817 | 3-Major | BT1188817 | BIG-IP tenant on F5OS was not allowed to modify VLAN tag value
1186649-1 | 3-Major | BT1186649 | TMM keep crashing after vCMP Guest Upgrade to BIG-IP v16.1.3.2
1183901 | 3-Major |  | VLAN name greater than 31 characters results in invalid F5OS tenant configuration
1182729-4 | 3-Major | BT1182729 | Java connection establishes from BIG-IP to BIG-IQ Management
1181757-7 | 3-Major | BT1181757 | BGPD assert when sending an update due to cq_wbuf mishandling
1160805-4 | 3-Major | BT1160805 | The scp-checkfp fail to cat scp.whitelist for remote admin
1155861-3 | 3-Major | BT1155861 | 'Unlicensed objects' error message appears despite there being no unlicensed configuration
1154381-6 | 3-Major | BT1154381 | The tmrouted might crash when management route subnet is received over a dynamic routing protocol
1136921-6 | 3-Major | BT1136921 | BGP might delay route updates after failover
1134509-5 | 3-Major | BT1134509 | TMM crash in BFD code when peers from ipv4 and ipv6 families are in use.
1134057-6 | 3-Major | BT1134057 | BGP routes not advertised after graceful restart
1124733-3 | 3-Major | BT1124733 | Unnecessary internal traffic is observed on the internal tmm_bp vlan
1124209-5 | 3-Major | BT1124209 | Duplicate key objects when renewing certificate using pkcs12 bundle
1117305-8 | 3-Major | BT1117305 | The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials
1112537-6 | 3-Major | BT1112537 | LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete.
1102425-1 | 3-Major | BT1102425 | F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary
1093973-9 | 3-Major | BT1093973 | Tmm may core when BFD peers select a new active device.
1090313-5 | 3-Major | BT1090313 | Virtual server may remain in hardware SYN cookie mode longer than expected
1082133-4 | 3-Major |  | iSeries LCD displays "Host inaccessible or in diagnostic mode"
1077533-6 | 3-Major | BT1077533 | BIG-IP fails to restart services after mprov runs during boot.
1070393-2 | 3-Major | BT1070393 | The f5_api_com.crt certificate file may be removed by the load sys config command
1067797 | 3-Major | BT1067797 | Trunked interfaces that share a MAC address may be assigned in the incorrect order.
1064893-4 | 3-Major | BT1064893 | Keymgmtd memory leak occurs while configuring ca-bundle-manager.
1045277-6 | 3-Major | BT1045277 | The /var partition may become 100% full requiring manual intervention to clear space
1044089-5 | 3-Major | BT1044089 | ICMP echo requests to a virtual address get a response even when the virtual server is offline after being updated from the GUI.
1040573-5 | 3-Major | BT1040573 | REST operation takes a long time when two different users perform tasks in parallel
1040117-4 | 3-Major | BT1040117 | BIG-IP Virtual Edition drops UDP packets
1035661-5 | 3-Major | BT1035661 | REST Requests return 401 Unauthorized when using Basic Auth
1032001-3 | 3-Major | BT1032001 | Statemirror address can be configured on management network or clusterd restarting
1029173-5 | 3-Major | BT1029173 | MCPD fails to reply and does not log a valid message if there are problems replicating a transaction to PostgreSQL
1026273-5 | 3-Major | BT1026273 | HA failover connectivity using the cluster management address does not work on VIPRION platforms
1022997-5 | 3-Major | BT1022997 | TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC)
1020129-5 | 3-Major | BT1020129 | Turboflex page in GUI reports 'profile.Features is undefined' error
1016433-3 | 3-Major | BT1016433 | URI rewriting is incorrect for "data:" and "javascript:"
1013209-6 | 3-Major | BT1013209 | BIG-IP components relying on ca-bundle.crt may stop working after upgrade
1012377-3 | 3-Major | BT1012377 | Unable to display/edit 'management route' via GUI
1010341-5 | 3-Major | BT1010341 | Slower REST calls after update for CVE-2021-22986
1006857-4 | 3-Major | BT1006857 | Adding a source address list to a virtual server in a partition with a non-default route domain fails.
977681-4 | 4-Minor | BT977681 | Incorrect error message when changing password using passwd
976517-4 | 4-Minor | BT976517 | Tmsh run sys failover standby with a device specified but no traffic group fails
964533-6 | 4-Minor | BT964533 | Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.
939757-7 | 4-Minor | BT939757 | Deleting a virtual server might not trigger route injection update.
910645-3 | 4-Minor | BT910645 | Upgrade error 'Parsing default XML files. Failed to parse xml file'
908005-6 | 4-Minor | BT908005 | Limit on log framework configuration size
895669-4 | 4-Minor | BT895669 | VCMP host does not validate when an unsupported TurboFlex profile is configured
857045-5 | 4-Minor | BT857045 | LDAP system authentication may stop working
838405-5 | 4-Minor | BT838405 | Listener traffic-group may not be updated when spanning is in use
753712-5 | 4-Minor | BT753712 | Incorrect warning: Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family.
745125-3 | 4-Minor | BT745125 | Network Map page Virtual Servers with associated Address/Port List have a blank address.
696363-8 | 4-Minor | BT696363 | Unable to create SNMP trap in the GUI
694765-8 | 4-Minor | BT694765 | Changing the system's admin user causes vCMP host guest health info to be unavailable
539648-5 | 4-Minor | K45138318, BT539648 | Disabled db var Watchdog.State prevents vCMP guest activation.
1314769-1 | 4-Minor | BT1314769 | The error "No Access" is displayed when trying to remove Bundle Manager object from list
1301865-4 | 4-Minor | BT1301865 | OSPF summary might have incorrect cost when advertised by Standby unit.
1298653 | 4-Minor | BT1298653 | In an Active/Standby configuration, if the virtual server destination is modified to that of an existing self IP, it leaves the standby with the old virtual server IP
1283749-1 | 4-Minor | BT1283749 | Systemctl start and restart fail to start the vmtoolsd service
1270989-1 | 4-Minor | BT1270989 | REST MemcachedClient uses fixed TMM address 127.1.1.2 to connect to memcached
1256777-5 | 4-Minor | BT1256777 | In BGP, as-origination interval not persisting after restart when configured on a peer-group.
1252537-4 | 4-Minor |  | Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role
1229325-1 | 4-Minor | BT1229325 | Unable to configure IP OSPF retransmit-interval as intended
1217297 | 4-Minor | BT1217297 | Removal of guestagentd service from the list of services running inside a tenant.
1217077-1 | 4-Minor | BT1217077 | Race condition processing network failover heartbeats with timeout of 1 second
1211617-2 | 4-Minor | BT1211617 | High CPU utilisation observed during startup when forced BIG-IP system set offline
1209589-5 | 4-Minor | BT1209589 | BFD multihop does not work with ECMP routes
1185257-6 | 4-Minor | BT1185257 | BGP confederations do not support 4-byte ASNs
1154685 | 4-Minor | BT1154685 | Error logged "01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object..." during startup
1136837-5 | 4-Minor | BT1136837 | TMM crash in BFD code due to incorrect timer initialization
1121169-5 | 4-Minor | BT1121169 | Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use
1105757-6 | 4-Minor | BT1105757 | Creating CSR with invalid parameters for basic-constraints, tmsh does not generate meaningful errors
1089005-5 | 4-Minor | BT1089005 | Dynamic routes might be missing in the kernel on secondary blades.
1074513-4 | 4-Minor | BT1074513 | Traffic class validation does not detect/prevent attempts to add duplicate traffic classes to virtual
1064753-6 | 4-Minor | BT1064753 | OSPF LSAs are dropped/rate limited incorrectly.
1044893-4 | 4-Minor | BT1044893 | Kernel warnings from NIC driver Realtek 8139
1006449-4 | 4-Minor | BT1006449 | The default size of the subagent object cache possibly leading to slow snmp response time and high mcpd CPU use
1003081-5 | 4-Minor | BT1003081 | GRE/TB-encapsulated fragments are not forwarded.
1189949-4 | 5-Cosmetic | BT1189949 | The TMSH sys core is not displaying help and tab complete behavior
1099621-2 | 5-Cosmetic | BT1099621 | DAG context synchronization debug instrumentation


Local Traffic Manager Issues

ID Number Severity Links to More Info Description
752766-4 1-Blocking BT752766 The BIG-IP system might fail to read SFPs after a reboot
1289981 1-Blocking BT1289981 All types of traffic dropped for a tenant when vlan group mode is configured on r2k/r4k platforms
1132801-2 1-Blocking BT1132801 Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
758491-6 2-Critical BT758491 When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys
632553-7 2-Critical K14947100, BT632553 DHCP: OFFER packets from server are intermittently dropped
1305697-4 2-Critical BT1305697 TMM may crash when performing a full sync, when in-tmm monitors are configured.
1298029-4 2-Critical BT1298029 DB_monitor may end the wrong processes
1282357-3 2-Critical BT1282357 Double HTTP::disable can lead to core in dynamic_tcl_event_mask
1267221-4 2-Critical BT1267221 When TMM starts, Hyper-V shows no RX packets on the ethX interface
1205501-4 2-Critical BT1205501 The iRule command SSL::profile can select server SSL profile with outdated configuration
1154465-2 2-Critical BT1154465 Error attaching few QAT devices to TMM
1146377-6 2-Critical BT1146377 FastHTTP profiles do not insert HTTP headers triggered by iRules
1126093-1 2-Critical   DNSSEC Key creation failure with internal FIPS card.
1124865-2 2-Critical BT1124865 Removal of LAG member from an active LACP trunk on r2k and r4k systems requires tmm restart
1100721-5 2-Critical BT1100721 IPv6 link-local floating self-IP breaks IPv6 query to BIND
1091021-6 2-Critical BT1091021 The BIG-IP system may not take a fail-safe action when the bigd daemon becomes unresponsive.
1087981-1 2-Critical   Tmm crash on "new serverside" assert
1024241-5 2-Critical BT1024241 Empty TLS records from client to BIG-IP results in SSL session termination
996649-7 3-Major BT996649 Improper handling of DHCP flows leading to orphaned server-side connections
985925-5 3-Major BT985925 Ipv6 Routing Header processing not compatible as per Segments Left value.
984897-8 3-Major BT984897 Some connections performing SSL mirroring are not handled correctly by the Standby unit.
976853-1 3-Major BT976853 SNAT pool traffic-group setting may override non-floating self IP's traffic-group
976433-4 3-Major BT976433 Use of OCSP responder may leak X509 store instances
975657-2 3-Major BT975657 With HTTP2 enabled, only partial sorry contents (< 32KB) can be sent to the client via HTTP::respond
967353-8 3-Major BT967353 HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.
966785-5 3-Major BT966785 Rate Shaping stops TCP retransmission
963393-4 3-Major BT963393 Key handle 0 is treated as invalid for NetHSM devices
962913-8 3-Major BT962913 The number of native open connections in the SSL profile is higher than expected
921541-7 3-Major BT921541 When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.
912293-7 3-Major BT912293 Persistence might not work properly on virtual servers that utilize address lists
905477-7 3-Major BT905477 The sdmd daemon cores during config sync when multiple devices configured for iRules LX
891565-3 3-Major BT891565 The Subject Alternative Name (SAN) field in Certificates and Certificate Signing Requests is limited to 4095 bytes
887265-7 3-Major BT887265 BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration
881937-5 3-Major BT881937 TMM and the kernel choose different VLANs as source IPs when using IPv6.
878641-7 3-Major BT878641 TLS1.3 certificate request message does not contain CAs
876569-6 3-Major BT876569 QAT compression codec produces gzip stream with CRC error
867985-7 3-Major BT867985 LTM policy with a 'shutdown' action incorrectly allows iRule execution
851121-8 3-Major BT851121 Database monitor DBDaemon debug logging not enabled consistently
842425-7 3-Major BT842425 Mirrored connections on standby are never removed in certain configurations
842137-7 3-Major BT842137 Keys cannot be created on module protected partitions when strict FIPS mode is set
779137-8 3-Major BT779137 Using a source address list for a virtual server does not preserve the destination address prefix
751451-5 3-Major BT751451 When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles
739475-8 3-Major BT739475 Site-Local IPv6 Unicast Addresses support.
693473-9 3-Major BT693473 The iRulesLX RPC completion can cause invalid or premature TCL rule resumption
1309665-1 3-Major BT1309665 Updating the masquerade address on a traffic-group fails
1309637-1 3-Major BT1309637 Mac masquerade not working after VLAN movement on host interfaces
1306249-2 3-Major BT1306249 Hourly spike in the CPU usage and lasts for fraction of second causing delay in TLS connections
1305609-4 3-Major BT1305609 Missing cluster hearbeart packets in clusterd process and the blades temporarily leave the cluster
1304189-4 3-Major BT1304189 Duplicate SYNs to a mirrored FastL4 virtual may result in connection failures
1302077-1 3-Major BT1302077 Virtual address statistics being counted for different virtual address after changing the destination address of a virtual server
1300925-4 3-Major BT1300925 Shared memory race may cause TMM to core
1292793-4 3-Major BT1292793 FIX protocol late binding flows that are not PVA accelerated may fail
1291565-3 3-Major BT1291565 BIG-IP generates more multicast packets in multicast failover high availability (HA) setup
1284589-1 3-Major BT1284589 HTTP CONNECT request from client is not successful with iRule HTTP::disable discard command
1284261-4 3-Major BT1284261 Constant traffic on DHCPv6 virtual servers may cause a TMM crash.
1281637-2 3-Major BT1281637 When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE
1273161-4 3-Major BT1273161 Secondary blades are unavailable, clusterd is reporting shutdown, and waiting for other blades
1272501-1 3-Major BT1272501 Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure"
1269733-1 3-Major BT1269733 HTTP GET request with headers has incorrect flags causing timeout
1269709-4 3-Major BT1269709 GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles
1250085-4 3-Major BT1250085 BPDU is not processed with STP passthrough mode enabled in BIG-IP
1238529-3 3-Major BT1238529 TMM might crash when modifying a virtual server in low memory conditions
1238413-4 3-Major BT1238413 The BIG-IP might fail to update ARL entry for a host in a VLAN-group
1229369-4 3-Major BT1229369 The fastl4 TOS mimic setting towards client may not function
1210469-1 3-Major BT1210469 TMM can crash when processing AXFR query for DNSX zone
1209945-2 3-Major BT1209945 Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs
1205045-6 3-Major BT1205045 WMI monitor does not put pool members into an offline/unchecked state when BIG-IP receives HTTP responses other than 200
1148181-1 3-Major BT1148181 SSL TLS1.3 connection terminates with "empty persist key" error when SSL persistence is enabled and session tickets are disabled
1144117-5 3-Major BT1144117 "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands
1126841-5 3-Major BT1126841 HTTP::enable can rarely cause cores
1121209-3 3-Major BT1121209 MTU value update on VLAN in tenant launched on r2k and r4k systems needs tmm restart
1117609-5 3-Major BT1117609 VLAN guest tagging is not implemented for CX4 and CX5 on ESXi
1112385-6 3-Major BT1112385 Traffic classes match when they shouldn't
1110485-5 3-Major BT1110485 SSL handshake failures with invalid profile error
1107565-3 3-Major BT1107565 SSL Persistence behavior change for TLS1.3 connection between v16.1.0 and v16.1.2.2
1096893-6 3-Major BT1096893 TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection
1088597-6 3-Major BT1088597 TCP keepalive timer can be immediately re-scheduled in rare circumstances
1084965-4 3-Major BT1084965 Low visibility of attack vector
1083621-6 3-Major BT1083621 The virtio driver uses an incorrect packet length
1070957-5 3-Major BT1070957 Database monitor log file backups cannot be rotated normally.
1064725-5 3-Major BT1064725 CHMAN request for tag:19 as failed.
1051153-5 3-Major BT1051153 DHCP fails intermittently when the connection is through BIG-IP.
1037257-1 3-Major BT1037257 SSL::verify_result showing wrong output for revoked cert during Dynamic CRL check
1033537-5 3-Major   Cookie persistence profile only examines the first cookie.
1026781-5 3-Major BT1026781 Standard HTTP monitor send strings have double CRLF appended
1025089-7 3-Major BT1025089 Pool members marked DOWN by database monitor under heavy load and/or unstable connections
1023529-5 3-Major BT1023529 FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory.
1019641-4 3-Major BT1019641 SCTP INIT_ACK not forwarded
1016589-6 3-Major BT1016589 Incorrect expression in STREAM::expression might cause a tmm crash
1002969-6 3-Major BT1002969 Csyncd can consume excessive CPU time
942793-6 4-Minor BT942793 BIG-IP system cannot accept STARTTLS command with trailing white space
932553-7 4-Minor BT932553 An HTTP request is not served when a remote logging server is down
929429-10 4-Minor BT929429 Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed
904537-6 4-Minor BT904537 The csyncd process may keep trying to sync the GeoIP database to a secondary blade
804089-3 4-Minor BT804089 iRules LX Streaming Extension dies with Uncaught, unspecified error event
1314597-3 4-Minor BT1314597 Connection on standby may stay until idle timeout when receiving ICMP error
1304289-1 4-Minor BT1304289 Pool member monitored by both GTM and LTM monitors may be erroneously marked Down
1297521-1 4-Minor BT1297521 Full sync failure for traffic-matching-criteria with port list update on existing object in certain conditions
1281709-4 4-Minor BT1281709 Traffic-group ID may not be updated properly on a TMM listener
1281405-2 4-Minor BT1281405 "fipsutil fwcheck -f" command may not return the correct result
1280769 4-Minor BT1280769 Fipsutil's fwcheck and fwupdate sub-commands show errors when run on R10920 and R5920 tenant.
1269773-1 4-Minor BT1269773 Convert network-order to host-order for extensions in TLS1.3 certificate request
1253481 4-Minor   Traffic loss observed after reconfiguring Virtual Networks
1251033-1 4-Minor BT1251033 HA is not established between Active and Standby devices when the vwire configuration is added
1240937-4 4-Minor BT1240937 The FastL4 TOS specify setting towards server may not function for IPv6 traffic
1238897-1 4-Minor BT1238897 TMM TCL interpreter's non-TMM "compat" memcasechr broken in 64-bit build
1211189-4 4-Minor BT1211189 Stale connections observed and handshake failures observed with errors
1167609-4 4-Minor BT1167609 The messages msg->ref > 0 are seen in TMM logs with websockets/ASM plugin
1128505-3 4-Minor BT1128505 HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy
1121349 4-Minor BT1121349 CPM NFA may stall due to lack of other state transition
1034865-6 4-Minor BT1034865 CACHE::enable failed on private/no-store content
1030093 4-Minor BT1030093 An http2 to http2 virtual connection with translate-address disabled might only use one stream on the server side.
1011889-7 4-Minor BT1011889 The BIG-IP system does not handle DHCPv6 fragmented traffic properly
979213-7 5-Cosmetic BT979213 Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.
926085-4 5-Cosmetic BT926085 In WebUI node or port monitor test is not possible, but it works in TMSH
490139-8 5-Cosmetic BT490139 Loading iRules from file deletes the last few comment lines


Global Traffic Manager (DNS) Issues

ID Number Severity Links to More Info Description
1267845-5 2-Critical BT1267845 ISC's internal_current function asserted because ifa_name was NULL
1225061-1 2-Critical BT1225061 The zxfrd segfault with numerous zone transfers
1212081-5 2-Critical BT1212081 The zxfrd segfault and restart loop due to incorrect packet processing
1081473-3 2-Critical BT1081473 GTM/DNS installations may observe the mcpd process crashing
958157-6 3-Major BT958157 Hash collisions in DNS rapid-response packet processing
939941-3 3-Major BT939941 Monitor parameter not found error
936417-6 3-Major BT936417 DNS/GTM daemon big3d does not accept ECDH or DH ciphers
918693-6 3-Major BT918693 Wide IP alias validation error during sync or config load
911241-10 3-Major BT911241 The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug
862949-5 3-Major BT862949 ZoneRunner GUI is unable to display CAA records
1289313-1 3-Major BT1289313 Creation of wideip with alias would cause inconsistent zone data across GTM sync group
1281433-1 3-Major BT1281433 Missing GTM probes on GTM server when an external monitor is attached to an additional pool
1273141-1 3-Major BT1273141 GTM pool members are not probed and multiple GTMs are reporting inconsistent status
1269601-1 3-Major BT1269601 Unable to delete monitor while updating DNS virtual server monitor through transaction
1250077-6 3-Major BT1250077 TMM memory leak
1182353-6 3-Major BT1182353 DNS cache consumes more memory because of the accumulated mesh_states
1162221-6 3-Major BT1162221 Probing decision will skip local GTM upon reboot if net interface is not brought up soon enough
1161241-7 3-Major BT1161241 BIND default behavior changed from 9.11 to 9.16
1137217-4 3-Major BT1137217 DNS profile fails to set TC flag for responses containing RRSIG algorithm 13
1111361-5 3-Major BT1111361 Refreshing DNS wide IP pool statistics returns an error
1108237-3 3-Major BT1108237 Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM.
1103477-5 3-Major BT1103477 Refreshing pool member statistics results in error while processing requests
1100197-6 3-Major BT1100197 GTM sends wrong commit_id originator for iqsyncer to do gtm group sync
1094069-4 3-Major BT1094069 iqsyncer will get stuck in a failed state when requesting a commit_id that is not on the target GTM
1083405-6 3-Major BT1083405 "Error connecting to named socket" from zrd
1082197-5 3-Major BT1082197 RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response
1073673-3 3-Major BT1073673 Prevent possible early exit from persist sync
1044873-5 3-Major BT1044873 Deleted GTM link is not removed from virtual server object and causes load failure.
1311169-1 4-Minor BT1311169 DNSSEC response is not signed when failure-rcode-response is enabled and no record is returned
1295565-1 4-Minor BT1295565 BIG-IP DNS not identified in show gtm iquery for local IP
1274385-1 5-Cosmetic BT1274385 BIGIP-DNS GUI delivery summary stats shows incorrect count for "Disabled" GTM listeners


Application Security Manager Issues

ID Number Severity Links to More Info Description
1284081-1 1-Blocking BT1284081 Incorrect Enforcement After Sync
923821-5 2-Critical BT923821 Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack
890037-2 2-Critical BT890037 Rare BD process core
850141-5 2-Critical BT850141 Possible tmm core when using Dosl7/Bot Defense profile
1286621-1 2-Critical   BD crashes when the UMU OOM limit is reached and the request has an authorization bearer header
1282281-5 2-Critical BT1282281 Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns
1217549-4 2-Critical BT1217549 Missed ASM Sync on startup
1132697-5 2-Critical BT1132697 Use of proactive bot defense profile can trigger TMM crash
928997-5 3-Major BT928997 Less XML memory allocated during ASM startup
919917-7 3-Major BT919917 File permission errors during bot-signature installation
902445-4 3-Major BT902445 ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation
890169-6 3-Major BT890169 URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
1307449-1 3-Major BT1307449 ASM remote logging with non-default route domain is broken
1302689-2 3-Major   ASM requests to rechunk payload
1301197-1 3-Major   Bot Profile screen does not load and display large number of pools/members
1298161-1 3-Major   Ts_cookie_add_attrs is not effective with cookies that have non-root path or domain attribute
1297089-1 3-Major   Support Dynamic Parameter Extractions in declarative policy
1295009-2 3-Major   "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data
1292685-4 3-Major   The date-time RegExp pattern through swagger would not cover all valid options
1292645-1 3-Major   False positive CORS violation can occur after upgrading to 17.1.x under certain conditions
1288517-1 3-Major BT1288517 Item filter does not work on /mgmt/tm/asm/tasks/export-suggestions/
1286101-2 3-Major   JSON Schema validation failure with E notation number
1284073-1 3-Major   Cookies are truncated when number of cookies exceed "max_enforced_cookies"
1281397-3 3-Major   SMTP requests are dropped by ASM under certain conditions
1281381-1 3-Major BT1281381 BD fails to load config when the virtual server name is longer than 64 chars
1280813-3 3-Major BT1280813 Illegal URL violation triggered after upgrade due to missing content-profiles in DB
1273997-1 3-Major   BD crashes when the ACCOUNT_ENFORCER_SETTINGS table is empty
1271469-5 3-Major BT1271469 Failed to install ASU file scheduled for install
1270133-1 3-Major   bd crash during configuration update
1250209-1 3-Major BT1250209 The message "ERR: in Graphql disallowed response, pcre is null" appears in BD logs
1239297 3-Major BT1239297 TMM URL web scraping limit not synced to secondary slot 2 in VIPRION chassis
1235337-2 3-Major BT1235337 The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL
1231137-1 3-Major BT1231137 During signature update, Bot signature from one user partition affecting the Bot profile created in another Partition
1229813-4 3-Major BT1229813 The ref schema handling fails with oneOf/anyOf
1225677-4 3-Major BT1225677 Challenge Failure Reason is not functioning in ASM remote logging
1216297-3 3-Major   TMM core occurs when using disabling ASM of request_send event
1211905-3 3-Major BT1211905 Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts"
1210321-2 3-Major BT1210321 Parameters are not created for properties defined in multipart request body when URL include path parameter
1207793-2 3-Major BT1207793 Bracket expression in JSON schema pattern does not work with non basic latin characters
1196537-5 3-Major BT1196537 BD process crashes when you use SMTP security profile
1196185-1 3-Major BT1196185 Policy Version History is not presented correctly with scrolling
1194173-5 3-Major BT1194173 BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value
1190365-1 3-Major BT1190365 OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly
1186401-4 3-Major BT1186401 Using REST API to change policy signature settings changes all the signatures.
1184841-6 3-Major   Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API
1173493-2 3-Major   Bot signature staging timestamp corrupted after modifying the profile
1156889-5 3-Major BT1156889 TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions
1148009-8 3-Major BT1148009 Cannot sync an ASM logging profile on a local-only VIP
1144497-5 3-Major BT1144497 Base64 encoded metachars are not detected on HTTP headers
1137993-6 3-Major BT1137993 Violation is not triggered on specific configuration
1132981-5 3-Major BT1132981 Standby not persisting manually added session tracking records
1132741-7 3-Major BT1132741 Tmm core when html parser scans endless html tag of size more than 50 MB
1123157-1 3-Major   Single-page application AJAX does not work properly with page's navigation
1117245-5 3-Major BT1117245 Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file
1098609-3 3-Major BT1098609 BD crash on specific scenario
1085661-6 3-Major BT1085661 Standby system saves config and changes status after sync from peer
1078065-5 3-Major BT1078065 The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA.
1069729-4 3-Major BT1069729 TMM might crash after a configuration change.
1069441-5 3-Major   Cookie without '=' sign does not generate rfc violation
1067557-5 3-Major BT1067557 Value masking under XML and JSON content profiles does not follow policy case sensitivity
1059513-3 3-Major BT1059513 Virtual servers may appear as detached from security policy when they are not.
1048949-8 3-Major BT1048949 TMM xdata leak on websocket connection with asm policy without websocket profile
1023889-5 3-Major BT1023889 HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message
987977-1 4-Minor BT987977 VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation
1311253-1 4-Minor BT1311253 Set-Cookie header has no value (cookie-string) in server-side, due to asm.strip_asm_cookies
1308393-3 4-Minor BT1308393 Export security policy XML format fail with "too large and cannot be exported" message
1300665-1 4-Minor BT1300665 ASMCSD memory leak if tsconfd.loglevel is set for debug level
1284097-1 4-Minor BT1284097 False positive 'Illegal cross-origin request' violation
1245209-1 4-Minor BT1245209 Introspection query violation is reported regardless the flag status
1210569-1 4-Minor BT1210569 User defined signature rule disappears when using high ASCII in rule
1210053-3 4-Minor BT1210053 The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error
1189865-5 4-Minor BT1189865 "Cookie not RFC-compliant" violation missing the "Description" in the event logs
1133997-4 4-Minor BT1133997 Duplicate user-defined Signature Set based on untagged signatures is created upon policy import
1123153-5 4-Minor BT1123153 "Such URL does not exist in policy" error in the GUI
1113753-5 4-Minor   Signatures might not be detected when using truncated multipart requests
1099765-1 4-Minor BT1099765 Inconsistent behavior in Violation detection with max parameter enforcement
1084857-6 4-Minor BT1084857 ASM::support_id iRule command does not display the 20th digit
1083513-4 4-Minor BT1083513 BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd
1076825-3 4-Minor BT1076825 "Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.
1030129-5 5-Cosmetic BT1030129 iHealth unnecessarily flags qkview for H701182 with mcp_module.xml


Application Visibility and Reporting Issues

ID Number Severity Links to More Info Description
1294141-1 3-Major BT1294141 ASM Resources Reporting graph displays over 1000% CPU usage


Access Policy Manager Issues

ID Number Severity Links to More Info Description
831737-5 2-Critical BT831737 Memory Leak when using Ping Access profile
1283645-4 2-Critical   Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued
1282769-1 2-Critical   Localdb user can change the password of other user
1282105 2-Critical BT1282105 Assertion response attributes parsing issue after upgrade to BIG-IP 17.1.0
1272537-2 2-Critical BT1272537 TMM high memory due to ping_access_agent
1270501 2-Critical BT1270501 Before upgrade, if log level is configured as debug, then APMD restarts continuously with a coredump
1111149-4 2-Critical BT1111149 Nlad core observed due to ERR_func_error_string can return NULL
1110489-4 2-Critical BT1110489 TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event
1104517-3 2-Critical BT1104517 In SWG explicit proxy, some TCP connections are reset because of inconsistency between sessionDB and local IP2SessionId map
1083053-4 2-Critical BT1083053 Apmd memory grows over time in AD auth scenarios
976553-2 3-Major BT976553 Portal Access: Chrome/Edge browser: cookie transport: sync XMLHttpRequests should not be used in onbeforeunload handlers
967185-3 3-Major BT967185 Increase the size limit of JWT for OAuth
634576-4 3-Major K48181045, BT634576 TMM core in per-request policy
527119-10 3-Major BT527119 An iframe document body might be null after iframe creation in rewritten document.
427094-3 3-Major BT427094 Accept-language is not respected if there is no session context for page requested.
1311601 3-Major BT1311601 JWT is corrupted when the claim value is a custom variable assigned in Variable assign agent
1301853 3-Major BT1301853 Misleading error logs in SAML flow
1298545 3-Major BT1298545 TMM crashes during SAML negotiations with APM configured as SAML SP.
1294993-1 3-Major BT1294993 URL Database download logs are not visible after bigip16.0.1.1
1292141-2 3-Major BT1292141 TMM crash while processing myvpn request
1289009-1 3-Major BT1289009 PA based Hosted content does not add implicit allowed ACL
1273881-3 3-Major BT1273881 TMM crashes while processing traffic on the virtual server
1271341-3 3-Major BT1271341 Unable to use DTLS without TMM crashing
1268521-1 3-Major BT1268521 SAML authentication with the VCS fails when launching the applications/remote desktops from the APM Webtop when multiple RD resources are assigned to the APM Webtop
1251157-1 3-Major BT1251157 Ping Access filter can accumulate connections increasing the memory use
1232977-4 3-Major BT1232977 TMM leaking memory in OAuth scope identifiers when parsing scope lists
1232629-1 3-Major BT1232629 Support to download Linux ARM64 VPN Client in BIG-IP
1224377-1 3-Major BT1224377 Policy Sync fails for a policy when default-all Address Space assigned to Network Access resource
1217365-2 3-Major BT1217365 OIDC: larger id_token encoded incorrectly by APM
1208949-4 3-Major BT1208949 TMM cored with SIGSEGV at 'vpn_idle_timer_callback'
1207821-1 3-Major BT1207821 APM internal virtual server leaks memory under certain conditions
1205029-1 3-Major BT1205029 WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application
1190025-3 3-Major BT1190025 The OAuth process crash
1180365-3 3-Major   APM Integration with Citrix Cloud Connector
1169105-2 3-Major BT1169105 Provide download links on BIG-IP for Linux ARM64 VPN Client
1167985-3 3-Major BT1167985 Network Access resource settings validation errors
1147621-3 3-Major BT1147621 AD query do not change password does not come into effect when RSA Auth agent used
1145989-3 3-Major BT1145989 ID token sub-session variables are not populated
1111397-6 3-Major BT1111397 [APM][UI]Wizard should also allow same patterns as the direct GUI
1070029-3 3-Major BT1070029 GSS-SPNEGO SASL mechanism issue with AD Query to Synology Directory Service
1060477-2 3-Major BT1060477 iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]".
1058873-3 3-Major BT1058873 Configuring source address as "address list" in a virtual server causes APMD to restart
1046401-3 3-Major BT1046401 APM logs shows truncated OCSP URL path while performing OCSP Authentication.
1044457-4 3-Major BT1044457 APM webtop VPN is no longer working for some users when CodeIntegrity is enabled.
1041985-5 3-Major BT1041985 TMM memory utilization increases after upgrade
1039941-4 3-Major BT1039941 The webtop offers to download F5 VPN when it is already installed
936061-4 4-Minor BT936061 Variable session.user.agent missing for Edge Client & F5 Access clients
869541-4 4-Minor BT869541 Series of unexpected <aborted> requests to same URL
349706-5 4-Minor   NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN
1252005-1 4-Minor   VMware USB redirection does not work with DaaS
1224409-1 4-Minor BT1224409 Unable to set session variables of length >4080 using the -secure flag
1218813-6 4-Minor BT1218813 "Timeout waiting for TMM to release running semaphore" after running platform_diag
1195385-1 4-Minor BT1195385 OAuth Scope Internal Validation fails upon multiple providers with same type
1142389-2 4-Minor BT1142389 APM UI report displays error "Error Processing log message ..." when the log contains some special character received in client request
1043249-1 4-Minor BT1043249 Misconfigured CA bundle causes a misleading HTTP error message.
1040829-5 4-Minor BT1040829 Errno=(Invalid cross-device link) after SCF merge
1028081-3 4-Minor BT1028081 [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page


Wan Optimization Manager Issues

ID Number Severity Links to More Info Description
863601-6 2-Critical BT863601 Panic in TMM due to internal mirroring interactions


Service Provider Issues

ID Number Severity Links to More Info Description
1270497-3 2-Critical BT1270497 MRF SIP/ALG Core dump observed while accessing trans_data in sipmsg_register_ingress_register_request_session_reply_common method
1269889-1 2-Critical   LTM crashes are observed while running SIP traffic and pool members are offline
1268373-6 2-Critical BT1268373 MRF flow tear down can fill up the hudq causing leaks
1239901-3 2-Critical BT1239901 LTM crashes while running SIP traffic
1291149-5 3-Major BT1291149 Cores with fail over and message routing
1287313-3 3-Major   SIP response messages with a missing Reason-Phrase or with spaces are not accepted
1189513-6 3-Major BT1189513 SIP media flow pinholes are not created if the SDP MIME multipart body part is missing the content-length header
1156149-5 3-Major BT1156149 Early responses on standby may cause TMM to crash
1038057-5 3-Major BT1038057 Unable to add a serverssl profile into a virtual server containing a FIX profile
1251013-1 4-Minor BT1251013 Allow non-RFC compliant URI characters
1249929-2 4-Minor BT1249929 Diameter MRF sends CER to pool-member even after peer sent DPR and force-offline the pool member
1213469-5 4-Minor BT1213469 MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP is dropped


Advanced Firewall Manager Issues

ID Number Severity Links to More Info Description
609878-8 2-Critical BT609878 Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server
1215161-4 2-Critical BT1215161 A new CLI option introduced to display rule-number for policy, rules and rule-lists
1106273-5 2-Critical BT1106273 "duplicate priming" assert in IPSECALG
1080957-1 2-Critical BT1080957 TMM Seg fault while Offloading virtual server DOS attack to HW
1048425-6 2-Critical BT1048425 Packet tester crashes TMM when vlan external source-checking is enabled
984965-5 3-Major BT984965 While intentionally exiting, sshplugin may invoke functions out of sequence and crash
915221-7 3-Major BT915221 DoS unconditionally logs MCP messages to /var/tmp/mcpd.out
844597-7 3-Major BT844597 AVR analytics is reporting null domain name for a dns query
1307697-2 3-Major   IPI not working on a new device - 401 invalid device error from BrightCloud
1238629-2 3-Major BT1238629 TMM core when client send nxdomain query with BA enabled
1199025-3 3-Major BT1199025 DNS vectors auto-threshold events are not seen in webUI
1196053-4 3-Major BT1196053 The autodosd log file is not truncating when it rotates
1190765-1 3-Major BT1190765 VelOS | Zone Base DDOS | Aggregation, BD | Seeing Entries in sPVA Registers are not getting reset once the attack is completed
1167969-2 3-Major BT1167969 In DoS Profile level, the Flood attack Vectors with TCP and UDP, Hardware offloading is not working as expected
1156753 3-Major   Valid qname DNS query handled as malformed packets in hardware (qnames starting with underscore )
1110281-7 3-Major BT1110281 Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable
1042153-3 3-Major BT1042153 AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN.
926425-7 4-Minor BT926425 Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
1277641 4-Minor BT1277641 DoS | i-series | After mitigation of bad destination at profile level, bd_hit is not incrementing for host unreachable vector.
1251105-1 4-Minor BT1251105 DoS Overview (non-HTTP) - A null pointer was passed into a function
1215401-2 4-Minor BT1215401 Under Shared Objects, some country names are not available to select in the Address List
1069265 4-Minor BT1069265 New connections or packets from the same source IP and source port can cause unnecessary port block allocations.


Policy Enforcement Manager Issues

ID Number Severity Links to More Info Description
1186925-6 2-Critical BT1186925 When FUA in CCA-i, PEM does not send CCR-u for other rating-groups
1267269-2 3-Major BT1267269 The wr_urldbd crashes and generates a core file
1259489-2 3-Major BT1259489 PEM subsystem memory leak is observed when using PEM::subscriber information
1238249-5 3-Major BT1238249 PEM Report Usage Flow log is inaccurate
1226121-5 3-Major BT1226121 TMM crashes when using PEM logging enabled on session
1207381 3-Major BT1207381 PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored
1190353-4 3-Major BT1190353 The wr_urldbd BrightCloud database downloading from a proxy server is not working
1174085-7 3-Major BT1174085 spmdb_session_hash_entry_delete releases the hash's reference
1093357-6 3-Major BT1093357 PEM intra-session mirroring can lead to a crash
1020041-7 3-Major   "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs


Carrier-Grade NAT Issues

ID Number Severity Links to More Info Description
1096317-6 3-Major BT1096317 SIP msg alg zombie flows
1128429-7 4-Minor BT1128429 Rebooting one or more blades at different times may cause a traffic imbalance resulting in high CPU
1016045-5 4-Minor BT1016045 OOPS logging may appear while active ftp if the port command forces a cmp_redirection and a quit follows.


Fraud Protection Services Issues

ID Number Severity Links to More Info Description
1060393-3 3-Major BT1060393 Extended high CPU usage caused by JavaScript Obfuscator.


Anomaly Detection Services Issues

ID Number Severity Links to More Info Description
1211297-1 2-Critical BT1211297 Handling DoS profiles created dynamically using iRule and L7Policy
1046469-4 3-Major BT1046469 Memory leak during large attack


Device Management Issues

ID Number Severity Links to More Info Description
996129-6 3-Major BT996129 The /var partition is full as cleanup of files on secondary is not executing
717174-6 3-Major BT717174 WebUI shows error: Error getting auth token from login provider
563144-4 3-Major BT563144 Changing the system's admin user causes many errors in the REST framework.
1196477-8 3-Major BT1196477 Request timeout in restnoded
1049237-6 4-Minor BT1049237 Restjavad may fail to cleanup ucs file handles even with ID767613 fix


iApp Technology Issues

ID Number Severity Links to More Info Description
842193-7 3-Major BT842193 Scriptd coring while running f5.automated_backup script


Protocol Inspection Issues

ID Number Severity Links to More Info Description
1122205-2 3-Major BT1122205 The 'action' value changes when loading protocol-inspection profile config


In-tmm monitors Issues

ID Number Severity Links to More Info Description
1287045-4 3-Major BT1287045 In-TMM monitor may mark pool member offline even though its response matches the Receive Disable String
1211985-6 3-Major BT1211985 BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring
1019261-5 3-Major BT1019261 In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile.


SSL Orchestrator Issues

ID Number Severity Links to More Info Description
1253621 2-Critical BT1253621 Remote logging SSL Orchestrator Audit logs when running in the Appliance mode
1303185-6 3-Major BT1303185 Large numbers of URLs in url-db can cause TMM to restart
1289417-2 3-Major BT1289417 SSL Orchestrator SEGV TMM core
1289365-4 3-Major BT1289365 The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode
1294709-2 4-Minor BT1294709 SSL Orchestrator ICAP service changes do not propagate to TMSH (GUI/CLI)


F5OS Messaging Agent Issues

ID Number Severity Links to More Info Description
1295113-1 3-Major   LACP Mode is always ACTIVE even though it is configured PASSIVE on the Host on R2x00/R4x00/R5x00/R10x00
1289997-2 3-Major BT1289997 Tenant clustering fails when adding a lower number slot to Tenant

 

Known Issue details for BIG-IP v17.1.x

998649-5 : Hostnames that contain a period are logged incorrectly

Links to More Info: BT998649

Component: TMOS

Symptoms:
Syslog-ng uses the hostname (machine name) and truncates it starting at the first '.' (period). This results in hostnames that contain a period being logged incorrectly (for example, 'my.hostname' is logged as 'my' by syslog-ng).
Additionally, hostnames are truncated in bootmarker logs and in the ltm, apm, ipsec, saas, and fw_log logs that are sourced from TMM.

Three sub-bugs BZ1076909, BZ1076921, BZ1080317 are created and BZ998649 is the base bug for tracking the above three issues.

Conditions:
Hostname contains a period '.' (For example 'my.hostname').

Impact:
Some logs that go directly to syslog-ng use a truncated hostname. Logs sourced from TMM also use a truncated hostname.

Workaround:
None.


997793-5 : Error log: Failed to reset strict operations; disconnecting from mcpd

Links to More Info: K34172543, BT997793

Component: TMOS

Symptoms:
After rebooting the device, you are unable to access the GUI. When you check the LTM logs over SSH or the console, the following error repeats, and tmm crashes:

Failed to reset strict operations; disconnecting from mcpd.

Conditions:
-- APM provisioned.
-- Previous EPSEC packages that are still residing on the system from earlier BIG-IP versions are installed upon boot.

Impact:
Mcpd fails to fully load and the device fails to come up fully, and it cannot pass traffic.

An internal timer might cause the installation to be aborted and all daemons to be restarted through bigstart restart. Traffic is disrupted while tmm restarts.

Workaround:
You can recover by restarting the services. Traffic will be disrupted while tmm restarts:

1. Stop the overdog daemon first by issuing the command:
   systemctl stop overdog

2. Restart all services by issuing the command:
   bigstart restart

3. Wait 10 to 20 minutes until the EPSEC packages are successfully installed and mcpd successfully starts.

4. Start the overdog daemon after the system is online:
   systemctl start overdog


997561-6 : TMM CPU imbalance with GRE/TB and GRE/MPLS traffic

Links to More Info: BT997561

Component: TMOS

Symptoms:
When handling unidirectional GRE traffic, a lack of inner payload entropy can lead to CPU pinning.

In some circumstances, handling this traffic should not require maintaining state across TMMs.

Conditions:
This occurs with GRE/TB (transparent ethernet bridging) and GRE/MPLS traffic.

Impact:
TMM utilization across CPUs is imbalanced, which can impact overall device performance.

Workaround:
None


996649-7 : Improper handling of DHCP flows leading to orphaned server-side connections

Links to More Info: BT996649

Component: Local Traffic Manager

Symptoms:
When there are multiple client-side flows tied to a single server-side DHCP flow, timeout handling on the client-side flows is incorrect and might lead to a server-side flow getting orphaned. This results in traffic from the server not making its way back to the client.

Conditions:
Regular DHCP virtual server in use.

Impact:
Traffic is not passed to the client.

Workaround:
None.


996129-6 : The /var partition is full as cleanup of files on secondary is not executing

Links to More Info: BT996129

Component: Device Management

Symptoms:
The system does not boot because the /var partition is full.

Conditions:
This may be observed on multi-blade vCMP guests and hosts, as well as on multi-blade tenants.

Impact:
The partition housing /var/config/ may become 100% full, impacting future disk IO operation and it may cause unexpected traffic disruption.

Workaround:
None


994033-4 : The daemon httpd_sam does not recover automatically when terminated

Links to More Info: BT994033

Component: TMOS

Symptoms:
The APM policy redirects users to an incorrect domain, and the httpd_sam daemon is not running.

Conditions:
The httpd_sam daemon was stopped with the terminate command.

Impact:
The APM policy performs incorrect redirects.

Workaround:
Restart the daemons httpd_apm and httpd_sam.


993481-5 : Jumbo frame issue with DPDK eNIC

Links to More Info: BT993481

Component: TMOS

Symptoms:
TMM crashes

Conditions:
-- TMM is using DPDK driver with Cisco eNIC
-- TMM receives jumbo sized packet

Impact:
Traffic disrupted while TMM restarts.

Workaround:
- Use a different driver such as sock.
- Do not use or accept jumbo frames, use the following TMSH command to set the MTU to less than or equal to 1500:
tmsh modify net vlan external mtu 1500


992113-3 : Page allocation failures on VIPRION B2250 blades

Links to More Info: BT992113

Component: TMOS

Symptoms:
Page allocation failure warnings in kern.log similar to the following example:

kswapd0: page allocation failure: order:2, mode:0x104020

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B2250 (A112)

but its other triggering conditions are not yet understood.

Impact:
The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.


989501-3 : A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus

Links to More Info: BT989501

Component: TMOS

Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might drop off the PCI bus, resulting in the BIG-IP system not being able to process traffic. If this happens, a daemon_heartbeat failsafe gets triggered instead of the dataplane_inoperable_t action.

Conditions:
The conditions that cause the HSB to drop off the PCI bus are unknown at this time.

Impact:
The BIG-IP system is unable to pass traffic and a failover is triggered.

Workaround:
Reboot the device or the blade to recover from the situation and monitor for recurrence. If it happens again, it could indicate a potential underlying hardware issue.


988745-8 : On reboot, 'could not find platform object' errors may be seen in /var/log/ltm

Links to More Info: BT988745

Component: TMOS

Symptoms:
During a reboot, several error messages are logged in /var/log/ltm:

-- err mcpd[9401]: 01070710:3: Database error (0), get_platform_obj: could not find platform object - sys/validation/Platform.cpp, line 188.

-- err chmand[6578]: 012a0003:3: hal_mcp_process_error: result_code=0x1070710 for result_operation=eom result_type=eom

Conditions:
This occurs when either of the following conditions is met:
-- A fresh installation of a BIG-IP system.
-- A reboot after forcing the mcpd process to reload the BIG-IP configuration.

Impact:
There is no functional impact to these error messages.

Workaround:
None.


987977-1 : VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation

Links to More Info: BT987977

Component: Application Security Manager

Symptoms:
The violation_details field of the remote logging message includes the XML document for VIOL_HTTP_RESPONSE_STATUS even though the violation is configured not to be reported (Learn/Alarm/Block are all disabled for VIOL_HTTP_RESPONSE_STATUS).

Conditions:
When all of the following conditions are met:

-- Response status code is not one of 'Allowed Response Status Codes'.
-- Learn/Alarm/Block flags are disabled with 'Illegal HTTP status in response'.
-- Logging profile is configured for remote storage.
-- Storage format is comma-separated.
-- Both violation_details and violations fields are set.

Impact:
Remote logging server receives inaccurate message.

Workaround:
None


985925-5 : IPv6 Routing Header processing is not compliant with respect to the Segments Left value.

Links to More Info: BT985925

Component: Local Traffic Manager

Symptoms:
The BIG-IP system should forward the packet with the routing header unmodified when Segments Left is 0 (zero), but it does not. It behaves as expected when Segments Left is non-zero, dropping the packet and sending an ICMP error.

Conditions:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.

Impact:
When the Next Header field in the IP header is Routing Header for IPv6, the BIG-IP system fails to forward the ICMPv6 Echo Request packet to the server; instead, it drops the packet.

Workaround:
None
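The behaviour the entry above describes as expected is the RFC 8200 section 4.4 rule (a Routing Header with Segments Left equal to zero is ignored and the packet proceeds to the next header) combined with RFC 5095 (Type 0 is deprecated and treated as unrecognized, so a non-zero Segments Left means discard plus an ICMPv6 Parameter Problem, code 0, pointing at the Routing Type octet). The following is an added example, not BIG-IP or F5 code, that builds a constructed test packet and shows the decision a conforming forwarder makes; the packet builder, the function names and the unchecksummed echo-request payload are all assumptions made for the example.

```python
import struct
import ipaddress

# Protocol numbers carried in the IPv6 Next Header field (IANA assignments).
IPV6_NH_ROUTING = 43
IPV6_NH_ICMPV6 = 58


def build_ipv6_with_rh0(src, dst, segments_left, via_addrs, payload):
    """Construct a test packet: IPv6 header + Type 0 Routing Header + payload.

    Type 0 (RH0) layout: next-header, hdr-ext-len, routing-type (0),
    segments-left, 4 reserved bytes, then 16-byte addresses.
    """
    rh_body = b"\x00" * 4 + b"".join(ipaddress.IPv6Address(a).packed for a in via_addrs)
    # Hdr Ext Len is in 8-octet units and excludes the first 8 octets.
    hdr_ext_len = (4 + len(rh_body)) // 8 - 1
    routing_hdr = struct.pack("!BBBB", IPV6_NH_ICMPV6, hdr_ext_len, 0, segments_left) + rh_body
    ip_hdr = struct.pack("!IHBB", 0x60000000, len(routing_hdr) + len(payload), IPV6_NH_ROUTING, 64)
    ip_hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return ip_hdr + routing_hdr + payload


def handle_routing_header(pkt):
    """Decide what a conforming forwarder does with a packet that may carry a Routing Header.

    Returns ("forward", None) when the packet is forwarded with the header untouched,
    ("icmp_parameter_problem", pointer) when it must be discarded and an ICMPv6
    Parameter Problem (code 0) sent with the pointer at the Routing Type octet, or
    ("drop_malformed", None) for truncated packets.
    """
    if len(pkt) < 40:
        return ("drop_malformed", None)
    if pkt[6] != IPV6_NH_ROUTING:
        return ("forward", None)  # no Routing Header directly after the IPv6 header
    rh_offset = 40
    if len(pkt) < rh_offset + 8:
        return ("drop_malformed", None)
    _next, ext_len, _routing_type, segments_left = struct.unpack("!BBBB", pkt[rh_offset:rh_offset + 4])
    if len(pkt) < rh_offset + (ext_len + 1) * 8:
        return ("drop_malformed", None)
    if segments_left == 0:
        # RFC 8200 section 4.4: ignore the Routing Header and proceed to the next
        # header, whatever the routing type. This is the case the entry above gets wrong.
        return ("forward", None)
    # Segments Left != 0 with a routing type this forwarder does not implement (none are
    # implemented here; RH0 is deprecated by RFC 5095 and must be treated as unrecognized):
    # discard and send ICMPv6 Parameter Problem, code 0, pointer = Routing Type offset.
    return ("icmp_parameter_problem", rh_offset + 2)


if __name__ == "__main__":
    # Constructed echo request (type 128); the ICMPv6 checksum is left as zero here.
    echo = b"\x80\x00\x00\x00\x00\x01\x00\x01"
    for seg_left in (0, 1):
        pkt = build_ipv6_with_rh0("2001:db8::1", "2001:db8::2", seg_left, ["2001:db8::9"], echo)
        print(seg_left, handle_routing_header(pkt))
```

With Segments Left set to 0 the function returns "forward", which is what the entry says the BIG-IP system should do; with Segments Left set to 1 it returns the Parameter Problem pointer 42 (40-byte IPv6 header plus 2), which matches the expected drop-and-ICMP behaviour.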


984965-5 : While intentionally exiting, sshplugin may invoke functions out of sequence and crash

Links to More Info: BT984965

Component: Advanced Firewall Manager

Symptoms:
The sshplugin process used by the AFM module may continually restart and deposit a large number of core-dump files, displaying a SIGSEGV Segmentation fault.

In the file /var/log/sshplugin.start, errors may be logged including these lines:

shmget name:/var/run/tmm.mp.sshplugin18, key:0xeb172db6, size:7, total:789184 : Invalid argument
tm_register failed: Bad file descriptor

Conditions:
-- AFM provisioned and in use.
-- Heavy system load makes problem more likely.

Impact:
-- Extra processing load from relaunching sshplugin processes.
-- The large number of core files might fill up /var/core.

Workaround:
First, attempt a clean process restart:

    # bigstart restart sshplugin

If that is not effective, rebooting the entire system may clear the condition.


984897-8 : Some connections performing SSL mirroring are not handled correctly by the Standby unit.

Links to More Info: BT984897

Component: Local Traffic Manager

Symptoms:
Some of the connections performing SSL mirroring do not advance through TCP states as they should on the Standby unit.

Additionally, these connections do not get removed from the connection table of the Standby unit when the connections close. Instead, they linger on until the idle timeout expires.

Conditions:
A virtual server configured to perform SSL connection mirroring.

Impact:
Should the units fail over, some connections may not survive as expected.

Additionally, given a sufficient load and a long idle timeout, this could cause unnecessary TMM memory utilization on the Standby unit.

Workaround:
None.


979213-7 : Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.

Links to More Info: BT979213

Component: Local Traffic Manager

Symptoms:
Upon reviewing the performance graphs in the GUI, you may notice significant spikes in the Throughput(bits) and Throughput(packets) graphs.

The spikes may report unrealistically high levels of traffic.

Note: Detailed throughput graphs are not affected by this issue.

Conditions:
This issue occurs when the following conditions are met:

-- The BIG-IP device is a physical system.
-- TMM was restarted on the system.
-- At some point, at least one interface was up on the system and recorded some traffic.

Impact:
This issue is purely cosmetic but might cause concern when reviewing the performance graphs.

Workaround:
None.


979045-5 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms

Links to More Info: BT979045

Component: TMOS

Symptoms:
After installing an Engineering Hotfix version of BIG-IP v14.1.0 or later on certain BIG-IP hardware systems, the Trusted Platform Module (TPM) status shows as INVALID.

Conditions:
This may occur when:
-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
   - ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
   - ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
   - ID963017 (https://cdn.f5.com/product/bugtracker/ID963017.html)
-- The issue is observed only on the following platforms:
   - i11600 / i11800
   - i11400-DS / i11600-DS / i11800-DS

Impact:
The TPM status INVALID indicates that the system integrity is compromised when it is actually valid.

Workaround:
None.


977953-6 : Show running config interface CLI could not fetch the interface info and crashes the imi

Links to More Info: BT977953

Component: TMOS

Symptoms:
The confd command 'show running-config' does not display interface information if nsm and bgpd are the only processes running.

If you run 'show running-config interface', imi crashes.

Conditions:
1. nsm and bgpd are the daemons running.
2. Run the "show running-config" command

Impact:
Imish cannot retrieve interface information from the show running-config command.

Workaround:
* Enable OSPF. For example,

  # tmsh modify /net route-domain 0 routing-protocol add { BGP OSPFv3 }

  # ps -ef | egrep -i ospf
  root 11954 4654 0 11:25 ? S 0:00 ospf6d%0


977681-4 : Incorrect error message when changing password using passwd

Links to More Info: BT977681

Component: TMOS

Symptoms:
When using the 'passwd' utility from the command line to change a user password, the error message on why the new password is not accepted is wrong.
Instead of the actual reason why the new password is not accepted, the following message is printed:

"passwd.bin: Have exhausted maximum number of retries for service"

Conditions:
- Using the 'passwd' utility from the command line to change a user password.

- The new password is not accepted according to the configured tmsh auth password-policy.

Impact:
The real reason why the new password is not accepted is masked by the default error message:

"passwd.bin: Have exhausted maximum number of retries for service"

Workaround:
Instead of using the command line 'passwd' utility, change the user password using tmsh.
With tmsh, the real reason why a new password is not accepted is printed accurately:

root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify auth password root
changing password for root
new password: default
confirm password: default
01070366:3: Bad password (root): BAD PASSWORD: it is too simplistic/systematic


Or, when using the 'passwd' utility from the command line, it's still possible to find the actual reason why the new password isn't accepted in the /var/log/ltm log file.


976853-1 : SNAT pool traffic-group setting may override non-floating self IP's traffic-group

Links to More Info: BT976853

Component: Local Traffic Manager

Symptoms:
A non-floating self IP fails to respond to ARP on the standby system.

Conditions:
An LTM SNAT translation address has been created which matches a non-floating self IP on the system, and the SNAT is configured in a floating traffic group.

Impact:
A standby device does not respond to ARP requests for floating IP addresses. If a SNAT is configured on the same IP as a non-floating self-ip on the standby, ARP responses will be disabled for that self-ip.

Even after deleting the SNAT, or configuring it for another IP, the ARP response for that self IP remains disabled.

The effect of this will be that other IP devices will be unable to communicate with the self-ip after the ARP entry times out.

For example:


-- BIG-IP does not respond to ARP requests for the non-floating self-ip
-- ConfigSync no longer working (if the affected self IP is the ConfigSync address)
-- Health check traffic fails

Note that simply deleting the SNAT translation will not restore service to the self-ip.

Workaround:
Delete the SNAT address, and then move the self-ip back to the non-floating traffic group, and disable and re-enable the arp setting.

    tmsh create ltm virtual-address <self-ip> arp enabled traffic-group traffic-group-local-only
    tmsh modify ltm virtual-address <self-ip> arp disabled
    tmsh delete ltm virtual-address <self-ip>


Alternatively, after deleting SNAT translation, reboot the device (or restart tmm). When using this approach on multi-blade chassis devices, all blades need to be restarted.


976553-2 : Portal Access: Chrome/Edge browser: cookie transport: sync XMLHttpRequests should not be used in onbeforeunload handlers

Links to More Info: BT976553

Component: Access Policy Manager

Symptoms:
Error message in browser console:

Uncaught DOMException: Failed to execute 'send' on VM41 cache-fm.js:618
'XMLHttpRequest': Failed to load ''https://appportal.omo.nl/private/fm/volatile.html': Synchronous XHR in page dismissal. See https://www.chromestatus.com/feature/4664843055398912 for more details.

Conditions:
Setting and/or getting cookies in onbeforeunload/onunload handlers defined by the web-application.

Impact:
Web-application does not function as expected. Behavior varies, depending on web-application control flow.

Workaround:
Important: This workaround will work until later versions of Chrome and Edge Browser are released. You can refer to the release notes for these browsers to determine when functionality is removed.


Use an iRule to allow sync requests from onbeforeunload, onunload, and other page dismissal events.

The iRule inserts the Origin-Trial header into responses from the BIG-IP virtual server, using a token obtained from the Google Chrome developer console. This token allows the use of synchronous requests in page dismissal events. It should work for Chrome and Microsoft Edge browsers where such sync requests are now disabled.

To obtain the token to use with the following iRule on your virtual server:

1. Go to the Chrome Origin Trials page:
https://developers.chrome.com/origintrials/#/trials/active.

2. Click the 'REGISTER' button to the right of 'Allow Sync XHR In Page Dismissal'.

3. Enter the origin of your virtual server and other information:
https://domain_of_your_virtual_server.

4. Click REGISTER.

By doing this, you obtain a token to use in place of the token provided in the following iRule.

Note: For additional info about Origin Trials and how they work:
https://github.com/GoogleChrome/OriginTrials/blob/gh-pages/developer-guide.md


when HTTP_RESPONSE_RELEASE {
      HTTP::header insert Origin-Trial Aq5OZcJJR3m8XG+qiSXO4UngI1evq6n8M33U8EBc+G7XOIVzB3hlNq33EuEoXZQEt30Yv2W6YgFelr2aGUkmowQAAABieyJvcmlnaW4iOiJodHRwczovLzEwLjE5Mi4xNTIuMzk6NDQzIiwiZmVhdHVyZSI6IkFsbG93U3luY1hIUkluUGFnZURpc21pc3NhbCIsImV4cGlyeSI6MTU5ODk5NzIyMX0=
}


976517-4 : Tmsh run sys failover standby with a device specified but no traffic group fails

Links to More Info: BT976517

Component: TMOS

Symptoms:
The tmsh run /sys failover standby device <device> command fails and returns an error if no traffic-group is specified:

Syntax Error: There is no failover device with a name (/Common/bigip2.localhost).

Conditions:
Two or more BIG-IPs configured with high availability (HA)

Impact:
You are required to specify every traffic group that you want to fail over to a peer.

Workaround:
For each traffic group that you want to fail over to a peer, run tmsh run /sys failover standby with that traffic group.

For example, to fail over both traffic-group-1 and traffic-group-2 to bigip2.localhost, run the following:

tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-1

tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-2

If you want the device to be standby for all traffic groups but you don't care what device takes over as active, run the following command (note there is no traffic-group nor device):

tmsh run /sys failover standby


976433-4 : Use of OCSP responder may leak X509 store instances

Links to More Info: BT976433

Component: Local Traffic Manager

Symptoms:
The use of OCSP responder may cause X509 certificate store instances to be leaked, eventually causing memory pressure.

Conditions:
OCSP responder configured.

Impact:
Memory usage grows over time which eventually can lead to traffic disruption

Workaround:
None


975657-2 : With HTTP2 enabled, only partial sorry contents (< 32KB) can be sent to the client via HTTP::respond

Links to More Info: BT975657

Component: Local Traffic Manager

Symptoms:
Only partial content (up to the maximum allowed "write-size" in the HTTP2 profile, i.e. 32KB) is sent to the client by the HTTP::respond iRule command.

Conditions:
-- HTTP2 enabled on virtual server
-- Content sent by the iRule exceeds 32KB

Impact:
Client fails to receive the whole content


969737-4 : Snmp requests not answered if V2 traps are configured

Links to More Info: BT969737

Component: TMOS

Symptoms:
SNMP requests are not answered, except those sent to the localhost IP address.

Conditions:
V2 traps are configured, for example:

tmsh modify sys snmp v2-traps add { ...

Impact:
SNMP external requests fail

Workaround:
Move all traps configured under 'v2-traps' to 'traps' in the configuration


967769-3 : During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks

Links to More Info: BT967769

Component: TMOS

Symptoms:
Tmm crashes and restarts. The following panic message is found in /var/log/tmm:

    notice panic: ../dev/hsb/if_hsb.c:6129: Assertion "HSB lockup, see ltm and tmm log files" failed.

Conditions:
-- Running on a platform that incorporates 'HiGig MAC' network interfaces.
-- Some error or glitch is detected on the high-speed bus (HSB).
-- Software commands a reset of the HSB and interface hardware.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


967353-8 : HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.

Links to More Info: BT967353

Component: Local Traffic Manager

Symptoms:
Client receives no response along with a connection reset by the BIG-IP system.

Conditions:
-- HTTP profile is enabled on the BIG-IP system.
-- The server sends an HTTP response with one or more header field names separated from the following colon by a space.

Impact:
HTTP responses that should be delivered to the client by the proxy are not being sent out.

Workaround:
None
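The rule the entry above alludes to is RFC 7230 section 3.2.4: a server must reject a request that has whitespace between a header field-name and the colon, while a proxy must remove such whitespace from a response before forwarding it downstream (this is the same field-name ambiguity that underlies request smuggling, which is why the two directions are treated differently). The following is an added example, not BIG-IP code, of a proxy-side header normalizer that applies that rule; the function and exception names and the constructed header blocks are assumptions made for the example.

```python
import re

# field-name = token; the tchar set is taken from RFC 7230 section 3.2.6.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderError(ValueError):
    """Raised when a header block must be rejected rather than forwarded."""


def normalize_header_block(raw, message_kind):
    """Parse a CRLF-separated header block (no start line) into (name, value) pairs.

    Whitespace between a field-name and the colon is handled per RFC 7230 section
    3.2.4: a request carrying it is rejected (the server answers 400), whereas in a
    response the proxy strips the whitespace and forwards the header. Any other
    malformed field-name is rejected in both directions.
    """
    if message_kind not in ("request", "response"):
        raise ValueError("message_kind must be 'request' or 'response'")
    headers = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue  # end of block or trailing CRLF
        if line[:1] in (b" ", b"\t"):
            # obs-fold continuation line: deprecated, so reject rather than guess.
            raise HeaderError("obsolete line folding is not accepted")
        name, sep, value = line.partition(b":")
        if not sep:
            raise HeaderError("header line without a colon")
        stripped = name.rstrip(b" \t")
        if stripped != name:
            if message_kind == "request":
                raise HeaderError("whitespace between field-name and colon in request")
            name = stripped  # response: remove the whitespace and carry on
        if not _TOKEN.match(name):
            raise HeaderError("invalid field-name %r" % name)
        headers.append((name.decode("ascii"), value.strip(b" \t").decode("latin-1")))
    return headers


def serialize_header_block(headers):
    """Re-emit headers in canonical 'Name: value' form for the downstream hop."""
    return b"".join(("%s: %s\r\n" % (n, v)).encode("latin-1") for n, v in headers) + b"\r\n"


if __name__ == "__main__":
    # Constructed response header block with a space before the colon on one line.
    upstream = b"Content-Length : 5\r\nContent-Type: text/plain\r\n\r\n"
    fixed = normalize_header_block(upstream, "response")
    print(serialize_header_block(fixed).decode("latin-1"))
```

A proxy that applies this normalizer delivers the response with "Content-Length: 5" instead of resetting the client connection, which is the outcome the entry says the BIG-IP system should produce.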


967185-3 : Increase the size limit of JWT for OAuth

Links to More Info: BT967185

Component: Access Policy Manager

Symptoms:
Currently, the allowed payload size for a JWT is 4K. Users whose claims exceed this length limit are unable to authenticate.

Conditions:
OAuth is configured with JWT.

Impact:
Users whose claims exceed the length limit are unable to authenticate.


966785-5 : Rate Shaping stops TCP retransmission

Links to More Info: BT966785

Component: Local Traffic Manager

Symptoms:
When rate shaping is applied to a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.

Conditions:
This issue occurs when both of the following conditions are met:

-- Virtual server configured with a rate shaping.
-- Standard type of virtual server.

Impact:
The BIG-IP system does not retransmit unacknowledged data segments.

Workaround:
None


965897-5 : Disruption of mcpd with a segmentation fault during config sync

Links to More Info: BT965897

Component: TMOS

Symptoms:
The mcpd process on the peer device fails with a segfault, restarts, and then segfaults again in a loop.

Numerous messages may be logged in the "daemon" logfile of the following type:

emerg logger[2020]: Re-starting mcpd

Conditions:
-- High availability (HA) configuration
-- A port-and-address list configuration is changed to be only an address list
-- A config sync occurs

Impact:
Continuous restarts of mcpd process on the peer device.

Workaround:
One possible measure for getting the peer-machine "mcpd" out of its failure mode is to command the still-functioning system to push a "full" config sync to the appropriate device group. Doing this twice consecutively may be necessary.

  # tmsh run /cm config-sync force-full-load-push to-group APPROPRIATE-DEVICE-GROUP


964533-6 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.

Links to More Info: BT964533

Component: TMOS

Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.

Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.

Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.

There is no impact other than additional log entries.

Workaround:
None.


964125-7 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.

Links to More Info: BT964125

Component: TMOS

Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.

There is more than one avenue through which node statistics can be queried.

The BIG-IP Dashboard for LTM from the GUI is one example.

Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.

Impact:
Mcpd restarts, which causes services to fail over. Traffic and configuration are disrupted while mcpd restarts.


963393-4 : Key handle 0 is treated as invalid for NetHSM devices

Links to More Info: BT963393

Component: Local Traffic Manager

Symptoms:
HTTPS pool members are marked down when they are up.

Conditions:
-- SafeNet HSM configured
-- HTTPS monitor uses the safenet keys
-- The key handle generated by the HSM is 0

Impact:
Pool members are marked down because bigd cannot connect to the pool member using the Safenet HSM key.

Workaround:
Use in-TMM monitors as an alternative to bigd monitors.


962913-8 : The number of native open connections in the SSL profile is higher than expected

Links to More Info: BT962913

Component: Local Traffic Manager

Symptoms:
The number of native open connections in the SSL profile shows a value that is higher than expected.

Conditions:
SSL renegotiation is enabled. Other conditions are unknown.

Impact:
The SSL stats are incorrectly reading higher than expected.

Workaround:
Disable SSL renegotiation.


962477-5 : REST calls that modify GTM objects as a user other than admin may take longer than expected

Links to More Info: BT962477

Component: TMOS

Symptoms:
After performing a REST call to modify a GTM object, subsequent requests may take longer than expected to complete. Delays of 800-1000ms are possible for a brief time after a GTM object is modified.

Conditions:
Modifying a GTM object as a user other than "admin", when the device is part of a GTM sync group.

Impact:
Slower than expected REST performance. Scripts that perform a series of modifications and subsequent queries could be heavily impacted.

Workaround:
Use the admin account or use transactions.


959057-6 : Unable to create additional login tokens for the default admin user account

Links to More Info: BT959057

Component: TMOS

Symptoms:
When remote user authentication is configured, BIG-IP systems apply the maximum active login token limit of 100 to the default admin user account.

Conditions:
Remote Authentication is configured

Impact:
Unable to create more than 100 tokens for admin when remote authentication is configured.


958601-5 : In the GUI, searching for virtual server addresses does not match address lists

Links to More Info: BT958601

Component: TMOS

Symptoms:
In the GUI, if you filter the virtual server listing by an IP address (or part of an IP address), virtual servers that use an address list containing an address matching the search string do not show up in the search results.

Similarly, virtual servers whose address matches the search string but that use a port list also do not show up in the search results.

Conditions:
-- Using Address Lists or Port lists with a virtual server.
-- Using the GUI to search for virtual servers based on address.

Impact:
Virtual servers that should match a search are not found.

Workaround:
None.


958157-6 : Hash collisions in DNS rapid-response packet processing

Links to More Info: BT958157

Component: Global Traffic Manager (DNS)

Symptoms:
DNS rapid-response (FastDNS) packet processing may cause unexpected traffic drops.

Conditions:
- DNS rapid-response is enabled in a DNS profile:

ltm profile dns dns {
    enable-rapid-response yes
}

Note: This issue is more likely to occur on systems with a lower number of TMMs.

Impact:
Unexpected traffic drops


950201-6 : Tmm core on GCP

Links to More Info: BT950201

Component: TMOS

Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.

TMM panic with this message in a tmm log file:

panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.

Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) are enabled on the guest with direct descriptors.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141

-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.


Note: Using either workaround has a performance impact.


950153-4 : LDAP remote authentication fails when empty attribute is returned

Links to More Info: BT950153

Component: TMOS

Symptoms:
LDAP/AD Remote authentication fails and the authenticating service may crash.

The failure might be intermittent.

Conditions:
LDAP/AD server SearchResEntry includes attribute with empty or NULL value.

This can be seen in a tcpdump of the LDAP communication in the following ways:

1. No value for the attribute. Example from a tcpdump taken on an affected user:

vals: 1 item
        AttributeValue:

2. NULL value for the attribute. Example from a tcpdump taken on an affected user:

vals: 1 item
    AttributeValue: 00

Impact:
Logging in via the GUI fails silently.
Logging in via SSH causes the sshd service on the LTM to crash, and logs are written to /var/log/kern.log.

The logs will be similar to:

info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000]
info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0

Workaround:
There is no workaround on the LTM side.

On the LDAP server, change or set the empty/NULL value of the affected attribute to any dummy value, which prevents the issue.


945853-6 : Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession

Links to More Info: BT945853

Component: TMOS

Symptoms:
TMM crashes during a configuration change.

Conditions:
This occurs under the following conditions:

-- Create/modify/delete multiple virtual servers in quick succession.

-- Perform back-to-back config loads / UCS loads containing a large number of virtual server configurations.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


945413-6 : Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync

Links to More Info: BT945413

Component: TMOS

Symptoms:
The BIG-IP system constantly downloads the certificate bundle if the CA-bundle manager config includes a URL.

Symptoms differ depending on whether the BIG-IP system is in a manual or automatic sync device group.

Manual sync device groups will not stay in sync.

Automatic sync device groups will constantly sync.

Conditions:
The CA-bundle manager is configured.

Impact:
The keymgmtd and mcpd processes get into a loop that causes constant config changes, and if the ca-bundle-manager includes a URL, the BIG-IP system constantly downloads the bundle.


942793-6 : BIG-IP system cannot accept STARTTLS command with trailing white space

Links to More Info: BT942793

Component: Local Traffic Manager

Symptoms:
When an SMTPS profile is applied on a virtual server and the SMTP client sends a STARTTLS command containing trailing white space, the BIG-IP system replies with '501 Syntax error'. The command is then forwarded to the pool member, which can result in multiple error messages being sent to the SMTP client.

Conditions:
-- A virtual server is configured with an SMTPS profile.
-- The SMTP client sends a STARTTLS command with trailing spaces.

Impact:
The SMTP client is unable to connect to the SMTP server.

Workaround:
Use an SMTP client that does not send a command containing trailing white space.


939941-3 : Monitor parameter not found error

Links to More Info: BT939941

Component: Global Traffic Manager (DNS)

Symptoms:
While trying to update a monitor in the GUI, there is an error:

01020036:3: The requested monitor parameter (/Common/my_https_mon 2 RECV_STATUS_CODE=) was not found.

Conditions:
-- The GTM Monitor is created in TMSH.
-- Attempt to modify it via the GUI.

Impact:
You are unable to update monitor values using the GUI.

Workaround:
Use tmsh to modify these monitor values.


939757-7 : Deleting a virtual server might not trigger route injection update.

Links to More Info: BT939757

Component: TMOS

Symptoms:
When multiple virtual servers share the same virtual address, deleting a single virtual server might not trigger a route injection update.

Conditions:
-- Multiple virtual servers sharing the same destination address
-- One of the virtual servers is deleted

Impact:
The route remains in the routing table.

Workaround:
Disable and re-enable the virtual address after deleting a virtual server.


936417-6 : DNS/GTM daemon big3d does not accept ECDH or DH ciphers

Links to More Info: BT936417

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS/GTM big3d daemon does not accept ECDH or DH ciphers.

Conditions:
Connections to big3d with ECDH or DH ciphers.

Impact:
ECDH/DH ciphers do not work with big3d.

Workaround:
Re-generate big3d cert and key with EC parameters.


936093-7 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline

Links to More Info: BT936093

Component: TMOS

Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.

Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.

Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.

Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:

/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr

This can be accomplished using a command such as:

truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr


936061-4 : Variable session.user.agent missing for Edge Client & F5 Access clients

Links to More Info: BT936061

Component: Access Policy Manager

Symptoms:
When connecting with Edge Client & F5 Access clients the BIG-IP APM session variable session.user.agent is missing from APM sessions.

Conditions:
BIG-IP APM
Edge Client & F5 Access clients

Impact:
Session variable session.user.agent cannot be used for BIG-IP APM Access Policy logic flows

Workaround:
An iRule can be used to generate a similar session variable. For example:

# This event fires once per session
when ACCESS_SESSION_STARTED {
  log local0. "Setting User-Agent based on HTTP data - [HTTP::header User-Agent]"
  ACCESS::session data set session.custom.client.useragent [HTTP::header User-Agent]
  #Use this variable in the VPE to make some decision
}


932553-7 : An HTTP request is not served when a remote logging server is down

Links to More Info: BT932553

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide an option to sanitize HTTP traffic via the http_security profile. When the profile is configured to alarm on a violation, it is possible that a connection to the violating client is reset if a remote logging server is marked down.

Conditions:
-- A BIG-IP system has an HTTP profile and an http_security profile with the alarm option set.
-- A remote logging server is configured via a BIG-IP pool.
-- The pool has a monitor that marks all the pool members down.
-- A request with an HTTP violation is processed and triggers an alarm configured in the http_security profile.

Impact:
-- A TCP connection to a client is reset by the BIG-IP system.
-- The web page may not render, or may not render as expected.
-- Data are not delivered to a server with a POST request.

Workaround:
None.


929429-10 : Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed

Links to More Info: BT929429

Component: Local Traffic Manager

Symptoms:
When you create an Oracle or SQL (mssql, mysql, or postgresql) database monitor and add a member to it, high CPU usage occurs every time the OpenSSL libraries are loaded for a new connection.

Conditions:
-- Create an Oracle or SQL database LTM monitor.
-- Add a pool member to the Oracle or SQL database monitor created.
-- Platform FIPS is licensed.

Impact:
High CPU usage due to the loading of libraries whenever a new connection is created.

Workaround:
None.


929133-7 : TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'

Links to More Info: BT929133

Component: TMOS

Symptoms:
VLANs whose names start with "eth" cause tmm to fail and restart.

Conditions:
A VLAN name starts with "eth".

Impact:
Since tmm fails to start, the BIG-IP cannot serve traffic.

Workaround:
Rename all VLANs whose names start with "eth".


928997-5 : Less XML memory allocated during ASM startup

Links to More Info: BT928997

Component: Application Security Manager

Symptoms:
Smaller total_xml_memory is selected during ASM startup.

For example, platforms with 32GiB or more RAM should give ASM 1GiB of XML memory, but ASM gets only 450MiB. A platform with 16MiB should give ASM 450MiB, but ASM gets only 300MiB.

Conditions:
Platforms with 16GiB, 32GiB, or more RAM

Impact:
Less XML memory allocated

Workaround:
Use this ASM internal parameter to increase XML memory size.

additional_xml_memory_in_mb

For more details, refer to the https://support.f5.com/csp/article/K10803 article.


928389-7 : GUI becomes inaccessible after importing certificate under import type 'certificate'

Links to More Info: BT928389

Component: TMOS

Symptoms:
After importing a new certificate, httpd goes down and the GUI becomes inaccessible.

Conditions:
Upload new certificate using Import-type 'Certificate' option.

Impact:
The GUI is inaccessible as soon as you import a new device certificate using import-type 'Certificate'.

Workaround:
Manually copy the matching key to /config/httpd/conf/ssl.key/server.key and restart apache (bigstart restart httpd)

If you do not have the matching key, generate a new key/cert pair from the command line by following K9114


926425-7 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts

Links to More Info: BT926425

Component: Advanced Firewall Manager

Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection continue to be unsupported until hardware SYN cookies are disabled.

Conditions:
SYN Cookie activated on Neuron-capable platforms:
  + VIPRION B4450N blade
  + BIG-IP iSeries devices (ix800) except the i850, ix2800, and ix4800:
     -- BIG-IP i5800 Series
     -- BIG-IP i7800 Series
     -- BIG-IP i11800 Series
     -- BIG-IP i15800 Series

Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.

Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options are not taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.

Workaround:
You can use any of the following to clear the HSB issue:
-- Restart neurond.
-- Restart TMM.
-- Reboot the device.


926085-4 : In WebUI node or port monitor test is not possible, but it works in TMSH

Links to More Info: BT926085

Component: Local Traffic Manager

Symptoms:
When attempting to test a newly created Pool Member monitor, the Node Address field is disabled, so you cannot enter a node address. This prevents you from using the Test operation to test this type of monitor in the WebUI.

Conditions:
-- Create a new Pool Member monitor (not a Node Address monitor). For example, HTTP, HTTPS, FTP, TCP, or Gateway ICMP.
-- With the monitor configuration displayed in the WebUI, click the Test tab.
-- View the Address field, and try to run the test.

Impact:
The Address field is disabled, with *.* in the field. You cannot enter a node address. The test fails with following message:

invalid monitor destination of *.*:80.
invalid monitor destination of *.*:443. (:port used to test)

Workaround:
Run either of the following TMSH commands:

-- tmsh run ltm monitor <type> <name> destination <IP address>:<port>
-- tmsh modify ltm monitor <type> <name> destination *:*

For example, for HTTP:
-- tmsh run ltm monitor http my_http destination <IP address>:<port>
-- tmsh modify ltm monitor http my_http destination *:*

For example, for HTTPS:
-- tmsh run ltm monitor https my_https destination <IP address>:<port>
-- tmsh modify ltm monitor https my_https destination *:*


923821-5 : Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack

Links to More Info: BT923821

Component: Application Security Manager

Symptoms:
When the mitigation action for a credential stuffing attack is set to CSI followed by captcha, the captcha is not triggered even after a successful CSI challenge.

Conditions:
1) The mitigation action for a credential stuffing attack is set to CSI followed by captcha.
2) A credential stuffing attack occurs.
3) The CSI challenge succeeds.

Impact:
The captcha is not triggered, so the mitigation applied to the credential stuffing attack is weaker than configured.

Workaround:
None


922053-3 : inaccurate number of trunk members reported by bcm56xxd/bcmLINK

Links to More Info: BT922053

Component: TMOS

Symptoms:
The "bcmLINK" process (sometimes referred to as "bcm56xxd") may fail with a segmentation fault and be restarted, leaving behind a core-dump file for "bcmLINK".

An error message may be logged about the condition "max_mbrs > 0".

Conditions:
-- Occurs in a multi-blade VIPRION system with trunked interfaces.
-- The precise trigger is not known.

Impact:
Momentary disruption of traffic handling by TMM.

Workaround:
None known.


921541-7 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.

Links to More Info: BT921541

Component: Local Traffic Manager

Symptoms:
The HTTP session initiated by curl hangs.

Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
   + B4450N (A114)
   + i4000 (C115)
   + i10000 (C116/C127)
   + i7000 (C118)
   + i5000 (C119)
   + i11000 (C123)
   + i11000 (C124)
   + i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096.

Impact:
Connection hangs, times out, and resets.

Workaround:
Use software compression.


919917-7 : File permission errors during bot-signature installation

Links to More Info: BT919917

Component: Application Security Manager

Symptoms:
When you install a Bot-Sig IM file through LU, /var/log/ltm shows file permission errors:

Cannot open lock file (/var/run/config_lock), permission denied.

Cannot open command history file (/root/.tmsh-history-root), Permission denied : framework/CmdHistoryFile.cpp, line 92.

Conditions:
Installing bot-signature.

Impact:
If MCPD restarts or the box reboots immediately after the bot-signature installation, without any subsequent configuration change, the bot-signature installation is reverted.

Workaround:
Any configuration change in LTM that follows the bot-signature installation prevents it from being reverted.


918693-6 : Wide IP alias validation error during sync or config load

Links to More Info: BT918693

Component: Global Traffic Manager (DNS)

Symptoms:
DB validation exception occurs during GTM config sync or config load:

01070734:3: Configuration error: DB validation exception, unique constraint violation on table (gtm_wideip_alias) object ID (1 /Common/alias.test.com www.test.com). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:gtm_wideip_alias status:13)
Unexpected Error: Loading configuration process failed.

Conditions:
-- A wideip alias is moved from one wideip to another
-- GTM sync occurs, or a gtm config is loaded manually.

This issue can occur any time a GTM config is loaded or synchronised where the new configuration has a wideip with an alias, which is already configured on a different wideip in the existing in-memory GTM configuration.

Impact:
You are unable to load config or full sync from peer GNS/GTM.

Workaround:
Follow this procedure:
1. Delete the wide IP alias on the destination device.
2. Try the sync or load config operation again.


915493-7 : imish command hangs when ospfd is enabled

Links to More Info: BT915493

Component: TMOS

Symptoms:
Running the imish command hangs when ospfd is enabled.

Conditions:
-- Dynamic routing enabled.
-- The ospfd protocol is enabled.
-- Running the imish command.

Impact:
The imish operation hangs.

Workaround:
Restart the ospfd daemon.


915221-7 : DoS unconditionally logs MCP messages to /var/tmp/mcpd.out

Links to More Info: BT915221

Component: Advanced Firewall Manager

Symptoms:
Excessive and large DoS debug messages associated with tmsh commands and stat queries are logged to /var/tmp/mcpd.out which is not log-rotated.

Conditions:
-- AFM is provisioned.
-- DoS queries executed via tmsh.

Impact:
Disk space is consumed on the filesystem for /var/tmp, which can eventually lead to follow-on failures when the disk fills up.

Workaround:
Delete or purge /var/tmp/mcpd.out.


912293-7 : Persistence might not work properly on virtual servers that utilize address lists

Links to More Info: BT912293

Component: Local Traffic Manager

Symptoms:
-- Connections to the virtual server might hang.
-- Increased tmm CPU utilization.

Conditions:
-- A virtual server is configured with a traffic-matching-criteria that utilizes a source-address-list and/or destination-address-list.

-- The virtual server utilizes one of the following persistence types:
  + Source Address (but not hash-algorithm carp)
  + Destination Address (but not hash-algorithm carp)
  + Universal
  + Cookie (only cookie hash)
  + Host
  + SSL session
  + SIP
  + Hash (but not hash-algorithm carp)

Impact:
-- High tmm CPU utilization.
-- Stalled connections.

Workaround:
Enable match-across-virtuals in the persistence profile.

Note: Enabling match-across-virtuals might affect the behavior of other virtual servers in the configuration that utilize persistence.


911241-10 : The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug

Links to More Info: BT911241

Component: Global Traffic Manager (DNS)

Symptoms:
The iqsyncer utility leaks memory.

Conditions:
-- There is a large bigip_gtm.conf.
-- The log.gtm.level is set to debug.

Impact:
The iqsyncer utility exhausts memory and is killed.

Workaround:
Do not set log.gtm.level equal to or higher than debug.


910645-3 : Upgrade error 'Parsing default XML files. Failed to parse xml file'

Links to More Info: BT910645

Component: TMOS

Symptoms:
After upgrading BIG-IP APM, multiple error messages appear in /var/log/ltm:

-- err mcpd[5352]: 010713cf:3: Parsing default XML files. Failed to parse xml file (/var/sam/www/client/customization-source/Common/modern/secure_access_client/default_secure_access_client.xml) because Failed to stat file (/var/sam/www/client/customization-source/Common/modern/secure_access_client/default_secure_access_client.xml) errno(2) strerror(No such file or directory)
-- err mcpd[5352]: 010713cf:3: Parsing default XML files. Failed to parse xml file (/var/sam/www/client/customization-source/Common/modern/resource_app_tunnel/default_resource_app_tunnel.xml) because Failed to stat file (/var/sam/www/client/customization-source/Common/modern/resource_app_tunnel/default_resource_app_tunnel.xml) errno(2) strerror(No such file or directory)

Conditions:
-- APM configuration.
-- Upgrade the BIG-IP system to v15.1.0 or newer.

Impact:
These are benign messages that do not indicate a functional issue. There is no impact; the system works correctly.

The errors occur when the upgraded BIG-IP APM configuration attempts to load resource definitions for the modern customization schema. However, by design, the modern customization schema does not define resources. Only the standard customization schema defines resources found under '/var/sam/www/client/customization-source/Common/standard/'.

Workaround:
None.


908005-6 : Limit on log framework configuration size

Links to More Info: BT908005

Component: TMOS

Symptoms:
While the system config is loading, you see numerous error messages:

-- err errdefsd[26475]: 01940010:3: errdefs: failed to add splunk destination.
-- err errdefsd[585]: 01940015:3: errdefs: failure publishing errdefs configuration.

Conditions:
This can occur during a log-config update/load that has numerous log-config objects configured.

Impact:
System does not log as expected.

Workaround:
None


906273-4 : MCPD crashes receiving a message from bcm56xxd

Links to More Info: BT906273

Component: TMOS

Symptoms:
Under rare circumstances, the Broadcom switch daemon bcm56xxd can send more than one message at a time to MCPD.
This can cause MCPD either to fail immediately or to hang and be terminated by sod 5 minutes later.

One of the messages being sent is in response to a link status change. The second message is a reply to a query, for instance a query for l2 forward statistics.

Conditions:
-- BIG-IP with a Broadcom switch.
-- A link status change occurs.
-- MCPD sends a query to bcm56xxd, for instance for l2 forward statistics.

Impact:
MCPD failure and restarts causing a failover.

Workaround:
None


905477-7 : The sdmd daemon cores during config sync when multiple devices configured for iRules LX

Links to More Info: BT905477

Component: Local Traffic Manager

Symptoms:
The iRules LX workspaces belong on only one device in a Device Service Cluster (DSC). If you have the same iRules LX workspace configured on multiple devices and then perform a config sync operation, the sdmd daemon cores.

Conditions:
-- Multiple devices configured with the same iRules LX workspace in a DSC.
-- Change one of the devices such that the configuration requires a config sync.
-- Perform the config sync.

Impact:
The sdmd daemon cores. Although having multiple devices configured with the same iRules LX workspace is an incorrect configuration, sdmd should not core.

Workaround:
When the iRules LX workspace is correctly configured, i.e., on only one device in a DSC, there is no need to config sync, so this issue does not occur.


904537-6 : The csyncd process may keep trying to sync the GeoIP database to a secondary blade

Links to More Info: BT904537

Component: Local Traffic Manager

Symptoms:
The most common symptom is when csyncd repeatedly syncs the GeoIP files and loads the GeoIP database, causing a large number of Clock advanced messages on all tmms.

Repeated log messages similar to the following are reported when a secondary slot logs into the primary slot to load the sys geoip database:

-- info sshd(pam_audit)[17373]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=x.x.x.x attempts=1 start="Wed Apr 29 13:50:49 2020".
-- notice tmsh[17401]: 01420002:5: AUDIT - pid=17401 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys geoip.

Conditions:
-- VIPRION or vCMP guests.
-- Either of the following:
   - First installing the GeoIP database if the /shared/GeoIP/v2 directory does not exist.
   - When a new blade is installed into a chassis.

Impact:
Repeated logs of Clock advanced messages.

Workaround:
Run the command:
 clsh bigstart restart csyncd


902445-4 : ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation

Links to More Info: BT902445

Component: Application Security Manager

Symptoms:
ASM event logging stops working.

Conditions:
This can occur during normal ASM operation. It occurs after ASM executes 'No space in shmem' error disconnection mitigation, and this error is logged.

Impact:
ASM Policy Event Logging stops working; new events are not saved.

Workaround:
Restart asmlogd and pabnagd:
pkill asmlogd
pkill pabnagd


895669-4 : VCMP host does not validate when an unsupported TurboFlex profile is configured

Links to More Info: BT895669

Component: TMOS

Symptoms:
No validation error is raised when an unsupported TurboFlex profile is configured on a vCMP host on the relevant platforms. This lack of validation can result in incorrect FPGA firmware being loaded on the host, so a guest may fail to start or may reboot constantly.

Conditions:
(1) Provision vCMP on the host and deploy 2x guests with 4 cores
(2) On the vCMP host, manually change TurboFlex profile type to be one that it does not support.

Impact:
Incorrect FPGA firmware is loaded on the host, which can cause problems with the data plane on the guest.

Workaround:
Only use supported turboflex profiles.


894593-3 : High CPU usage caused by the restjavad daemon continually crashing and restarting

Links to More Info: BT894593

Component: TMOS

Symptoms:
Restjavad may become unstable if the amount of memory required by the daemon exceeds the value allocated for its use.

Conditions:
The memory required by the restjavad daemon may grow significantly in system configurations with either a high volume of device statistics collection (AVR provisioning) or a relatively large number of LTM objects managed by the REST framework (SSL Orchestrator provisioning).

Impact:
The overall system performance is degraded during the continuous restart of the restjavad daemon due to a relatively high CPU usage.

Workaround:
Do not apply the workaround below if you encounter issues after upgrading to 14.1.5.1-, 15.1.7-, 16.1.3.1- and 17.0.0.1 and you already have restjavad.useextramb set to true. If restjavad memory is low under these conditions, you are likely encountering a problem caused by the behaviour change introduced in ID 1025261 ( https://cdn.f5.com/product/bugtracker/ID1025261.html ). The linked article has suggestions on how to mitigate the issue.

If you have restjavad.useextramb set to false and need more memory after upgrading to one of the versions above, you will also need to set provision.restjavad.extramb to a sensible value in addition to running the commands below: typically 384 + 80% of MIN(provision.extramb | 2500), which is 1984 MB for the example below.
That is a high value, and it may be possible to set it lower; for example, it may be worth trying 384 + 20% of MIN(provision.extramb | 2500), which is 784 MB for the example below. You can try different values quickly by changing provision.restjavad.extramb and restarting restjavad, which should only affect availability of the REST API for a few seconds. Generally, 384 MB should be seen as the minimum.

Increase the memory allocated for the restjavad daemon (e.g., 2 GB), by running the following commands in a BIG-IP terminal.
 
tmsh modify sys db restjavad.useextramb value true
tmsh modify sys db provision.extramb value 2000
bigstart restart restjavad
Note: changing provision.extramb is service affecting, and systems may take several minutes to return to a state in which they can handle traffic. It also needs to be set on each peer of a service cluster.

Note: this may impact multi-module systems with ASM, as only approximately 50-60% of the provision.extramb value is allocated as extra host memory, while restjavad may take up to 80% of provision.extramb. It also lowers the ASM-specific host allocation, resulting in tighter memory constraints on ASM daemons. Use the smallest value that works.


891565-3 : The Subject Alternative Name (SAN) field in Certificates and Certificate Signing Requests is limited to 4095 bytes

Links to More Info: BT891565

Component: Local Traffic Manager

Symptoms:
When creating a Certificate Signing Request (CSR) or when creating or using a Certificate (CRT), there is a limit of 4096 bytes in the Subject Alternative Names (SAN) field.

Since one byte is reserved, the value entered into that field cannot exceed 4095 bytes.

Note that if the SAN list is so long that it causes the entire SSL handshake (i.e., all handshake messages combined) to exceed 32K, the handshake is aborted with the code "hs msg overflow"; see K40902150 for further details.

Conditions:
-- Generation of a Certificate Signing Request with a large SAN list.
(or)
-- Use of a client-ssl profile with a virtual server, where an associated certificate contains a large SAN field.

Impact:
Very long SAN values cannot be used

Workaround:
- Create multiple certificates, where each certificate has a sufficiently short SAN list, then create client-ssl profiles for each cert+key, then assign all of those profiles to the same virtual server.

- Reduce the length of the Subject Alternative Name field, if possible by collapsing multiple entries into one by using wildcards, for example '*.example.com', rather than 'one.example.com;two.example.com'
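The two workarounds above can be planned before the CSR is generated. The following is an added example (not F5 code) that collapses hostnames under a common parent into a wildcard entry and then packs what remains into lists that each fit within the 4095-byte field, one list per certificate. It assumes the field value is the semicolon-separated form shown above ('one.example.com;two.example.com').

```python
"""Plan SAN lists around the 4095-byte field limit described in ID 891565.

Added example, not F5 code. Models the two workarounds from the page:
1. collapse hostnames sharing a parent domain into '*.<parent>';
2. split what remains into several lists that each fit in the field,
   one list per certificate / client-ssl profile on the same virtual server.
Assumes the field value is semicolon-separated ('a.example.com;b.example.com').
"""
from collections import defaultdict

SAN_FIELD_LIMIT = 4095  # one byte of the 4096-byte field is reserved


def san_field_length(names):
    """Length in bytes of the SAN field value for the given names."""
    return len(";".join(names).encode("utf-8"))


def collapse_to_wildcards(names, min_group=2):
    """Replace hostnames that share a parent domain with '*.<parent>'.

    Only direct children are collapsed (a.example.com, b.example.com ->
    *.example.com); a wildcard label does not match deeper names, so
    x.y.example.com would only collapse with other *.y.example.com names.
    Note that the wildcard also covers names that were not in the list,
    which is the trade-off of this workaround.
    """
    by_parent = defaultdict(list)
    singles = []
    for name in names:
        labels = name.split(".")
        # Keep existing wildcards and bare apex names (fewer than 3 labels).
        if name.startswith("*.") or len(labels) < 3:
            singles.append(name)
            continue
        by_parent[".".join(labels[1:])].append(name)
    out = list(singles)
    for parent, children in by_parent.items():
        if len(children) >= min_group:
            out.append("*." + parent)
        else:
            out.extend(children)
    return sorted(set(out))


def split_into_certificates(names, limit=SAN_FIELD_LIMIT):
    """Greedily pack names into SAN lists that each fit within the limit.

    Each returned list becomes one certificate with its own client-ssl
    profile; all profiles are then assigned to the same virtual server.
    """
    lists, current = [], []
    for name in names:
        if san_field_length([name]) > limit:
            raise ValueError(f"single SAN entry exceeds {limit} bytes: {name!r}")
        if current and san_field_length(current + [name]) > limit:
            lists.append(current)
            current = []
        current.append(name)
    if current:
        lists.append(current)
    return lists


def plan_san_lists(names, limit=SAN_FIELD_LIMIT):
    """Apply both workarounds and return the per-certificate SAN lists."""
    return split_into_certificates(collapse_to_wildcards(names), limit)


if __name__ == "__main__":
    # Constructed input: 400 hosts under one zone plus a few stand-alone names.
    hosts = [f"node{i}.cluster.example.net" for i in range(400)] + [
        "example.net", "www.example.net", "api.example.org", "static.example.org"]
    print(f"raw SAN field would be {san_field_length(hosts)} bytes")
    for i, lst in enumerate(plan_san_lists(hosts), 1):
        print(f"certificate {i}: {len(lst)} names, {san_field_length(lst)} bytes")
```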


890169-6 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.

Links to More Info: BT890169

Component: Application Security Manager

Symptoms:
When a URL starts with double slashes (e.g., "http://HOST//path") and the Bot Defense profile decides to perform a simple redirect, the request fails to load.

Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.

Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.

Workaround:
None.


890037-2 : Rare BD process core

Links to More Info: BT890037

Component: Application Security Manager

Symptoms:
The BD process crashes, leaving a core dump. ASM restarts, causing a failover.

Conditions:
Some amount of traffic load; beyond that, the conditions leading to this are not known.

Impact:
Failover, traffic disturbance.

Workaround:
None


887265-7 : BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration

Links to More Info: BT887265

Component: Local Traffic Manager

Symptoms:
When booting to a boot location for the first time, the system does not come on-line.

Conditions:
-- There is a large configuration.
-- VLAN failsafe is configured, and the failsafe-action is something other than failover.
-- The BIG-IP system is an appliance.

Impact:
BIG-IP processes continually restart (VLAN failsafe-action failover-restart-tm), or the BIG-IP system continually reboots (VLAN failsafe-action reboot)

Workaround:
Either disable VLAN failsafe or set the failsafe-action to failover during an upgrade.


883149-8 : The fix for ID 439539 can cause mcpd to core.

Links to More Info: BT883149

Component: TMOS

Symptoms:
Mcpd cores during config sync.

Conditions:
This has only been observed once. The device was going from standby to active, and the connection between the BIG-IP peers stalled out.

Impact:
Mcpd cores. Traffic disrupted while mcpd restarts.

Workaround:
NA


881937-5 : TMM and the kernel choose different VLANs as source IPs when using IPv6.

Links to More Info: BT881937

Component: Local Traffic Manager

Symptoms:
IPv6 traffic generated from the host, either from a host daemon, monitors, or from the command line, can use a MAC and IPv6 source address from different VLANs.

Conditions:
-- Multiple VLANs configured with IPv6 addresses.
-- Multiple routes to the same destination, either the same or more specific, default routes, etc., that cover the traffic destination.
-- Changes are made to routes that cause the traffic to the destination to shift from one VLAN and gateway to another. This can be typically observed with dynamic routing updates.
-- The db key snat.hosttraffic is set to disable.

Impact:
Traffic to the destination may fail because the incorrect source IPv6/MAC address is used, which might cause monitor traffic to fail.

Workaround:
Check the snat.hosttraffic db key, enable it, and save the configuration:

tmsh list sys db snat.hosttraffic
tmsh modify sys db snat.hosttraffic value enable
tmsh save sys config


878641-7 : TLS1.3 certificate request message does not contain CAs

Links to More Info: BT878641

Component: Local Traffic Manager

Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4

Conditions:
TLS1.3 and client authentication

Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected


876569-6 : QAT compression codec produces gzip stream with CRC error

Links to More Info: BT876569

Component: Local Traffic Manager

Symptoms:
When an HTTP compression profile is enabled on BIG-IP platforms with Intel QuickAssist Technology (Intel QAT) compression accelerators, gzip errors are produced.

Conditions:
This occurs when the following conditions are met:

-- The following platforms with Intel QAT are affected:
   + 4450 blades
   + i4600/i4800
   + i10600/i10800
   + i7600/i7800
   + i5600/i5800
   + i11600/i11800
   + i11400/i11600/i11800
   + i15600/i15800

-- The compression.qat.dispatchsize variable is set to any of the following values:
   + 65535
   + 32768
   + 16384
   + 8192

-- The size of the file being compressed is a multiple of the compression.qat.dispatchsize value, for example:

   + 65355*32768
   + 8192*32768

Impact:
Clients cannot decompress the compressed file because there is an invalid gzip footer.

Workaround:
Disable hardware compression and use software compression.


869541-4 : Series of unexpected <aborted> requests to same URL

Links to More Info: BT869541

Component: Access Policy Manager

Symptoms:
Series of unexpected <aborted> requests to same URL

Conditions:
Web-app using special code pattern in JavaScript.

For example:

     loc = window.location;

     obj = {}

     for (i in loc) {
        obj[i] = loc[i];
     }

Impact:
Page load is aborted

Workaround:
The following iRule can be used, with SPECIFIC_PAGE_URL replaced by the path of the affected page:

when REWRITE_REQUEST_DONE {
  if {
    [HTTP::path] ends_with "SPECIFIC_PAGE_URL"
  } {

    # log "URI=([HTTP::path])"
    # Found the file we wanted to modify

    REWRITE::post_process 1
    set do_fix 1
  }
}

when REWRITE_RESPONSE_DONE {
  if {[info exists do_fix]} {
    unset do_fix

    set strt [string first {<script>try} [REWRITE::payload]]

    if {$strt > 0} {
      REWRITE::payload replace $strt 0 {
        <script>
          (function () {
            var dl = F5_Deflate_location;
            F5_Deflate_location = function (o) {
              if (o.F5_Location) Object.preventExtensions(o.F5_Location)
              return dl(o);
            }
          })()
        </script>
      }
    }
  }
}


867985-7 : LTM policy with a 'shutdown' action incorrectly allows iRule execution

Links to More Info: BT867985

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide manipulation tools over a connection with an LTM policy and/or iRule. LTM policy takes precedence over iRules and has an option to shut down a connection when its conditions are satisfied. When a connection is closing, an iRule should not be executed under the same conditions.

Conditions:
-- The BIG-IP system has a virtual server with an LTM policy and an iRule.
-- The LTM policy has action 'shutdown connection' under certain conditions.
-- The iRule has an event which is triggered under the same conditions.

Impact:
The iRule is executed before the connection is reset.

Workaround:
None.


867549-5 : LCD touch panel reports "Firmware update in progress" indefinitely

Links to More Info: BT867549

Component: TMOS

Symptoms:
After a software upgrade that includes an LCD firmware update, the LCD touch panel may remain stuck indefinitely (longer than 30 minutes) reporting:
Firmware update in Progress may take up to 30 minutes.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have one of the following BIG-IP platforms:
 * i850
 * i2x00
 * i4x00
 * i5x00
 * i7x00
 * i10x00
 * i11x00
 * i15x00
 * HRC-i2x00
 * HRC-i5x00
 * HRC-i10x00

-- You perform a software upgrade that updates the firmware on the LCD touch panel, e.g. upgrading from BIG-IP v13.1.x to BIG-IP v14.1.x or newer.

Impact:
The system is functional, but the LCD displays the firmware update screen indefinitely. The LCD cannot be used while it is frozen on the firmware update warning screen.

Workaround:
Important: Before attempting this workaround, check that there are no indications the system is still performing a firmware update (such as a terminal prompt), and that the following messages can be found in /var/log/ltm after the most recent boot:

notice chmand[6302]: 012a0005:5: firmware update succeeded.
notice chmand[6302]: 012a0005:5: Firmware check finished.

These messages indicate that the firmware update has finished and that the LCD is displaying the warning screen in error, so it is safe to perform the workaround.

Reboot the BIG-IP system to return the LCD to normal operation.

After a reboot of the BIG-IP operating system, the LCD touch panel should be responsive.


867253-5 : Systemd not deleting user journals

Links to More Info: BT867253

Component: TMOS

Symptoms:
When setting 'SystemMaxUse' to any value, systemd does not honor this limit, and the specified size is exceeded.

Conditions:
Using a non-TMOS user account with external authentication permission.

Note: Systemd-journald is configured to create a user journal for every remote user that logs into the BIG-IP system.

Impact:
Journald fills up the file system. These journals are allocated with a minimum size of 4 MiB and are not removed when their log entries age out.

Workaround:
Option 1:
To immediately free up space, manually remove per-user journal logs from the following location:
  /var/log/journal/*/user-*

Option 2:
To prevent the system from creating these journal files going forward:

1. Edit /etc/systemd/journald.conf and add the following at the bottom of the file:
  SplitMode=none

2. Restart systemd-journal service
  # systemctl restart systemd-journald

3. Delete the existing user journal files from /var/log
  # rm /var/log/journal/*/user-*

Note:
-- You must apply this workaround separately to each blade of a VIPRION or vCMP guest running on a VIPRION.
-- You must reapply this workaround after performing software installations.
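Because the note above says the workaround is lost after a software installation, a quick way to confirm it is still in place is useful. The following script is an added example and is not F5's code: it parses journald.conf for an active SplitMode=none in the [Journal] section (commented keys ignored, last assignment wins) and sizes the user-* journal files one directory below the journal root, matching the /var/log/journal/*/user-* pattern from the workaround. The sample configuration and file listing are constructed.

```python
"""Check whether the journald per-user-journal workaround is still in effect.

Added example, not F5's code: it parses journald.conf for an active
'SplitMode=none' in the [Journal] section and sizes the user-* journal files
under /var/log/journal/<machine-id>/, so the check can be re-run after a
software installation, which resets the workaround.
"""
import os
import re
from typing import Iterable, List, Optional, Tuple


def split_mode(conf_text: str) -> Optional[str]:
    """Effective SplitMode from journald.conf text, or None if unset.

    Commented keys (#, ;) are ignored, only the [Journal] section counts,
    and the last assignment wins, as with systemd's own parsing.
    """
    section = None
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "Journal" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == "SplitMode":
            value = val.strip()
    return value


def workaround_active(conf_text: str) -> bool:
    return split_mode(conf_text) == "none"


def select_user_journals(entries: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Keep (relative path, size) pairs matching /var/log/journal/*/user-*:
    a user-* file exactly one directory below the journal root."""
    kept = []
    for path, size in entries:
        parts = path.strip("/").split("/")
        if len(parts) == 2 and parts[1].startswith("user-"):
            kept.append((path, size))
    return sorted(kept)


def scan_journal_dir(journal_dir: str) -> List[Tuple[str, int]]:
    """Walk journal_dir and return (relative path, size) for every file."""
    entries = []
    for root, _dirs, files in os.walk(journal_dir):
        for name in files:
            full = os.path.join(root, name)
            entries.append((os.path.relpath(full, journal_dir), os.path.getsize(full)))
    return entries


def report(conf_path: str = "/etc/systemd/journald.conf",
           journal_dir: str = "/var/log/journal") -> dict:
    """Live check against the real paths (only meaningful on a BIG-IP)."""
    with open(conf_path) as fh:
        active = workaround_active(fh.read())
    journals = select_user_journals(scan_journal_dir(journal_dir))
    return {"split_mode_none": active,
            "user_journal_count": len(journals),
            "user_journal_bytes": sum(size for _, size in journals)}


# Constructed sample: a journald.conf with the commented default still
# present and the workaround line appended at the bottom.
SAMPLE_CONF = """\
[Journal]
#SplitMode=uid
SystemMaxUse=50M
SplitMode=none
"""

# Constructed listing in the form scan_journal_dir() produces.
SAMPLE_LISTING = [
    ("0123456789abcdef0123456789abcdef/system.journal", 8388608),
    ("0123456789abcdef0123456789abcdef/user-1000.journal", 4194304),
    ("0123456789abcdef0123456789abcdef/user-1001@0005.journal~", 4194304),
]

if __name__ == "__main__":
    print(split_mode(SAMPLE_CONF), select_user_journals(SAMPLE_LISTING))
    try:
        print(report())
    except OSError as exc:       # not on a BIG-IP, or no journal directory
        print("live check skipped:", exc)
```

Run it on each blade after an upgrade: if split_mode_none is False or user_journal_count is non-zero, reapply Option 2 on that blade.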


863601-6 : Panic in TMM due to internal mirroring interactions

Links to More Info: BT863601

Component: Wan Optimization Manager

Symptoms:
The Traffic Management Microkernel suddenly restarts due to a SIGSEGV segmentation fault.

Conditions:
-- APM is being used.
-- Connection mirroring is being used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid configuring connection mirroring when APM is being used.


862949-5 : ZoneRunner GUI is unable to display CAA records

Links to More Info: BT862949

Component: Global Traffic Manager (DNS)

Symptoms:
Attempting to manage a CAA record via the GUI shows an error:

Resolver returned no such record.

Conditions:
-- Navigate to DNS :: Zones :: ZoneRunner :: Resource Record List :: Search All Records.
-- Click on record of type CAA.

Impact:
Unable to update CAA records via the GUI.

Workaround:
You can use either of the following workarounds:

-- Manually edit the BIND configuration.
-- Delete the record and create a new one with the desired changes.


857045-5 : LDAP system authentication may stop working

Links to More Info: BT857045

Component: TMOS

Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.

In /var/log/daemon.log, you may see the following:

warning systemd[1]: nslcd.service failed

Conditions:
Nslcd daemon crashed, and it fails to restart.

Impact:
System authentication stops working until nslcd is restarted.

Workaround:
Manually restart nslcd daemon:

systemctl start nslcd



nslcd can be reconfigured to restart automatically and to create core files when it crashes, though these changes are lost across software installations (and are not backed up as part of a UCS archive):

1. Run "systemctl edit nslcd", which will open a text editor (by default, nano).

2. In the text editor, add these contents:

[Service]

# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always

3. Exit the text editor and save the file

4. Check the output of "systemctl status nslcd" for any warnings/errors from systemd as a result of editing the file; there should not be any.

5. Restart nslcd:
   systemctl restart nslcd


851121-8 : Database monitor DBDaemon debug logging not enabled consistently

Links to More Info: BT851121

Component: Local Traffic Manager

Symptoms:
Debug logging in the database monitor daemon (DBDaemon) for database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle) is enabled on a per-monitor basis.
When a ping is initiated for a particular monitor with debug logging enabled in the monitor configuration, debug logging in DBDaemon is enabled.
When a ping is initiated for a particular monitor with debug logging disabled in the monitor configuration, debug logging in DBDaemon is disabled.
When monitoring database pool members with a mix of monitors that have debug logging enabled and disabled, debug logging in DBDaemon can be enabled and disabled at times that do not correspond to all actions related to a specific database monitor, or to the pool members monitored by that monitor.
In addition, debug messages logging internal DBDaemon state related to the management of the full collection of monitored objects, active threads, and other internal state may not be logged consistently.

Conditions:
-- Using multiple database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle).
-- Enabling debug logging on one or more database health monitors, but not all.

Debug logging for database health monitors is enabled by configuring the "debug" property of the monitor with a value of "yes".
Debug logging is disabled by configuring the "debug" property with a value of "no" (default).

# tmsh list ltm monitor mysql mysql_example debug
ltm monitor mysql mysql_example {
    debug yes
}

Impact:
Logging of database monitor activities by DBDaemon may be inconsistent and incomplete, impeding efforts to diagnose issues related to database health monitors.

Workaround:
When attempting to diagnose database health monitor issues with DBDaemon debug logging, enable debug logging for ALL database monitors currently in use.
Once diagnostic data collection is completed, disable debug logging for all database monitors currently configured/in use.


850141-5 : Possible tmm core when using Dosl7/Bot Defense profile

Links to More Info: BT850141

Component: Application Security Manager

Symptoms:
Tmm crashes.

Conditions:
-- Dosl7/Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature and requires an rDNS lookup.
-- An asynchronous iRule is attached to the virtual server

OR:
-- Device ID feature is enabled, and the current request requires a complex Device ID generation.
-- The connection is closed before the response arrives.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


844597-7 : AVR analytics is reporting null domain name for a dns query

Links to More Info: BT844597

Component: Advanced Firewall Manager

Symptoms:
AVR analytics reports a null domain name for a DNS query if a DNS DoS profile is attached to the virtual server but the profile does not have the vector matching the query type enabled.

Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.

Impact:
DNS domain name is reported as NULL

Workaround:
Enable the matching type vector on the DNS DoS profile.


842425-7 : Mirrored connections on standby are never removed in certain configurations

Links to More Info: BT842425

Component: Local Traffic Manager

Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.

Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.

Impact:
Leaking connections on the standby system.

Workaround:
You can use either of the following workarounds:

-- Use auto-lasthop with mirrored connections.

-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.


842193-7 : Scriptd coring while running f5.automated_backup script

Links to More Info: BT842193

Component: iApp Technology

Symptoms:
When the f5.automated_backup iApp script is terminated because it exceeded max-script-run-time, the script still continues and finishes, sometimes with scriptd coring and posting error messages in /var/log/ltm:

-- info logger[17173]: f5.automated_backup iApp autobackup: STARTED
-- info logger[17175]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs GENERATING

-- err scriptd[13532]: 014f0004:3: script has exceeded its time to live, terminating the script <------ after 20 secs, it continues even after the scriptd core.

-- notice sod[3235]: 01140041:5: Killing /usr/bin/scriptd pid 13532.
-- warning sod[3235]: 01140029:4: high availability (HA) daemon_heartbeat scriptd fails action is restart.
-- info logger[19370]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs SAVED LOCALLY
(/var/local/ucs)
-- info logger[19372]: f5.automated_backup iApp autobackup: FINISHED

Conditions:
Configure the iApp application with f5.automated_backup template to do auto-backup at regular intervals.

Impact:
Scriptd core.

Workaround:
Increasing the sys scriptd max-script-run-time higher than the default of 300 seconds might be helpful if the higher timeout allows the script to complete.

For example, if the script is saving a UCS and the save takes 400 seconds, then increasing the max-script-run-time to 430 seconds would allow the script to finish and would work around this issue.


842137-7 : Keys cannot be created on module protected partitions when strict FIPS mode is set

Links to More Info: BT842137

Component: Local Traffic Manager

Symptoms:
When the Hardware Security Module (HSM) FIPS mode is set to FIPS 140-2 Level 3 protection, new keys cannot be created in the module's protected partition.

Note: Although FIPS grade Internal HSM (PCI card) is validated by the Marvell company at FIPS 140-2 Level 3, the BIG-IP system is not 140-2 Level 3 validated.

Conditions:
-- FIPS 140-2 Level 3 protection is configured on a NetHSM partition.
-- You attempt to create a FIPS key using that partition.

Impact:
New keys cannot be created.

Workaround:
Follow these steps to generate a new NetHSM key called 'workaround' and install it into the BIG-IP config:

1. Generate the key:

[root@bigip1::Active:Standalone] config # fipskey.nethsm --genkey -o workaround -c module
WARNING: fipskey.nethsm will soon be deprecated for use with Thales. Please switch to using tmsh commands instead.
tmsh commands...

Generate Key:
tmsh create sys crypto key <key_name> security-type nethsm [gen-certificate|gen-csr] ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate CSR for existing key:
tmsh create sys crypto csr <csr_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate Self-Signed Certificate for existing key:
tmsh create sys crypto cert <cert_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Delete Key:
tmsh delete sys crypto key <keyname>


str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=2048 embedsavefile="workaround" plainname="workaround" digest=sha256]
key generation parameters:
 operation Operation to perform generate
 application Application pkcs11
 protect Protected by module
 verify Verify security of key yes
 type Key type RSA
 size Key size 2048
 pubexp Public exponent for RSA key (hex)
 embedsavefile Filename to write key to workaround
 plainname Key name workaround
 x509country Country code
 x509province State or province
 x509locality City or locality
 x509org Organisation
 x509orgunit Organisation unit
 x509dnscommon Domain name
 x509email Email address
 nvram Blob in NVRAM (needs ACS) no
 digest Digest to sign cert req with sha256

Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622
Starting synchronisation, task ID 5de83486.6e9e32d7f367eaf4
Directory listing failed: No such file or directory


2. Confirm the presence of the key with the label 'workaround':

[root@bigip1::Active:Standalone] config # nfkminfo -l

Keys with module protection:

 key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622 `workaround'

Keys protected by cardsets:
...


3. Install the key:

[root@bigip1::Active:Standalone] config # tmsh install sys crypto key workaround from-nethsm


4. Install the public certificate:

[root@bigip1::Active:Standalone] config # tmsh install sys crypto cert workaround from-local-file /config/ssl/ssl.crt/workaround


838405-5 : Listener traffic-group may not be updated when spanning is in use

Links to More Info: BT838405

Component: TMOS

Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.

Conditions:
Spanning is disabled or enabled on a virtual address.

Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.

Depending on the configuration, virtual server may or may not forward the traffic when expected.

Workaround:
Enable/Disable spanning together with changing a traffic-group (both options have to be changed simultaneously):

> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-2 spanning disabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled


838337-9 : The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.

Links to More Info: BT838337

Component: TMOS

Symptoms:
In 2019, Brazil cancelled DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP system's time zone database needs to be updated to reflect this change.

Conditions:
None.

Impact:
BIG-IP systems configured to use "America/Sao_Paulo" (or other applicable Brazilian localities) will still apply DST. Hence time will spring forward and fall back on the previously designated dates.

This will have no impact to application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, etc. will use incorrect time.

Note: You can inspect the time changes your system is due to apply by running the following command from the BIG-IP system's advanced shell (bash):

zdump -v <timezone>

For example:

zdump -v America/Sao_Paulo

Workaround:
As a workaround, you can set the BIG-IP system's time zone to that of a different country with the same UTC offset and already not observing DST.

For example, instead of using "America/Sao_Paulo", you could use "America/Buenos_Aires" to obtain the same result.


831737-5 : Memory Leak when using Ping Access profile

Links to More Info: BT831737

Component: Access Policy Manager

Symptoms:
The memory usage of pingaccess keeps growing when requests with an expired session cookie are sent to a virtual server with a PingAccess profile.

Conditions:
1. BIG-IP virtual server that contains PingAccess Profile.
2. Request sent with expired session cookie.

Impact:
Memory leak occurs in which ping access memory usage increases.


804529-4 : REST API to /mgmt/tm/ltm/pool/members/stats will fail for some pools

Links to More Info: BT804529

Component: TMOS

Symptoms:
GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats may fail with error 404

Conditions:
This impacts pools whose names start with the letter 'm'. This is because those endpoints contain objects with incorrect selfLinks.

For example:
1. A query to the following pool (whose name starts with the letter 'm') works, as it contains the right selfLink:
       - Pool: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats"
       - selfLink: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats?ver=x.x.x.x"

2. A query to the following pool (whose name does NOT start with the letter 'm') may not work, as it contains the wrong selfLink:
       - Pool: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats"
       - selfLink: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats?ver=x.x.x.x"

In the example above, notice that the word 'members' appears in the selfLink in case 2.

Impact:
You may see errors with GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats

Workaround:
You may use the following workarounds

1. Use /mgmt/tm/ltm/pool/members/stats, which does return the pool member stats for every pool

2. For each pool member in /mgmt/tm/ltm/pool, issue a GET for:

/mgmt/tm/ltm/pool/<pool>/members/<member>/stats
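Workaround 2 is easy to get wrong by hand because of the ~partition~name path encoding, and the defective selfLinks are easy to miss in a large stats response. The following script is an added example and is not F5's code: it builds the per-member stats URL for every member of every pool from a pool collection response (as returned with expandSubcollections=true), and it flags stats entries whose selfLink carries the spurious 'members' segment directly after '/pool/'. The JSON is constructed sample data shaped like iControl REST output; an HTTP client of your choice is assumed for fetching the real responses.

```python
"""Collect pool-member stats per member and flag the defective selfLinks.

Added example, not F5's code: it constructs the per-member stats URL for
every member of every pool from a /mgmt/tm/ltm/pool collection response
(workaround 2 above), and it flags entries in a stats response whose
selfLink carries the spurious 'members' segment right after '/pool/'. The
JSON below is constructed sample data shaped like iControl REST output;
an HTTP client is assumed to fetch the real responses.
"""
from typing import Dict, List
from urllib.parse import urlparse

PREFIX = "/mgmt/tm/ltm/pool"


def rest_name(full_path: str) -> str:
    """Encode an object fullPath ('/Common/a') as a REST path segment ('~Common~a')."""
    return full_path.replace("/", "~")


def member_stats_urls(pool_collection: Dict) -> List[str]:
    """One /pool/<pool>/members/<member>/stats URL per pool member.

    Expects the collection fetched with ?expandSubcollections=true so that
    membersReference.items is populated.
    """
    urls = []
    for pool in pool_collection.get("items", []):
        pool_seg = rest_name(pool["fullPath"])
        for member in pool.get("membersReference", {}).get("items", []):
            urls.append(f"{PREFIX}/{pool_seg}/members/{rest_name(member['fullPath'])}/stats")
    return urls


def suspicious_selflinks(stats_response: Dict) -> List[str]:
    """selfLinks of the form .../pool/members/~<partition>~<pool>/stats.

    A correct pool selfLink has the pool's own ~partition~name segment right
    after '/pool/'; 'members' in that position is the defect shown above.
    A genuine per-member URL (/pool/~P~pool/members/~P~member/stats) is not
    flagged because its 'members' segment comes after the pool segment.
    """
    bad = []
    for entry in stats_response.get("entries", {}).values():
        link = entry.get("nestedStats", {}).get("selfLink", "")
        parts = urlparse(link).path.split("/")
        if "pool" not in parts:
            continue
        tail = parts[parts.index("pool") + 1:]
        if len(tail) >= 2 and tail[0] == "members" and tail[1].startswith("~"):
            bad.append(link)
    return bad


# Constructed sample: two pools, one sharing a member with the other.
POOLS = {
    "kind": "tm:ltm:pool:poolcollectionstate",
    "items": [
        {"name": "a", "partition": "Common", "fullPath": "/Common/a",
         "membersReference": {"items": [
             {"name": "10.1.1.1:80", "partition": "Common", "fullPath": "/Common/10.1.1.1:80"},
             {"name": "10.1.1.2:80", "partition": "Common", "fullPath": "/Common/10.1.1.2:80"},
         ]}},
        {"name": "m", "partition": "Common", "fullPath": "/Common/m",
         "membersReference": {"items": [
             {"name": "10.1.1.1:80", "partition": "Common", "fullPath": "/Common/10.1.1.1:80"},
         ]}},
    ],
}

# Constructed sample stats response reproducing the two selfLinks from the text.
STATS = {
    "entries": {
        "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats": {
            "nestedStats": {"selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats?ver=x.x.x.x"}},
        "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats": {
            "nestedStats": {"selfLink": "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats?ver=x.x.x.x"}},
    }
}

if __name__ == "__main__":
    for url in member_stats_urls(POOLS):
        print("GET", url)
    print("defective selfLinks:", suspicious_selflinks(STATS))
```

Feeding the real collection response into member_stats_urls() yields the exact list of GETs workaround 2 calls for, and running suspicious_selflinks() over a stats response tells you whether the pools you are querying are affected before you rely on their selfLinks.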


804089-3 : iRules LX Streaming Extension dies with Uncaught, unspecified error event

Links to More Info: BT804089

Component: Local Traffic Manager

Symptoms:
You are using a virtual server with an iLX profile generated from an iRules LX Streaming extension and observe an error similar to the following:

Sep 05 09:16:52 pid[5850] Error: Uncaught, unspecified "error" event. (ETIMEDOUT)
Sep 05 09:16:52 pid[5850] at ILXFlow.emit (events.js:163:17)
Sep 05 09:16:52 pid[5850] at ILXFlowWrap.ilxFlowErrorCb [as onIlxError] (/var/sdm/plugin_store/plugins/<pluginName>/extensions/<workspaceName>/node_modules/f5-nodejs/lib/ilx_flow.js:108:10)

Conditions:
Virtual server with an ilx profile generated from an iRules LX Streaming extension. The problem is aggravated if a web-acceleration profile is configured.

Impact:
Traffic may be disrupted until the sdmd daemon has respawned another node.js process.


798885-7 : SNMP response times may be long when processing requests

Links to More Info: BT798885

Component: TMOS

Symptoms:
SNMP queries to the BIG-IP system may take longer (up to 15% more time) to process on BIG-IP systems with large configurations. mcpd CPU usage increases by a small amount (up to 10%) during these queries.

Conditions:
-- Large configuration.
-- Using SNMP to query statistics on the BIG-IP system.

Impact:
A small increase in response time to SNMP requests to the BIG-IP. Some SNMP queries might fail due to timeouts. mcpd CPU usage is slightly elevated while processing these queries.

Workaround:
If the responses to SNMP queries are taking too long, MCPD and SNMPD may overburden the control plane. It may be necessary to lengthen the timeout and retry values used by the SNMP client. It may also be helpful to trim what is queried, for example, not repetitively walking large tables like the Virtual Server or LTM Pool Member tables for statistics.


779137-8 : Using a source address list for a virtual server does not preserve the destination address prefix

Links to More Info: BT779137

Component: Local Traffic Manager

Symptoms:
Configuring a network virtual server with a source address list causes the system to treat the virtual server as a host.

Conditions:
-- Configure a source address list on the virtual server.
-- Configure a network address for the destination of the virtual server (not an address list).

Impact:
Traffic does not flow to the virtual server as expected.

Workaround:
See K58807232


778513-5 : APM intermittently drops log messages for per-request policies

Links to More Info: BT778513

Component: TMOS

Symptoms:
APM may intermittently drop log messages, leading to missing information on policy execution or other events.

Conditions:
This might occur under either of the following conditions:

 -- Using APM per-request policies, or ACCESS::log iRule commands.
 -- APM is configured to use multiple log destinations (such as: local-db and local-syslog).

Impact:
Administrator may fail to report certain logging events, hindering troubleshooting or auditing efforts.

Workaround:
No workaround is possible.

When reviewing APM logs, keep in mind that during periods of high activity (more than 100 log messages in 1 to 2 seconds) the system may drop some log messages.


776117-6 : BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type

Links to More Info: BT776117

Component: TMOS

Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type.

Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor.

Impact:
The BIG-IP will not use the virtio driver, using the sock (or unic, in versions prior to 14.1.0) driver instead.


775845-8 : Httpd fails to start after restarting the service using the iControl REST API

Links to More Info: BT775845

Component: TMOS

Symptoms:
After restarting httpd using the iControl REST API, httpd fails to start, even with a subsequent restart of httpd at the command line.

Similar to the following example:

config # restcurl -u admin:admin /tm/sys/service -X POST -d '{"name":"httpd", "command":"restart"}'
{
  "kind": "tm:sys:service:restartstate",
  "name": "httpd",
  "command": "restart",
  "commandResult": "Stopping httpd: [ OK ]\r\nStarting httpd: [FAILED]\r\n(98)Address already in use: AH00072: make_sock: could not bind to address n.n.n.n:n\nno listening sockets available, shutting down\nAH00015: Unable to open logs\n"
}

config # tmsh restart sys service httpd
Stopping httpd: [ OK ]
Starting httpd: [FAILED]

Conditions:
Restarting httpd service using iControl REST API.

Impact:
Httpd fails to start.

Workaround:
To recover from the failed httpd state, you can kill all instances of the httpd daemon and start httpd:

killall -9 httpd

tmsh start sys service httpd


767473-3 : SMTP Error: Could not authenticate

Links to More Info: BT767473

Component: TMOS

Symptoms:
When using a "sys smtp-server" object (System >> Configuration >> Device >> SMTP) to configure an SMTP mail server, mail may be rejected by the remote SMTP server, and clicking the "Test Connection" button returns "SMTP Error: Could not authenticate".

Conditions:
The remote SMTP server requires TLS1.2 or higher.

Impact:
Unable to send mail for BIG-IP features that make use of the 'sys smtp-server' object, such as AVR and ASM reports.

Workaround:
Configure the BIG-IP to relay mail through a locally administered SMTP server that allows TLS 1.0 connections.


762097-6 : No swap memory available after upgrading to v14.1.0 and above

Links to More Info: BT762097

Component: TMOS

Symptoms:
After an upgrade to v14.1.0 or higher, swap memory may not be mounted. TMM or other host processes may restart due to lack of memory.

Conditions:
-- System is upgraded to v14.1.0 or above.

-- System has RAID storage.

Impact:
May lead to low or out-of-memory condition. The Linux oom killer may terminate processes, possibly affecting service.

Typically management activities may be impacted, for example, a sluggish GUI (config utility) or tmsh sessions.

Workaround:
Mount the swap volume with correct ID representing the swap device.

Perform the following steps on the system after booting into the affected software version:

1. Get the correct ID (RAID device number (/dev/md<number>)):
blkid | grep swap

Note: If there is no RAID device number, perform the procedure detailed in the following section.

2. Check the device or UUID representing swap in /etc/fstab.

3. If swap is not represented with the correct ID, modify the /etc/fstab swap entry to point to the correct device.

4. Enable the swap:
swapon -a

5. Check swap volume size:
swapon -s


If the blkid command shows there is no UUID associated with the swap RAID device, use the following procedure:

1. Generate a random UUID:
uuidgen

2. Make sure swap is turned off:
swapoff -a

3. Recreate the swap partition with UUID generated in step 1:
mkswap -U <uuid_from_step_1> <raid_device_from_step_1>

4. Run blkid again to make sure that you now have a UUID associated with the raid device:
blkid | grep swap

5. Edit /etc/fstab and find the line:
      <old_value> swap swap defaults 0 0

6. Replace the old value, whether it was an incorrect UUID or a device name, with the UUID generated in step 1, for example:
      UUID=8b35b30b-1076-42bb-8d3f-02acd494f2c8 swap swap defaults 0 0
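The two procedures above branch on what blkid reports for the RAID swap device and on what /etc/fstab currently references. The following script is an added example and is not F5's code: it parses blkid output and fstab contents and reports whether the swap entry already matches the device (nothing to do), must be rewritten to the device's UUID (steps 2 and 3 of the first procedure, with the exact fstab line to use), or whether the device has no UUID at all (so the second procedure applies first). The blkid and fstab inputs are constructed; the UUID reused from the page's step 6 is sample data.

```python
"""Which swap-recovery branch applies, decided from blkid and fstab output.

Added example, not F5's code: it parses the output of 'blkid' and the
contents of /etc/fstab and reports whether the swap entry already matches
the RAID device (nothing to do), must be rewritten to the device's UUID
(steps 2-3 of the first procedure), or whether the device carries no UUID
at all (the mkswap -U procedure). The inputs below are constructed.
"""
import shlex
from typing import Dict, Optional, Tuple


def parse_blkid(text: str) -> Dict[str, Dict[str, str]]:
    """'/dev/md1: UUID="..." TYPE="swap"' -> {'/dev/md1': {'UUID': ..., 'TYPE': 'swap'}}"""
    devices: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        dev, sep, rest = line.partition(":")
        if not sep:
            continue
        attrs = {}
        for token in shlex.split(rest):      # shlex strips the double quotes
            key, _, value = token.partition("=")
            attrs[key] = value
        devices[dev.strip()] = attrs
    return devices


def swap_device(blkid_text: str) -> Optional[Tuple[str, Optional[str]]]:
    """(device, UUID or None) of the first TYPE="swap" device, else None."""
    for dev, attrs in parse_blkid(blkid_text).items():
        if attrs.get("TYPE") == "swap":
            return dev, attrs.get("UUID")
    return None


def fstab_swap_spec(fstab_text: str) -> Optional[str]:
    """First field (device path or UUID=...) of the fstab swap line."""
    for line in fstab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) >= 3 and fields[2] == "swap":
            return fields[0]
    return None


def swap_advice(blkid_text: str, fstab_text: str) -> Dict[str, Optional[str]]:
    """Classify the state and, where fstab must change, give the line to use."""
    spec = fstab_swap_spec(fstab_text)
    found = swap_device(blkid_text)
    if found is None:
        return {"status": "no-swap-device", "device": None, "fstab_line": None}
    dev, uuid = found
    if uuid is None:
        # blkid shows no UUID: follow the second procedure first
        # (uuidgen; swapoff -a; mkswap -U <uuid> <dev>; blkid again).
        return {"status": "no-uuid", "device": dev, "fstab_line": None}
    wanted = f"UUID={uuid} swap swap defaults 0 0"
    if spec in (f"UUID={uuid}", dev):
        return {"status": "ok", "device": dev, "fstab_line": None}
    return {"status": "fix-fstab", "device": dev, "fstab_line": wanted}


# Constructed blkid output: a RAID root volume plus a swap volume with a UUID.
BLKID_WITH_UUID = (
    '/dev/md0: UUID="1f1c3e2a-0b5d-4c8a-9c1e-5a0d9e7f6b21" TYPE="ext4"\n'
    '/dev/md1: UUID="8b35b30b-1076-42bb-8d3f-02acd494f2c8" TYPE="swap"\n'
)
# Constructed blkid output for the "no UUID associated" case.
BLKID_NO_UUID = '/dev/md1: TYPE="swap"\n'
# Constructed fstab excerpt whose swap entry points at a stale UUID.
FSTAB_STALE = (
    "# constructed /etc/fstab excerpt\n"
    "UUID=00000000-0000-0000-0000-000000000000 swap swap defaults 0 0\n"
    "/dev/md0 / ext4 defaults 1 1\n"
)

if __name__ == "__main__":
    print(swap_advice(BLKID_WITH_UUID, FSTAB_STALE))
    print(swap_advice(BLKID_NO_UUID, FSTAB_STALE))
```

On a live system, capture the two inputs with `blkid` and `cat /etc/fstab` and pass them in; a "fix-fstab" result gives the replacement line for step 3, after which `swapon -a` and `swapon -s` complete the procedure.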


760982-4 : An NLRI with default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios

Links to More Info: BT760982

Component: TMOS

Symptoms:
Soft out reset does not work for the default route.

Conditions:
-- BGP enabled
-- A route configuration change is made and 'clear ip bgp <IP-addr> soft in/out' is executed

Impact:
A default-route is not propagated in Network Layer Reachability Information (NLRI) by 'soft out' request.

Workaround:
None


759258-8 : Instances shows incorrect pools if the same members are used in other pools

Links to More Info: BT759258

Component: TMOS

Symptoms:
Monitor 'Instances' tab shows incorrect pools if the same members are used in other pools.

Conditions:
Steps to Reproduce:

1. Create custom monitor or use system default.
2. Assign that monitor to a test pool.
3. Navigate to Local Traffic :: Monitors, click the test monitor, then select the Instances tab.

Impact:
The test pool is displayed, as well any other pools that use the same member or members (but with other monitors assigned).

Workaround:
None.


758929-8 : Bcm56xxd MIIM bus access failure

Links to More Info: BT758929

Component: TMOS

Symptoms:
Bcm56xxd daemon running on certain BIG-IP devices might experience MIIM bus access failure. The system posts a message similar to the following in the ltm log:

 info bcm56xxd: 012c0016:6: MiimTimeOut:soc_miim_write, timeout (id=0xc9 addr=0x1f data=0x0000)

Conditions:
Using one of the following platforms:
  + VIPRION B2250 Blade (A112)
  + VIPRION B2150 Blade (A113)
  + VIPRION B4300 Blade (A108)
  + BIG-IP 5250v
  + BIG-IP 7200S
  + BIG-IP i5600
  + BIG-IP i5820
  + BIG-IP i7800

Impact:
The affected BIG-IP system fails to pass traffic. If configured for high availability (HA) and the HA connection has not been disrupted, failover occurs.

Workaround:
Reboot the affected BIG-IP platform / VIPRION blade.


758491-6 : When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys

Links to More Info: BT758491

Component: Local Traffic Manager

Symptoms:
For Thales:
The ltm log shows SSL handshake failures with lines similar to the following (this example is for a Diffie-Hellman key exchange):

-- warning bigip1 tmm1[28813] 01260013 SSL Handshake failed for TCP 192.0.2.1:5106 -> 192.0.2.200:5607
-- warning bigip1 tmm1[28813] 01260009 Connection error: ssl_hs_vfy_sign_srvkeyxchg:13583: sign_srvkeyxchg (80)
-- debug bigip1 tmm1[28813] 01260036 FIPS acceleration device error: fips_poll_completed_reqs: req: 4 status: 0x1 : Cancel
-- err bigip1 pkcs11d[26259] 01680002 Key table lookup failed. error.

After enabling pkcs11d debug, the pkcs11d.debug log shows:

-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_CLASS
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_CLASS matches
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_ID
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_ID does not match <===


For Safenet:
-- warning tmm1[17495]: 01260009:4: Connection error: ssl_hs_vfy_sign_srvkeyxchg:13544: sign_srvkeyxchg (80)
-- warning tmm1[17495]: 01260013:4: SSL Handshake failed for TCP 10.1.1.11:6009 -> 10.1.1.201:443
-- err pkcs11d[5856]: 01680002:3: Key table lookup failed. error.

Conditions:
1. Keys were created on earlier versions of BIG-IP software, whether using tmsh (Safenet) or fipskey.nethsm (Thales, Safenet), and the device was upgraded to 14.1.0 or later.

2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm (Thales). For Safenet, fipskey.nethsm was deprecated in 14.0.0.

Impact:
SSL handshake failures.

Workaround:
There are two workarounds:
-- Re-create the keys using the tmsh command.

IMPORTANT: This workaround is suitable for deployments that are new and not in production.


-- Re-import the keys from nethsm using:
tmsh install sys crypto key <key_label> from-nethsm


You can find the key_label here:
-- The rightmost string in the output of the Thales command:
nfkminfo -l

-- The string after label= in the 'cmu list' command for Safenet.


757787-6 : Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI.

Links to More Info: BT757787

Component: TMOS

Symptoms:
When creating a new rule or modifying an existing rule in an LTM/AFM Policy using the WebUI, the operation fails and an error similar to the following example is returned:

Transaction failed:010715bd:3: The parent folder is owned by application service (/Common/MyPolicy.app/MyPolicy), the object ownership cannot be changed to ().

Conditions:
-- The LTM/AFM Policy belongs to an Application Service (iApp).
-- The modification is attempted via the WebUI.

Impact:
Unable to make changes to existing LTM/AFM Policies.

Workaround:
Use the tmsh utility to make the necessary modifications to the LTM/AFM Policy. For example, the following command modifies an existing rule:

tmsh modify ltm policy myapp.app/Drafts/myapp_l7policy rules modify { 0 { conditions modify { 0 { http-method equals values { GET POST } } } } }


756830-7 : BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'

Links to More Info: BT756830

Component: TMOS

Symptoms:
The BIG-IP system may fail source translation for connections matching a virtual server that has connection mirroring enabled and source port selection set to 'preserve strict'.

Conditions:
Connections match a virtual server that has the following settings:

- Connection mirroring is enabled.
- Source Port set to 'Preserve Strict'.

In addition, CMP hash selection (DAG mode) on the corresponding VLANs is set to 'Default DAG'.

Impact:
Source translation may fail on BIG-IP system, leading to client connection failures.

Workaround:
You can try either of the following:

-- Do not use the Source Port setting of 'Preserve Strict'.

-- Disable connection mirroring on the virtual server.


753712-5 : Incorrect warning: Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family.

Links to More Info: BT753712

Component: TMOS

Symptoms:
An incorrect warning message is given when the inline source/dest address is changed:

-- warning mcpd[6927]: 01071859:4: Warning generated : Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family.

Conditions:
This occurs after you create a traffic-matching-criteria (port-list, address-list) with different source and destination addresses.

Impact:
An incorrect and confusing warning message is given. This warning does not affect traffic processing. It is inadvertently triggered when reading the configuration of the traffic matching profile. Virtual servers should continue to work, and the config should load as expected, despite the warning.

Workaround:
None


752766-4 : The BIG-IP system might fail to read SFPs after a reboot

Links to More Info: BT752766

Component: Local Traffic Manager

Symptoms:
SFP interfaces are reported as missing:
# tmsh show net interface 2.0
--------------------------------------------------------
Net::Interface
Name Status Bits Bits Pkts Pkts Drops Errs Media
                In Out In Out
--------------------------------------------------------
2.0 miss 0 0 0 0 0 0 none

sys ha-status will report tmm ready-for-world as failed:
  # tmsh show sys ha-status
  -------------------------------------------------------------------------
  Sys::HA Status
  Feature Key Action Fail
  -------------------------------------------------------------------------
  ready-for-world tmm none yes
  ready-for-world tmm1 none yes
  ready-for-world tmm2 none yes
  ready-for-world tmm3 none yes
  ready-for-world tmm4 none yes
  ready-for-world tmm5 none yes

Conditions:
This has been seen on the i15800 and i11000 series BIG-IP platforms immediately after the system boots.

Impact:
The BIG-IP system does not become ready after a reboot.

Workaround:
If the system is in this state, restart tmm as a mitigation:
# tmsh restart sys service tmm


751451-5 : When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from the server SSL profiles automatically created for HTTPS monitors

Links to More Info: BT751451

Component: Local Traffic Manager

Symptoms:
If there are HTTPS monitor objects that were created using BIG-IP software v12.x, when the BIG-IP is upgraded directly to v14.0.0 or later, the operation automatically creates server SSL profiles for the HTTPS monitors as needed. Those server SSL profile objects do not have 'no-tlsv1.3' included in their 'options' configuration.

Conditions:
-- Having HTTPS monitors configured in v12.x before upgrading.
-- Directly upgrading from v12.x to v14.0.0 or later

Impact:
TLSv1.3 gets enabled on the server SSL profiles.

Workaround:
-- To avoid this issue, upgrade from v12.x to v13.x, and then upgrade to v14.0.0 or later


-- To mitigate this issue, modify the affected profile to disable TLSv1.3.


745125-3 : Network Map page Virtual Servers with associated Address/Port List have a blank address.

Links to More Info: BT745125

Component: TMOS

Symptoms:
On the Local Traffic > Network Map page, some virtual servers have a blank address.

Conditions:
An address list or port list is associated with the virtual server

Impact:
The Network Map will display a blank address field.


739475-8 : Site-Local IPv6 Unicast Addresses support.

Links to More Info: BT739475

Component: Local Traffic Manager

Symptoms:
No reply to Neighbor Advertisement packets.

Conditions:
Using FE80::/10 addresses in the network.

Impact:
Cannot use FE80::/10 addresses in the network.

Workaround:
N/A


739118-7 : Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration

Links to More Info: BT739118

Component: TMOS

Symptoms:
Existing self IP addresses are changed directly in the bigip_base.conf file. After the changed configuration file is loaded, the BIG-IP routing service provides out-of-date self IP route information to dependent services.

Conditions:
- Self IP address is configured on the BIG-IP system.
- Manually change the IP address of a self IP in bigip_base.conf file.
- Load changed configuration via tmsh.

Impact:
Different services have different route information:
-- tmsh table - has the old route.
-- Dynamic routing - has the old and new routes.
-- Kernel table - has the new route.

Workaround:
There are two workarounds, preventive and corrective.
Preventive:
Do not manually change self IP addresses in the bigip_base.conf file. This is not a recommended way to add or change BIG-IP configuration; use the GUI or tmsh instead.

Corrective:
If the altered BIG-IP configuration file has already been loaded, use the GUI or tmsh to delete the changed self IP address, then create a self IP address with the old IP address and delete it as well. All the affected routes should now be removed.


737692-7 : Handle x520 PF DOWN/UP sequence automatically by VE

Links to More Info: BT737692

Component: TMOS

Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that is passed to the BIG-IP-VE). If an x520 device's PF is set down and then up, tmm does not recover traffic on that interface.

Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.

Impact:
VE does not process any traffic on that VF.

Workaround:
Reboot VE.


723109-4 : FIPS HSM: SO login failing when trying to update firmware

Component: TMOS

Symptoms:
After FIPS device initialization, an attempt to update the FIPS firmware may fail at SO login.

Conditions:
When trying to update FIPS firmware.

Impact:
The FIPS firmware cannot be upgraded.

Workaround:
None


721892-3 : Pfmand on vCMP guests does not recover after service interruption

Links to More Info: BT721892

Component: TMOS

Symptoms:
If pfmand on a vCMP host shuts down and starts back up, pfmand running on any of the vCMP guests loses connection and does not recover.

Conditions:
- vCMP host and guest(s) both have pfmand.healthstatus set to "enable"
- pfmand on the host shuts down and starts up again. This can sometimes occur due to re-licensing on the host.

Impact:
Pfmand on vCMP guests loses connection:

warning pfmand[20332]: 01660005:4: No connection to hypervisor.

Workaround:
Rebooting the vCMP host will allow the pfmand connection to be re-established.


721591-3 : Java crashes with core during a basic TLS signature test.

Links to More Info: BT721591

Component: TMOS

Symptoms:
Java crashes with core.

Conditions:
This is a random crash and there are no known conditions for reproducing it.

Impact:
This crash occurs randomly during normal operation and has the following impact:
-- Stats are not available.
-- Server health does not improve with mitigation.
-- Valid traffic never reaches the backend.

Workaround:
-- Restart the Java service with "bigstart restart restjavad" or "tmsh restart sys service restjavad".
-- Restart the BIG-IP system.


717174-6 : WebUI shows error: Error getting auth token from login provider

Links to More Info: BT717174

Component: Device Management

Symptoms:
Occasionally, the BIG-IP Admin Utility TMUI fails to function correctly and produces the following error:
Error getting auth token from login provider.

This occurs when the BIG-IP REST Daemon restjavad fails to start up properly.

Conditions:
This error most often occurs on the first or second boot after upgrade, and more often on Virtual Edition BIG-IP platforms running on oversubscribed or slow hypervisors.

Impact:
TMUI and any other BIG-IP system components that rely on REST Workers such as: OpenID Connect key rotation discovery, portions of the TMOS Web Configuration Utility, and Guided Configuration (AGC and WGC) fail to function properly.

Workaround:
Restarting the BIG-IP REST daemons restjavad and restnoded will usually correct the problem. To do so, connect to the SSH console and issue the following two commands:

bigstart restart restjavad
bigstart restart restnoded


715748-4 : BWC: Flow fairness not in acceptable limits

Links to More Info: BT715748

Component: TMOS

Symptoms:
Flow fairness for BWC dynamic policy instance has reduced.

Conditions:
The flow fairness is up to 50%. It is expected to be within 25%.

Impact:
Flow fairness of BWC dynamic policy across sessions is not as expected.


696363-8 : Unable to create SNMP trap in the GUI

Links to More Info: BT696363

Component: TMOS

Symptoms:
Trying to create an SNMP trap may fail in the GUI with the following error message: An error has occurred while trying to process your request.

Conditions:
-- Trap destinations are configured using the GUI: When trap destinations are configured in the GUI, the trap name is generated using the destination IP address.
-- Traps of the same destination address were previously created and deleted.

Impact:
GUI parameter checking does not work as expected. The BIG-IP Administrator is unable to create an SNMP trap session.

Workaround:
To work around this issue when using the GUI, remove all traps that have the same destination address as the new one that failed. Then re-add your destination.

Tip: You can use tmsh to create/delete/modify SNMP traps, which enables viewing of the generated names, making it easier to understand what error has occurred.


694765-8 : Changing the system's admin user causes vCMP host guest health info to be unavailable

Links to More Info: BT694765

Component: TMOS

Symptoms:
On the host, 'tmsh show vcmp health' does not display guest info.

The iControl REST log at /var/log/icrd contains entries similar to the following:

 notice icrd_child[32206]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.

Conditions:
Change the default admin user.

Note: You change the default admin user by following the steps in the Article K15632: Disabling the admin and root accounts using the BIG-IP Configuration utility or the Traffic Management Shell: https://support.f5.com/csp/article/K15632.

Impact:
Many REST APIs do not function, and functionality such as vCMP guest health that depends on REST fails.

Workaround:
Rename the default system admin to 'admin'.

Note: If you are using the default 'admin' account, make sure you change the password as well.


693473-9 : The iRulesLX RPC completion can cause invalid or premature TCL rule resumption

Links to More Info: BT693473

Component: Local Traffic Manager

Symptoms:
RPC completion will attempt to resume the RPC iRule execution when there is subsequent iRule activity on the flow - CLIENT/SERVER_CLOSED, for instance, which keeps the flow alive and blocks in an iRule event.

Conditions:
An iRule event blocks when an RPC call is outstanding and the flow is aborted.

Impact:
The iRule event blocks when an RPC call is outstanding and the flow is aborted.

Workaround:
None


673952-8 : 1NIC VE in high availability (HA) device-group shows 'Changes Pending' after reboot

Links to More Info: BT673952

Component: TMOS

Symptoms:
When Virtual Edition (VE) is configured for 1NIC, you will see the following logs on reboot indicating that configuration has been loaded from file:

 notice tmsh[12232]: 01420002:5: AUDIT - pid=12232 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all base
 notice tmsh[12392]: 01420002:5: AUDIT - pid=12392 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all

Conditions:
- VE configured in 1NIC mode.
- Unit booted either through reboot or power on.

Impact:
This is unlikely to have any impact if the VE is in standalone mode but could result in an unexpected config if the configuration files differ.

If the VE is part of a device-group, then this will result in a commit id update and the units will show 'Changes pending'.

Workaround:
None.


634576-4 : TMM core in per-request policy

Links to More Info: K48181045, BT634576

Component: Access Policy Manager

Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.

Conditions:
APM or SWG per-request policy with reject ending.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


632553-7 : DHCP: OFFER packets from server are intermittently dropped

Links to More Info: K14947100, BT632553

Component: Local Traffic Manager

Symptoms:
With a DHCP relay virtual server, OFFER packets from DHCP server are intermittently not forwarded to the client and dropped on BIG-IP system.

Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.

Impact:
Client machines joining the network do not receive DHCP OFFER messages.

Workaround:
Manually delete the serverside to force it to be recreated by the next DHCP request.

For example, if the flow to the DHCP server 10.0.66.222 is broken, issue the following tmsh command:

tmsh delete sys connection ss-server-addr 10.0.66.222 cs-server-port 67


609878-8 : Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server

Links to More Info: BT609878

Component: Advanced Firewall Manager

Symptoms:
Loose-init has the implicit semantics that every ACK packet can create a connection, so there is never a "Bad ACK" to drop. This behavior is by design, so when enabling this option you should be aware of the side effects it causes.

Conditions:
This issue is seen when loose-init is enabled on the fastL4 profile and the box is flooded with asymmetric ACK packets, or bad ACKs.

Impact:
Enabling loose initiation may make the system more vulnerable to denial of service attacks.

Workaround:
When loose-init is set in the fastL4 profile, enable connection limits on the virtual server and also configure an eviction policy to prevent flow-table exhaustion.


605966-10 : BGP route-map changes may not immediately trigger route updates

Links to More Info: BT605966

Component: TMOS

Symptoms:
When a route-map is used to filter BGP advertisements, changes to the route-map that affect the filtered routes may not trigger an update to the affected routes.

Conditions:
BGP in use with a route-map filtering advertisements.

Impact:
BGP table may not reflect route-map changes until "clear ip bgp" is executed.

Workaround:
Run "clear ip bgp <neighbor>".


566995-5 : bgpd might crash in rare circumstances.

Links to More Info: BT566995

Component: TMOS

Symptoms:
Under unspecified conditions and in rare cases, bgpd might crash. Although bgpd restarts right away, the routing table might be impacted.

Conditions:
The conditions under which this occurs are not known.

Impact:
This might impact routing table and reachability.

Workaround:
None known.


563144-4 : Changing the system's admin user causes many errors in the REST framework.

Links to More Info: BT563144

Component: Device Management

Symptoms:
The iControl REST log at /var/log/icrd will have entries similar to the following:

 notice icrd_child[32206]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.

Conditions:
Change the default admin user, for example, by following the steps in the Article K15632: Disabling the admin and root accounts using the BIG-IP Configuration utility or the Traffic Management Shell: https://support.f5.com/csp/article/K15632.

Impact:
Many REST APIs do not function, and functionality that depends on REST fails.

Workaround:
There is no workaround. You must use the default admin in order for iControl REST calls to work.


554506-4 : PMTU discovery from management does not work

Links to More Info: K47835034, BT554506

Component: TMOS

Symptoms:
You encounter connectivity issues to management interface.

Conditions:
MTU on the intermediate route is less than the management interface's MTU and the response packets have the DF flag set.

Impact:
Connectivity issues to management interface.

Workaround:
None.

Note: Although there is no workaround for this module, you can disable auto last hop and configure a default gateway to avoid this issue.

For more information see K52592992: Overview of the Auto Last Hop feature on the management interface, available at
https://support.f5.com/csp/article/K52592992.


539648-5 : Disabled db var Watchdog.State prevents vCMP guest activation.

Links to More Info: K45138318, BT539648

Component: TMOS

Symptoms:
If a vCMP guest user disables the watchdog using the db variable Watchdog.State, then the vCMP guest does not reach a running state as reported by the vCMP host.

Conditions:
This occurs when the user sets sys db Watchdog.State value disable.

Impact:
vCMP guest fails to be operational.

Workaround:
Do not change the Watchdog.State db variable. The vCMP host requires the watchdog to monitor the guest health.


538283-7 : iControl REST asynchronous tasks may block other tasks from running

Links to More Info: BT538283

Component: TMOS

Symptoms:
If an iControl REST asynchronous task is running, other iControl REST queries (synchronous or asynchronous) will wait until the asynchronous task completes before executing. If the asynchronous task is long-running, subsequent requests will block for a long time.

Conditions:
-- Executing an iControl REST task asynchronously.
-- Performing further iControl REST tasks (synchronous or asynchronous) while the asynchronous task is still running.

Impact:
Potential (and unexpected) long wait times while running a task asynchronously.

Workaround:
None.


527119-10 : An iframe document body might be null after iframe creation in rewritten document.

Links to More Info: BT527119

Component: Access Policy Manager

Symptoms:
Certain page elements (such as the Portal Access menu) cannot be used in Google Chrome; JavaScript appears not to have initialized properly, and JavaScript errors occur on the following kinds of code:
    iframe.contentDocument.write(html)
    iframe.contentDocument.close()
    <any operation with iframe.contentDocument.body>

Conditions:
-- The body of a dynamically created iframe document might be initialized asynchronously after APM rewriting.

-- Using the Chrome browser.

Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access. For example, one of the applications known to contain such code and fail after APM rewriting is the TinyMCE editor.

Workaround:
Revert rewriting of the document.write call with a post-processing iRule.

The workaround iRule will be unique for each affected application.


490139-8 : Loading iRules from file deletes the last few comment lines

Links to More Info: BT490139

Component: Local Traffic Manager

Symptoms:
Loading iRules from the iRules file deletes the last few comment lines immediately preceding the closing bracket.

Conditions:
This occurs when loading an iRule file containing a comment after the last closing brace and then upgrading to a known affected version.

Impact:
Although the comments are removed, this does not affect iRule functionality.

Workaround:
Add comments in places other than immediately above the closing bracket.


427094-3 : Accept-language is not respected if there is no session context for page requested.

Links to More Info: BT427094

Component: Access Policy Manager

Symptoms:
Localization settings are determined when the session is created.
As a result, when the user logs out, there is no user context left for APM to determine what language to present to the user.
So when the user is on a localized logon page, after a refresh it reverts to the default language.

Conditions:
After configuring the preferred language, refreshing the login page twice changes the language to the default (English).

Impact:
APM page doesn't load the preferred language after refreshing twice.

Workaround:
N/A


349706-5 : NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN

Component: Access Policy Manager

Symptoms:
Network Access sends 1.1.1.1 as X-VPN-server-IP, and the Edge Client reserves this IP for PPP communication with the APM server.

Conditions:
-- VPN is configured on BIG-IP.
-- Edge Client/webtop is used to connect to VPN.

Impact:
If VPN is connected:
1. The user may not be able to access the 1.1.1.1 address from the client machine.
2. If 1.1.1.1 is used as a DNS server IP in the Network Access configuration, DNS resolution may fail on the client machine.

Workaround:
NA


1314769-1 : The error "No Access" is displayed when trying to remove Bundle Manager object from list

Links to More Info: BT1314769

Component: TMOS

Symptoms:
The error "No Access" is displayed when trying to remove a Bundle Manager object from the list using GUI.

Conditions:
When the checkbox next to the Bundle Manager is checked and the Delete button at the bottom of the page is clicked, the "No Access" error appears.

Impact:
Unable to delete a Bundle Manager.

Workaround:
The issue has the following two workarounds:
- Click on the Bundle Manager and click Delete at the bottom.
or
- Delete the Bundle Manager from TMSH CLI.


1314597-3 : Connection on standby may stay until idle timeout when receiving ICMP error

Links to More Info: BT1314597

Component: Local Traffic Manager

Symptoms:
When a pool member server returns an ICMP error, connections persist on the standby unit while they have been terminated on the active unit.

Conditions:
When an ICMP error such as port unreachable is returned by a pool member, the packet will be dropped by the standby while the active will process it immediately and terminate the connection.

Impact:
The connection will stay on the standby until the idle timeout expires.

Workaround:
Lowering the idle timeout reduces the time before the connection is removed.


1312225-1 : System Integrity Status: Invalid with some Engineering Hotfixes

Links to More Info: BT1312225

Component: TMOS

Symptoms:
After installing an Engineering Hotfix, when you attempt to verify the TPM system integrity with either the "tpm-status" or "tmsh run sys integrity status-check" command, the following error message may appear:
System Integrity Status: Invalid

Running the "tpm-status" command with a Verbosity of 1 (or greater) reveals the following detail:

Verifying system integrity...
...
The signature in 17 is valid
Output wrong commandline parameters
cmdline is *ro ima_hash=sha256 mce=ignore_ce *
The pcr value in 17 is invalid.
...
System Integrity Status: Invalid

Conditions:
This may occur if the Engineering Hotfix contains changes that cause the following packages to be included in the Engineering Hotfix ISO:
-- sirr-tmos
-- tboot
but the Engineering Hotfix ISO does not contain the following package:
-- nash-initrd

The contents of the Engineering Hotfix ISO can be checked using the 'isoinfo' utility:

isoinfo -Rf -i <path/to/Hotfix-*.iso> | grep -e sirr -e tboot -e nash

Impact:
The TPM System Integrity Status is shown as Invalid.
This may incorrectly suggest that system integrity has been compromised.
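To apply the 'isoinfo' check above to a listing without a BIG-IP at hand, here is an added shell example that is not part of the release notes or of F5's tooling. It reads the file list that 'isoinfo -Rf -i' would print and reports whether the sirr-tmos/tboot-without-nash-initrd combination is present; the sample listings and package file names are constructed placeholders, not real F5 package versions.

```shell
#!/bin/sh
# Added example, not from the release notes: classify an Engineering Hotfix
# ISO listing against the package combination described for ID 1312225-1
# (sirr-tmos and tboot present, nash-initrd absent). On a BIG-IP the listing
# would come from:  isoinfo -Rf -i /path/to/Hotfix-*.iso
# The sample listings below are constructed; the package file names in them
# are placeholders, not real F5 package versions.

# Read an ISO file listing on stdin and print "affected" when it contains
# sirr-tmos and tboot but no nash-initrd, otherwise "not-affected".
classify_hotfix_listing() {
    has_sirr=0
    has_tboot=0
    has_nash=0
    while IFS= read -r path; do
        case "$path" in
            */sirr-tmos-*)   has_sirr=1 ;;
            */tboot-*)       has_tboot=1 ;;
            */nash-initrd-*) has_nash=1 ;;
        esac
    done
    if [ "$has_sirr" -eq 1 ] && [ "$has_tboot" -eq 1 ] && [ "$has_nash" -eq 0 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed listing matching the affected combination.
SAMPLE_AFFECTED='/Packages/sirr-tmos-PLACEHOLDER.rpm
/Packages/tboot-PLACEHOLDER.rpm
/Packages/tmm-PLACEHOLDER.rpm'

# Constructed listing that also ships nash-initrd, so integrity status stays valid.
SAMPLE_OK='/Packages/sirr-tmos-PLACEHOLDER.rpm
/Packages/tboot-PLACEHOLDER.rpm
/Packages/nash-initrd-PLACEHOLDER.rpm'

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_AFFECTED" | classify_hotfix_listing
printf '%s\n' "$SAMPLE_OK" | classify_hotfix_listing
```

On a real system, pipe the isoinfo output into the function instead of the constructed sample: `isoinfo -Rf -i Hotfix-file.iso | classify_hotfix_listing`. An "affected" result means the Invalid status is the known false alarm from this issue rather than evidence of tampering; a "not-affected" result means the Invalid status deserves a real investigation.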


1311613-1 : UCS obtained from F5OS tenant with FPGA causes continuous TMM restarts when loaded to BIG-IP

Links to More Info: BT1311613

Component: TMOS

Symptoms:
TMM restarts continuously after loading a UCS taken from an F5OS tenant with FPGA hardware.

Conditions:
The UCS is taken from an F5OS tenant with FPGA hardware (VELOS, r5k, r10k) and loaded onto a BIG-IP system (VE, vCMP guest, or hardware).

Impact:
Migrations or moving configurations across dissimilar platforms will not be successful.

Workaround:
Delete this file: /config/tmm_velocity_init.tcl

Use the following example command:
rm -fv /config/tmm_velocity_init.tcl


1311601 : JWT is corrupted when the claim value is a custom variable assigned in Variable assign agent

Links to More Info: BT1311601

Component: Access Policy Manager

Symptoms:
OAuth bearer SSO is configured with "generate JWT", and the JWT includes claims which take "custom variable" as claim value and string as claim type.
The JWT is corrupted where the custom variable is populated in Variable assign agent in the VPE, for some values of custom variable, for example, Keliihokulanileikulamanakeanuenueohaleakala Anders.

Conditions:
- OAuth bearer SSO configured with Generate JWT.
- Add custom variable as claim value, for example, %{session.custom.test} which is populated in Variable assign agent in the VPE.

Impact:
A JWT containing garbage is issued; token validation later fails, causing failures when accessing applications.

Workaround:
Because an unsecure custom variable is added and returned to the Variable Assign agent, add the custom variable as a normal string in the claim value, with the claim type set to string, instead of populating it in the Variable Assign agent.


1311253-1 : Set-Cookie header has no value (cookie-string) in server-side, due to asm.strip_asm_cookies

Links to More Info: BT1311253

Component: Application Security Manager

Symptoms:
Set-Cookie header has no value (cookie-string) in server-side.

Conditions:
- asm.strip_asm_cookies is enabled.
- The Cookie header from the client contains only TS cookie(s).

Impact:
A Cookie header without a value (cookie-string) is sent to the server side.

Workaround:
Use an iRule to delete Cookie header in the server-side.


1311169-1 : DNSSEC response is not signed when failure-rcode-response is enabled and no record is returned

Links to More Info: BT1311169

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS response for a DNSSEC zone is not signed for a DNSSEC request.

Conditions:
1. A DNSSEC zone exists.
2. Return Code on Failure is enabled and SOA Negative Caching TTL is set to 0.
3. A query hits that wideIP and does not get a pool member selected.

Impact:
DNS response is not signed.

Workaround:
Set SOA Negative Caching TTL to a number larger than 0.


1309665-1 : Updating the masquerade address on a traffic-group fails

Links to More Info: BT1309665

Component: Local Traffic Manager

Symptoms:
Updating the masquerade address on a traffic-group does not work when the VLAN is moved between interfaces.

Conditions:
-- MAC masquerade is enabled on a traffic group with a floating IP.
-- The VLAN is moved to a different interface on the host

Impact:
Following a failover, the floating IP address is unreachable.

Workaround:
Delete the masquerade MAC and reconfigure it.


1309637-1 : Mac masquerade not working after VLAN movement on host interfaces

Links to More Info: BT1309637

Component: Local Traffic Manager

Symptoms:
Connectivity to the floating IP via the masquerade MAC fails when the VLAN is moved across interfaces.

Conditions:
-- BIG-IP is configured with a floating IP on a traffic group
-- MAC masquerade is enabled
-- The VLAN is assigned to a different interface

Impact:
Connectivity to the floating IP address fails following a failover.

Workaround:
After the VLAN movement, delete and reconfigure the MAC masquerade.


1308393-3 : Export security policy XML format fail with "too large and cannot be exported" message

Links to More Info: BT1308393

Component: Application Security Manager

Symptoms:
Extremely large policies may fail to export in XML format.

Conditions:
This is caused when an extremely large security policy is exported in XML format.

Impact:
The policy cannot be exported in XML format.

Workaround:
The policy may be exported in Binary or JSON format.


1307697-2 : IPI not working on a new device - 401 invalid device error from BrightCloud

Component: Advanced Firewall Manager

Symptoms:
IPI update fails with the following error:

iprepd|ERR|Jun 09 15:52:59.261|9847|getipfile failed with status code: 401: Unauthorized: Invalid or missing credentials OEM, Device, or UID
iprepd|ERR|Jun 09 15:52:59.261|9847|Error code 1029: InvalidUserCredentials
iprepd|ERR|Jun 09 15:52:59.261|9847|Server message: Invalid Device (f5#ipintelligence-c130 from 202.187.110.1)

Conditions:
Only IPI update will stop working.

Impact:
IPI stops working.

Workaround:
No workaround


1307449-1 : ASM remote logging with non-default route domain is broken

Links to More Info: BT1307449

Component: Application Security Manager

Symptoms:
Starting with v17.1, ASM remote logging with a non-default route domain no longer works.

The bd.log reports errors like this one:
---
BD_MISC|ERR |Jun 06 08:39:35.615|21037|LoggingAccount.cpp:4323|getaddrinfo error: unknown name or service
---

Conditions:
-- ASM provisioned
-- ASM remote logging with non-default route domain configured

Impact:
Remote logging with a non-default route domain no longer works.

Workaround:
Use ASM remote logging with default route domain


1306249-2 : Hourly spike in CPU usage that lasts for a fraction of a second, causing delays in TLS connections

Links to More Info: BT1306249

Component: Local Traffic Manager

Symptoms:
1. Hourly spike in CPU usage.
2. TMM IDLE enforcer gets activated.

Conditions:
When DHE is enabled in the cipher suite for the SSL Profile.

Impact:
The TMM Idle enforcer gets activated, causing a delay in TLS traffic, and CPU usage increases.

Workaround:
None


1305697-4 : TMM may crash when performing a full sync, when in-tmm monitors are configured.

Links to More Info: BT1305697

Component: Local Traffic Manager

Symptoms:
TMM may crash when performing a full sync, when in-tmm monitors are configured.

Conditions:
- in-tmm monitors are configured
- full sync is performed

Impact:
Unexpected failover, traffic disruption may occur.

Workaround:
Disable in-tmm monitors, and avoid performing a full sync.


1305609-4 : Missing cluster heartbeat packets in the clusterd process, and the blades temporarily leave the cluster

Links to More Info: BT1305609

Component: Local Traffic Manager

Symptoms:
If two or more clusterd processes experience a long HAL timeout communicating with chmand, then either of those clusterd processes will report a lack of cluster heartbeat packets and one or more blades will leave the cluster.

Here are two example log messages that will occur when this issue is encountered.

   # slot 3 marking itself as failed because of a partition event where the hb timeout only occurred on the mgmt_bp interface.
    err clusterd[21260]: 013a0004:3: Marking slot 3 SS_FAILED due to partition detected on mgmt_bp from peer 4 to local 3

    # slot 2 marking slot 1 as failed due to a lack of cluster packets from slot1 on both mgmt and tmm bp interfaces.
    err clusterd[29069]: 013a0004:3: Local slot 2: not getting clusterd pkts from slot 1; timed out on mgmt_bp and tmm_bp after 10 seconds. Marking peer slot 1 SS_FAILED

These messages are not unique to this bug. There are other bugs and conditions that can cause clusterd to stop sending/receiving heartbeat packets.

Conditions:
1) Multi-blade chassis with a minimum of 5 blades. More blades increases the chances of encountering this bug.

2) A condition that causes long HAL delays between clusterd and chmand. One cause of long HAL delays that is specific to 14.1.x and earlier is a full config sync; however, that condition was fixed in 15.1.0 and later with the changes for Bug721020 and Bug746122.

Impact:
A blade will temporarily leave the cluster but then re-join unless bug1273161 or something similar also occurs.

If the number of blades leaving the cluster causes the number of online blades to be less than min-up-members, min-up-members-enabled is set to 'yes', and the chassis is Active, a failover will occur.

Workaround:
N/A


1305125 : SSH to localhost not working with ssh-rsa

Links to More Info: BT1305125

Component: TMOS

Symptoms:
The password prompt is not displayed when trying ssh to localhost.

Conditions:
1. Create test_user:

# tmsh create auth user test_user password abcde shell bash session-limit -1 partition-access replace-all-with { all-partitions { role admin } }
# tmsh save sys config

2. Try to log in to localhost as test_user:

config # ssh test_user@localhost
config # --->!!!!! no password prompt shown up

Impact:
SSH to localhost will not work.

Workaround:
The ssh-rsa host key was deprecated in 17.1.0.1, so the ECDSA key needs to be copied into ssh_known_hosts in its place.

To replace the RSA key in ssh_known_hosts with the ECDSA key:

sed -i -e '/^localhost/s//#&/' /config/ssh/ssh_known_hosts; echo "localhost,localhost.localdomain $(cat /config/ssh/ssh_host_ecdsa_key.pub)" >> /config/ssh/ssh_known_hosts
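The same migration, as an added shell example that is not part of the release notes or of F5's tooling: it takes the known_hosts file and the ECDSA public key as parameters, comments out the active localhost RSA entries and appends the ECDSA entry only once, so it can be rehearsed on copies and re-run safely. The sample known_hosts content and key material are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not from the release notes: the ssh_known_hosts migration
# described for ID 1305125, written as a function that takes the files as
# parameters so it can be rehearsed on copies before it is run against
# /config/ssh/ssh_known_hosts and /config/ssh/ssh_host_ecdsa_key.pub.
# Unlike the one-line workaround it is idempotent: running it twice leaves
# exactly one active localhost entry. It writes through a temporary file
# instead of "sed -i" so it behaves the same on GNU and BSD sed.

# usage: replace_localhost_hostkey KNOWN_HOSTS_FILE ECDSA_PUB_KEY_FILE
replace_localhost_hostkey() {
    known_hosts=$1
    pubkey=$2
    keyline=$(cat "$pubkey")
    keytype=${keyline%% *}          # first field, e.g. ecdsa-sha2-nistp256
    # Already migrated: an active localhost entry of this key type exists.
    if grep -q "^localhost,localhost.localdomain $keytype " "$known_hosts"; then
        return 0
    fi
    # Comment out every active line that starts with "localhost".
    sed '/^localhost/s//#&/' "$known_hosts" > "$known_hosts.tmp" &&
        mv "$known_hosts.tmp" "$known_hosts"
    echo "localhost,localhost.localdomain $keyline" >> "$known_hosts"
}

# Number of active (uncommented) localhost entries, for verification.
active_localhost_entries() {
    grep -c '^localhost' "$1" || true
}

# Build constructed sample files in DIR: a known_hosts with an RSA localhost
# entry and an ECDSA public key. The key material is made up, not real keys.
make_sample_files() {
    dir=$1
    printf '%s\n' \
        'localhost,localhost.localdomain ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED' \
        'backup.example ssh-rsa AAAAB3NzaC1yc2E-OTHER-CONSTRUCTED' \
        > "$dir/ssh_known_hosts"
    printf '%s\n' 'ecdsa-sha2-nistp256 AAAAE2VjZHNh-CONSTRUCTED root@bigip' \
        > "$dir/ssh_host_ecdsa_key.pub"
}

# Stand-alone demonstration in a scratch directory; run twice to show idempotence.
demo_dir=$(mktemp -d)
make_sample_files "$demo_dir"
replace_localhost_hostkey "$demo_dir/ssh_known_hosts" "$demo_dir/ssh_host_ecdsa_key.pub"
replace_localhost_hostkey "$demo_dir/ssh_known_hosts" "$demo_dir/ssh_host_ecdsa_key.pub"
cat "$demo_dir/ssh_known_hosts"
rm -rf "$demo_dir"
```

Rehearse on a copy first (`cp /config/ssh/ssh_known_hosts /tmp/kh && replace_localhost_hostkey /tmp/kh /config/ssh/ssh_host_ecdsa_key.pub`), inspect the result, and only then run it against the live file.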


1305117-1 : SSL profile "no-dtlsv1.2" option is left disabled while upgrading from v14.x or v15.x to 17.1.0

Links to More Info: BT1305117

Component: TMOS

Symptoms:
Starting with 16.0.0, which added DTLSv1.2 support, the "no-dtlsv1.2" option is available on SSL profiles and is enabled by default.

When upgrading from an older version to 16.0.0 or later, the "no-dtlsv1.2" option should be enabled automatically, with the following notification message:

> bigip1 warning mcpd[XXXX]: 0107185a:4: Warning generated, for version 16.0.0 or greater : /Common/[SSL-profile-name], default option no-dtlsv1.2 set.

However, when a user upgrades directly from v14.x/v15.x to v17.1.0, the "no-dtlsv1.2" option may not be automatically enabled on the SSL profile.

Conditions:
- Roll-forward upgrade from v14.x/v15.x to v17.1.0. An upgrade from v16.x to v17.1.0 is not affected.

- A custom client-ssl or server-ssl profile configured on the pre-upgrade version v14.x/v15.x.

Impact:
After upgrade to 17.1.0, "no-dtlsv1.2" option may not be enabled on SSL profile.

Workaround:
After upgrade to 17.1.0, manually enable "no-dtlsv1.2" option.


1304289-1 : Pool member monitored by both GTM and LTM monitors may be erroneously marked Down

Links to More Info: BT1304289

Component: Local Traffic Manager

Symptoms:
A GTM or LTM pool member may occasionally be marked Down in error if it is being monitored by the same type of monitor with the same name as another LTM or GTM pool member with the same address and port.

Conditions:
This may occur if all of the following conditions are true:
-- A pool member for one module (GTM or LTM) has the same address and port as a pool member for a different module (LTM or GTM).
-- Both pool members are monitored by a monitor of one of the following types:
   -- Microsoft SQL
   -- MySQL
   -- Oracle
   -- PostgreSQL
   -- LDAP
   -- Radius
   -- Radius-Accounting
   -- Scripted
   -- SIP
   -- WAP
-- Both pool members are monitored by monitors of the same type (from the list above).
-- Both monitors have the same name (exact match).

Impact:
A GTM or LTM pool member may occasionally be marked Down in error.

Workaround:
To work around this issue, assign different names to GTM versus LTM health monitors of the same type (from the list of types above) that are used to monitor pool members for different modules with the same address and port values.


1304189-4 : Duplicate SYNs to a mirrored FastL4 virtual may result in connection failures

Links to More Info: BT1304189

Component: Local Traffic Manager

Symptoms:
If a duplicate SYN arrives on a connection before the SYN/ACK is processed and the connection is pushed into PVA, when it is evicted from PVA it may stop passing traffic and be reset with the RST cause "Handshake Timeout".

Conditions:
- PVA enabled
- Mirroring enabled
- Duplicate SYNs on the network

Impact:
Connections stop passing traffic and are reset when they are evicted from PVA.

Workaround:
Perform one of the following as a workaround:

- Disable PVA
- Disable mirroring
- Modify sys db tm.fastl4_ack_mirror value to Disable
- Modify sys db tm.fastl4_mirroring_taciturn value to Enable.


1303185-6 : Large numbers of URLs in url-db can cause TMM to restart

Links to More Info: BT1303185

Component: SSL Orchestrator

Symptoms:
TMM continuously restarts during startup.

Conditions:
This was seen when the url-db had about 64K glob URLs. Most of the globs were of the form "*foo*".

Impact:
TMM is unusable.

Workaround:
Large numbers of globs that start with one of the following should be OK:
   ".*://"
   ".*://.*\\."
Note that there should be no other special glob characters, so ".*://www.evil.com" would be OK but ".*://www.evil.com*" might not be.


1302689-2 : ASM requests to rechunk payload

Component: Application Security Manager

Symptoms:
ASM requests TMM to rechunk payload in following scenarios:
- Content-Length header was not found on response headers.
- Response with headers only.

Conditions:
Content-Length header is missing during response.

Impact:
Transfer-Encoding: chunked header is being added to response.

Workaround:
If the response has a Connection: close header, the user can configure the internal parameter is_disable_rechunk so that ASM does not ask to rechunk the response.


1302101-1 : Sflow receiver flows are not established at TMM startup on sDAG platforms due to sDAG delay

Links to More Info: BT1302101

Component: TMOS

Symptoms:
No sflow data is sent.

Conditions:
Either configure a valid sflow receiver and restart TMM, or configure a valid sflow receiver reachable via a dynamic route on non-sDAG platforms and restart TMM.

Impact:
Sflow data is dropped.

Workaround:
Modify the receiver configuration (any field, including description). This allows triggering an update which will get sflow working.


1302077-1 : Virtual address statistics being counted for different virtual address after changing the destination address of a virtual server

Links to More Info: BT1302077

Component: Local Traffic Manager

Symptoms:
After modifying the destination address of a virtual server to a new address, the virtual address statistics for subsequent traffic are still being tracked in the original virtual address.

Conditions:
-- Create the virtual server with a destination address
-- Change the destination address of a virtual server to new address

Impact:
Incorrect statistics will fail to reflect actual virtual address load.

Workaround:
None


1301897-4 : DAG transition does not complete when TMM starts in FORCED_OFFLINE mode

Links to More Info: BT1301897

Component: TMOS

Symptoms:
When TMM restarts with force-offline enabled, it comes up waiting for a dag_transition. It never completes because CDP proxy never comes up due to no active traffic group in FORCE_OFFLINE mode.

Conditions:
Restarting TMM with force-offline enabled.

Impact:
Tenants show high CPU and idle enforcer constantly starting or exiting.

Workaround:
None


1301865-4 : OSPF summary might have incorrect cost when advertised by Standby unit.

Links to More Info: BT1301865

Component: TMOS

Symptoms:
OSPF summary might have incorrect cost when advertised by Standby unit.

Conditions:
- Other protocol redistribution into OSPF causing a summary route injection.

Impact:
Undesired traffic flow towards Standby unit.

Workaround:
Redistribute a summary route from static:

Use:
!
router ospf 1
 redistribute static metric-type 1
 network 10.10.10.0.32 0.0.0.255 area 0
!
ip route 192.168.0.0/16 Null


Instead of:
!
router ospf 1
 redistribute bgp metric-type 1
 network 10.10.10.0.32 0.0.0.255 area 0
 summary-address 192.168.0.0/16


1301853 : Misleading error logs in SAML flow

Links to More Info: BT1301853

Component: Access Policy Manager

Symptoms:
In a successful SAML Authentication, some unrelated and misleading errors are logged. For example, although there is no Artifact involved, you may see the below message:

Failed to retrieve SAMLArtifact_b64 for SAML Agent:

Conditions:
Universal conditional statements written to handle the different use cases of SAML authentication, such as POST or ARTIFACT bindings, unintentionally print a few error logs.

Impact:
Error logs are misleading.

Workaround:
None


1301197-1 : Bot Profile screen does not load and display large number of pools/members

Component: Application Security Manager

Symptoms:
Bot Defense profile menu fails to display (it appears trying to load but it does not load).

Conditions:
Large number of pools, for example 2500 pools, and members configured on the box.

Impact:
Bot Profile screen cannot be loaded.

Workaround:
None


1300925-4 : Shared memory race may cause TMM to core

Links to More Info: BT1300925

Component: Local Traffic Manager

Symptoms:
TMM may core while managing shared memory segments.

Conditions:
Issue is observed during TMM startup.

Impact:
Rare shared memory related TMM cores.

Workaround:
None


1300665-1 : ASMCSD memory leak if tsconfd.loglevel is set for debug level

Links to More Info: BT1300665

Component: Application Security Manager

Symptoms:
ASMCSD memory size continues to grow until it consumes all the available memory and triggers the OOM-Killer.

Conditions:
- Debug level set with tsconfd.loglevel

- Changes on policies

Impact:
Memory leak that eventually triggers OOM-Killer.

Workaround:
- Do not set debug with tsconfd.loglevel to avoid the memory leak.

- Restart ASMCSD to clear the memory if the memory leak has been created and the system suffers from memory pressure.


1298653 : In an Active/Standby configuration, if the virtual server destination is modified to that of an existing self IP, it leaves the standby with the old virtual server IP

Links to More Info: BT1298653

Component: TMOS

Symptoms:
The virtual server destination IP will not be in sync in an Active/Standby setup.

Conditions:
The virtual server is first created using the floating IP, so it is synced between active and standby. Then, on the active unit, the destination IP is modified to the self IP of the active unit. The configuration change is accepted, but it is not synced.

Impact:
If there is a failover, connections will fail.

Workaround:
Ensure virtual server destination IP is not the same as self IP.


1298545 : TMM crashes during SAML negotiations with APM configured as SAML SP.

Links to More Info: BT1298545

Component: Access Policy Manager

Symptoms:
TMM crashes while passing SAML traffic.

Conditions:
APM is configured as a SAML SP and performing negotiations.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None


1298161-1 : Ts_cookie_add_attrs is not effective with cookies that have non-root path or domain attribute

Component: Application Security Manager

Symptoms:
The add_cookie_attributes bd internal parameter is not effective with the TS cookie if the server cookie has a non-root path attribute or a domain attribute.

Conditions:
The server cookie has non-root path or domain attribute.

Impact:
An internal parameter configuration does not work in this specific condition, which can create some issues.

Workaround:
https://community.f5.com/t5/technical-articles/irule-to-set-samesite-for-compatible-clients-and-remove-it-for/ta-p/278650


1298133-4 : BFD sessions using floating self IP do not work well on multi-blade chassis

Links to More Info: BT1298133

Component: TMOS

Symptoms:
BFD sessions using a floating self IP do not work well on multi-blade chassis. In the event of a failure on a standby unit, sessions might become unstable on the active unit.

Conditions:
- Multi-blade VIPRION chassis configured in high availability (HA) setup.
- BFD sessions configured from floating self IPs.
- Standby blade experiences any sort of failure. For example, tmm/tmrouted crash; cmp transition.

Impact:
Standby blade might start sending BFD packets causing BFD session flaps on an active unit.

Workaround:
Restart tmrouted on a blade that is incorrectly sending BFD packets.


1298029-4 : DB_monitor may end the wrong processes

Links to More Info: BT1298029

Component: Local Traffic Manager

Symptoms:
If there are a lot of LTM or GTM database monitors in use, then the DB_monitor process may, in extremely rare circumstances, inadvertently end the processes that are not intended to be stopped.

Conditions:
Many database monitors, frequent PID reuse. This should be extremely rare.

Impact:
Some linux processes may unexpectedly end.

Workaround:
Periodically clean up stale PID files:

find /var/run/ -iname '*SQL__*' -mtime +1 -exec rm -vf '{}' ';'

and/or increase the number of available Linux PIDs:

echo 4194304 > /proc/sys/kernel/pid_max


1297521-1 : Full sync failure for traffic-matching-criteria with port list update on existing object in certain conditions

Links to More Info: BT1297521

Component: Local Traffic Manager

Symptoms:
Performing a full configuration sync with traffic-matching-criteria (TMC) under specific conditions fails with errors similar to:

err mcpd[5781]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[5781]: 01071488:3: Remote transaction for device group /Common/HA to commit id 41 7225526260779940326 /Common/cugLB-B08-1.com 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..

Conditions:
This may occur on a full-load config sync (not an incremental sync) when all of the following are true:
- Both Active and Standby are already in sync
- A traffic-matching-criteria is attached to a virtual server
- The traffic-matching-criteria is using a port-list
- The port list is updated (a new port is added to the existing list), for example:
tmsh modify net port-list /Common/<> { ports replace-all-with { 80 { } 83 { } 84 { } } port-lists none }

Assume port list already with 80,83 and adding new port 84 in the list.

NOTE: No issue observed when we try to update the list with removing the port from the list.

Impact:
Unable to sync configurations.


1297257-1 : MCPD, incremental sync does not update monitor_instance on BIG-IP 17.1.0

Links to More Info: BT1297257

Component: TMOS

Symptoms:
The peer unit incorrectly shows the state of pool members.

Conditions:
When pool member is forced offline and enabled again, standby device remains in offline state.

Impact:
Pool members are marked with a state of "offline".

Workaround:
Remove/re-add the monitor.


1297089-1 : Support Dynamic Parameter Extractions in declarative policy

Component: Application Security Manager

Symptoms:
When a policy is exported in JSON format, the dynamic parameter extractions configuration is not exported to the policy file and when it is imported back into the policy, the dynamic extraction configuration is lost.

Conditions:
Policy contains Dynamic parameter extraction and it is exported in JSON format.

Impact:
Dynamic extraction configuration is lost.

Workaround:
Export the policy in XML or binary format.


1295565-1 : BIG-IP DNS not identified in show gtm iquery for local IP

Links to More Info: BT1295565

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP DNS is not identified in show gtm iquery for local IP.

Conditions:
The connection between local big3d and gtmd gets backlogged;
or
The connection between local big3d and gtmd gets reset.

Impact:
TMSH show gtm iquery does not show correct server type.

Workaround:
Restart big3d.


1295353-1 : The vCMP guest is not sending HTTP flow samples to sFlow receiver

Links to More Info: BT1295353

Component: TMOS

Symptoms:
vCMP clusters without configured slot-specific management IP addresses report 0.0.0.0 as the sFlow Agent Address, which results in missing HTTP flow samples at the sFlow receiver.

Conditions:
- vCMP guest deployed on a chassis with only Cluster IP set, and no individual blade IP addresses configured.
- Configured with an available sFlow receiver.

Impact:
No monitoring information as there were no HTTP flow samples.

Workaround:
- Configure cluster blade IP addresses. For example, to set the slot-specific management IP address on a vCMP guest which runs on a single slot, use a command similar to the following:

tmsh modify sys cluster default members { 1 { address 198.51.100.2 } }

- The HTTP flow samples will be available on a vCMP guest.


1295113-1 : LACP Mode is always ACTIVE even though it is configured PASSIVE on the Host on R2x00/R4x00/R5x00/R10x00

Component: F5OS Messaging Agent

Symptoms:
For an LACP interface configured on the platform, LACP mode is always shown as ACTIVE even though it is configured as PASSIVE on the platform.

Conditions:
When the LACP interface is configured on the platform and associated with a VLAN and a tenant is launched with the same VLAN.

Impact:
This is a display-only issue. There is no impact on the datapath or functionality, as LACP mode is a configuration used when the LACP protocol is running, and for a tenant on Rx00 platforms the LACP protocol runs on the platform, not in the tenant.

Workaround:
None


1295009-2 : "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data

Component: Application Security Manager

Symptoms:
JSON schema validation fails when concurrent requests occur with the same JSON data.

Conditions:
Concurrent HTTP requests contain the same JSON data.

Impact:
JSON schema validation fails.

Workaround:
None


1294993-1 : URL Database download logs are not visible after bigip16.0.1.1

Links to More Info: BT1294993

Component: Access Policy Manager

Symptoms:
DB download happens at regular intervals or if explicitly requested by the user. Download status should be visible as part of apm logs and those are missing.

Conditions:
Version 16.0.1 or newer

Impact:
Database download status information will be unknown.


1294709-2 : SSL Orchestrator ICAP service changes do not propagate to TMSH (GUI/CLI)

Links to More Info: BT1294709

Component: SSL Orchestrator

Symptoms:
After changing settings for an existing ICAP service and deploying through SSL Orchestrator, the new changes are not reflected in the ICAP profiles visible through either the GUI or tmsh.

Conditions:
Trying to change settings for an existing ICAP service using SSL Orchestrator

Impact:
You are unable to change ICAP service settings through SSL Orchestrator.

Workaround:
Before deploying the changes, first click "Preview Merge Config". Then, after clicking "Deploy", tick the additional "Overwrite Changes" box and click "Deploy".


1294141-1 : ASM Resources Reporting graph displays over 1000% CPU usage

Links to More Info: BT1294141

Component: Application Visibility and Reporting

Symptoms:
The ASM resources graph which is present under Security > Reporting > ASM Resources > CPU Utilization displays over 1000% CPU usage when ASM is under load. The unit is percentage so it should be below 100.

Conditions:
- ASM should be under load and utilizing most of CPU cycles.

Impact:
Reporting graph displays incorrect percent value.

Workaround:
None


1294109-4 : MCP does not properly read certificates with empty subject name

Links to More Info: BT1294109

Component: TMOS

Symptoms:
A non-CA certificate that has no subject populated is valid if it contains a subject alternative name, but MCP treats the missing subject as invalid.

Conditions:
- Create a certificate with an empty subject by setting the subject alternative name.

Impact:
MCP does not show certificate details and GUI details suggest that the certificate is self-signed.

Workaround:
None


1293193-3 : Missing MAC filters for IPv6 multicast

Links to More Info: BT1293193

Component: TMOS

Symptoms:
Certain drivers are missing MAC filters for multicast, preventing TMM from receiving messages sent to the All Nodes and All Routers addresses.

Conditions:
- BIG-IP VE
- Using TMM's IAVF or IXLV driver

Impact:
TMM does not receive multicast messages and traffic sent to All Nodes and All Routers, dropping potentially vital packets.

Workaround:
None


1292793-4 : FIX protocol late binding flows that are not PVA accelerated may fail

Links to More Info: BT1292793

Component: Local Traffic Manager

Symptoms:
FastL4 connections with late binding enabled typically used for FIX protocol can stall or hang if they are evicted from PVA and not re-offloaded.

Conditions:
- Late binding enabled on a FastL4 flow. The flow is not accelerated, and if the flow receives approximately 50 packets, it will hang. Captures show packets ingressing to the BIG-IP and not being forwarded to the peer.

Impact:
Connection may stall.

Workaround:
Disable late binding. If late binding cannot be disabled, then disable pva-flow-aging and pva-flow-evict to avoid the issue.


1292685-4 : The date-time RegExp pattern through swagger would not cover all valid options

Component: Application Security Manager

Symptoms:
Some valid hour values do not match the Regular Expression (RegExp).

Conditions:
Creating a policy from a swagger file, or uploading a swagger file, that contains a parameter in date-time format.

Impact:
Valid hour values from 10 to 19 do not match the RegExp.

Workaround:
Manually fix the regular expression in the parameter
from:
'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))T(0\d|2[0-3]):([0-5]\d):([0-5]\d)(\.\d+)?(Z|((\+|-)(0\d|2[0-3]):([0-5]\d)))$'
to:
'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))T(0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d)(\.\d+)?(Z|((\+|-)(0\d|1\d|2[0-3]):([0-5]\d)))$'
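To see exactly what the workaround changes, here is an added Python check (not from the original page) that runs both patterns above over constructed sample date-time values and lists the valid values the original pattern rejects. It also exercises the timezone offset hour, which the corrected pattern widens in the same way.

```python
import re

# Both patterns are copied from the workaround above: the one generated from
# the swagger date-time format and the corrected one that adds the 1\d range
# for the hour and for the timezone offset hour.
ORIGINAL_PATTERN = r'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))T(0\d|2[0-3]):([0-5]\d):([0-5]\d)(\.\d+)?(Z|((\+|-)(0\d|2[0-3]):([0-5]\d)))$'
CORRECTED_PATTERN = r'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))T(0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d)(\.\d+)?(Z|((\+|-)(0\d|1\d|2[0-3]):([0-5]\d)))$'

ORIGINAL = re.compile(ORIGINAL_PATTERN)
CORRECTED = re.compile(CORRECTED_PATTERN)


def matches(compiled, value):
    """True when the whole parameter value matches the given pattern."""
    return compiled.fullmatch(value) is not None


def classify(values):
    """Return {value: (matches_original, matches_corrected)} for each input."""
    return {v: (matches(ORIGINAL, v), matches(CORRECTED, v)) for v in values}


def false_positives(values):
    """Values the corrected pattern accepts but the original wrongly rejects.

    With the original pattern in the policy, ASM would raise a parameter
    violation for each of these even though they are valid RFC 3339 stamps.
    """
    return [v for v, (orig, fixed) in classify(values).items() if fixed and not orig]


# Constructed sample parameter values (not taken from the original page).
SAMPLES = [
    "2023-08-10T09:30:00Z",       # hour 09: both patterns accept
    "2023-08-10T10:00:00Z",       # hour 10: original rejects
    "2023-08-10T19:45:30.250Z",   # hour 19 with fraction: original rejects
    "2023-08-10T23:59:59+05:30",  # offset hour 05: both accept
    "2023-08-10T08:00:00+10:00",  # offset hour 10: original rejects
    "2023-08-10T24:00:00Z",       # hour 24: both reject, as they should
    "2023-13-10T10:00:00Z",       # month 13: both reject, as they should
]

if __name__ == "__main__":
    for value, (orig, fixed) in classify(SAMPLES).items():
        print(f"{value:28} original={orig!s:5} corrected={fixed!s:5}")
```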


1292645-1 : False positive CORS violation can occur after upgrading to 17.1.x under certain conditions

Component: Application Security Manager

Symptoms:
CORS violation can start appearing after upgrading to 17.1.x.

Conditions:
1) CORS violation is enabled.
2) CORS configuration is done with port 80 on a particular URL.
3) The request that BIG-IP receives for the URL from step 2 is HTTPS.

Impact:
Requests with HTTPS protocol can get blocked with CORS violation.

Workaround:
Change configured CORS port to 443 for URLs that receive HTTPS traffic.


1292141-2 : TMM crash while processing myvpn request

Links to More Info: BT1292141

Component: Access Policy Manager

Symptoms:
TMM crashes while processing traffic on the virtual server.

Conditions:
Network Access resource is configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1291565-3 : BIG-IP generates more multicast packets in multicast failover high availability (HA) setup

Links to More Info: BT1291565

Component: Local Traffic Manager

Symptoms:
BIG-IP generates additional high availability (HA) multicast packets when the device name is changed.

Running the following command shows the duplicate multicast entries for the mgmt:mgmt interface in the /var/log/sodlog file:
# /usr/bin/cmd_sod get info

Conditions:
-- BIG-IPs configured with multicast failover.
-- The self-device name is changed.

Impact:
BIG-IP multiplies the number of multicast packets when the device name is changed.

Workaround:
Restarting sod removes the duplicate multicast entries:
# bigstart restart sod


1291149-5 : Cores with fail over and message routing

Links to More Info: BT1291149

Component: Service Provider

Symptoms:
Segfaults on the active unit in a high availability (HA) pair when it goes to standby.

Conditions:
- Generic message routing is in use.
- High availability (HA) pairs.
- This issue is observed when generic messages are in flight when failover happens, but there is some evidence that it can happen without failover.

Impact:
This is a memory corruption issue, so the effects are unpredictable and may not become visible for some time. In testing, segfaults leading to a core were observed on the device going to standby within 10-25 s of the device failing over. This happened roughly 50% of the time, but the effect is sensitive to memory layout and other environmental perturbations.

Workaround:
None


1290889-1 : TMM disconnects from processes such as mcpd causing TMM to restart

Links to More Info: K000134792, BT1290889

Component: TMOS

Symptoms:
When tunnels are in use on the BIG-IP, TMM may lose its connection to MCPD and exit and restart. At the time of the restart, a log message similar to the following will be seen in /var/log/ltm:

crit tmm6[19243]: 01010020:2: MCP Connection expired, exiting

When this occurs, in a default configuration, no core file is generated.

TMM may also disconnect unexpectedly from other services (for example, tmrouted).

TMM may also suddenly fail to match traffic for existing virtual server connections against a connection flow. This could result in traffic stalling and timing out.

Conditions:
-- An IPsec, GRE or IPIP tunnel is in use.

Impact:
-- Traffic disrupted while tmm restarts.
-- Sudden poor performance

Workaround:
Do not use tunnels.


1289997-2 : Tenant clustering fails when adding a lower number slot to Tenant

Links to More Info: BT1289997

Component: F5OS Messaging Agent

Symptoms:
If an existing Tenant is expanded to a new blade with a blade slot lower than any blade slot the Tenant is already running on, the Tenant can fail to cluster after a tenant reboot.

Conditions:
An existing Tenant is expanded to a new blade with a blade slot lower than any blade slot the Tenant is already running on.

Impact:
The Tenant can intermittently fail to cluster after a Tenant reboot.

Workaround:
In the partition CLI, set the tenant to provisioned, then back to deployed.


1289981 : All types of traffic dropped for a tenant when vlan group mode is configured on r2k/r4k platforms

Links to More Info: BT1289981

Component: Local Traffic Manager

Symptoms:
On r2k/r4k platforms, the tenant traffic stops working when any of the vlan-group modes [ translucent, transparent, opaque] is configured.

Removing the vlan-group mode configuration restores the traffic.

Conditions:
Configuring any of vlan group modes [transparent, translucent or opaque] on r2k/r4k.

Impact:
Traffic to tenant stops working and all the traffic to tenant is dropped.

Workaround:
Remove the vlan-group mode configuration.


1289417-2 : SSL Orchestrator SEGV TMM core

Links to More Info: BT1289417

Component: SSL Orchestrator

Symptoms:
TMM crashes while passing SSL Orchestrator traffic.

Conditions:
This can occur when a service is added or when an existing connector node configuration is freed.

Impact:
TMM crash occurs. Traffic disrupted while TMM restarts. This issue occurs intermittently.

Workaround:
None


1289365-4 : The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode

Links to More Info: BT1289365

Component: SSL Orchestrator

Symptoms:
The Proxy Select agent in the per-request policy does not select the pool or upstream proxy in explicit proxy mode. This prevents SSL Orchestrator or BIG-IP from forwarding the egress data to the upstream proxy.

Conditions:
- Proxy Select agent is used in the per-request policy.
- Proxy Select agent is set to explicit proxy mode.
- Flow is set to be bypassed using per-req policy agents such as IP Based SSL Bypass Set or dynamic bypass based on SSL profiles.

Impact:
SSL Orchestrator or BIG-IP does not forward any egress data to the upstream proxy.


1289313-1 : Creation of wideip with alias would cause inconsistent zone data across GTM sync group

Links to More Info: BT1289313

Component: Global Traffic Manager (DNS)

Symptoms:
Loss of resource record.

Conditions:
-- Creation of a wideip with alias
and
-- synchronize-zone-files is set to yes

Impact:
Loss of resource record.

Workaround:
Set synchronize-zone-files to no.


1289009-1 : PA based Hosted content does not add implicit allowed ACL

Links to More Info: BT1289009

Component: Access Policy Manager

Symptoms:
Unable to download the hosted content from Portal Access.

Conditions:
ACLs with a default deny or reject rule

Impact:
Hosted content files are denied by ACL

Workaround:
Add two L4 ACL entries similar to the rules below:
apm acl /Common/allow-hostedcontent {
   acl-order 20
   entries {
       {
           action allow
           dst-end-port 8080
           dst-start-port 8080
           dst-subnet ::1/128
           log packet
           protocol 6
           src-subnet 0.0.0.0/0
       }

       {
           action allow
           dst-end-port 8080
           dst-start-port 8080
           dst-subnet 127.1.1.0/24
           log packet
           protocol 6
           src-subnet 0.0.0.0/0
       }
   }
}


1288729-2 : Memory corruption due to use-after-free in the TCAM rule management module

Links to More Info: BT1288729

Component: TMOS

Symptoms:
- TMM crashes.
- Neuron client errors may be found in /var/log/ltm.

Conditions:
Platform with Neuron/TCAM support (BIG-IP iSeries).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1288517-1 : Item filter does not work on /mgmt/tm/asm/tasks/export-suggestions/

Links to More Info: BT1288517

Component: Application Security Manager

Symptoms:
Filter is not applied for export suggestions task.

Conditions:
Having a policy with suggestions, try to export them in declarative format (the single quotes around accept must be escaped for the shell so they reach the JSON filter string):

restcurl -u admin:admin /mgmt/tm/asm/tasks/export-suggestions/ -d '{"policyReference":{"link":"https://localhost/mgmt/tm/asm/policies/uaDQEF3ndTdKkawROqwQow"},"filter":"status eq '\''accept'\''","inline":true}'

Impact:
You are unable to get filtered suggestions in a declarative format.

Workaround:
None


1288009-4 : Vxlan tunnel end point routed through the tunnel will cause a tmm crash

Links to More Info: BT1288009

Component: TMOS

Symptoms:
TMM generates a core file and restarts.

Conditions:
A VXLAN tunnel is configured and there is a route for the remote endpoint via the tunnel itself.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not route the tunnel endpoint through the tunnel.


1287981-2 : Hardware SYN cookie mode may not exit

Links to More Info: BT1287981

Component: TMOS

Symptoms:
-- Virtual server reports SYN cookie mode is "full hardware" even after a SYN flood has stopped.
-- The virtual_server_stat tmstat table columns sc_mode0,sc_mode1 show "FRS" and the syncookies.hwsyncookie_inst column is greater than zero, even after a SYN flood has stopped.

Conditions:
-- Platform with Neuron/TCAM support.
-- AFM is not provisioned.

Impact:
-- SYN/ACK responses that include a SYN cookie are generated by hardware even after a SYN flood attack has stopped.
-- SYN pkts are not seen by the virtual server.

Workaround:
Set the pvasyncookies.preferhwlmode BigDB variable to "true".


1287821-2 : Missing Neuron/TCAM rules

Links to More Info: BT1287821

Component: TMOS

Symptoms:
- Neuron/TCAM rules are missing for a virtual server that has a rule based feature activated.
- /var/log/ltm has the following error:

Apr 12 02:31:14 bigip1 err tmm5[23326]: 01010331:3: Neuron client neuron_app_dyn_tcam failed with rule add(request full)

Conditions:
- On platforms with Neuron/TCAM support.
- A single virtual server requires more than 16 rules.

Impact:
Features that rely on the Neuron/TCAM rules are not fully offloaded to hardware and thus fall back to software.

Workaround:
None


1287649-3 : The qkview qkvcmp (vcmp_module.xml) needs to be updated for F5OS tenancy

Links to More Info: BT1287649

Component: TMOS

Symptoms:
On F5OS tenants running TMOS, vcmp_module.xml is full of error messages.

Conditions:
- F5OS tenants running TMOS.

Impact:
Tenants will not collect some troubleshooting information when gathering it through qkview.

Workaround:
None


1287313-3 : SIP response messages with a missing Reason-Phrase or with only spaces are not accepted

Component: Service Provider

Symptoms:
BIG-IP drops SIP response messages that are missing the Reason-Phrase.

Conditions:
A SIP response message in this format:
SIP/2.0 424 \r\n
is dropped. If the message has reason text, following
 Status-Line = SIP-Version SP Status-Code SP Reason-Phrase CRLF
like this:
SIP/2.0 404 Not Found\r\n
then it is not dropped.

Impact:
Connectivity issue.

Workaround:
None


1287045-4 : In-TMM monitor may mark pool member offline despite its response matches Receive Disable String

Links to More Info: BT1287045

Component: In-tmm monitors

Symptoms:
Despite the response matching the monitor's Receive Disable String, a pool member may be marked offline by the in-TMM monitor, whereas the BIGD monitor would mark it as available/disabled. This is particularly likely if the matched pattern is located near the front of the pool member's response data.

Conditions:
-- HTTP, HTTP2, or TCP monitor is used.
-- In-TMM monitor is enabled.
-- Both Receive String and Receive Disable String are provided.

Impact:
Pool member is marked offline while it should be marked available/disabled by the in-TMM monitor.

Workaround:
Use BIGD instead of in-TMM monitor.


1286621-1 : BD crashes when the UMU OOM limit is reached and the request has an authorization bearer header

Component: Application Security Manager

Symptoms:
BD crashes when the UMU OOM limit is reached and the request includes an authorization bearer header.

Conditions:
- UMU OOM limit is reached
- The request has authorization bearer header

Impact:
Traffic disrupted while bd restarts.

Workaround:
None


1286433-2 : Improve ASM performance for BIG-IP instances running on r2k / r4k appliances

Links to More Info: BT1286433

Component: TMOS

Symptoms:
ASM performance has regressed on BIG-IP instances running on r2k / r4k appliances (since F5OS release 1.3.0)

Conditions:
BIG-IP instance running on r2k / r4k
ASM traffic flowing through BIG-IP

Impact:
Improvement in ASM performance.

Workaround:
None (because this change is an improvement that alleviates performance regression)


1286101-2 : JSON Schema validation failure with E notation number

Component: Application Security Manager

Symptoms:
An unexpected JSON Schema validation failure is seen with E notation number.

Conditions:
The E notation number has no decimal point.

For example, the following trigger this issue:

- 0E-8
- 0e-8

But, the following do not trigger this issue:

- 0.0E-8
- 0.0e-8

The problematic E notation number is used as an object value, the object is inside an array, and the object is not the last member of the array.

Impact:
False positive.

Workaround:
Use E notation with a dot or disable schema validation violation.
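
As an added example that is not part of these release notes, the following Python code checks number tokens against the RFC 8259 number grammar, in which the exponent part does not require a fraction part, and runs a minimal type check over a constructed request body with the shape the conditions describe. The schema, the body and the mini validator are assumptions for illustration, not F5's own schema validator.

```python
"""Check JSON numbers with E notation against the RFC 8259 grammar."""
import json
import re

# RFC 8259 section 6:
#   number = [ minus ] int [ frac ] [ exp ]
#   int    = zero / ( digit1-9 *DIGIT )
#   frac   = decimal-point 1*DIGIT
#   exp    = e [ minus / plus ] 1*DIGIT
# frac and exp are independent optional parts, so "0E-8" (exp without
# frac) is exactly as valid as "0.0E-8".
JSON_NUMBER_RE = re.compile(r"^-?(?:0|[1-9][0-9]*)(?:\.[0-9]+)?(?:[eE][+-]?[0-9]+)?$")


def is_json_number(token: str) -> bool:
    """True when the raw token is a well-formed JSON number."""
    return JSON_NUMBER_RE.match(token) is not None


def check_instance(schema: dict, instance, path: str = "$") -> list:
    """Return violation paths for a tiny subset of JSON Schema.

    Supports only "type" (number/object/array), "properties" and "items";
    enough to walk an array of objects and type-check their values.
    """
    violations = []
    kind = schema.get("type")
    if kind == "number":
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(instance, bool) or not isinstance(instance, (int, float)):
            violations.append(path)
    elif kind == "object":
        if not isinstance(instance, dict):
            return [path]
        for key, sub in schema.get("properties", {}).items():
            if key in instance:
                violations += check_instance(sub, instance[key], f"{path}.{key}")
    elif kind == "array":
        if not isinstance(instance, list):
            return [path]
        item_schema = schema.get("items")
        if item_schema:
            for i, item in enumerate(instance):
                violations += check_instance(item_schema, item, f"{path}[{i}]")
    return violations


# Hypothetical schema: an object holding an array of objects with a numeric "value".
SCHEMA = {
    "type": "object",
    "properties": {
        "readings": {
            "type": "array",
            "items": {
                "type": "object",
                "properties": {"value": {"type": "number"}},
            },
        }
    },
}

# Constructed bodies matching the conditions above: the E notation number is an
# object value, the object sits inside an array, and it is not the last member.
BODY_NO_DOT = '{"readings": [{"value": 0E-8}, {"value": 0e-8}, {"value": 1}]}'
BODY_WITH_DOT = '{"readings": [{"value": 0.0E-8}, {"value": 0.0e-8}, {"value": 1}]}'


def validate_body(raw: str) -> list:
    """Parse a request body and return schema violation paths (empty = valid)."""
    return check_instance(SCHEMA, json.loads(raw))


if __name__ == "__main__":
    for token in ("0E-8", "0e-8", "0.0E-8", "0E", "01", ".5"):
        print(f"{token:8s} valid_number={is_json_number(token)}")
    print("no dot  :", validate_body(BODY_NO_DOT))
    print("with dot:", validate_body(BODY_WITH_DOT))
```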


1284589-1 : HTTP CONNECT request from client is not successful with iRule HTTP::disable discard command

Links to More Info: BT1284589

Component: Local Traffic Manager

Symptoms:
When you use the HTTP::disable discard command, the proxy CONNECT / connection to the server is not established.

Conditions:
-> Basic HTTP VS
-> iRule
when HTTP_REQUEST {
    HTTP::disable discard
    node <ip port>
}

Impact:
HTTP CONNECT requests from clients hang.

Workaround:
Use the HTTP::disable command.


1284261-4 : Constant traffic on DHCPv6 virtual servers may cause a TMM crash.

Links to More Info: BT1284261

Component: Local Traffic Manager

Symptoms:
TMM may crash/core if there is a constant stream of DHCP traffic from the server towards the clients, not allowing a connection timeout.

Conditions:
Constant stream of traffic coming from DHCP server not allowing a connection timeout.

Very aggressive lease settings that cause constant lease refreshes are one example of a configuration leading to the problem.

Impact:
Failover/crash.


1284097-1 : False positive 'Illegal cross-origin request' violation

Links to More Info: BT1284097

Component: Application Security Manager

Symptoms:
Under the right configurations, an HTTP request whose Origin header carries an HTTPS value may get blocked with the 'Illegal cross-origin request' violation.

Conditions:
A request that is sent to a virtual server with an HTTP port, that has an Origin header with HTTPS value, will trigger the violation under the following conditions:
1) 'Illegal cross-origin request' violation is enabled.
2) Security ›› Application Security : Security Policies : Policies List ›› Auto_Security_Policy_Services ›› Headers ›› Host Names is configured with the Origin header value.
3) The URL to where the request is sent has 'Enforce on ASM' in 'HTML5 Cross-Domain Request' configuration enabled.

Impact:
'Illegal cross-origin request' violation is reported in version 17.1.x unlike version 16.1.x with the same configurations and the same traffic.

Workaround:
Add the HTTPS protocol and Origin name for the desired URL in 'Allowed Origins', which is located under 'HTML5 Cross-Domain Request'.


1284081-1 : Incorrect Enforcement After Sync

Links to More Info: BT1284081

Component: Application Security Manager

Symptoms:
In some scenarios, configuration updates are not sent to the enforcer which can cause unexpected enforcement.

Conditions:
A large configuration is synchronized to a device.

Impact:
Incorrect policy enforcement.

Workaround:
1) Apply each policy individually on the affected devices/blades
or
2) Restart ASM on the affected devices and blades


1284073-1 : Cookies are truncated when the number of cookies exceeds "max_enforced_cookies"

Component: Application Security Manager

Symptoms:
When a request contains more cookies than configured in "max_enforced_cookies" and the "strip_asm_cookies" parameter is enabled, the cookie header is truncated and not all cookies reach the server.

Conditions:
- ASM is provisioned.
- Request contains more cookies than configured in "max_enforced_cookies".
- Parameter "strip_asm_cookies" is enabled.

Impact:
Not all cookies reach server.

Workaround:
Disable internal parameter "strip_asm_cookies".

Disabling the database key makes the behavior similar to the behavior in BIG-IP version 14; for more information, see article K30023210.

If the old behavior from before BIG-IP version 14 is not desired, then in addition to disabling the sys db key, use the solution that applied to versions prior to BIG-IP version 14: an iRule that removes the TS cookie on the server side. For more information, see article K66438993.


1283749-1 : Systemctl start and restart fail to start the vmtoolsd service

Links to More Info: BT1283749

Component: TMOS

Symptoms:
Because of a non-existent dependency, systemctl start and restart fail to start the vmtoolsd service.

Following is the reported error:

# systemctl restart vmtoolsd.service
Failed to restart vmtoolsd.service: Unit not found.

systemctl stop is not affected.

Conditions:
BIG-IP VE on VMware.

Impact:
Unable to start/restart the vmtoolsd service.

Workaround:
systemctl restart --ignore-dependencies vmtoolsd.service

or

systemctl start --ignore-dependencies vmtoolsd.service


1283721-1 : Vmtoolsd memory leak

Links to More Info: BT1283721

Component: TMOS

Symptoms:
The Vmtoolsd service leaks memory on VMware BIG-IP VE guests when the Disk Type is IDE or any disk type other than SCSI.

Conditions:
VMware BIG-IP VE guest
Disk type of IDE or another type that is not SCSI.

Impact:
The VE will eventually run out of memory.

Workaround:
1. Create the file /etc/vmware-tools/tools.conf and add the following to the file:

[guestinfo]

# disable scan for disk device info
diskinfo-report-device=false


2. Restart the vmtoolsd service:

systemctl restart --ignore-dependencies vmtoolsd.service

NB: "guestinfo" must be in lower case. The workaround does not work if any letter is upper case; in particular, "guestInfo", which was the workaround reported in https://github.com/vmware/open-vm-tools/issues/452, does not work.


1283645-4 : Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued

Component: Access Policy Manager

Symptoms:
The WebView based End Point Inspection does not work in Mac Edge Client.

Conditions:
When using Edge Client on MacOS "Ventura" 13.3 Beta2 and later.

Impact:
Affected MacOS Edge client is unable to proceed with establishing the VPN connection.

Workaround:
Use the browser-based VPN. Note that there are some limitations if you use the VPN in AutoConnect mode or in Blocked mode: the system cannot access the external network until you are disconnected.

The issue is not fixed in the BIG-IP versions 14.1.5.5, 16.1.3.5, and 17.1.0.2 releases. Refer to the KB article K000134990 for recommended actions.


1282769-1 : Localdb user can change the password of another user

Component: Access Policy Manager

Symptoms:
The user was able to change the password for another user in the logon page, when local DB authentication was used.

Conditions:
-- At least one user in the local DB instance is forced to change the password.
-- The virtual server is configured with trusted CA-signed certificates (that is, it does not happen if the virtual server for the SSL-VPN is associated with self-signed certificates).

Impact:
User authentication based on local DB will be impacted.

Workaround:
None


1282357-3 : Double HTTP::disable can lead to core in dynamic_tcl_event_mask

Links to More Info: BT1282357

Component: Local Traffic Manager

Symptoms:
Adding HTTP::disable a second time causes scb->f_invoke_disabled to be set a second time while HTTP_DISABLED is still queued from the first HTTP::disable, thus breaking HTTP's assumptions about the behavior of the flag. This later causes HTTP to attempt to resume HTTP_DISABLED again after it has already been executed.

Conditions:
-> Basic HTTP configuration
-> iRule
when CLIENT_ACCEPTED {
    set collects 0
    TCP::collect
}
when CLIENT_DATA {
    if { $collects eq 1 } {
        HTTP::disable
        HTTP::disable
    }
    TCP::release
    TCP::collect
    incr collects
}
when HTTP_REQUEST {
    log local0. "Request"
}
when HTTP_DISABLED {
    log local0. "Disabled"
}

Impact:
BIG-IP crashes on a CONNECT request from client.

Workaround:
Make sure to avoid adding a second HTTP::disable.


1282281-5 : Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns

Links to More Info: BT1282281

Component: Application Security Manager

Symptoms:
Roll forward upgrade fails.

The following error message appears in /ts/log/ts_debug.log, and WAF enforcement is not complete:

----------------------------------------------------------------------
Can't locate object method "id_field" via package "F5::ASMConfig::Entity::ThreatCampaign" (perhaps you forgot to load "F5::ASMConfig::Entity::ThreatCampaign"?) at /usr/local/share/perl5/F5/ImportExportPolicy/Binary.pm line 2171.
----------------------------------------------------------------------

Conditions:
- Roll forward upgrade when there is a policy that has unapplied changes and Threat Campaigns.

Impact:
Incorrect enforcement until workaround is applied.

Workaround:
Perform an apply policy operation on all policies.


1282105 : Assertion response attributes parsing issue after upgrade to BIG-IP 17.1.0

Links to More Info: BT1282105

Component: Access Policy Manager

Symptoms:
During SAML authentication, while TMM parses the assertion to extract the attributes and their respective values, all the attribute values are combined into a single string with '|' as the separator and assigned to a single variable, leaving the remaining ones empty.

Conditions:
When the incoming attributes in the assertion are treated as multi-valued attributes, all the attribute values are combined into a single-valued attribute in order to store it in the SessionDB.

Impact:
All the session variables related to assertion attributes are assigned and stored incorrectly.

Workaround:
None


1281709-4 : Traffic-group ID may not be updated properly on a TMM listener

Links to More Info: BT1281709

Component: Local Traffic Manager

Symptoms:
A few virtual servers may belong to an incorrect traffic-group after a full sync or when an MCP transaction is performed.

Conditions:
- The BIG-IP High Availability (HA) is configured with full load on sync.
- Traffic-group is changed on a virtual-address belonging to multiple virtuals.
- Sync happens, leaving the device receiving a sync in an incorrect state.

OR

An MCP transaction that is updating a virtual-address along with a profile change on a virtual-server is executed.

Impact:
Listeners may not belong to the correct traffic group, and the traffic is not forwarded.

Workaround:
Use an incremental sync. Do not use MCP transactions.


1281637-2 : When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE

Links to More Info: BT1281637

Component: Local Traffic Manager

Symptoms:
A RST_STREAM is observed from the BIG-IP to the server after the response is received from the server.

Conditions:
- HTTP/2 full proxy configuration.
- The server sends the DATA frame carrying the END_STREAM flag with a delay.

Impact:
Once the server gets around to processing the RST_STREAM, it stops accepting new requests on that connection.

Workaround:
None


1281433-1 : Missing GTM probes on GTM server when an external monitor is attached to an additional pool

Links to More Info: BT1281433

Component: Global Traffic Manager (DNS)

Symptoms:
Incorrect probe behavior when an external monitor is attached to an additional pool.

Conditions:
On a GTM sync group, try to attach an external monitor to an additional pool.

Impact:
Incorrect GTM server monitoring.

Workaround:
None


1281405-2 : "fipsutil fwcheck -f" command may not return the correct result

Links to More Info: BT1281405

Component: Local Traffic Manager

Symptoms:
The "fipsutil fwcheck -f" command output shows "Firmware upgrade available." even though a firmware upgrade is not needed.

Conditions:
All FIPS platforms.

Impact:
Only a display issue with no functional impact. If you attempt a firmware upgrade based on this output, it may not work.

Workaround:
Use the command without the "-f" option like "fipsutil fwcheck".


1281397-3 : SMTP requests are dropped by ASM under certain conditions

Component: Application Security Manager

Symptoms:
When virus check is enabled on SMTP security profile, sometimes ASM drops the request even though no violation is reported.

Conditions:
- SMTP security profile is configured and applied with virus check on.
- ICAP server is configured

Impact:
ASM sometimes drops valid SMTP requests even when no violation is reported.

Workaround:
None


1281381-1 : BD fails to load config when the virtual server name is longer than 64 characters

Links to More Info: BT1281381

Component: Application Security Manager

Symptoms:
A virtual server name longer than 64 characters causes ASM to restart repeatedly.

Conditions:
A Virtual server name longer than 64 characters.

Impact:
Repeated ASM restarts (ASM restarts in loop).

Workaround:
The virtual server name should be shorter than 64 characters.


1280813-3 : Illegal URL violation triggered after upgrade due to missing content-profiles in DB

Links to More Info: BT1280813

Component: Application Security Manager

Symptoms:
Illegal URL violation is triggered for valid/Allowed URLs.

Conditions:
NA

Impact:
Illegal URL violation for an allowed URL; the content profile for that URL is not present in the PLC.PL_OBJECT_CONTENT_PROFILES DB table.

Workaround:
- Delete the problematic URL from Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs.
- Recreate the URL.
- Apply the policy.


1280769 : Fipsutil's fwcheck and fwupdate sub-commands show errors when run on R10920 and R5920 tenant.

Links to More Info: BT1280769

Component: Local Traffic Manager

Symptoms:
When the fwcheck and fwupdate sub-commands are run, they fail and display error messages.

bigip#fipsutil fwcheck
ERROR: Failed to parse firmware version: CNN35XX-NFBE-FW-2.08-12
ERROR: Firmare version check failed.
bigip#

Conditions:
When the commands fwcheck and fwupdate are run on R10920 and R5920 fips tenant.

Impact:
No functional impact. Only ignorable error messages displayed.

Workaround:
Do not run these two commands on R10920 and R5920 fips tenant.

To see the current firmware version from the tenant, use "fipsutil info".

To update the firmware on the HSM card, do it from the host system.


1277641 : DoS | i-series | After mitigation of bad destination at profile level, bd_hit is not incrementing for host unreachable vector.

Links to More Info: BT1277641

Component: Advanced Firewall Manager

Symptoms:
This is specific to the iSeries platform.
The bd-related DoS stats are incrementing, but the SPVA bd_hit stat is not incremented.

Conditions:
Sending IPv6 host unreachable traffic to an iSeries device.

Impact:
The hits appear in the DoS stats but not in the SPVA stats.

Workaround:
You can see the stats in dos table.


1274385-1 : BIGIP-DNS GUI delivery summary stats shows incorrect count for "Disabled" GTM listeners

Links to More Info: BT1274385

Component: Global Traffic Manager (DNS)

Symptoms:
Statistics >> Module Stats >> DNS >> Delivery >> Summary - shows the incorrect count for "Disabled" GTM listeners.

Conditions:
One or more virtual servers (which may or may not be GTM (DNS) listeners) exist on the BIG-IP device which are in a disabled state.

These virtual servers incorrectly count towards the count of "Disabled" virtual servers in the GTM Listeners statistics.

Impact:
Unexpected "Disabled" count in the GTM Listeners line in the DNS stats table (in any of the columns)


1273997-1 : BD crashes when the ACCOUNT_ENFORCER_SETTINGS table is empty

Component: Application Security Manager

Symptoms:
BD crashes when the ACCOUNT_ENFORCER_SETTINGS table is empty.

Conditions:
ACCOUNT_ENFORCER_SETTINGS table is empty

Impact:
Traffic disrupted while bd restarts.

Workaround:
None


1273881-3 : TMM crashes while processing traffic on the virtual server

Links to More Info: BT1273881

Component: Access Policy Manager

Symptoms:
TMM crashes while processing traffic on the virtual server.

Conditions:
Network Access resource is configured.

Impact:
TMM crashes leading to disruption in traffic flow.

Workaround:
None


1273161-4 : Secondary blades are unavailable, clusterd is reporting shutdown, and waiting for other blades

Links to More Info: BT1273161

Component: Local Traffic Manager

Symptoms:
On a multi-slot chassis, VCMP guest, or F5OS tenant, clusterd can enter a shutdown state causing some slots to become unavailable.

The event that can cause this is called a partition and occurs when clusterd stops receiving heartbeat packets from a slot over the mgmt_bp interface but is still receiving them over the tmm_bp interface.

Here is the error that is logged when this occurs:

Mar 17 10:38:28 localhost err clusterd[4732]: 013a0004:3: Marking slot 1 SS_FAILED due to partition detected on mgmt_bp from peer 2 to local 1

When this occurs, clusterd enters a shutdown state and at times will never recover.

Here is example tmsh show sys cluster output where clusterd is in the shutdown-yet-waiting state:

-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 172.0.0.160/23
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 2
Primary Selection Time 03/17/23 10:38:30

  ----------------------------------------------------------------------------------
  | Sys::Cluster Members
  | ID Address Alt-Address Availability State Licensed HA Clusterd Reason
  ----------------------------------------------------------------------------------
  | 1 :: :: unknown enabled false unknown shutdown ShutDown: default/1 waiting for blade 2
  | 2 :: :: available enabled true standby running Run

Conditions:
Multi-slot chassis, VCMP guest, or F5OS tenant.
A blade determines there is a partition where it is receiving cluster packets over the tmm_bp interface but not the mgmt_bp interface.

Impact:
The unavailable slots/blades will not accept traffic.

Workaround:
Running tmsh show sys cluster will report the primary slot and all slot statuses.

For all blades reporting shutdown (or, less likely, initializing) and "waiting for blade(s)", restart clusterd on that slot with bigstart restart clusterd. Ensure you do not restart clusterd on the primary slot.


1273141-1 : GTM pool members are not probed and multiple GTMs are reporting inconsistent status

Links to More Info: BT1273141

Component: Global Traffic Manager (DNS)

Symptoms:
GTM pool members are not probed and multiple GTMs in the same GTM syncgroup report inconsistent status.

Conditions:
1. Create a GTM pool with a pool member disabled.
2. Create another GTM pool with same monitor and pool member as in the previous GTM pool.

Impact:
GTM pool members are marked with an incorrect status, and the status is inconsistent across GTMs.

Workaround:
Use the following command:

# tmsh modify gtm global-settings general monitor-disabled-objects yes

or

Use unique monitor names for pools that have disabled pool members.


1272537-2 : TMM high memory due to ping_access_agent

Links to More Info: BT1272537

Component: Access Policy Manager

Symptoms:
TMM memory steadily increases due to ping_access_agent.

Conditions:
-- Ping access feature configured;
-- The initial ping agent request receives a response with generic custom status code 477 (which means agent repeats agent request with request body).

Impact:
Connectivity issues with Virtual IP addresses and broken services as memory increases over time which could result in an out-of-memory condition and HA action.

Workaround:
None


1272501-1 : Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure"

Links to More Info: BT1272501

Component: Local Traffic Manager

Symptoms:
Application failures with reset-cause: "F5RST: HTTP redirect rewrite failure".

Conditions:
-- BIG-IP versions 16.0 and above.
-- HTTPS virtual server with redirect-rewrite of HTTP profile set to 'matching'.

Impact:
Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure".

Workaround:
If the URI cannot be parsed, do not configure the rewrite option so that the Location header passes through untouched.


1271469-5 : Failed to install ASU file scheduled for install

Links to More Info: BT1271469

Component: Application Security Manager

Symptoms:
A Live Update installation scheduled for any specific day between 12:01 AM and 12:14 AM fails.

Conditions:
- ASU file installation scheduled at 12:01 AM to 12:14 AM (not automatic or manual installation).

Impact:
BIG-IP will not get latest ASU file updates.

Workaround:
Set the installation time after 12:15 AM.


1271341-3 : Unable to use DTLS without TMM crashing

Links to More Info: BT1271341

Component: Access Policy Manager

Symptoms:
When DTLS is used, TMM crashes.

tm virtual /Common/VS_access.unisa.edu.au-4433 {
creation-time 2023-02-10:17:43:01
destination /Common/130.220.255.195:4433
ip-protocol udp
last-modified-time 2023-03-08:15:43:30
mask 255.255.255.255
profiles {
/Common/SSL_access.unisa.edu.au-20230208 <----clientssl
context clientside
}
/Common/UniSA_Oauth_Lab {
context clientside
}
/Common/ppp { }
/Common/udp { }
}
serverssl-use-sni disabled
source 0.0.0.0/0
translate-address enabled
translate-port enabled
}

Conditions:
NA

Impact:
TMM core has been seen.

Workaround:
The crash occurs because dynamic record sizing is enabled, so tx_min gets set to 0. This eventually results in tx_len being 0 as well, which leads to the loop.

allow-dynamic-record-sizing should be disabled in the client-ssl.


For instance

ltm profile client-ssl /Common/SSL_access.unisa.edu.au-20230208 {
    allow-dynamic-record-sizing disabled
}


1270989-1 : REST MemcachedClient uses fixed TMM address 127.1.1.2 to connect to memcached

Links to More Info: BT1270989

Component: TMOS

Symptoms:
The RESTcurl command "restcurl -u admin:admin /mgmt/tm/access/session/kill-sessions" returns a "no route to host" error.

Conditions:
Run RESTcurl commands from a vCMP guest to try to kill the session.

Impact:
Attempting to kill sessions returns a 400 - "no route to host error" error.

Workaround:
None


1270501 : Before upgrade, if the log level is configured as debug, APMD restarts continuously with a coredump

Links to More Info: BT1270501

Component: Access Policy Manager

Symptoms:
If the access policy log level is configured to debug and you proceed with upgrading the software, rebooting the BIG-IP, or restarting APM, a coredump is observed from the APMD process while it starts.

Conditions:
1. Configure the HTTP connection and request timeouts in HTTP authentication using TMSH.
2. Access policy log level is configured to debug.
3. Upgrading the software, rebooting the BIG-IP, or restarting the APMD.

Impact:
APMD will reboot continuously with coredump.

Workaround:
Configure the access policy log level to a level other than debug.


1270497-3 : MRF SIP/ALG Core dump observed while accessing trans_data in sipmsg_register_ingress_register_request_session_reply_common method

Links to More Info: BT1270497

Component: Service Provider

Symptoms:
TMM generates core file while MRF SIP handles register request.

Conditions:
- SIP ALG configuration with SNAT.

Impact:
TMM generates core file while running SIP traffic with ALG configuration. Traffic is disrupted.

Workaround:
None


1270133-1 : bd crash during configuration update

Component: Application Security Manager

Symptoms:
bd crash occurred during the configuration update.

Conditions:
This issue occurs during configuration update.

Impact:
bd crash that causes failover in High Availability (HA) pair. Intermittent offline with standalone system.

Workaround:
None


1269889-1 : LTM crashes are observed while running SIP traffic and pool members are offline

Component: Service Provider

Symptoms:
A crash may occur while processing HTTP traffic that involves a persist record and the use of pick_host; the following is an example:
set dest_host [MR::message pick_host peer

Conditions:
- When all pool members are offline or there are no pool members in the pool.

Impact:
TMM is inoperative while reloading after crash.

Workaround:
Avoid use of the following pick_host form, particularly with carp:

MR::message pick_host peer <peer-object-name> [carp <carp-key>]


1269773-1 : Convert network-order to host-order for extensions in TLS1.3 certificate request

Links to More Info: BT1269773

Component: Local Traffic Manager

Symptoms:
The network-order length is passed as the argument instead of the host-order length.

Conditions:
- A signature algorithms extension is present in the certificate request message from the server.

Impact:
Handshake fails with illegal parameter alert.

Workaround:
None


1269733-1 : HTTP GET request with headers has incorrect flags causing timeout

Links to More Info: BT1269733

Component: Local Traffic Manager

Symptoms:
504 Gateway Timeout responses are generated by a Microsoft web server pool member handling HTTP/2 requests.

The tcpdump shows that the HTTP/2 stream sends the request without the appropriate END_STREAM flag on the HEADERS frame.

Conditions:
The server has to provide settings with max-frame-size small enough to force BIG-IP to split the headers across multiple HTTP/2 frames, otherwise this issue does not occur.

Impact:
The HTTP GET request times out.

Workaround:
None


1269709-4 : GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles

Links to More Info: BT1269709

Component: Local Traffic Manager

Symptoms:
The VDI profile is currently not supported in an HTTP/2 environment, but there is no warning message on the BIG-IP GUI about this limitation.

Conditions:
When both a VDI profile and an HTTP/2 profile are attached to the VS.

Impact:
The BIG-IP GUI does not display the expected error when VDI and HTTP/2 profiles are both attached to the VS.

Workaround:
None


1269601-1 : Unable to delete monitor while updating DNS virtual server monitor through transaction

Links to More Info: BT1269601

Component: Global Traffic Manager (DNS)

Symptoms:
Unable to delete monitor while updating DNS virtual server monitor through transaction.

Following message displays:

Command added to the current transaction
Command added to the current transaction
transaction failed: 01070083:3: Monitor /Common/tcp_test is in use.

Conditions:
Using a transaction that updates the virtual server monitor and deletes the earlier monitor that has just been detached.

Following is an example:

echo 'create cli transaction; modify /gtm server generc_serv_test virtual-servers modify { test { monitor none }}; delete /gtm monitor tcp tcp_test; submit cli transaction' | tmsh

Impact:
Unable to delete the monitor.

Workaround:
None


1268521-1 : SAML authentication with the VCS fails when launching the applications/remote desktops from the APM Webtop when multiple RD resources are assigned to the APM Webtop

Links to More Info: BT1268521

Component: Access Policy Manager

Symptoms:
User fails to authenticate when VMware VDI with SAML authentication is used with multiple RD resources assigned to Webtop.

Conditions:
1. Webtop is used to connect to a remote desktop.
2. Multiple VCS servers are used.
3. SAML authentication is configured in remote desktop SSO configuration.

Impact:
Remote desktop is not opened.

Workaround:
None


1268373-6 : MRF flow tear down can fill up the hudq causing leaks

Links to More Info: BT1268373

Component: Service Provider

Symptoms:
TMM memory leaks are observed when MRF flows are torn down at once and the HUD queue is full.

Conditions:
When the message queue becomes full.

Impact:
TMM memory leak

Workaround:
None


1267845-5 : ISC's internal_current function asserted because ifa_name was NULL

Links to More Info: BT1267845

Component: Global Traffic Manager (DNS)

Symptoms:
Named restarting.

Conditions:
- MCPD is down, resulting in a service restart.
- The slot interfaces are down.
- During the restart, named is unable to find the interface and asserts.

Impact:
No Impact, this issue occurs when the services are restarting.

Workaround:
None


1267269-2 : The wr_urldbd crashes and generates a core file

Links to More Info: BT1267269

Component: Policy Enforcement Manager

Symptoms:
The wr_urldbd crashes and generates a core file.

Conditions:
The munmap function can cross mapping boundaries, and it does not fail if the requested range contains unmapped memory, i.e. the segment being unmapped does not have to be fully mapped.

Impact:
Service is interrupted for few minutes and classification does not happen.

Workaround:
None


1267221-4 : When TMM starts, Hyper-V shows no RX packets on the ethX interface

Links to More Info: BT1267221

Component: Local Traffic Manager

Symptoms:
On a BIG-IP Virtual Edition (VE) running on a Hyper-V host, TMM sets the NIC queue count when it starts. When this happens, due to a bug in Hyper-V, ingress packets are no longer received on the data plane interfaces.

Packets egressed from TMM are being correctly sent to peer devices on the network.

Conditions:
- After upgrading from BIG-IP version 12, none of the data plane interfaces show ingress counters incrementing and no traffic is seen on the interface. The Management interface works properly.

Impact:
The data plane interfaces do not show ingress counters incrementing, and no traffic is seen on the interfaces.

Workaround:
In Hyper-V manager, save the machine state and then start it back up or use a legacy network adapter.


1259489-2 : PEM subsystem memory leak is observed when using PEM::subscriber information

Links to More Info: BT1259489

Component: Policy Enforcement Manager

Symptoms:
TMM may show a higher memory allocation in the PEM category observed in the memory_usage_stat table.

Conditions:
- PEM is provisioned.

- PEM iRules are used that access PEM::session or PEM::subscriber information.

Impact:
TMM can have excessive memory consumption.

Workaround:
None


1256777-5 : In BGP, as-origination interval not persisting after restart when configured on a peer-group.

Links to More Info: BT1256777

Component: TMOS

Symptoms:
When as-origination interval is configured on a peer-group the setting might not survive a process restart or configuration reload.

Conditions:
- When as-origination interval is configured on a peer-group.

Impact:
The as-origination interval resets to default (15s) after a process restart or configuration reload.

Workaround:
None


1253621 : Remote logging SSL Orchestrator Audit logs when running in the Appliance mode

Links to More Info: BT1253621

Component: SSL Orchestrator

Symptoms:
In Appliance mode, access to the advanced shell (bash)/root is removed. In this scenario, SSL Orchestrator writes audit logs to the local file system, which is inaccessible in this mode.

Conditions:
BIG-IP system running in the appliance mode.

Impact:
You cannot access SSL Orchestrator Audit logs as the access to shell is restricted.

Workaround:
Configure syslog to write logs from the ssloAudit.log file to the remote logging server.

1. Run the syslog server on the remote destination
2. Log in to tmsh by entering the following command:

tmsh

3. Modify syslog configuration to write the audit logs to syslog server using UDP protocol

modify sys syslog include 'source s_sslo_audit { file("/var/log/restnoded/ssloAudit.log" follow_freq(1) flags(no-parse)); }; destination d_to_secure_syslog { syslog(<remote-server-ip> transport(udp) port(514) ); }; log { source(s_sslo_audit);destination(d_to_secure_syslog); };'

4. To save the configuration, enter the following command:

save /sys config

5. For BIG-IP systems in a high availability (HA) configuration, perform a ConfigSync to synchronize the changes to the other devices in the device group.


1253481 : Traffic loss observed after reconfiguring Virtual Networks

Component: Local Traffic Manager

Symptoms:
The traffic exiting from the tenant is being forwarded to an incorrect virtual network.

Conditions:
Virtual-wire is reconfigured by removing the currently configured virtual networks and adding another pair of virtual networks in a single step, then committing the change.

Impact:
The NTI identifier is populated incorrectly, causing traffic loss.

Workaround:
Remove the existing virtual networks and commit the changes. Then reconfigure the virtual networks and commit again.


1253449-4 : After publishing, the draft LTM policy configuration might not be updated (intermittently) into the bigip.conf

Links to More Info: BT1253449

Component: TMOS

Symptoms:
Publishing an LTM draft policy and the "save config" operation are not atomic, so a race condition exists. When the save happens first, the issue is observed; otherwise the published LTM draft policy is successfully written to the bigip.conf file.

Conditions:
- The command "tmsh load /sys config current-partition" is executed, or the existing system configuration is loaded from bigip.conf, after the draft LTM policy is published.

Impact:
Published LTM draft policies are reverted to the draft state.

Workaround:
Perform any one of the following steps immediately after successfully publishing an LTM draft policy:

- Execute the command "tmsh save /sys config current-partition" on the BIG-IP shell.

or

- Execute curl -sku $COLON_SEPARATED_USERNAME_PASSWORD https://$HOST/mgmt/tm/sys/config/ -X POST -H "Content-type: application/json" -d '{"command":"save"}'

or

- Execute curl -sku $COLON_SEPARATED_USERNAME_PASSWORD https://$HOST/mgmt/tm/util/bash -X POST -H "Content-type: application/json" -d '{"command":"run", "utilCmdArgs":"-c \"tmsh save sys config current-partition\""}'


1252537-4 : Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role

Component: TMOS

Symptoms:
With the Resource Admin role, the reboot and shutdown options are available in the GUI but unavailable in TMSH.

Conditions:
- Resource Admin accessing reboot and shutdown options in TMSH.

Impact:
Limited availability; the Resource Admin is forced to use the GUI.

Workaround:
Resource admin can still use GUI to initiate a reboot or shutdown.


1252005-1 : VMware USB redirection does not work with DaaS

Component: Access Policy Manager

Symptoms:
A user is unable to access a USB device connected to the client machine in a remote desktop session using APM VDI with a VMware DaaS setup.
Note: This works as expected if a VCS server is used.

Conditions:
1. A VMware DaaS setup is used.
2. An APM VDI desktop resource is accessed from the native client or desktop.

Impact:
USB device is not available.

Workaround:
None.


1251157-1 : Ping Access filter can accumulate connections increasing the memory use

Links to More Info: BT1251157

Component: Access Policy Manager

Symptoms:
The maximum HTTP header count for Ping Access is 128. The connection to the backend is aborted if there are more than 128 headers.

Conditions:
- Ping access is configured.
- The HTTP header count is more than 128.

Impact:
The connection is aborted by the BIG-IP and users are unable to access the backend.

Workaround:
None


1251105-1 : DoS Overview (non-HTTP) - A null pointer was passed into a function

Links to More Info: BT1251105

Component: Advanced Firewall Manager

Symptoms:
In all BIG-IP 15.1 builds, when the protected object filter is selected on the Security > DoS Overview page, the following error is displayed:

Error : DoS Overview (non-HTTP) - A null pointer was passed into a function

Schema changes in BIG-IP version 15.1.8 added context_name and context_type to the mcp_network_attack_data_stat_t structure used to report DoS attack stats.

The MCP code that fills in these fields when responding to the stats request was not included, so an attempt to get the stats results in the detection of a NULL pointer.

Conditions:
Configure a protection profile.
Create a protected object by attaching the protection profile.
Select protected object filter in DoS Overview (non-HTTP) page.

Impact:
This issue partially prevents use of the GUI.

Workaround:
None


1251033-1 : HA is not established between Active and Standby devices when the vwire configuration is added

Links to More Info: BT1251033

Component: Local Traffic Manager

Symptoms:
Active and Standby show as disconnected because HA packets are not exchanged, so HA fails to establish.

Conditions:
Occurs only when vwire configuration is added to the tenant.

Impact:
-- HA fails to establish; Active and Standby show as disconnected.
-- Config sync between Active and Standby is not established.

Workaround:
Set the HA exchange packets or failover packets mode to the default mode.


1251013-1 : Allow non-RFC compliant URI characters

Links to More Info: BT1251013

Component: Service Provider

Symptoms:
The MRF parser fails if the URIs are not formatted as per the RFC.
It is required that the parser not validate against the RFC for proper URI formatting, required message headers, and use of defined method names.

Conditions:
- SIP URIs are not formatted as per RFC.

Impact:
The MRF parser allows URI formats that do not comply with the RFC.

Workaround:
None


1250209-1 : The message "ERR: in Graphql disallowed response, pcre is null" appears in BD logs

Links to More Info: BT1250209

Component: Application Security Manager

Symptoms:
The following message can appear in BD logs during response enforcement:

"ERR: in Graphql disallowed response, pcre is null"

Conditions:
Two different GraphQL profiles are assigned to two different URLs; one of the profiles has "Block Error Responses" enabled and the other does not.

Impact:
Error message in BD logs.

Workaround:
None


1250085-4 : BPDU is not processed with STP passthrough mode enabled in BIG-IP

Links to More Info: BT1250085

Component: Local Traffic Manager

Symptoms:
- Interfaces are connected under a VLAN.
- Bridge Protocol Data Units (BPDUs) are not transmitted through a BIG-IP that is in passthrough mode.
- A tcpdump capture shows the STP destination MAC (01:80:c2:00:00:00) in IN packets but the corresponding OUT packets are missing.
- No packet drop is seen for the PVST (01:00:0C:CC:CC:CD) and VTP (01:00:0C:CC:CC:CC) destination MACs.
  tshark -nnr <capture.pcap>

Conditions:
- Platforms C117, C115, C112, and C113

Impact:
BPDU packets will not pass through to other devices if the BIG-IP is in the middle of the topology with passthrough mode enabled.

Workaround:
None


1250077-6 : TMM memory leak

Links to More Info: BT1250077

Component: Global Traffic Manager (DNS)

Symptoms:
TMM leaks memory for Domain Name System Security Extensions (DNSSEC) requests.

Conditions:
The DNSSEC signing process is unable to keep pace with the incoming DNSSEC requests.

Impact:
TMM memory utilization increases over time and TMM could crash due to an Out of Memory (OOM) condition.

Workaround:
None


1249929-2 : Diameter MRF sends CER to pool-member even after peer sent DPR and force-offline the pool member

Links to More Info: BT1249929

Component: Service Provider

Symptoms:
If Disconnect Peer Action is configured to force-offline and the server peer sends a Disconnect Peer Request (DPR), MRF force-offlines the pool member as expected. However, MRF continues to send CER towards the pool member, which means MRF is trying to connect to the forced-offline peer, and it also sends DPR towards the pool member.

Conditions:
In diameter session profile, Disconnect Peer Action is configured to force-offline.

Impact:
Unnecessary CER and DPR messages are sent towards the down pool member.

Workaround:
Set auto-initialization to disabled in the Diameter peer, if that is compatible with your requirements.


1245209-1 : Introspection query violation is reported regardless the flag status

Links to More Info: BT1245209

Component: Application Security Manager

Symptoms:
The "GraphQL Introspection Query" violation is reported even though introspection queries are allowed.

Conditions:
In the GraphQL profile, both "Allow Introspection Queries" and "Maximum Query Cost" are enabled.

Impact:
The "GraphQL Introspection Query" violation is reported while the "Allow Introspection Queries" flag is enabled.

Workaround:
None


1240937-4 : The FastL4 TOS specify setting towards server may not function for IPv6 traffic

Links to More Info: BT1240937

Component: Local Traffic Manager

Symptoms:
The ip-tos-to-server setting in a FastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a serverside flow. There are three special values: mimic, pass-through, and specify.

The "specify" setting causes TMM to set the egress TOS to the specific value configured in the GUI for that connflow.

The IPv6 serverside egress TOS is not set to the expected "specify" value. No issue is observed with IPv4 connflows.

Conditions:
- FastL4 profile with ip-tos-to-client set to "specify" with a value.
- The connflow is IPv6.

Impact:
The IPv6 serverside egress TOS is not set to the expected value.

Workaround:
None


1239901-3 : LTM crashes while running SIP traffic

Links to More Info: BT1239901

Component: Service Provider

Symptoms:
LTM crashes are observed while running SIP traffic.

Conditions:
A crash may occur while processing HTTP traffic that involves a persist record and the use of pick_host. For example:
set dest_host [MR::message pick_host peer

Impact:
TMM is inoperative while reloading after the crash.

Workaround:
Avoid use of the following pick_host form, particularly with carp:

MR::message pick_host peer <peer-object-name> [carp <carp-key>]


1239297 : TMM URL web scraping limit not synced to secondary slot 2 in VIPRION chassis

Links to More Info: BT1239297

Component: Application Security Manager

Symptoms:
Web scraping requests pass even when the threshold is reached in a High Availability (HA) configuration. Some packets are blocked while others are passed.

Conditions:
Configure web scraping microservices in high availability (HA) mode on some F5 hardware. Send web scraping requests and check whether they are blocked.

Impact:
Web scraping requests can pass even when the requests threshold is reached.

Workaround:
None


1238897-1 : TMM TCL interpreter's non-TMM "compat" memcasechr broken in 64-bit build

Links to More Info: BT1238897

Component: Local Traffic Manager

Symptoms:
TMM's base TCL interpreter (tmm_tcl) is used both in TMM and in non-TMM environments such as APMD. TMM has its own implementation of memcasechr, which is preferred to the "compat" implementation in the TCL interpreter itself, because TMM statically links tmm_tcl while non-TMM usage is dynamically linked.

Conditions:
The following VPE rule does not work (option -nocase):

expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}

Impact:
memcasechr is broken in the 64-bit build.

The following VPE rule does not work (option -nocase):

expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}

Workaround:
Change the VPE rule to the following:

expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}


1238629-2 : TMM core when client send nxdomain query with BA enabled

Links to More Info: BT1238629

Component: Advanced Firewall Manager

Symptoms:
NXDOMAIN queries cause a TMM crash when the validating-resolver or resolver cache type is enabled.

Conditions:
TMM cores when a client sends an NXDOMAIN query with BA and DNS cache enabled.

Impact:
The NXDOMAIN vector does not work when BA/BD is enabled.

Workaround:
None


1238529-3 : TMM might crash when modifying a virtual server in low memory conditions

Links to More Info: BT1238529

Component: Local Traffic Manager

Symptoms:
Messages similar to the following are seen in the LTM log:
Feb 1 14:17:09 BIG-IP err tmm[1139]: 01010008:3: Listener config update failed for /Common/virtual: ERR:ERR_MEM

TMM restarts and writes a core file.

Conditions:
- Low memory available in TMM.
- A virtual server modification is made.

Impact:
Traffic is interrupted while TMM writes a core file and restarts.

Workaround:
None


1238413-4 : The BIG-IP might fail to update ARL entry for a host in a VLAN-group

Links to More Info: BT1238413

Component: Local Traffic Manager

Symptoms:
ARP requests through a transparent or translucent VLAN-group might fail.

The command "tmsh show net arp" displays the VLAN as the VLAN-group rather than a child VLAN. This symptom might be intermittent.

Conditions:
- A transparent or translucent VLAN-group is configured.

- ARP requests passing through the VLAN-group.

- Long gaps (approximately 9 hours) in layer 2 traffic seen by the BIG-IP from the target of the ARP request.

Impact:
ARP resolution failure.

Workaround:
Create a monitor on the BIG-IP to monitor the target of the ARP resolution. This will ensure that layer 2 traffic is seen by the BIG-IP from that host, keeping the ARL entries current.


1238249-5 : PEM Report Usage Flow log is inaccurate

Links to More Info: BT1238249

Component: Policy Enforcement Manager

Symptoms:
The PEM Report Usage Flow log values for Flow-duration-seconds and Flow-duration-milli-seconds are sometimes reported incorrectly.

Conditions:
- HSL logging is configured.

Impact:
The flow duration statistics report longer than the actual duration; this can result in incorrect data and can affect policy behaviour.

Workaround:
None


1235337-2 : The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL

Links to More Info: BT1235337

Component: Application Security Manager

Symptoms:
The 'JSON profile' with 'JSON schema validation' is not created for OpenAPI parameters with 'body' location that have 'schema' definitions when the 'schema' type is 'array' (if the type is 'object', the 'JSON profile' is created properly).

Conditions:
OpenAPI parameter with 'body' location having schema type 'array'.

Impact:
Some OpenAPI parameters will not include JSON content profile validation.

Workaround:
JSON content profile with JSON schema validation can be created manually after creating a security policy from the OpenAPI file.


1232977-4 : TMM leaking memory in OAuth scope identifiers when parsing scope lists

Links to More Info: BT1232977

Component: Access Policy Manager

Symptoms:
oauth_parse_scope fails to increment the index when storing discrete scope identifiers into the output array. As a result, all scope identifiers are stored in element 0 and all but the last element parsed are leaked.

Conditions:
OAuth functionality is in use; scope comparisons happen when a scope is provided in the request.

Impact:
Failure of High Availability (HA) due to memory issues in TMM over time.

Workaround:
None


1232629-1 : Support to download Linux ARM64 VPN Client in BIG-IP

Links to More Info: BT1232629

Component: Access Policy Manager

Symptoms:
Unable to download the Linux ARM64 VPN Client from a BIG-IP system.

Conditions:
Downloading and installing the Linux ARM64 VPN client.

Impact:
No support to download Linux ARM64 VPN Client in BIG-IP.

Workaround:
None


1231137-1 : During signature update, Bot signature from one user partition affecting the Bot profile created in another Partition

Links to More Info: BT1231137

Component: Application Security Manager

Symptoms:
Signature update is not allowed.

Conditions:
- In Security > Bot Defense > Bot Defense Profiles, when the field Signature Staging upon Update is set to Enabled.

Impact:
None

Workaround:
Set the field Signature Staging upon Update to Disabled.


1229813-4 : The ref schema handling fails with oneOf/anyOf

Links to More Info: BT1229813

Component: Application Security Manager

Symptoms:
JSON schema validation fails to handle a ref schema that is referenced from multiple places under oneOf/anyOf.

Conditions:
A ref schema is referenced multiple times from a oneOf or anyOf section.

Impact:
JSON schema validation fails and request gets blocked.

Workaround:
Change schema structure so that the single ref schema is not referenced from multiple places under oneOf/anyOf.


1229369-4 : The fastl4 TOS mimic setting towards client may not function

Links to More Info: BT1229369

Component: Local Traffic Manager

Symptoms:
The ip-tos-to-client setting in a fastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a clientside flow. There are two special values - 'mimic' and 'pass-through'.

The mimic setting causes tmm to set the egress TOS to the value seen on the last ingress packet for that connflow.

In affected versions of BIG-IP, this is not set correctly, and it behaves like pass-through (uses the TOS value seen arriving on the serverside flow).

Conditions:
FastL4 profile with ip-tos-to-client set to "mimic" (shown as the value 65534 in tmsh).

Impact:
The clientside egress TOS is not set to the expected value.

Workaround:
Use an iRule to set IP::tos to the desired value. Note that processing every packet with an iRule will incur a performance penalty.


1229325-1 : Unable to configure IP OSPF retransmit-interval as intended

Links to More Info: BT1229325

Component: TMOS

Symptoms:
The CLI configuration of OSPF retransmit-interval results in error when retransmit-interval value is less than 5 seconds.

Conditions:
- Configure IP OSPF retransmit-interval.

Impact:
The CLI returns an error even when the IP OSPF retransmit-interval value is within range.

Workaround:
None


1226121-5 : TMM crashes when using PEM logging enabled on session

Links to More Info: BT1226121

Component: Policy Enforcement Manager

Symptoms:
TMM may crash when using PEM logging.

Conditions:
When a session has PEM logging enabled on it:
pem global-settings subscriber-activity-log

Impact:
TMM crashes and restarts, losing all prior connections.

Workaround:
Disabling PEM logging on sessions will avoid the issue.


1225789-1 : The iHealth API is transitioning from SSODB to OKTA

Links to More Info: BT1225789

Component: TMOS

Symptoms:
iHealth is switching from SSODB to OKTA for authentication. ihealth-api.f5.com and api.f5.com are replaced by ihealth2-api.f5.com and identity.account.f5.com.

Conditions:
- Authentication

Impact:
Qkview files are not uploaded to iHealth automatically.

Workaround:
Qkview files must be uploaded manually to iHealth.


1225677-4 : Challenge Failure Reason is not functioning in ASM remote logging

Links to More Info: BT1225677

Component: Application Security Manager

Symptoms:
Challenge Failure Reason is not functioning in ASM remote logging.

Conditions:
Using ASM remote logging.

Impact:
Lack of logging information in ASM remote logger.

Workaround:
None


1225061-1 : The zxfrd segfault with numerous zone transfers

Links to More Info: BT1225061

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd occasionally enters a restart loop and cores.

Conditions:
Numerous DNS Express zones are doing zone transfers at the same time.

Impact:
zxfrd restart loops or cores.

Workaround:
Do not add a large number of DNS Express zones at the same time, and reduce the total number of DNS Express zones.


1224409-1 : Unable to set session variables of length >4080 using the -secure flag

Links to More Info: BT1224409

Component: Access Policy Manager

Symptoms:
Secure session variables are limited to 4k length in the access filter; variables of length >4080 cannot be set using "ACCESS::session data set -secure". On attempt, an "Operation not supported" error is raised in LTM.

Conditions:
The limit imposed on the maximum URI in CL1416175 in 2015 restricts setting secure session variables greater than 4K in size.

Impact:
Customers require setting variables more than 6K in length, but due to internal limits imposed on the session variables they are unable to capture them in the session.

Workaround:
None


1224377-1 : Policy Sync fails for a policy when default-all Address Space assigned to Network Access resource

Links to More Info: BT1224377

Component: Access Policy Manager

Symptoms:
The following error is observed during policy sync:
01b70105:3: System built-in APM resource address-space (/Common/default-all) cannot be modified.

Conditions:
Network Access resource has "default-all" address-space.

Impact:
Policy Sync failure.

Workaround:
Remove the 'default-all' address space from the network access configuration, sync the policy, then add it back on the source and destination devices.


1218813-6 : "Timeout waiting for TMM to release running semaphore" after running platform_diag

Links to More Info: BT1218813

Component: Access Policy Manager

Symptoms:
platform_diag might not complete properly, leaving TMM in an inoperative state. A 'bigstart restart' is required to recover.

Conditions:
Running the platform_diag tool on a platform licensed with URL filtering.

Impact:
Unable to run the platform_diag tool. TMM remains inoperative.

Workaround:
Open /etc/bigstart/scripts/urldb and modify the dependency list to the following:


# wait for processes we are dependent on
depend ${service} mcpd running 1 ${start_cnt}
require ${service} urldbmgrd running 1 ${start_cnt}
require ${service} tmm running 1 ${start_cnt}

Then restart urldb:

> bigstart restart urldb


1217549-4 : Missed ASM Sync on startup

Links to More Info: BT1217549

Component: Application Security Manager

Symptoms:
In some deployment environments, if a device is configured to be part of a device-group before ASM startup has finished initializing, it may miss the initial sync from its peer and not re-request it until another event happens in the system.

Conditions:
Devices are in an auto-sync ASM-enabled device-group, and a new device is brought into the device-group while its device settings are initializing.

Impact:
The devices are out of sync until another action occurs and the sync is requested again.

Workaround:
Restarting ASM on the affected device or causing another sync event will resolve the issue.


1217473-1 : All the UDP traffic is sent to a single TMM

Links to More Info: BT1217473

Component: TMOS

Symptoms:
The BIG-IP dataplane's VMXNET3 driver implementation is missing the Receive Side Scaling (RSS) support for the User Datagram Protocol (UDP) that is available as part of VMXNET3 version 4.

Conditions:
BIG-IP VE instance is running on a VMWare host and handling UDP traffic.

Impact:
Traffic is not distributed evenly across all TMMs; instead, all UDP traffic is sent to a single TMM.

Workaround:
None


1217365-2 : OIDC: larger id_token encoded incorrectly by APM

Links to More Info: BT1217365

Component: Access Policy Manager

Symptoms:
APM WebSSO decrypts the id_token incorrectly when the OIDC id_token is larger than ~5mb. The generated token can be larger when the user belongs to many groups.

Conditions:
1) Configure BIG-IP as OAuth client and Resource Server, with Azure AD as the Authorization Server.
2) Configure Azure AD such that it sends a large token.
3) Access policy: start -> OAuth client -> scope -> allow.
4) Create an OAuth bearer SSO in "passthrough" mode that sends the token on a 4xx response.
5) Attach the SSO to the access policy.
6) Attach the access policy to the virtual server.

Impact:
Access to applications fails due to incorrect processing of the access token.

Workaround:
None


1217297 : Removal of guestagentd service from the list of services running inside a tenant.

Links to More Info: BT1217297

Component: TMOS

Symptoms:
Guestagentd services run inside a tenant deployed on a VELOS or rSeries platform.

Conditions:
Install a tenant on a VELOS or rSeries platform.

Impact:
No impact

Workaround:
NA


1217077-1 : Race condition processing network failover heartbeats with timeout of 1 second

Links to More Info: BT1217077

Component: TMOS

Symptoms:
Unexpected failover or log messages similar to the following:
sod[1234]: 010c0083:4: No failover status messages received for 1.100 seconds, from device bigip02(192.0.0.1) (unicast: -> 192.0.0.2)

Conditions:
- HA configuration with network failover configured.
- DB variable 'failover.nettimeoutsec' set to a value of 1 second.

Impact:
A failover event could impact traffic flow.

Workaround:
Following recommended practices of configuring network failover addresses using both the Management IP and Self IP addresses will reduce the chances of initiating a failover. Log messages may still be observed.

Setting the DB variable 'failover.nettimeoutsec' to a value of 2 or greater should avoid the issue.


1216297-3 : TMM core occurs when disabling ASM in the request_send event

Component: Application Security Manager

Symptoms:
When an iRule that disables ASM on the request_send event is added, a TMM core occurs.

Conditions:
ASM is provisioned and a policy is attached.
An iRule that disables ASM and HTTP on the HTTP_REQUEST_SEND event is added.

Impact:
TMM cores; the system is down.

Workaround:
Remove the iRule, or disable ASM for all events of the URL.


1215613-3 : ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address

Links to More Info: BT1215613

Component: TMOS

Symptoms:
In /var/log/ltm, the following error log is available:

0107146f:3: Self-device config sync address cannot reference the non-existent Self IP (10.155.119.13); Create it in the /Common folder first.

Conditions:
- In a High Availability (HA) system, ConfigSync-IP is set to the IPv6 management address.
[root@00327474-bigip1:Standby:Disconnected] config # tmsh list cm device | grep -iE 'cm device|configsync-ip'
cm device 00327474-bigip1.lucas {
    configsync-ip 10.155.119.12
cm device 00327474-bigip2.lucas {
    configsync-ip 2001:dead:beef::13 <<-------


- Modifying the ConfigSync-IP to IPv4.

tmsh modify cm device 00327474-bigip2.lucas configsync-ip 10.155.119.13

Impact:
The device is not able to configure an IPv4 ConfigSync-IP once an IPv6 address is configured.

Workaround:
None


1215401-2 : Under Shared Objects, some country names are not available to select in the Address List

Links to More Info: BT1215401

Component: Advanced Firewall Manager

Symptoms:
Users can create a shared object list to define countries to block traffic from. On searching a name, a list is shown from which the user can choose an entry and add it to the address list.

There is a limit of only 8 entries in the drop-down menu to choose from.

Some countries are not shown in this list due to the ordering of entries returned from the database.

Conditions:
DoS is enabled.

Impact:
As some countries are not available to select, they cannot be included in the Address List to block traffic.

Workaround:
Instead of the country (which is not available to select), all the regions within the country can be added to the block list. This is cumbersome and error-prone, because the list of regions configurable in BIG-IP must be known.


1215161-4 : A new CLI option introduced to display rule-number for policy, rules and rule-lists

Links to More Info: BT1215161

Component: Advanced Firewall Manager

Symptoms:
If a large number of rules and rule-lists are configured, it takes more than 10 minutes to display the output with rule-numbers, for example:
tmsh - "list security firewall rule-list"
icrd - "restcurl -u admin /tm/security/firewall/rule-list"

AFM service discovery of the BIG-IP fails in BIG-IQ when upgraded to a newer version.

Conditions:
- AFM license is enabled
- Large number of rules and rule-lists are configured

Impact:
AFM service discovery from BIG-IQ fails on upgrade.

Workaround:
-


1213469-5 : MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP is dropped

Links to More Info: BT1213469

Component: Service Provider

Symptoms:
The BIG-IP does not translate the IP in the SDP or Via headers to the listener IP for an outbound call, which causes it to drop the 200 OK response.

Conditions:
In SIP ALG, the INVITE request contains an FQDN Route header.

Impact:
Media pinholes are not created for the INVITE.

Workaround:
In the SIP_REQUEST event, the specific Route header can be removed and then inserted again in the SIP_REQUEST_SEND event before the request is sent out. For example:

when SIP_REQUEST {
    set pd_route_hdr_count [SIP::header count Route]
    set pd_route_unset 0
    set pd_route [SIP::header Route]

    # Strip the FQDN Route header from the INVITE so the ALG translates the SDP
    if { [SIP::method] == "INVITE" && ($pd_route_hdr_count equals 1) && $pd_route contains "sip:someclient.site.net;lr" } {
        SIP::header remove "Route"
        set pd_route_unset 1
    }
}

when SIP_REQUEST_SEND {
    # Re-insert the saved Route header before the request leaves the BIG-IP;
    # guard on the variable so the event does not error if it was never set
    if { [info exists pd_route_unset] && [SIP::method] == "INVITE" && ($pd_route_unset == 1) } {
        SIP::header insert "Route" $pd_route
    }
}


1212081-5 : The zxfrd segfault and restart loop due to incorrect packet processing

Links to More Info: BT1212081

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd is in a restart loop and cores.

Conditions:
During the no transfer of zone, zxfrd cores when performing packet processing.

Impact:
DNS express does not work properly.

Workaround:
None


1211985-6 : BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring

Links to More Info: BT1211985

Component: In-tmm monitors

Symptoms:
When configured with a high number of In-TMM monitors and a high portion are configured as either Reverse monitors or as monitors using the Receive Disable field, the BIG-IP may not mark Nodes and Pool Members DOWN immediately once the configured timeout lapses for non-responsive targets.

Conditions:
This may occur when both:
- In-TMM monitoring is enabled through sys db bigd.tmm.
- A portion of the monitors are configured as Reverse monitors or use the Receive Disable field.

Impact:
Non-Responsive Nodes or Pool Members may not be marked DOWN.

Workaround:
You can work around this issue by disabling In-TMM monitoring, at the expense of decreased monitoring performance (higher CPU usage by the bigd daemon).


1211905-3 : Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts"

Links to More Info: BT1211905

Component: Application Security Manager

Symptoms:
Unable to import the XML format policy.

Conditions:
An XML policy contains violation_rating_counts elements.

Impact:
Unable to import XML policy.

Workaround:
1) Remove the elements from an exported policy file.

sed -i '/<violation_rating_counts\/>/d' *xml

2) Import the policy again.


1211617-2 : High CPU utilisation observed during startup when forced BIG-IP system set offline

Links to More Info: BT1211617

Component: TMOS

Symptoms:
When the BIG-IP is restarted, TMM0 consumes extremely high CPU.

Conditions:
Occurs when the BIG-IP is restarted after being set to offline (sys failover offline) with the configuration saved.

Impact:
The box is slow to respond. The impact is minor because the box is in the offline state.

Workaround:
None


1211297-1 : Handling DoS profiles created dynamically using iRule and L7Policy

Links to More Info: BT1211297

Component: Anomaly Detection Services

Symptoms:
Persistent connections with HTTP requests that may switch according to a dynamic change of DoS policy (using an iRule or L7 Policy) can cause a TMM crash.

Conditions:
A request arrives at the BIG-IP and is waiting to be served (it is delayed using an iRule). If the DoS profile is unbound from the virtual server during that time and a dynamic DoS profile change decision is made, the request could be incorrectly associated with a context that has already been freed.

Impact:
In a few scenarios, when the DoS policy is changed during the connection lifetime, TMM might crash.

Workaround:
None


1211189-4 : Stale connections observed and handshake failures observed with errors

Links to More Info: BT1211189

Component: Local Traffic Manager

Symptoms:
SSL handshake fails.
Invalid or expired certificates are being used in the handshake.

Conditions:
- The certificates on the BIG-IP are expired and are being renewed remotely.
- The clientssl or serverssl profiles are dynamically attached to a virtual server through an iRule.

Impact:
SSL handshake fails.
Virtual servers (SSL profiles) use old or expired certificates.

Workaround:
Restart the TMM or BIG-IP to resolve the issue temporarily (until next expiry time of the certificates).


1211089-4 : Traffic to IPv6 all nodes address not received by TMM on VE with ixlv driver

Links to More Info: BT1211089

Component: TMOS

Symptoms:
Traffic sent to the IPv6 all nodes multicast address is not seen by TMM.

Conditions:
A virtual environment utilizing TMM's ixlv driver.
Traffic is sent to the IPv6 all nodes multicast address.

Impact:
TMM fails to receive and process traffic to the IPv6 all nodes multicast address.

Workaround:
None


1210569-1 : User defined signature rule disappears when using high ASCII in rule

Links to More Info: BT1210569

Component: Application Security Manager

Symptoms:
WebUI display is empty.

Conditions:
The configured rule contains a high-ASCII character (value greater than 127).

Impact:
Unable to see the rule in the webUI.

Workaround:
Use the following steps:

1. Navigate to Security > Options > Application Security > Attack Signatures.

2. Create a new signature in Advanced Edit Mode. After saving, confirm the stored value with the browser developer tools.

3. Add it to the signature set (and confirm that the signature is actually detected).

4. Remove the old signatures from the signature set.


1210469-1 : TMM can crash when processing AXFR query for DNSX zone

Links to More Info: BT1210469

Component: Local Traffic Manager

Symptoms:
TMM crashes with SIGABRT, and multiple "Clock advanced by" log messages are seen.

Conditions:
A client sends an AXFR query to a virtual server or wide IP listener that has DNSX enabled in its DNS profile and has a large number of DNSX zones with a large number of resource records.

Impact:
TMM cores and runs slowly, logging "Clock advanced by" messages.

Workaround:
Disable zone transfer for the DNS profile associated with the virtual server.


1210321-2 : Parameters are not created for properties defined in multipart request body when URL include path parameter

Links to More Info: BT1210321

Component: Application Security Manager

Symptoms:
Security policy parameters are not created for OpenAPI schema properties in the multipart request body section.

Conditions:
A request body is defined for a URL that includes a path parameter.

Impact:
Some parameters defined in the OpenAPI file are not created in the security policy.

Workaround:
Create the missing parameters manually through the GUI, REST, or TMSH.


1210053-3 : The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error

Links to More Info: BT1210053

Component: Application Security Manager

Symptoms:
When the Leaked Credential check returns a server error, the internal parameter cred_stuffing_fail_open controls whether the Leaked Credentials violation is raised (by default the violation is not raised). Changing the internal parameter value does not trigger the violation.

Conditions:
- ASM is provisioned.
- WAF Policy is attached to virtual server with Credential Stuffing enabled.
- Internal Parameter cred_stuffing_fail_open is set to 0.
- A server error (or timeout) occurred during leaked credential check.

Impact:
Leaked Credential violation is not raised.

Workaround:
None


1209945-2 : Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs

Links to More Info: BT1209945

Component: Local Traffic Manager

Symptoms:
In a case where traffic is not properly egressing a BIG-IP tenant running on rSeries or VELOS platforms, if any TMM log file contains any line with the text "notice SEP: Tx completion failed", that tenant VM may need to be manually restarted. The BIG-IP is unable to detect the traffic degradation automatically and recover or fail-over; the user must manually intervene to restart the tenant.

Conditions:
This is specific to rSeries and VELOS platforms, and does not affect other BIG-IP platforms or virtual editions.

Egress traffic from the affected tenant may appear to be degraded or non-functional. There may be a high number of transmit packet drops.

Check the tenant TMM log files for any line containing the text "notice SEP: Tx completion failed" (which may include additional trailing text). The log files of concern reside in the tenant at paths:
/var/log/tmm*

Impact:
Egress traffic may be severely degraded until the tenant with the offending log messages is manually restarted.

Workaround:
Restart the tenant VM by moving the tenant from deployed -> provisioned -> deployed in the partition or system ConfD command line interface.

Alternatively, issue the "reboot" command from the tenant bash shell.


1209709-5 : Memory leak in icrd_child when license is applied through BIG-IQ

Links to More Info: BT1209709

Component: TMOS

Symptoms:
The memory use for icrd_child may slowly increase, eventually leading to an OOM condition.

Conditions:
License applied through BIG-IQ.

Impact:
Higher than normal control-plane memory usage, and a possible OOM-related crash.

Workaround:
Periodically kill the icrd_child processes. restjavad restarts them automatically.


1209589-5 : BFD multihop does not work with ECMP routes

Links to More Info: BT1209589

Component: TMOS

Symptoms:
BFD multihop does not work with ECMP routes. TMMs are unable to agree on session ownership and drop the session after 30 seconds.

Conditions:
On a multi-TMM system, a BFD multihop peer is configured that is reachable over an ECMP route.

Impact:
BFD multihop does not work with ECMP routes, and the BFD session is dropped every 30 seconds.

Workaround:
None


1208949-4 : TMM cored with SIGSEGV at 'vpn_idle_timer_callback'

Links to More Info: BT1208949

Component: Access Policy Manager

Symptoms:
TMM cores.

Conditions:
Network Access is in use.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None


1207821-1 : APM internal virtual server leaks memory under certain conditions

Links to More Info: BT1207821

Component: Access Policy Manager

Symptoms:
Memory leaks are observed while passing traffic in the internal virtual server used for APM.

The client or backend is slow to respond to packets from the BIG-IP system, and congestion observed on the network prompts the BIG-IP system to throttle egress.

Conditions:
- Traffic processing in the internal virtual server used for APM.

Impact:
TMM memory grows over time, eventually leading to TMM running out of memory and restarting. Traffic is disrupted when TMM restarts.

Workaround:
None


1207793-2 : Bracket expression in JSON schema pattern does not work with non basic latin characters

Links to More Info: BT1207793

Component: Application Security Manager

Symptoms:
JSON schema pattern matching fails to match strings against a specific form of pattern expression.

Conditions:
When all the following conditions are satisfied:

- a non-basic latin character is in bracket expression []
- the bracket expression is led by ^ or followed by $
- there is at least one character just before or after bracket expression

The following are examples of patterns that have the issue:
- /^[€]1/
- /1[€]$/

In a real scenario the bracket expression would contain multiple characters.

The following are examples of patterns that do not have the issue:
- /^[€]/
- /[€]1/
- /^€1/

Impact:
The JSON content profile fails to match a legitimate JSON token against the JSON schema, resulting in a false positive.

Workaround:
None
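To find JSON schema patterns that have the affected shape before the policy produces a false positive, here is an added Python check (example code written for this note, not ASM's matcher or any F5 tool). It applies the three conditions listed above to every bracket expression in a pattern, walks a schema document for affected "pattern" keywords, and uses Python's re module only as a reference for what a correct matcher returns. The sample pattern list and schema are constructed, and the bracket-scanning rules (no nested classes, a backslash escapes the next character) are this example's own assumptions.

```python
import re

# Constructed pattern set for the walkthrough: the affected and unaffected
# patterns quoted in the bug entry, without the / / delimiters.
SAMPLE_PATTERNS = ["^[€]1", "1[€]$", "^[€]", "[€]1", "^€1"]


def affected_bracket_expressions(pattern):
    """Return the bracket expressions in `pattern` that meet all three conditions
    from the bug entry: (1) a non-basic-Latin character (code point >= 0x80)
    inside [...], (2) the expression is led by ^ or followed by $, and (3) at
    least one other character sits directly before or after it.

    Assumption (not ASM's own matcher): brackets do not nest, and a backslash
    escapes the next character both inside and outside the brackets."""
    hits = []
    i, n = 0, len(pattern)
    while i < n:
        if pattern[i] == "\\":
            i += 2                        # skip an escaped character
            continue
        if pattern[i] != "[":
            i += 1
            continue
        start = i
        j = i + 1
        if j < n and pattern[j] == "^":   # negated class
            j += 1
        if j < n and pattern[j] == "]":   # a ']' first in the class is literal
            j += 1
        while j < n and pattern[j] != "]":
            if pattern[j] == "\\":
                j += 1
            j += 1
        if j >= n:
            break                         # unterminated class: leave it alone
        end = j
        body = pattern[start + 1:end]
        before = pattern[start - 1] if start > 0 else ""
        after = pattern[end + 1] if end + 1 < n else ""
        has_non_basic_latin = any(ord(c) >= 0x80 for c in body)
        anchored = before == "^" or after == "$"
        adjacent_literal = before not in ("", "^") or after not in ("", "$")
        if has_non_basic_latin and anchored and adjacent_literal:
            hits.append(pattern[start:end + 1])
        i = end + 1
    return hits


def is_affected(pattern):
    """True when the pattern has the shape the bug entry describes."""
    return bool(affected_bracket_expressions(pattern))


def reference_match(pattern, text):
    """What a correct unanchored-search matcher returns; Python's re is the
    reference here, it is not the ASM engine."""
    return re.search(pattern, text) is not None


def scan_schema(schema):
    """Walk a JSON schema (as a dict) and report every 'pattern' keyword with
    the affected shape, with a JSON-pointer-like path to it."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            pat = node.get("pattern")
            if isinstance(pat, str) and is_affected(pat):
                findings.append((path + "/pattern", pat))
            for key, child in node.items():
                walk(child, path + "/" + key)
        elif isinstance(node, list):
            for idx, child in enumerate(node):
                walk(child, path + "/" + str(idx))

    walk(schema, "")
    return findings


if __name__ == "__main__":
    for p in SAMPLE_PATTERNS:
        print(f"/{p}/ affected={is_affected(p)} matches '€1'={reference_match(p, '€1')}")
```

Because is_affected only inspects the pattern's shape, run reference_match against your own sample tokens after any rewrite of a flagged pattern to confirm the intended matching is unchanged.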


1207381 : PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored

Links to More Info: BT1207381

Component: Policy Enforcement Manager

Symptoms:
In the following example, a PEM policy rule flow filter matches traffic from any source address and any port to any destination address and port 81 (the port number is an example):

Source Address    Source Port     VLAN     Destination Address      Destination Port
0.0.0.0/0         0               ANY      0.0.0.0/0                81

When the rule is updated through the GUI or CLI to match traffic from any source address and any port, to any destination address and any port:

Source Address    Source Port     VLAN     Destination Address      Destination Port
0.0.0.0/0         0               ANY      0.0.0.0/0                0

The updated rule is correctly saved into the configuration as shown by the GUI and the CLI, but the new flow filter does not filter the traffic as expected.

The actual flow filter being applied is still the one from the previous version of the policy rule (destination port 81 in the example).

Conditions:
An existing PEM policy rule flow filter that is updated through GUI or CLI selecting Source Port '0' ('any') and/or destination port '0' ('any').

Impact:
The updated flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule.

Workaround:
- Restart TMM to make the updated flow filter effective.

or

- Remove the flow filter altogether instead of replacing it with a filter like '0.0.0.0/0:0 --> 0.0.0.0/0:0' .
The intended result is the same: the rule will catch all traffic.

or

- Create an additional rule with port number 0 and place it at a higher precedence (under the same policy).
    - For example, if the rule with precedence 10 allows flows for port 80, do not modify that rule;
    - instead, create a new rule with precedence 9 that allows flows for port "0", and then delete the old rule.


1205501-4 : The iRule command SSL::profile can select server SSL profile with outdated configuration

Links to More Info: BT1205501

Component: Local Traffic Manager

Symptoms:
Under some circumstances, an iRule-selected server SSL profile can send a previously configured certificate to the peer.

Conditions:
The iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made to the profile.

Impact:
The TLS handshake may use an outdated certificate that does not match the current configuration, potentially leading to handshake failures.

Workaround:
Terminate all traffic running on the virtual servers that are using the iRule command for the update to take effect.

or

Do not make changes to a profile that is actively being used by the iRule command.


1205045-6 : WMI monitor does not put pool members into an offline/unchecked state when BIG-IP receives HTTP responses other than 200

Links to More Info: BT1205045

Component: Local Traffic Manager

Symptoms:
With no credentials, WMI monitor status still displays "UP".

Conditions:
With no credentials or with stale/expired credentials, the WMI monitor status displays "UP".

Impact:
The user is misinformed about the status of the WMI monitor.

Workaround:
None


1205029-1 : WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application

Links to More Info: BT1205029

Component: Access Policy Manager

Symptoms:
In some WEBSSO cases, the same token is sent to different sessions on the backend.

Conditions:
WEBSSO is configured with an OAuth Bearer token and the Cache option enabled; cached tokens from a different per-session context flow to the backend application.

Impact:
JWTs (sent via the WEBSSO / OAuth Bearer profile) are forwarded downstream for requests that belong to a different user. The problem appears to be related to requests sharing the same client IP address, which is a serious problem when clients themselves use NAT to mask different users or sessions behind the same IP address.


1199025-3 : DNS vectors auto-threshold events are not seen in webUI

Links to More Info: BT1199025

Component: Advanced Firewall Manager

Symptoms:
No option to see DNS auto-threshold event logs from webUI.

Conditions:
- DNS profile configured with fully automatic mode.

Impact:
DNS auto-threshold event logs are not visible from webUI.

Workaround:
None


1196537-5 : BD process crashes when you use SMTP security profile

Links to More Info: BT1196537

Component: Application Security Manager

Symptoms:
The BD process may crash when an SMTP security profile is attached to a virtual server, and the SMTP request is sent to the same virtual server.

Conditions:
- SMTP security profile is attached to VS
- SMTP request is sent to VS

Impact:
Intermittent BD crash

Workaround:
N/A


1196477-8 : Request timeout in restnoded

Links to More Info: BT1196477

Component: Device Management

Symptoms:
The following exception can be observed in the restnoded log:

Request timeout., stack=Error: [RestOperationNetworkHandler] request timeout.
At ClientRequest. <anonymous> (/usr/share/rest/node/src/infrastructure/restOperationNetworkHandler.js:195:19)

Conditions:
When BIG-IP is loaded with a heavy configuration.

Impact:
SSL Orchestrator deployment will not be successful.

Workaround:
1. Remount /usr read-write: mount -o remount,rw /usr
2. In the getDefaultTimeout : function() at /usr/share/rest/node/src/infrastructure/restHelper.js, replace 60000 with the required timeout.
3. bigstart restart restnoded
4. Remount /usr with its default options: mount -o remount /usr


1196185-1 : Policy Version History is not presented correctly with scrolling

Links to More Info: BT1196185

Component: Application Security Manager

Symptoms:
When a longer version history is available, the modal window becomes scrollable and is distorted.

Conditions:
- Apply Policy multiple times.
- Open Policy Version History in General Settings -> Version -> Date Link.

Impact:
Policy history modal window gets distorted.

Workaround:
None


1196053-4 : The autodosd log file is not truncating when it rotates

Links to More Info: BT1196053

Component: Advanced Firewall Manager

Symptoms:
The autodosd log file size increases continuously even though log rotation occurs every hour.

Conditions:
- DoS profiles (at the device or virtual server level) are configured in fully automatic mode; the autodosd daemon calculates the thresholds periodically and writes the relevant logs to the log file.

Impact:
Logs are not truncated as expected. The autodosd log file size continues to increase even though it is rotated every hour.

Workaround:
Restarting autodosd daemon will truncate the log file content to zero.


1195385-1 : OAuth Scope Internal Validation fails upon multiple providers with same type

Links to More Info: BT1195385

Component: Access Policy Manager

Symptoms:
Claim validation in OAuth Scope fails when two Azure providers with different tenant IDs are in the JWT provider list and the non-expected provider comes before the expected one. Once the failure is logged, the OAuth flow is redirected to the deny page.

Conditions:
When the list of providers is sent to TMM for signature validation, the invalid provider is returned in the response, indicating that it passed signature validation for the access_token acquired in the previous steps.

Azure, as the authorization server, may use the same key ID (kid) for different tenants, so in such cases even the invalid provider passes signature validation.

Claim validation follows signature validation, so when TMM returns the invalid provider, claim validation fails in APMD.

Impact:
The policy rule displays the deny page.

Workaround:
None


1194173-5 : BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value

Links to More Info: BT1194173

Component: Application Security Manager

Symptoms:
Attack signature check is not run on normalised parameter value.

Conditions:
- A parameter with location configured as a cookie is present in the parameters list.
- The request contains the explicit parameter with a URL-encoded base64 padding value.

Impact:
- Attack signature not detected.

Workaround:
None
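As an added illustration of the normalization step the entry says is skipped, the following Python code (written for this note, not ASM's inspection engine) decodes a cookie parameter value before signature matching: URL-decode first so that %3D becomes the base64 padding "=", then, if the result parses as base64 into printable text, decode that layer too, and run the signature set over every layer. The signature set, the monitored parameter name and the cookie header are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Constructed signature set: one regex standing in for an attack signature.
# The name "sql-union-select" is made up for this example.
SIGNATURES = {"sql-union-select": re.compile(r"union\s+select", re.IGNORECASE)}

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def encode_for_cookie(text):
    """Constructed sample value: base64 the text, then URL-encode it so the
    padding '=' arrives as %3D, the shape the bug entry describes."""
    return quote(base64.b64encode(text.encode()).decode(), safe="")


def normalize_cookie_value(raw):
    """Return the decoding layers of a cookie parameter value, least decoded
    first: the raw value, the URL-decoded value (if different) and, when that
    is well-formed base64 decoding to printable text, the decoded text."""
    layers = [raw]
    decoded = unquote(raw)
    if decoded != raw:
        layers.append(decoded)
    if B64_RE.fullmatch(decoded) and len(decoded) % 4 == 0:
        try:
            plain = base64.b64decode(decoded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            plain = None
        if plain is not None and plain.isprintable():
            layers.append(plain)
    return layers


def match_signatures(raw):
    """Run every signature over every normalization layer; each hit is
    (signature name, the layer it matched in)."""
    hits = set()
    for layer in normalize_cookie_value(raw):
        for name, rx in SIGNATURES.items():
            if rx.search(layer):
                hits.add((name, layer))
    return sorted(hits)


def check_cookie_params(cookie_header, monitored_params):
    """Scan only the cookies the policy lists as parameters with location=cookie.
    Returns {parameter name: [hits]} for the monitored parameters present."""
    findings = {}
    for pair in cookie_header.split(";"):
        if "=" not in pair:
            continue
        name, value = pair.strip().split("=", 1)
        if name in monitored_params:
            findings[name] = match_signatures(value)
    return findings


if __name__ == "__main__":
    sample = encode_for_cookie("1 union select")   # constructed, ends in %3D
    print(check_cookie_params(f"sid=abc123; q={sample}", {"q"}))
```

The base64 layer is only attempted when the URL-decoded value is well-formed base64 of a multiple-of-four length and decodes to printable text, which keeps ordinary opaque session identifiers from being mis-decoded into noise that a signature could then match by accident.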


1191137-5 : WebUI crashes when the localized form data fails to match the expectations

Links to More Info: BT1191137

Component: TMOS

Symptoms:
On a Chinese-localized BIG-IP system, when the multicast rate limit field is enabled and updated, the webUI crashes.

Conditions:
On the Chinese BIG-IP:
- Navigate to the System Tab > Configuration.
- In Configuration, select Local Traffic > General.
- In Multicast Section, enable Maximum Multicast Rate Checkbox and click on Update.

Impact:
The webUI crashes on the Chinese-localized BIG-IP system.

Workaround:
None


1190765-1 : VelOS | Zone Base DDOS | Aggregation, BD | Seeing Entries in sPVA Registers are not getting reset once the attack is completed

Links to More Info: BT1190765

Component: Advanced Firewall Manager

Symptoms:
On the VELOS platform, the idle timeout for hardware entries is 5 minutes (the hardware eviction timeout). Deleting the virtual server or zone configuration should initiate eviction immediately (software eviction), but this eviction does not happen as expected, and the entry remains in sPVA for some time.

Conditions:
This issue occurs when zone-based DDoS is configured with Aggregation or BD on the VELOS platform.

Impact:
The sPVA entries remain for 5 minutes (the idle eviction timeout) even after the corresponding zone configuration is deleted.

Workaround:
Not available


1190365-1 : OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly

Links to More Info: BT1190365

Component: Application Security Manager

Symptoms:
The method used by ASM enforcer to serialize an OpenAPI object configured with "style:form", "explode:true", and "type:object" is not functioning as expected.

Conditions:
Parameter names occur repeatedly in the query string, and the OpenAPI file configures the parameter with "type:object/explode:true/style:form".

Impact:
The violation "JSON data does not comply with JSON schema" is raised due to the repeated parameters from the query string with "array" configuration.

Workaround:
None
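For reference, this added Python example (written for this note, not the ASM enforcer's code) implements style=form serialization and deserialization as the OpenAPI 3 specification defines it, for both type:object and type:array with explode true and false. It shows where the repeated-name case comes from: with type:object/explode:true the property names, not the parameter name, are the query keys, and a repeated key is legitimate only when that property's own schema is an array. COLOR_SCHEMA is constructed for the walkthrough.

```python
from urllib.parse import parse_qsl, urlencode


def serialize_form(name, value, explode):
    """Serialize one parameter with style=form per OpenAPI 3 and return
    (key, value) pairs for urlencode().

    object + explode=true   -> R=100&G=200&B=150   (the parameter name vanishes)
    object + explode=false  -> color=R,100,G,200,B,150
    array  + explode=true   -> id=3&id=4&id=5
    array  + explode=false  -> id=3,4,5
    """
    if isinstance(value, dict):
        if explode:
            return [(k, str(v)) for k, v in value.items()]
        return [(name, ",".join(f"{k},{v}" for k, v in value.items()))]
    if isinstance(value, (list, tuple)):
        if explode:
            return [(name, str(v)) for v in value]
        return [(name, ",".join(str(v) for v in value))]
    return [(name, str(value))]


def deserialize_form(query, name, schema, explode):
    """Inverse of serialize_form for one parameter. `schema` is the parameter's
    schema as a dict with "type" and, for objects, "properties".

    With object/explode=true a key may repeat only when that property's own
    schema is an array; a repeat on a scalar property is a request error, not
    an implicit array."""
    pairs = parse_qsl(query, keep_blank_values=True)
    stype = schema.get("type")
    if stype == "object":
        if explode:
            props = schema.get("properties", {})
            out = {}
            for key, val in pairs:
                if key not in props:
                    continue            # belongs to some other parameter
                if props[key].get("type") == "array":
                    out.setdefault(key, []).append(val)
                elif key in out:
                    raise ValueError(f"property {key!r} repeated but its schema is not an array")
                else:
                    out[key] = val
            return out
        vals = [v for k, v in pairs if k == name]
        if len(vals) != 1:
            raise ValueError(f"expected exactly one {name!r} parameter, got {len(vals)}")
        items = vals[0].split(",")
        if len(items) % 2:
            raise ValueError("object with explode=false needs an even key,value list")
        return dict(zip(items[0::2], items[1::2]))
    vals = [v for k, v in pairs if k == name]
    if stype == "array":
        if explode:
            return vals
        return vals[0].split(",") if vals else []
    if len(vals) != 1:
        raise ValueError(f"expected exactly one {name!r} parameter, got {len(vals)}")
    return vals[0]


# Constructed parameter schema for the walkthrough (not from a real OpenAPI file).
COLOR_SCHEMA = {"type": "object", "properties": {
    "R": {"type": "integer"}, "G": {"type": "integer"}, "B": {"type": "integer"},
    "tags": {"type": "array", "items": {"type": "string"}}}}

if __name__ == "__main__":
    qs = urlencode(serialize_form("color", {"R": 100, "G": 200, "B": 150}, True))
    print(qs, "->", deserialize_form(qs, "color", COLOR_SCHEMA, True))
```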


1190353-4 : The wr_urldbd BrightCloud database downloading from a proxy server is not working

Links to More Info: BT1190353

Component: Policy Enforcement Manager

Symptoms:
Downloading BrightCloud database is not working with the proxy.

Conditions:
BrightCloud database download through Proxy management.

Impact:
URL categorization is disrupted because the database is not downloaded.

Workaround:
None


1190025-3 : The OAuth process crash

Links to More Info: BT1190025

Component: Access Policy Manager

Symptoms:
The OAuth process crashes, and you may observe the following log message in /var/log/messages:

Nov 4 06:24:56 <hostname> notice logger[16306]: Started writing core file: /var/core/oauth.bld0.175.14.core.gz for PID 20854

Conditions:
Unknown

Impact:
OAuth stopped working.


1189949-4 : The TMSH sys core is not displaying help and tab complete behavior

Links to More Info: BT1189949

Component: TMOS

Symptoms:
The help and tab complete options are not displayed when TMSH sys core commands are executed.

Conditions:
For example, execute following commands:

tmsh sys core modify tmm-manage ?

tmsh sys core modify tmm-manage TABC

Impact:
The help and tab complete options are not displayed.

Workaround:
None


1189865-5 : "Cookie not RFC-compliant" violation missing the "Description" in the event logs

Links to More Info: BT1189865

Component: Application Security Manager

Symptoms:
When a request is blocked due to the "Cookie not RFC-compliant" violation, the description field in the request log details is shown as "N/A" instead of the description (for example "Invalid equal sign preceding cookie name" or "Invalid space in cookie name").

Conditions:
A request is blocked due to the "Cookie not RFC-compliant" violation, and you are looking at the request log details.

Impact:
The description is empty, so the reason the request was blocked cannot be determined from the log.
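As an added example of how such a description is derived, here is a Python checker (written for this note, not ASM's cookie parser) that validates a Cookie header against the RFC 6265 grammar and returns a description per offending cookie-pair. The two descriptions quoted in the entry are reused verbatim; the remaining wording and the ordering of the checks are this example's own, and the sample headers are constructed.

```python
import re

# cookie-name is an RFC 2616 token; cookie-value is made of RFC 6265
# cookie-octets (no CTL, space, DQUOTE, comma, semicolon or backslash),
# optionally wrapped in a pair of DQUOTEs.
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
COOKIE_OCTET_RE = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")


def check_cookie_pair(pair):
    """Return a description for one cookie-pair, or None when it complies."""
    if pair == "":
        return "Empty cookie pair"
    if pair[0] == "=":
        return "Invalid equal sign preceding cookie name"   # wording from the entry
    if "=" not in pair:
        return "Missing equal sign in cookie pair"
    name, value = pair.split("=", 1)
    if " " in name or "\t" in name:
        return "Invalid space in cookie name"               # wording from the entry
    if not TOKEN_RE.fullmatch(name):
        return "Invalid character in cookie name"
    quoted = len(value) >= 2 and value[0] == value[-1] == '"'
    inner = value[1:-1] if quoted else value
    if not COOKIE_OCTET_RE.fullmatch(inner):
        return "Invalid character in cookie value"
    return None


def check_cookie_header(header):
    """Split a Cookie header on ';' (tolerating the RFC's "; " separator) and
    return [(description, pair)] for every non-compliant cookie-pair."""
    findings = []
    for raw in header.split(";"):
        pair = raw.strip(" ")
        desc = check_cookie_pair(pair)
        if desc:
            findings.append((desc, pair))
    return findings


# Constructed sample headers: one compliant, the rest each break one rule.
SAMPLE_HEADERS = [
    "sid=abc123; theme=dark",
    "=abc123",
    "se ssion=abc",
    "sid=a b",
    "sid=abc; theme",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(repr(h), "->", check_cookie_header(h) or "compliant")
```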


1189513-6 : SIP media flow pinholes are not created if SDP MIME multipart body part miss the content-length header

Links to More Info: BT1189513

Component: Service Provider

Symptoms:
SIP MRF fails to extract the SDP data and does not create media flow pinholes when the SDP Multipurpose Internet Mail Extensions (MIME) multipart body parts are generated without a Content-Length header.

Conditions:
An INVITE message contains a MIME multipart payload whose body parts lack a Content-Length header.

Impact:
Media flow pinholes are not created.

Workaround:
None


1188817 : BIG-IP tenant on F5OS was not allowed to modify VLAN tag value

Links to More Info: BT1188817

Component: TMOS

Symptoms:
When attempting to change the VLAN tag through TMSH on a tenant on the F5OS platform, the change will be declined with the message: "Modifying VLAN and attributes within a guest system is not supported on the deployed host system."

Conditions:
When attempting to change the VLAN tag through TMSH on a tenant on the F5OS platform.

Impact:
The attempt is declined.

Workaround:
Change the VLAN tag from the F5OS UI.


1186925-6 : When FUA in CCA-i, PEM does not send CCR-u for other rating-groups

Links to More Info: BT1186925

Component: Policy Enforcement Manager

Symptoms:
When a Final Unit Action (FUA) is received in a CCA-i, traffic for that rating group is immediately blocked.
However, PEM no longer sends a CCR-u for the other rating groups, so traffic for all other rating groups passes through.
If the FUA arrives in a CCA-u, everything works as expected.

Conditions:
An FUA is received in a CCA-i.

Impact:
PEM receives FUA redirect first and ignores further requests.

Workaround:
Use iRule to remove FUA in CCA-i.


1186649-1 : TMM keep crashing after vCMP Guest Upgrade to BIG-IP v16.1.3.2

Links to More Info: BT1186649

Component: TMOS

Symptoms:
TMM process keeps crashing after vCMP Guest Upgrade to BIG-IP v16.1.3.2.

Conditions:
Hosts running BIG-IP versions lower than 14.1.0, Guests running BIG-IP versions greater than 16.0.x.

Impact:
BIG-IP vCMP Guest will be down.

Workaround:
Downgrade to previous version, or upgrade the vCMP hypervisor to a higher version.


1186401-4 : Using REST API to change policy signature settings changes all the signatures.

Links to More Info: BT1186401

Component: Application Security Manager

Symptoms:
When you use iControl REST to modify the signatures associated with a policy, the modifications are applied to all the signatures.

Conditions:
-- Create a policy named 'test'

-- Associate a signature set like "SQL Injection Signatures" to the policy
  For example, remove the "Generic Detection Signatures (High/Medium Accuracy)" set

-- Look at the low-risk signatures associated with the policy
 Command:
     curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' | jq . | head


-- Turn off staging for these signatures:
  Commands:
      curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": false }' -X PATCH | jq . | head
      curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": true }' -X PATCH | jq . | head

-- The "totalItems" shows that 187 signatures were changed

Impact:
The user was unable to leverage the REST API to make the desired changes to the ASM signature policy.

Workaround:
Add 'inPolicy eq true' to the filter
  Command :
      curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low+and+inPolicy+eq+true' -d '{ "performStaging": false }' -X PATCH | jq . | head
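The curl commands above apply the PATCH to whatever the $filter selects, so a scoping mistake changes every matching signature. This added Python example (written for this note; it is not F5 code, and the iControl REST behaviour it relies on is only what the entry shows) builds the URL with the inPolicy eq true clause from the workaround, then GETs the collection and refuses to PATCH when totalItems is larger than the number of signatures you intended to touch. The policy id is the one from the entry; the host, credentials and the max_items cap are placeholders, and the get/patch callables are injected so the guard can be exercised offline.

```python
import base64
import json
import ssl
from urllib.request import Request, urlopen

# Policy id copied from the bug entry; host and credentials are placeholders.
POLICY_ID = "MrLpFzRHNarvj_zuAOD0fw"


def signature_filter(risk, in_policy_only=True):
    """Build the OData $filter in the same '+'-for-space form the entry uses."""
    parts = [f"signature/risk+eq+{risk}"]
    if in_policy_only:
        parts.append("inPolicy+eq+true")    # the clause from the workaround
    return "+and+".join(parts)


def signatures_url(host, policy_id, risk, in_policy_only=True):
    """Collection URL for the policy's signatures with the scoped filter."""
    return (f"https://{host}/mgmt/tm/asm/policies/{policy_id}/signatures"
            f"?$expand=signatureReference&$filter={signature_filter(risk, in_policy_only)}")


def guarded_patch(get, patch, url, body, max_items):
    """GET the collection first and refuse to PATCH when totalItems exceeds the
    number of signatures you expect to touch. `get(url)` and `patch(url, body)`
    are injected callables that return the parsed JSON response."""
    listing = get(url)
    total = int(listing.get("totalItems", 0))
    if total > max_items:
        raise RuntimeError(
            f"refusing to PATCH {total} signatures (cap {max_items}); "
            f"check that the $filter is scoped with inPolicy eq true")
    return patch(url, body)


def make_client(user, password, verify_tls=True):
    """Minimal urllib-based iControl REST client with HTTP basic auth.
    verify_tls=False reproduces the entry's `curl -k`; keep it True in practice."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}

    def call(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = Request(url, data=data, headers=headers, method=method)
        with urlopen(req, context=ctx) as resp:
            return json.load(resp)

    return (lambda url: call("GET", url)), (lambda url, body: call("PATCH", url, body))


if __name__ == "__main__":
    get, patch = make_client("admin", "PLACEHOLDER_PASSWORD")
    url = signatures_url("localhost", POLICY_ID, "low")
    print(guarded_patch(get, patch, url, {"performStaging": False}, max_items=50))
```

The cap is deliberately a separate argument: set it from the count the GET in the entry's "Look at the low-risk signatures" step returned, so a filter that silently widens (as the unscoped one does, to 187 items) is caught before anything is written.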


1185257-6 : BGP confederations do not support 4-byte ASNs

Links to More Info: BT1185257

Component: TMOS

Symptoms:
The BGP confederations do not support 4-byte AS numbers. Only 2-byte ASNs are supported.

Conditions:
Using BGP confederations.

Impact:
Unable to configure 4-byte AS number under BGP confederation.

Workaround:
None


1184841-6 : Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API

Component: Application Security Manager

Symptoms:
Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API.

Conditions:
- ASM-Sync enabled
- Auto-Sync enabled
- Updating URL through REST API

Impact:
Configuration will be de-synced.

Workaround:
Use TMUI to update configuration.


1183901 : VLAN name greater than 31 characters results in invalid F5OS tenant configuration

Component: TMOS

Symptoms:
VLAN name 32 characters or longer results in invalid BIG-IP tenant configuration, and mcpd errors.

01070712:3: Internal error, object is not in a folder: type: vlan id: /Common/this_is_a_very_long_vlan_name_32

On F5OS-C tenants, mcpd, devmgmtd and lind restart in a loop.

Conditions:
VLAN with a name that is 32 characters or longer is assigned to a BIG-IP tenant.

Impact:
-- Invalid configuration
-- mcpd errors
-- Blank VLAN name in webUI of tenant

Workaround:
Use shorter VLAN names, with a maximum of 31 characters.


1182729-4 : Java connection establishes from BIG-IP to BIG-IQ Management

Links to More Info: BT1182729

Component: TMOS

Symptoms:
A TCP connection establishes from BIG-IP to BIG-IQ.

Conditions:
When the stats are refreshed, the BIG-IP system also fetches stats from BIG-IQ; to do so, a Java connection is established from BIG-IP to BIG-IQ.

This applies when BIG-IQ is discovered on the BIG-IP system. If the BIG-IP system is not discovered in BIG-IQ, the issue does not occur.

Impact:
An extra Java connection is listed under netstat.

Workaround:
After updating the property "rest.common.device.automatic.refresh.enabled" to "true" in /etc/rest.BIG-IP.properties, the connection is no longer established from BIG-IP to BIG-IQ.

Note: This workaround is not applicable to SSL Orchestrator; there is no workaround for SSL Orchestrator.


1182353-6 : DNS cache consumes more memory because of the accumulated mesh_states

Links to More Info: BT1182353

Component: Global Traffic Manager (DNS)

Symptoms:
DNS cache consumes more memory and the mesh_states are accumulated quickly.

Conditions:
Mixed queries with rd flag set and cd flag set/unset.

Impact:
TMM runs out of memory.


1181757-7 : BGPD assert when sending an update due to cq_wbuf mishandling

Links to More Info: BT1181757

Component: TMOS

Symptoms:
BGPD might trip an assert when sending an update due to buffer space mishandling.

Conditions:
No straightforward way to reproduce it. It requires a specific update layout to get triggered.

At a minimum you need 2 BGP peers (the more the better) sending at least 800 prefixes each (need to fill around 4096 bytes when sending a withdrawn update - 5 bytes/prefix + headers).
Also, send at least 800 prefixes towards these peers. Adding as-path prepending and/or communities when sending these routes towards remote peers will greatly increase the chances of hitting the problem.

Impact:
BGPD may rarely crash or core.

Workaround:
None


1180365-3 : APM Integration with Citrix Cloud Connector

Component: Access Policy Manager

Symptoms:
* Citrix Cloud Connector is configured instead of Citrix Delivery Controller to publish apps and desktops from the cloud configured using DaaS.
* Apps and desktops are not published.

Conditions:
* When Citrix Cloud Connector is used to publish apps instead of Citrix Delivery Controller, the cloud connector sends an empty response once the user clicks on the app or desktop.
* Hence the user cannot publish any apps or desktops.

Impact:
Users will not be able to publish any Apps/Desktops in webtop which are published through Citrix Cloud Connector.


1174085-7 : spmdb_session_hash_entry_delete releases the hash's reference

Links to More Info: BT1174085

Component: Policy Enforcement Manager

Symptoms:
Multiple references access and try to modify the same entry.

Conditions:
Failover from active to standby occurs while the connection is stalled.

Impact:
Illegal access of the memory.

Workaround:
NA


1173493-2 : Bot signature staging timestamp corrupted after modifying the profile

Component: Application Security Manager

Symptoms:
Bot signature timestamp is not accurate.

Conditions:
Have a bot signature "A" in staging, record the timestamp.
Using webUI, set another bot signature "B" to be in staging and click Save.
The time stamp on "A" is updated and shows the year 1970 in webUI.

Impact:
Cannot verify since when the signature has been in staging.

Workaround:
Use TMSH, instead of webUI, to update the profile.


1169105-2 : Provide download links on BIG-IP for Linux ARM64 VPN Client

Links to More Info: BT1169105

Component: Access Policy Manager

Symptoms:
No download links are available in the welcome page in BIG-IP for Linux ARM64 VPN Client.

Conditions:
- Login to BIG-IP.

Impact:
None

Workaround:
None


1167985-3 : Network Access resource settings validation errors

Links to More Info: BT1167985

Component: Access Policy Manager

Symptoms:
When trying to add "0.0.0.0/1" under the IPv4 LAN Address Space in a Network Access resource, the UI throws the following error:
"Invalid IP or Hostname"

When trying to add a DNS Exclude Address Space entry starting with an underscore (such as "_ldap._tcp.dc._msdcs.test.lan"), the UI throws the following error:
01b7005b:3: APM Network Access (/Common/test) DNS name (_ldap._tcp.dc._msdcs.test.lan) is not a valid domain name

Conditions:
Use a Network Access resource in split tunneling mode.
Add "0.0.0.0/1" under the IPv4 LAN Address Space.
Add a DNS Exclude Address Space entry starting with an underscore.

Impact:
Administrators could not correctly configure some network access resource settings.


1167969-2 : In DoS Profile level, the Flood attack Vectors with TCP and UDP, Hardware offloading is not working as expected

Links to More Info: BT1167969

Component: Advanced Firewall Manager

Symptoms:
On multi-blade platforms that support a high number of TMM threads, larger per-HSB rate limit values are received, which prevents the hardware from triggering offload even though the attack traffic matches the configured rate limits.

Conditions:
This occurs only on platforms that support a high number of TMMs (more than 20).

Impact:
Hardware offload for the Flood attack vectors will not trigger as expected.

Workaround:
None


1167609-4 : The messages msg->ref > 0 are seen in TMM logs with websockets/ASM plugin

Links to More Info: BT1167609

Component: Local Traffic Manager

Symptoms:
With web security enabled and ASM policies attached to a virtual server, in an unknown scenario, msg->ref > 0 messages appear in the TMM logs.

Conditions:
-- ASM is provisioned
-- ASM policy attached to virtual server
-- Web security configured

Impact:
The /var/log/tmm files may be flooded with the messages.

Workaround:
None


1162221-6 : Probing decision will skip local GTM upon reboot if net interface is not brought up soon enough

Links to More Info: BT1162221

Component: Global Traffic Manager (DNS)

Symptoms:
Resources will be marked timed out.

Conditions:
iQuery connection between local gtmd and big3d is not established before probing decision is made.

Impact:
Resources are marked DOWN unexpectedly.

Workaround:
Modify max-synchronous-monitor-requests to a new value which will trigger probing decision re-evaluation.


1161241-7 : BIND default behavior changed from 9.11 to 9.16

Links to More Info: BT1161241

Component: Global Traffic Manager (DNS)

Symptoms:
The default behavior of the BIND minimal-responses and dnssec-validation options changed in BIND 9.16, which affects existing test cases and expected behavior.

Conditions:
Upgrade BIND package from version 9.11.36 to 9.16.27.

Impact:
Behavior change for minimal-responses and dnssec-validation.

Workaround:
None


1160805-4 : The scp-checkfp fail to cat scp.whitelist for remote admin

Links to More Info: BT1160805

Component: TMOS

Symptoms:
Attempting to SCP a file to /shared/images on the BIG-IP system succeeds for the root user but fails for a remote admin user. Example of the failure:
sinkhole3:~$ scp test.iso apiuser@10.201.69.106:/shared/images
Password:
cat: /co: No such file or directory
cat: fig/ssh/scp.whitelist: No such file or directory
"/shared/images/test.iso": path not allowed

Conditions:
-- Running BIG-IP version with fix for ID 1097193.
-- Create remote admin user.
-- Use SCP command to transfer a file to remote admin user path.

Impact:
SCP command is not working for the remote admin users.

Workaround:
None


1156889-5 : TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions

Links to More Info: BT1156889

Component: Application Security Manager

Symptoms:
When using a bot-defense profile with browser verification and performing redirect actions, TMM leaks memory.

Conditions:
- A bot-defense profile with "Verify After Access" or "Verify Before Access" browser verification is configured.
- Either a browser visits a non-qualified URL during the grace period (5 minutes after a config change), or "Validate Upon Request" is configured under "Cross Domain Requests" with domains A and B configured as "Related Site Domains".
- A browser navigates from Domain A to Domain B.

Impact:
Degraded performance, potential eventual out-of-memory.

Workaround:
None


1156753 : Valid qname DNS query handled as malformed packets in hardware (qnames starting with underscore)

Component: Advanced Firewall Manager

Symptoms:
'DNS malformed' DoS vector drops valid DNS queries for qnames that begin with an underscore character.

Conditions:
DoS is being offloaded in hardware.

Impact:
Legitimate DNS queries are dropped by the DoS engine.

Workaround:
-- Disable hardware DoS acceleration for all vectors (dos.forceswdos).

or:

-- Disable this specific DoS vector.

-- In some cases, if the request is sent from a known valid IP, you can also add this IP address to a whitelist; however, this will bypass all DoS vectors for this IP address.
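
The vector above rejects a structurally valid query because its first label begins with an underscore, which is legal in a DNS name (underscore labels are standard for SRV, DKIM and similar records) even though it is not legal in an LDH hostname. The following Python is an added example, not F5 code and not a description of how the AFM vector is implemented: it parses a constructed DNS query from wire format and keeps the structural "malformed" check (label length, name length, termination, truncation) separate from the hostname-syntax check, so an underscore qname is classified as valid-but-not-a-hostname rather than malformed. All function names and the sample packets are this example's own.

```python
import struct

# --- Wire-format helpers (RFC 1035 question section) ---

def encode_qname(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels terminated by a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, qid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: header (RD=1, QDCOUNT=1) + one question (IN class)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def parse_qname(pkt: bytes, offset: int):
    """Parse a QNAME starting at offset; raise ValueError on any structural defect."""
    labels = []
    total = 0
    while True:
        if offset >= len(pkt):
            raise ValueError("truncated qname")
        ln = pkt[offset]
        offset += 1
        if ln == 0:
            break
        if ln > 63:
            # 0xC0 prefix would be a compression pointer; not valid in a question name here
            raise ValueError("label longer than 63 octets")
        if offset + ln > len(pkt):
            raise ValueError("label runs past end of packet")
        labels.append(pkt[offset:offset + ln])
        offset += ln
        total += ln + 1
        if total > 254:
            raise ValueError("name longer than 255 octets")
    return labels, offset


def wire_format_valid(pkt: bytes) -> bool:
    """Structural check only: this is what 'malformed' should mean."""
    try:
        if len(pkt) < 12:
            raise ValueError("short header")
        qdcount = struct.unpack("!H", pkt[4:6])[0]
        if qdcount != 1:
            raise ValueError("unexpected QDCOUNT")
        _, off = parse_qname(pkt, 12)
        if off + 4 > len(pkt):
            raise ValueError("truncated QTYPE/QCLASS")
        return True
    except ValueError:
        return False


# --- Hostname syntax (RFC 952/1123 letter-digit-hyphen), a stricter, separate rule ---

LDH = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")


def is_ldh_hostname(labels) -> bool:
    for raw in labels:
        s = raw.decode("ascii", "replace")
        if not s or s[0] == "-" or s[-1] == "-" or any(c not in LDH for c in s):
            return False
    return True


def classify(pkt: bytes) -> str:
    """'malformed' only for wire-format defects; underscore names stay valid."""
    if not wire_format_valid(pkt):
        return "malformed"
    labels, _ = parse_qname(pkt, 12)
    return "valid-hostname" if is_ldh_hostname(labels) else "valid-non-hostname"


# Constructed samples: an SRV query with underscore labels, and a packet with a 70-octet label
SRV_QUERY = build_query("_sip._tcp.example.com", 33)
OVERSIZE_LABEL_QUERY = (struct.pack("!HHHHHH", 1, 0x0100, 1, 0, 0, 0)
                        + bytes([70]) + b"a" * 70 + b"\x00" + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    for label, pkt in [("srv", SRV_QUERY), ("oversize", OVERSIZE_LABEL_QUERY)]:
        print(label, classify(pkt))
```

The point of the split is that a DoS vector named "malformed" should be keyed to wire-format defects (oversize labels, missing terminator, truncated question), not to hostname syntax; a drop rule that conflates the two produces exactly the false positive this entry describes.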


1156149-5 : Early responses on standby may cause TMM to crash

Links to More Info: BT1156149

Component: Service Provider

Symptoms:
TMM cores when an early response interacts with the retransmit mechanism; this has also happened during a failover event.

Conditions:
The response to a request message reaches the standby unit before the request itself.

Impact:
A failover occurs while TMM restarts.

Workaround:
None


1155861-3 : 'Unlicensed objects' error message appears despite there being no unlicensed configuration

Links to More Info: BT1155861

Component: TMOS

Symptoms:
The following error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.

Conditions:
- The primary blade is disabled manually using the following tmsh command:

modify sys cluster default members { 1 { disabled } }

Impact:
The license fails to load on the disabled slot from the primary slot.

Workaround:
Execute the following command on the disabled slot:
 
bigstart restart mcpd

Note: This causes the system to go offline and disrupts traffic while services restart.

or

Execute the command "reloadlic", which reloads the license into the current MCPD object.


1154685 : Error logged "01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object..." during startup

Links to More Info: BT1154685

Component: TMOS

Symptoms:
Database error (13) is logged in /var/log/ltm during startup:

err mcpd[]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:private_mac_addr_freelist status:13 - EdbCfgObj.cpp, line 127.

Conditions:
-- BIG-IP 15.1.8 or a later 15.1.x version

Impact:
This is a cosmetic error, observed only once during startup.

Workaround:
None


1154465-2 : Error attaching some QAT devices to TMM

Links to More Info: BT1154465

Component: Local Traffic Manager

Symptoms:
Crypto and compression yield low throughput on systems with more than 32 vCPUs.

Conditions:
A variable is not thread-safe, so its value is not correct.

Impact:
Reduced throughput.

Workaround:
None


1154381-6 : The tmrouted might crash when management route subnet is received over a dynamic routing protocol

Links to More Info: BT1154381

Component: TMOS

Symptoms:
The tmrouted might crash when management route subnet is received over a dynamic routing protocol.

Conditions:
- Management route subnet is received over a dynamic routing protocol.
- Multi-bladed VIPRION.
- Blade failover or IP address change occurs.

Impact:
Dynamic routes are lost during tmrouted restart.

Workaround:
Do not advertise a management subnet over a dynamic routing protocol towards the BIG-IP. Use a route-map to suppress the incoming update.


1148181-1 : SSL TLS1.3 connection terminates with "empty persist key" error when SSL persistence is enabled and session tickets are disabled

Links to More Info: BT1148181

Component: Local Traffic Manager

Symptoms:
SSL TLS1.3 handshake fails.

Conditions:
- TLS1.3 is enabled in the clientssl profile.
- Session tickets are disabled in the clientssl profile.
- Persistence is enabled on the virtual server.

Impact:
TLS1.3 SSL handshakes will fail.

Workaround:
Either disable persistence on the virtual server or enable session-ticket in the clientssl profile.


1148009-8 : Cannot sync an ASM logging profile on a local-only VIP

Links to More Info: BT1148009

Component: Application Security Manager

Symptoms:
If an ASM profile, such as a logging profile, is applied to a virtual server that is local-only, the state changes to "Changes Pending" but configuration sync breaks.

Conditions:
- ASM is provisioned.
- A high availability (HA) pair is configured.
- An ASM profile, such as a logging profile, is applied to a virtual server that is local-only.

Impact:
The state changes to "Changes Pending" but configuration sync breaks.

Workaround:
None


1147621-3 : AD Query "Do not change password" does not take effect when an RSA Auth agent is used

Links to More Info: BT1147621

Component: Access Policy Manager

Symptoms:
When RSA Auth is used together with AD Query, the Negotiate logon page checkbox "Do not change password" does not work as expected.

Even though "Do not change password" is checked, AD Query receives the F5_challenge POST parameter containing the OTP content from the earlier RSA Auth agent, and the PSO criteria are not met.

So when the user clicks "Logon", the page states 'The domain password change operation failed. Your new password must be more complex to meet domain password complexity requirements' and prompts for the "New password" and "Verify password" fields again.

Conditions:
RSA Auth with OTP is used together with an AD Query agent and the Negotiate logon page.

Impact:
User experience: even though "Do not change password" is checked, the user is prompted as if they had entered the logon credentials.

Workaround:
If you click "Logon" again on the Negotiate page, the policy proceeds to the webtop (next agent) with the previous (last) logon credentials.


1146377-6 : FastHTTP profiles do not insert HTTP headers triggered by iRules

Links to More Info: BT1146377

Component: Local Traffic Manager

Symptoms:
Virtual servers configured with the FastHTTP profile will not insert HTTP headers even when triggered by iRules.

Conditions:
A virtual server configured with FastHTTP, and an iRule that would insert an HTTP header.

Impact:
The expected headers will not be inserted on packets sent to servers.

Workaround:
None


1145989-3 : ID token sub-session variables are not populated

Links to More Info: BT1145989

Component: Access Policy Manager

Symptoms:
When a refresh token is used, ID token sub-session variables are not populated.

Conditions:
- APM is configured as an OAuth Client in a per-request policy.
- OIDC is enabled.
- After the access token expires, the refresh token is used to fetch a new token (grant_type=refresh_token).

Impact:
The sub-session variables related to the ID token are not populated when APM per-request policy uses a refresh token to request a new access token and ID token.

Workaround:
None


1144497-5 : Base64 encoded metachars are not detected on HTTP headers

Links to More Info: BT1144497

Component: Application Security Manager

Symptoms:
Base64 encoded illegal metachars are not detected.

Conditions:
No specific condition.

Impact:
False negative: illegal characters are not detected and the request is not blocked.

Workaround:
None
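
The false negative above is that metacharacters hidden inside a Base64-encoded header value are never decoded before inspection. As an added example, not ASM's implementation and not F5 code, the following Python scans request headers both raw and after decoding any standalone Base64 token it finds, so a header carrying an encoded "<script>" payload is flagged. The metacharacter set, the token heuristic and the sample headers are constructed for this illustration.

```python
import base64
import binascii
import re

# Constructed metacharacter set; a real policy would use its own illegal-character list.
ILLEGAL_METACHARS = set("<>'\";")

# Standalone Base64-looking token: alphabet chars (8+), optional padding, not embedded
# in a longer run of alphabet characters.
_B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{8,}={0,2})(?![A-Za-z0-9+/=])")


def find_metachars(value: str):
    """Return the sorted set of illegal metacharacters present in value."""
    return sorted({c for c in value if c in ILLEGAL_METACHARS})


def decode_base64_tokens(value: str):
    """Yield (token, decoded_text) for tokens that strictly decode to printable UTF-8."""
    found = []
    for m in _B64_TOKEN.finditer(value):
        tok = m.group(1)
        if len(tok) % 4:          # not a complete Base64 quantum sequence
            continue
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.isprintable():
            found.append((tok, text))
    return found


def scan_header(name: str, value: str, decode_base64: bool = True):
    """Inspect one header raw and, optionally, after Base64 decoding embedded tokens."""
    findings = []
    for c in find_metachars(value):
        findings.append({"header": name, "where": "raw", "char": c})
    if decode_base64:
        for tok, text in decode_base64_tokens(value):
            for c in find_metachars(text):
                findings.append({"header": name, "where": "base64:" + tok, "char": c})
    return findings


def scan_request_headers(headers, decode_base64: bool = True):
    """Scan a list of (name, value) header pairs; returns all findings."""
    out = []
    for name, value in headers:
        out.extend(scan_header(name, value, decode_base64))
    return out


# Constructed sample request headers: one Base64-wrapped payload, one plain metachar.
SAMPLE_HEADERS = [
    ("Host", "www.example.com"),
    ("X-Custom", base64.b64encode(b"<script>alert(1)</script>").decode()),
    ("X-Plain", "foo;bar"),
]

if __name__ == "__main__":
    print("raw only     :", scan_request_headers(SAMPLE_HEADERS, decode_base64=False))
    print("with decoding:", scan_request_headers(SAMPLE_HEADERS, decode_base64=True))
```

With decoding turned off the scan sees only the plain ';' in X-Plain, which is the false negative this entry describes; with decoding on, the '<' and '>' inside the X-Custom payload are reported as well. Strict decoding (validate=True, complete quanta, printable result) keeps ordinary words such as hostnames from being misread as Base64.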


1144117-5 : "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands

Links to More Info: BT1144117

Component: Local Traffic Manager

Symptoms:
The "More data required" TCL error may occur and the connection may be terminated prematurely when using the 'HTTP::payload' or 'HTTP::payload length' commands.

Conditions:
Using the 'HTTP::payload' or 'HTTP::payload length' TCL commands.

Impact:
Some HTTP transactions might fail.

Workaround:
Do not use the 'HTTP::payload' or 'HTTP::payload length' TCL commands.


1142389-2 : APM UI report displays error "Error Processing log message ..." when the log contains some special character received in client request

Links to More Info: BT1142389

Component: Access Policy Manager

Symptoms:
The following message is displayed in the APM Access Report:
"Error Processing log message. Original log_msg in database"

Conditions:
Checking the APM Access Report while accessing a VPN.

Impact:
Unable to see correct log messages in APM Access Report.

Workaround:
None


1137993-6 : Violation is not triggered on specific configuration

Links to More Info: BT1137993

Component: Application Security Manager

Symptoms:
The HTTP compliance violation is not triggered for unparsable requests in a specific scenario.

Conditions:
A microservice is configured in the security policy.

Impact:
Specific violation is not triggered. A possible false negative.

Workaround:
It is possible to work around this with an iRule that checks the length of the URL and issues a custom violation.


1137217-4 : DNS profile fails to set TC flag for responses containing RRSIG algorithm 13

Links to More Info: BT1137217

Component: Global Traffic Manager (DNS)

Symptoms:
DNS express sends a malformed response when UDP size limit is set to 512.

Conditions:
The UDP size limit is set to exactly 512 and a zone is signed with algorithm 13 (ECDSA Curve P-256 with SHA-256); DNS Express then responds with a malformed packet.

Impact:
Malformed DNS Express responses are received when the UDP size limit is set to exactly 512 and a zone is signed with algorithm 13.

Workaround:
None


1136921-6 : BGP might delay route updates after failover

Links to More Info: BT1136921

Component: TMOS

Symptoms:
BGP might delay route updates after failover.

Conditions:
- BGP is configured on a High Availability (HA) pair of BIG-IP devices.
- BGP is redistributing kernel routes.
- Failover occurs.

Impact:
The new active unit might delay route advertisement by up to 15 seconds.
The new standby unit might delay route withdrawal by up to 15 seconds.

Workaround:
None


1136837-5 : TMM crash in BFD code due to incorrect timer initialization

Links to More Info: BT1136837

Component: TMOS

Symptoms:
TMM crashes in BFD code due to incorrect timer initialization.

Conditions:
- BFD configured
- Multi-bladed system
- One of the blades fails.

Impact:
Crash or core.

Workaround:
None.


1134509-5 : TMM crash in BFD code when peers from ipv4 and ipv6 families are in use.

Links to More Info: BT1134509

Component: TMOS

Symptoms:
TMM crashes in BFD code when peers from ipv4 and ipv6 families are in use.

Conditions:
- BFD configured
- Mixed IPv4 and IPv6 peers.

Impact:
Crash or core

Workaround:
None.


1134057-6 : BGP routes not advertised after graceful restart

Links to More Info: BT1134057

Component: TMOS

Symptoms:
BGP routes are not advertised after a graceful restart.

Conditions:
BGP is configured with graceful restart.

Impact:
BGP routes are not advertised after a graceful restart.

Workaround:
None


1133997-4 : Duplicate user-defined Signature Set based on untagged signatures is created upon policy import

Links to More Info: BT1133997

Component: Application Security Manager

Symptoms:
A duplicate user-defined Signature Set is created upon policy import when the Set has a filter using untagged signatures.

Conditions:
A policy using a user-defined Signature Set with a filter using untagged signatures is exported.

Impact:
A duplicate user-defined Signature Set is created upon policy import.

Workaround:
Modify the policy to use the original Signature Set, and then delete the duplicated Signature Set.


1132981-5 : Standby not persisting manually added session tracking records

Links to More Info: BT1132981

Component: Application Security Manager

Symptoms:
Session tracking records with an Infinite Block-All period have an expiration time on the standby unit after sync.

Conditions:
- ASM provisioned
- Session Tracking enabled
- Session tracking records with an Infinite Block-All period are added

Impact:
Infinite session tracking records are removed from standby ASM units.

Workaround:
Use an auto-sync device group (DG) instead of manual sync.

After changing the configuration in the UI at Security->Application Security: Sessions and Logins: Session Tracking, you must "Apply Policy" and wait for the DG status to become In-Sync before adding new data points in the UI at Security->Reporting: Application: Session Tracking Status.


1132801-2 : Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured

Links to More Info: BT1132801

Component: Local Traffic Manager

Symptoms:
If an LTM database monitor (MySQL, MSSQL, Oracle, or PostgreSQL monitor type) is configured with a 'send' string to issue a user-specified database query but with no 'receive' string, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.

Conditions:
-- An LTM pool or pool member is configured to use an LTM database (MySQL, MSSQL, Oracle, or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.

For BIG-IP versions earlier than v17.0.0, this issue has been addressed under ID912517.

Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.

Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).


1132741-7 : TMM core when the HTML parser scans an endless HTML tag larger than 50MB

Links to More Info: BT1132741

Component: Application Security Manager

Symptoms:
TMM cores, with 'clock advanced by X ticks' printed.

Conditions:
- A DoS Application or Bot Defense profile is assigned to a virtual server.
- Single Page Application or Validate After Access is configured.
- A 50MB response with a huge HTML tag length is received.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Exclude the HTML parser for the URL in question:
tmsh modify sys db dosl7.parse_html_excluded_urls value <url>


1132697-5 : Use of proactive bot defense profile can trigger TMM crash

Links to More Info: BT1132697

Component: Application Security Manager

Symptoms:
TMM crash

Conditions:
This occurs under rare traffic conditions while using a proactive bot defense profile.

Impact:
The unit goes offline temporarily, or fails over.

Workaround:
Remove all proactive bot defense profiles from virtuals.


1128505-3 : HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy

Links to More Info: BT1128505

Component: Local Traffic Manager

Symptoms:
The ORBIT framework added HUDEVT_ACCEPTED handling through hud_orbit_accepted_handling. This allows the release of HUDEVT_ACCEPTED to move from the filter to ORBIT; HTTP adopted this new feature.

When HTTP is disabled, HTTP explicitly disables HUDEVT_ACCEPTED handling as it goes into passthrough, and subsequently re-enabling HTTP does not restore this handling. If this sequence happens before the first HTTP request, HUDEVT_ACCEPTED is released prematurely up the chain, so the server-side connection may be established before the first request is processed. Attempts to manipulate the load-balancing criteria at that point may fail because the criteria are locked, which may result in the connection being reset with an "Address in use" reset cause.

Conditions:
-- HTTP Virtual server
-- HTTP::disable is called from CLIENT_ACCEPTED and HTTP is subsequently re-enabled in CLIENTSSL_HANDSHAKE, before the first request arrives at HTTP.

Impact:
Connection is reset with "Address in use" reset cause.

Workaround:
None


1128429-7 : Rebooting one or more blades at different times may cause traffic imbalance, resulting in high CPU

Links to More Info: BT1128429

Component: Carrier-Grade NAT

Symptoms:
One or more TMMs are consuming more CPU cycles than the other TMMs. The increased CPU usage is caused by a significant number of internal TMM traffic redirections.

Conditions:
- LSN pools enabled.
- sp-dag is configured on the client-side and server-side VLANs (cmp-hash src-ip and cmp-hash dst-ip respectively).

Impact:
Increased TMM CPU usage on one or more TMMs.

Workaround:
- Set up a High Availability (HA) pair of VIPRIONs and make the active VIPRION cluster standby before doing any operation that involves rebooting, inserting, or removing one or more blades.

Or if the VIPRION is a stand-alone cluster:

- Stop all external traffic to the VIPRION before rebooting, inserting, or removing one or more blades.

- Restart or reboot all the blades at the same time from the primary, using the following "clsh" command:
"clsh reboot volume <NEW_VOLUME>" or "clsh bigstart restart".


1126841-5 : HTTP::enable can rarely cause cores

Links to More Info: BT1126841

Component: Local Traffic Manager

Symptoms:
TMM crashes with a segmentation fault.

Conditions:
- An SSL profile is used.
- An iRule uses HTTP::enable.

Impact:
TMM restarts, causing traffic interruption.

Workaround:
None


1126093-1 : DNSSEC Key creation failure with internal FIPS card.

Component: Local Traffic Manager

Symptoms:
You are unable to create DNSSEC keys that use the internal FIPS HSM.

When this issue occurs, the following error messages appear in /var/log/gtm:

Jul 20 04:37:47 localhost failed to read password encryption key from the file /shared/fips/nfbe0/pek.key_1, error 40000229
Jul 20 04:37:47 localhost.localdomain err gtmd[28729]: 011a0312:3: Failed to initiate session with FIPS card.
Jul 20 04:37:47 localhost.localdomain err gtmd[28729]: 011a0309:3: Failed to create new DNSSEC Key Generation /Common/abcd:1 due to HSM error.

Conditions:
-- Internal FIPS card present.
-- Clean installation from an installation ISO file.
-- DNSSEC key creation using the internal FIPS card.

Impact:
DNSSEC deployments with internal FIPS HSMs are impacted.

Workaround:
Change the /shared/fips directory permissions, for example:
chmod 700 /shared/fips


1124865-2 : Removal of LAG member from an active LACP trunk on r2k and r4k systems requires tmm restart

Links to More Info: BT1124865

Component: Local Traffic Manager

Symptoms:
Removal of a LAG member from an active LACP trunk stops the traffic flow to the tenant launched on R2x00/R4x00 based appliances.

Conditions:
Removal of LAG member from an active LACP trunk on R2x00 and R4x00 appliances.

Impact:
Traffic flow is impacted and the system misses packets routed onto the LACP trunk from which the LAG member was removed.

Workaround:
- Remove the LAG member using the confd CLI
- Restart tmm on all tenants that are associated with the trunk


1124733-3 : Unnecessary internal traffic is observed on the internal tmm_bp vlan

Links to More Info: BT1124733

Component: TMOS

Symptoms:
Unnecessary internal traffic can be observed on the internal tmm_bp VLAN. It is a UDP broadcast on port 62965.

Conditions:
Always

Impact:
Unnecessary traffic that does not disrupt normal operation.

Workaround:
None


1124209-5 : Duplicate key objects when renewing certificate using pkcs12 bundle

Links to More Info: BT1124209

Component: TMOS

Symptoms:
Duplicate key objects are created when renewing a certificate using the pkcs12 bundle command.

Conditions:
The certificate and key pair are present on the device and the pkcs12 command is executed to renew them.

Impact:
1) If the certificate and key pair are attached to a profile, certificate renewal fails.

2) Duplicate key objects are created.

Workaround:
Delete the existing cert and key pair, and then execute the pkcs12 bundle command.


1123157-1 : Single-page application AJAX does not work properly with page's navigation

Component: Application Security Manager

Symptoms:
When a single-page application is enabled and the page's own navigation is triggered during the display of CAPTCHA, the CAPTCHA frame disappears.

Conditions:
-- Single-page application is enabled in ASM.
-- The single-page application's code performs its own navigation on top of the displayed CAPTCHA.

Impact:
ASM end users may not be able to pass the CAPTCHA challenge and therefore will not be able to access the application.

Workaround:
None


1123153-5 : "Such URL does not exist in policy" error in the GUI

Links to More Info: BT1123153

Component: Application Security Manager

Symptoms:
Unable to create a parameter under Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs ›› URL Parameters

Conditions:
The policy setting "Differentiate between HTTP/WS and HTTPS/WSS URLs" is set to "Disabled".

Impact:
User is unable to create a Parameter with a URL.

Workaround:
N/A


1122205-2 : The 'action' value changes when loading protocol-inspection profile config

Links to More Info: BT1122205

Component: Protocol Inspection

Symptoms:
The "action" values for signatures and compliances in Protocol Inspection profiles change when a new config or UCS file is loaded.

Conditions:
Use case 1:

a) Create a protocol-inspection profile.
  GUI: Security  ›› Protocol Security : Inspection Profiles
  -> Click "Add" >> "New"
    1. Fill in the Profile Name field (pi_diameter in my example).
    2. Services: pick "DIAMETER".
    3. In the table for SYSTEM CHECKS, tick the checkboxes of all the items.
    4. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
    5. In the table of signatures and compliances for DIAMETER, tick the checkboxes of all the items.
    6. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
    7. Click "Commit Changes to System".

b) Check the current config via tmsh. Confirm there is no line with "action".
  # tmsh list security protocol-inspection profile pi_diameter

c) Copy the result of the command in step b.

d) Delete the profile.
  # tmsh delete security protocol-inspection profile pi_diameter

e) Load the config.
  # tmsh
  (tmos) # load sys config from-terminal merge
  (tmos) # save sys config
  Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change.

f) Check the config via tmsh. The action value has changed.
  (tmos) # list security protocol-inspection profile pi_diameter

Use case 2:

a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all items, including signatures and compliances, to "accept".
b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase.
c) tmsh load sys config default.
d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf.

Use case 3: Restore configuration by loading UCS/SCF after RMA.

Use case 4: Perform mcpd forceload for some purpose.

Use case 5: Change the VM memory size or number of cores on the hypervisor.

Impact:
Some of the signature and compliance action values are changed.

Workaround:
Workaround for use case 1:
Follow the workaround below when you want to load the IPS profile configuration from the terminal.
 
a) Create a protocol-inspection profile.
  GUI: Security ›› Protocol Security: Inspection Profiles
  -> Click "Add" >> "New" >> ips_testing

b) Check the current config via tmsh.
  # tmsh list security protocol-inspection profile ips_testing all-properties
 
c) Copy the result of the command in step b.
 
d) Delete the profile.
  # tmsh delete security protocol-inspection profile ips_testing
 
e) Load the config.
  # tmsh
  (tmos) # load sys config from-terminal merge
  (tmos) # save sys config
 
  Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change.
 
f) Check the config via tmsh using all-properties
  (tmos) # list security protocol-inspection profile ips_testing all-properties
 
Workaround for use case 2:
 
a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all items, including signatures and compliances, to "accept".
b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase
c) tmsh load sys config default
d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
e) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf

Workaround for use case 3:

a) Load the ucs/scf config file twice.
   tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf

Workaround for use case 4, 5:
 
a) Before performing any of the operations in use cases 4 and 5, save the config.
   tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase
 
b) Once the operation is done, perform the load operation.
   tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf


1121349 : CPM NFA may stall due to lack of other state transition

Links to More Info: BT1121349

Component: Local Traffic Manager

Symptoms:
When processing LTM policy rules against incoming data, the CPM (Centralized Policy Matching) state machine may incorrectly process the pattern, resulting in some policy rules not being applied.

Conditions:
-- An HTTP virtual server with an LTM policy and an iRule that triggers on "HTTP URI path contains" some value.

Impact:
The LTM policy rule does not trigger when it would be expected to.

Workaround:
Change the rule from "HTTP URI path contains" to "HTTP URI full string contains".


1121209-3 : MTU value update on VLAN in tenant launched on r2k and r4k systems needs tmm restart

Links to More Info: BT1121209

Component: Local Traffic Manager

Symptoms:
Updating the MTU on a VLAN in a BIG-IP tenant requires a tmm restart.

Conditions:
Tenants launched on R2x00 or R4x00 appliances and configured to use Jumbo Frames.

Impact:
Jumbo Frames support is impacted.

Workaround:
- Update the MTU value on the VLAN via the tenant's CLI (tmsh) or UI.
- Restart tmm.


1121169-5 : Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use

Links to More Info: BT1121169

Component: TMOS

Symptoms:
On systems where ID1004833 has been fixed, the resizing instructions for /appdata from K74200262 no longer work.

Conditions:
The jitterentropy-rngd service is started by systemd, which is the default state of the BIG-IP.

Impact:
A filesystem resize operation may fail with the following error:

# lvreduce --resizefs --size -40G /dev/mapper/vg--db--sda-dat.appdata
Do you want to unmount "/appdata"? [Y|n] y
fsck from util-linux 2.23.2
/dev/mapper/vg--db--sda-dat.appdata is in use.
e2fsck: Cannot continue, aborting.

resize2fs 1.42.9 (28-Dec-2013)
resize2fs: Device or resource busy while trying to open /dev/mapper/vg--db--sda-dat.appdata
Couldn't find valid filesystem superblock.
fsadm: Resize ext3 failed
  fsadm failed: 1
  Filesystem resize failed.

Workaround:
Unmount /appdata and restart the jitterentropy-rngd, using the following commands:

umount /appdata
systemctl restart jitterentropy-rngd

Then retry the resize operation.


1117609-5 : VLAN guest tagging is not implemented for CX4 and CX5 on ESXi

Links to More Info: BT1117609

Component: Local Traffic Manager

Symptoms:
Tagged VLAN traffic is not received by the BIG-IP Virtual Edition (VE).

Conditions:
Mellanox CX4 or CX5 with SR-IOV on VMware ESXi.

Impact:
Host-side tagging is required.

Workaround:
If only one VLAN is required, use host-side tagging and set the VLAN to "untagged" in the BIG-IP guest.

If multiple VLANs are required, use the "sock" driver instead. Edit the /config/tmm_init.tcl file and restart the Virtual Edition (VE) instance. Network traffic is disrupted while the system restarts.

echo "device driver vendor_dev 15b3:1016 sock" >> /config/tmm_init.tcl

CPU utilization may increase as a result of switching to the sock driver.

I know it works for the sock driver. This bug was about the xnet/mlxvf5 drivers.
In the hal/internal folder, I saw that the VMware vendor ID in the PciVendor.h file was 0x15ad, which looks incorrect, so I changed it to 0x15b3.


1117305-8 : The non-existent URI /api returns a different error response with or without correct Basic Authorization credentials

Links to More Info: BT1117305

Component: TMOS

Symptoms:
The /api returns 401 when incorrect Basic Authorization credentials are supplied.
The /api returns 404 when correct Basic Authorization credentials are supplied.

Conditions:
Occurs irrespective of whether the DB variable "httpd.basic_auth" is set to enable or disable.

Impact:
There is no functional impact, but all other non-existent URIs return a 302 redirect to the TMUI login page irrespective of whether the Basic Authorization credentials are correct; /api should invariably exhibit the same behavior.

Workaround:
None


1117245-5 : Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file

Links to More Info: BT1117245

Component: Application Security Manager

Symptoms:
You only see the following message in the /var/log/tomcat/liveupdate.log file. No other log messages are written, which removes the ability to troubleshoot LiveUpdate.

liveupdate.script file is corrupted, live update repository initialized with default schema

The following error is emitted in /var/log/tomcat/catalina.out during tomcat startup:

java.io.FileNotFoundException: /usr/share/tomcat/logs/liveupdate.log (Permission denied)

Conditions:
You are running a version that has the bug fix for ID907025. For more information, see https://cdn.f5.com/product/bugtracker/ID907025.html

Impact:
Loss of troubleshooting capability with LiveUpdate.

Workaround:
chown tomcat:tomcat /var/log/tomcat/liveupdate.log
bigstart restart tomcat


1113753-5 : Signatures might not be detected when using truncated multipart requests

Component: Application Security Manager

Symptoms:
In special cases, when sending long requests that include a multipart section, signatures that should be detected in the multipart body might not be detected.

Conditions:
1. A WAF policy is attached to the virtual server.
2. Signatures are enabled in the WAF policy.
3. The signatures contain special characters, such as ;"=\n
4. The request is longer than the value of max_raw_request_len.
5. A multipart request is sent.

Impact:
Signature is not detected.

Workaround:
None


1113609-4 : GUI unable to load Bot Profiles and tmsh is unable to list them as well.

Links to More Info: BT1113609

Component: TMOS

Symptoms:
If there are tens of bot defense profiles that all have hundreds of staged signatures, neither the GUI nor tmsh is able to list the Bot Profiles.

Conditions:
Tens of bot defense profiles that have hundreds of staged signatures.

Impact:
-- Unable to edit bot profiles in the GUI.
-- Unable to save to config files or UCS.

Workaround:
Remove staging for bot-signatures.


1112537-6 : LTM/GTM config instantiated in a certain way can cause an LTM/GTM monitor to fail to delete.

Links to More Info: BT1112537

Component: TMOS

Symptoms:
Upon attempting to delete a LTM or GTM monitor, the system returns an error similar to the following example, even though the monitor being deleted is no longer in use anywhere:

01070083:3: Monitor /Common/my-tcp is in use.

Conditions:
-- The configuration was loaded from file (for example, as restoring a UCS archive would do).

-- A BIG-IP Administrator deletes all objects using the monitor, and then attempts to delete the monitor itself.

Impact:
LTM or GTM monitor no longer in use anywhere cannot be deleted from the configuration.

Workaround:
Run one of the following sets of commands (depending on the affected module) and then try to delete the monitor again:

tmsh save sys config
tmsh load sys config

tmsh save sys config gtm-only
tmsh load sys config gtm-only


1112385-6 : Traffic classes match when they shouldn't

Links to More Info: BT1112385

Component: Local Traffic Manager

Symptoms:
Traffic classes may match when they should not.

Conditions:
* Fix for ID1074505 is present (without that fix this bug is hidden).
* Traffic class uses none (or equivalently all 0s) for source-address.

Impact:
Traffic is not categorized properly.

Workaround:
Specify a source address, e.g.

ltm traffic-class /Common/blah {
    source-address 1.1.1.1
    source-mask none
   ...
}

Note that because the mask is none this won't have any effect (other than working around this bug).


1111397-6 : [APM][UI] Wizard should also allow the same patterns as the direct GUI

Links to More Info: BT1111397

Component: Access Policy Manager

Symptoms:
The Device wizard fails if a certain string pattern is used as the access policy name:

- access policy name that fails: abc_1234_wxyz
- access policy name that works: abc-1234-wxyz

An error can be found in the log:
ERROR SAWizard.SACreateAccessPolicy:error - java.sql.SQLException: General error: 01020036:3: The requested Access Profile /common/abc_1234_wxyz was not found. in statement [DELETE FROM profile_access WHERE name = ?]

Conditions:
Using certain string patterns (specifically the underscore character) when creating an access policy via the wizard.

Impact:
The wizard fails and throws errors.

Workaround:
None


1111361-5 : Refreshing DNS wide IP pool statistics returns an error

Links to More Info: BT1111361

Component: Global Traffic Manager (DNS)

Symptoms:
Refreshing the wide IP pool statistics results in the error message 'An error has occurred while trying to process your request'.

Conditions:
Go to "Statistics > Module Statistics > DNS > GSLB > Wide IPs > Statistic Pools", and click "Refresh".

Impact:
No results are returned, and the error message 'An error has occurred while trying to process your request' is displayed.

Workaround:
N/A.


1111149-4 : nlad core observed because ERR_func_error_string can return NULL

Links to More Info: BT1111149

Component: Access Policy Manager

Symptoms:
The following symptoms are observed.

In /var/log/ltm:
err nlad[17535]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.

An nlad core is observed, and /var/log/kern.log contains:
/var/log/kern.log:Apr 7 03:46:53 <vs name > info kernel: nlad[13119]: segfault at 0 ip <> sp <> error 4.

Conditions:
nlad crashes with SIGSEGV while processing an SSL certificate during a SAML login.

Impact:
The core results in disruption of APM sessions.

Workaround:
None


1110489-4 : TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event

Links to More Info: BT1110489

Component: Access Policy Manager

Symptoms:
Tmm crashes.
/var/log/tmm contains:
May 24 18:06:24 sslo.test.local notice panic: ../net/nexthop.c:165: Assertion "nexthop ref valid" failed.

Conditions:
An iRule containing an ACCESS_ACL_ALLOWED event is applied to a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1110485-5 : SSL handshake failures with invalid profile error

Links to More Info: BT1110485

Component: Local Traffic Manager

Symptoms:
1. TMM reports SSL handshake failures with the reason "hud_ssl_handler:1208: alert(40) invalid profile unknown on VIP".

2. Certificate read errors appear in the ltm log: "reading: Unknown error."

Conditions:
-- The certificates associated with the SSL profile are corrupted by manually (or via Venafi) modifying, adding, or deleting them.

-- There are frequent unintentional certificate updates.

Impact:
-- The BIG-IP system is not able to process the traffic.
-- All traffic to the affected virtual servers fails.

Workaround:
1. Correct the corrupted certificates and make them valid.

2. Detach/remove the corresponding SSL profile from all virtual servers to which it is applied.

3. In the GUI, open the virtual server, click Update, and make sure no errors are shown on the screen.

4. Re-apply the SSL profile to the virtual server.


1110281-7 : Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable

Links to More Info: BT1110281

Component: Advanced Firewall Manager

Symptoms:
Non-HTTP traffic is not forwarded to the backend server.

Conditions:
- ASM provisioned
- Behavioral DoS profile assigned to a virtual server
- DOSL7::disable and HTTP::disable applied in the when CLIENT_ACCEPTED {} event

Impact:
Web applications that also carry non-HTTP traffic are broken.

Workaround:
Instead of using DOSL7::disable, redirect non-HTTP traffic to a non-HTTP aware virtual server using the iRule command virtual <virtual_server_name>.


1108237-3 : Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM.

Links to More Info: BT1108237

Component: Global Traffic Manager (DNS)

Symptoms:
It is possible for monitor probes to a certain destination to be owned by no GTM device in the sync-group. As a result, no monitoring of the destination will be performed, and the monitored object will be incorrectly marked down with reason "no reply from big3d: timed out".

Conditions:
-- GTM sync-group with multiple GTM devices (including a sync-group that contains only a single GTM server with more than one GTM device in it).

-- Monitors specifying an explicit destination to connect to (e.g. with the property "destination 192.168.1.1:*").

-- The destination of a monitored object (e.g. the IP address of the gtm server) is different from the destination explicitly defined in a monitor assigned to the object.

-- The two mismatching destination values are assigned to different GTM devices in the sync-group for monitoring.

Impact:
Monitored GTM objects may have an incorrect status.

Workaround:
None


1107565-3 : SSL Persistence behavior change for TLS1.3 connection between v16.1.0 and v16.1.2.2

Links to More Info: BT1107565

Component: Local Traffic Manager

Symptoms:
The BIG-IP system resets TLS 1.3 connections when the client-hello contains a session-ID.

Conditions:
-- Virtual server has ssl persistence enabled
-- TLS 1.3 is used
-- The client-hello message contains a session-ID.

Impact:
Traffic uses TLS 1.3 and SSL persistence is disrupted.

Workaround:
None


1106273-5 : "duplicate priming" assert in IPSECALG

Links to More Info: BT1106273

Component: Advanced Firewall Manager

Symptoms:
This is a specific issue with a complicated firewall/NAT/IPsec scenario. In this case, when applying changes to a firewall policy in transparent mode, IPSECALG triggers a "duplicate priming" assert.

Conditions:
An IPsec session is established from a device whose source IP has a firewall policy (transparent mode). As soon as traffic passes over the new IPsec tunnel, the clash in the rules results in a tmm core.

Impact:
TMM asserts with "duplicate priming" assert.
Traffic disrupted while tmm restarts.

Workaround:
None


1105901-6 : Tmm crash while doing high-speed logging

Links to More Info: BT1105901

Component: TMOS

Symptoms:
Tmm crashes

Conditions:
-- High-speed logging is configured
-- Network instability occurs with the logging pool members

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1105757-6 : When creating a CSR with invalid basic-constraints parameters, tmsh does not generate meaningful errors

Links to More Info: BT1105757

Component: TMOS

Symptoms:
An error similar to the following is observed:
Key management library returned bad status: -45, No Error

Conditions:
Always observed.

Impact:
The error thrown is not meaningful, so it is difficult to identify the invalid parameters.

Workaround:
N/A


1104517-3 : In SWG explicit proxy, some TCP connections are reset because of inconsistency between sessionDB and local IP2SessionId map

Links to More Info: BT1104517

Component: Access Policy Manager

Symptoms:
Some clients' TCP connections are reset with an error "cl sm driver error (Illegal value)" when the BIG-IP system is in this error state.

Conditions:
SWG explicit proxy is configured.

Impact:
Some clients are unable to access a service.

Workaround:
Disable sessionDB mirroring on both the active and the standby device:
# tmsh modify sys db statemirror.mirrorsessions value disable
# tmsh save sys config

Restart tmm on the standby device:
# bigstart restart tmm


1103477-5 : Refreshing pool member statistics results in error while processing requests

Links to More Info: BT1103477

Component: Global Traffic Manager (DNS)

Symptoms:
Pool member statistics aren't displayed and the page shows an error message 'An error has occurred while trying to process your request'.

Conditions:
-- A GTM pool is configured with one or more pool members.
-- The 'Refresh' button or the timer is used to fetch the pool member statistics again.

Impact:
Refresh does not work as expected.

Workaround:
Although the refresh button or refresh timer is broken, you can refresh the page to see updated statistics.


1102425-1 : F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary

Links to More Info: BT1102425

Component: TMOS

Symptoms:
The secondary blades are inoperative when MCPD is restarted on the primary slot, or the license is installed on the F5OS chassis.

Following are the symptoms:

- The following message is logged in /var/log/ltm for the secondary slots:

mprov:29790:[29790]: 'FPGA change is taking a long time. Unable to start the daemons.'

- The presence of the file /var/run/fpga_mcpd_lockfile on the secondary slots.

Conditions:
- Multi-Slot F5OS tenant.
- Restarting MCPD on the primary blade or installing the license from the F5OS chassis.

Impact:
Secondary blades are inoperative.

Workaround:
Execute the following command on the secondary blades that are inoperative:
bigstart restart mcpd


1100721-5 : IPv6 link-local floating self-IP breaks IPv6 query to BIND

Links to More Info: BT1100721

Component: Local Traffic Manager

Symptoms:
An IPv6 link-local floating self-IP breaks IPv6 queries to BIND.

Conditions:
1. Create a DNS record in BIND.
2. Create an IPv6 floating self-IP (for example, 2002::139) and place it into traffic-group-1.
3. Create an IPv6 DNS listener using the newly created self-IP (2002::139).
At this point a DNS query should be answered properly by BIND and TMM.
4. Create a dummy IPv6 floating self-IP using a link-local IP (for example, fe80::4ff:0:0:202) and place it into traffic-group-1.
Now DNS queries from outside time out.

Impact:
DNS requests time out.

Workaround:
None


1100197-6 : GTM sends wrong commit_id originator for iqsyncer to do gtm group sync

Links to More Info: BT1100197

Component: Global Traffic Manager (DNS)

Symptoms:
GTM may occasionally send the wrong commit_id_originator to other sync group members, causing a full sync to occur instead of an incremental one.

The following message may be seen in the /var/log/gtm log:

   "Unable to do incremental sync, reverting to full load for device group /Common/gtm"

Conditions:
Frequent GTM group syncs.

Impact:
Unnecessary GTM full sync when an incremental sync would have been more efficient.

Workaround:
None


1099765-1 : Inconsistent behavior in Violation detection with max parameter enforcement

Links to More Info: BT1099765

Component: Application Security Manager

Symptoms:
A request with a JSON body containing more than 600 parameters causes the event log to show incorrect violations.

Conditions:
-- 'Maximum params' configured to 600 in JSON profile
-- 'Maximum array length' configured to 'Any'
-- A request occurs that contains more than 600 parameters in the body in JSON format.

Impact:
No violation for exceeding the maximum number of parameters is shown in the event log, although the maximum number of allowed parameters was exceeded.

Workaround:
None


1099621-2 : DAG context synchronization debug instrumentation

Links to More Info: BT1099621

Component: TMOS

Symptoms:
The BIG-IP system lacks instrumentation for the exchange of tmm DAG state over the statemirror channels between high availability (HA) peers running on VELOS.

Conditions:
-- High availability (HA) pair running on VELOS

Impact:
When average application response latency increases and health checks flap and the DAG is suspected, instrumentation is unavailable.

Workaround:
None


1098609-3 : BD crash on specific scenario

Links to More Info: BT1098609

Component: Application Security Manager

Symptoms:
BD crashes while passing traffic.

Conditions:
Specific request criteria that occur while a configuration change is in progress.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None


1096893-6 : TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection

Links to More Info: BT1096893

Component: Local Traffic Manager

Symptoms:
When route metrics are applied by the TCP filter to a connection initiated by a SYN cookie, TCP sets the effective MSS for packetization; thereafter the egress_mtu is set according to the route metrics entry, if present. Packets whose size falls between the effective MSS and the lowered egress_mtu are unexpectedly IP-fragmented.

Conditions:
SYN cookies are enabled and activated, and a route metrics PMTU entry for the destination address is smaller than the VLAN's egress MTU.

Impact:
Application traffic can fail or see disruption due to unexpected IP fragmentation.

Workaround:
Disable SYN cookies (Reference: https://support.f5.com/csp/article/K80970950).

Alternatively, you can apply a lower static MTU to the interface.


1096317-6 : SIP msg alg zombie flows

Links to More Info: BT1096317

Component: Carrier-Grade NAT

Symptoms:
The SIP msg ALG can disrupt the expiration of a connflow in such a way that it stays alive forever.

Conditions:
SIP msg ALG with suspending iRule commands attached.

Impact:
Zombie flow, which cannot be expired anymore.

Workaround:
Restart TMM.


1094069-4 : iqsyncer will get stuck in a failed state when requesting a commit_id that is not on the target GTM

Links to More Info: BT1094069

Component: Global Traffic Manager (DNS)

Symptoms:
Too many GTM sync requests are exchanged between the devices, and the config sync may sometimes fail.

Conditions:
DNS/GTM licensed devices are configured in a sync Group. The requested commit_id is not present anymore on the target GTM device.

Impact:
Sync operations are extremely slow (5-8 minutes for a pool to show up) and may sometimes fail. Excessive network traffic is generated.

Workaround:
None


1093973-9 : Tmm may core when BFD peers select a new active device.

Links to More Info: BT1093973

Component: TMOS

Symptoms:
Tmm cores.

Conditions:
-- BFD is in use
-- the active/owner BFD device changes

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1093717-5 : BGP4 SNMP traps are not working.

Links to More Info: BT1093717

Component: TMOS

Symptoms:
BGP4 SNMP traps are not working and returning snmpwalk result of "BGP4-MIB::bgp = No Such Object available on this agent at this OID" or similar errors for all OIDs under the .1.3.6.1.2.1.15 MIB.

Conditions:
-- Perform any BGP related event and check for SNMP traps.
-- Run snmpwalk -Of -Os -v 2c -c <community_name> localhost .1.3.6.1.2.1.15

Impact:
No BGP monitoring.

Workaround:
None


1093357-6 : PEM intra-session mirroring can lead to a crash

Links to More Info: BT1093357

Component: Policy Enforcement Manager

Symptoms:
TMM crashes while passing PEM traffic

Conditions:
-- PEM mirroring enabled and passing traffic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1091021-6 : The BIG-IP system may not take a fail-safe action when the bigd daemon becomes unresponsive.

Links to More Info: BT1091021

Component: Local Traffic Manager

Symptoms:
You may observe LTM monitors malfunctioning on your system. For instance, you may notice some probes are not sent out on the network, and some monitored objects are showing the wrong status.

Conditions:
-- The bigd daemon consists of multiple processes (which you can determine by running "ps aux | grep bigd").

-- One or more of the processes (but not all of them) become disrupted for some reason and stop serving heartbeats to the sod daemon.

Under these conditions, sod will not take any fail-safe action and the affected bigd processes will continue running impaired, potentially indefinitely.

Impact:
LTM monitoring is impacted.

Workaround:
If you suspect this issue is occurring in your system, you can resolve it by killing all bigd processes using the following command:

pgrep -f 'bigd\.[0-9]+' | xargs kill -9

However, this does not prevent the issue from manifesting again in the future if the cause for bigd's disruption occurs again.

Monitoring may become further disrupted as bigd restarts, and a failover may occur depending on your specific configuration.

Another workaround is to run only a single bigd process, if that is possible:
modify sys db bigd.numprocs value 1
If only a single bigd is running, sod will detect when it is down.


1090313-5 : Virtual server may remain in hardware SYN cookie mode longer than expected

Links to More Info: BT1090313

Component: TMOS

Symptoms:
A virtual server may remain in hardware SYN cookie mode longer than expected after the SYN flood attack has stopped. The TMSH 'show ltm virtual' command shows that the virtual server has already exited SYN Cookie mode, but SYN packets are still answered by hardware for a few minutes longer.

Conditions:
The problem is a result of a race condition in TMM, so the issue might show up intermittently.

Impact:
Discrepancy between the actual SYN Cookie mode and the reported SYN Cookie mode for a short period of time after a SYN flood attack.

Workaround:
Disable hardware SYN Cookie mode.


1089005-5 : Dynamic routes might be missing in the kernel on secondary blades.

Links to More Info: BT1089005

Component: TMOS

Symptoms:
Dynamic routes might be missing in the kernel on secondary blades.

Conditions:
- Long VLAN names (16+ characters).
- MCPD unable to load configuration from binary database (software update/forceload was performed).

Impact:
Kernel routes are missing on secondary blades.

Workaround:
Restart tmrouted on the affected secondary blade. Note that this will also briefly affect TMM dynamic routes.
bigstart restart tmrouted


1088597-6 : TCP keepalive timer can be immediately re-scheduled in rare circumstances

Links to More Info: BT1088597

Component: Local Traffic Manager

Symptoms:
In rare circumstances, the TCP keepalive timer is rescheduled immediately because the interval used also encompasses the idle_timeout.

Conditions:
Virtual Server with:

- TCP Profile
- SSL Profile with alert timeout configured

This can also occur when connections are deleted manually, which effectively only sets the idle timeout to 0.

Impact:
High CPU utilization potentially leading to reduced performance.

Workaround:
Leaving the alert timeout disabled (not re-enabling it) in the SSL profile should be sufficient.


1087981-1 : Tmm crash on "new serverside" assert

Component: Local Traffic Manager

Symptoms:
TMM cores with "new serverside" assert.

Conditions:
This can occur while passing UDP traffic while tmm is under memory pressure.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1085661-6 : Standby system saves config and changes status after sync from peer

Links to More Info: BT1085661

Component: Application Security Manager

Symptoms:
After running config sync from an Active to a Standby device, the sync status is In Sync for a short period of time.
After a while, it automatically changes to Changes Pending status.

The same symptom was reported via ID698757 and fixed in earlier versions, but the same can happen via a different scenario.

Conditions:
Create an ASM policy and let the system determine the language encoding from traffic.

Impact:
The high availability (HA) configuration goes out of SYNC.

Workaround:
To prevent the issue from happening, you can manually configure the language encoding.


1084965-4 : Low visibility of attack vector

Links to More Info: BT1084965

Component: Local Traffic Manager

Symptoms:
The DoS vector FIN 'Only Set' is not triggered, which causes a lack of visibility of the attack vector.

Conditions:
-- Using BIG-IP Virtual Edition

Impact:
There is reduced visibility of possible attacks on the BIG-IP.

Workaround:
Check 'drop_inv_pkt' with the tmctl table, "tmm/ndal_rx_stats".


1084857-6 : ASM::support_id iRule command does not display the 20th digit

Links to More Info: BT1084857

Component: Application Security Manager

Symptoms:
ASM::support_id iRule command does not display the 20th digit.

A support ID seen in REST/TMUI that has 20 digits, e.g. 13412620314886537617, is displayed as 1341262031488653761 by the iRule command (the last digit '7' is stripped).

Conditions:
ASM::support_id iRule command

Impact:
Inability to trace request events using the support ID.


1083621-6 : The virtio driver uses an incorrect packet length

Links to More Info: BT1083621

Component: Local Traffic Manager

Symptoms:
In some cases, tmm might drop network packets.

In rare circumstances, this might trigger tmm to crash.

Conditions:
BIG-IP Virtual Edition using the virtio driver. You can see this in /var/log/tmm ("indir" is zero):
  notice virtio[0:5.0]: cso: 1 tso: 0 lro: 1 mrg: 1 event: 0 indir: 0 mq: 0 s: 1

Impact:
Tmm might drop packets.

In rare circumstances, this might trigger tmm to crash. Traffic disrupted while tmm restarts.

Workaround:
None


1083513-4 : BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd

Links to More Info: BT1083513

Component: Application Security Manager

Symptoms:
"Challenge Failure Reason" field in a request event log shows N/A.

Conditions:
The db key has not been changed manually on the system.

Impact:
"Challenge Failure Reason" field is disabled.

Workaround:
Disable the key, re-enable it, then save:

tmsh modify sys db botdefense.disable_challenge_failure_reporting value disable
tmsh modify sys db botdefense.disable_challenge_failure_reporting value enable
tmsh save sys config


1083405-6 : "Error connecting to named socket" from zrd

Links to More Info: BT1083405

Component: Global Traffic Manager (DNS)

Symptoms:
After an mcpd restart, zrd may not be able to re-establish a connection to named. This shows up in the /var/log/gtm file or in the GUI with a message similar to the following:

err zrd[27809]: 01150306:3: Error connecting to named socket 'Connection refused'.
(or)
err zrd[16198]: 01150306:3: Error connecting to named socket 'Connection timed out'.

Conditions:
After an mcpd restart.

Impact:
Looking up or modifying zone records may fail.

Workaround:
Restart zrd and named:

tmsh restart sys service zrd named


1083053-4 : Apmd memory grows over time in AD auth scenarios

Links to More Info: BT1083053

Component: Access Policy Manager

Symptoms:
Apmd memory grows over time. It is not a memory leak; it is mainly due to memory fragmentation caused by memory sharing among apmd threads.

Conditions:
The access policy in use has Active Directory auth as one of its agents.

Impact:
Apmd memory grows over time. After it grows beyond a limit, the OOM killer might kill apmd, leading to traffic disruption.

Workaround:
None


1082197-5 : RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response

Links to More Info: BT1082197

Component: Global Traffic Manager (DNS)

Symptoms:
The synthetic SOA returned by the BIG-IP has the MNAME and RNAME fields reversed, so the wrong values are reported as the primary name server and the administrator mailbox, respectively.

Conditions:
-- Set failure-rcode-response to enabled and configure failure-rcode-ttl on a down WIP.
-- Perform a DNS query.
-- Observe the SOA.

Impact:
Per RFC 1035 the order of the fields is significant and MNAME must come before RNAME. When they are reversed, consumers of the synthetic SOA associate the values with the wrong fields.


1082133-4 : iSeries LCD displays "Host inaccessible or in diagnostic mode"

Component: TMOS

Symptoms:
On rare occasions, when booting up an iSeries BIG-IP system, the LCD may continuously display "Host inaccessible or in diagnostic mode" for an extended period of time.

Conditions:
This can occur when booting up an iSeries BIG-IP system.

Impact:
LCD is unusable until the system is rebooted.

Workaround:
Wait 5 minutes.
If the LCD is still displaying "Host inaccessible or in diagnostic mode" after this time period, reboot the BIG-IP system.


1081473-3 : GTM/DNS installations may observe the mcpd process crashing

Links to More Info: BT1081473

Component: Global Traffic Manager (DNS)

Symptoms:
1) The mcpd process may crash, potentially leading to failover/momentary traffic disruption while system components restart.

2) Log entries referring to the 'iqsyncer' module, similar to the following, may be observed prior to the crash:

notice mcpd[32268]: 01070751:5: start_transaction received without previous end_transaction - connection 0x62773308 (user %iqsyncer)
notice mcpd[6269]: 010714a0:5: Sync of device group /Common/gtm to commit id 17072 7051583675817774674 /Common/abcd.xyz 0 from device %iqsyncer complete.
notice mcpd[6269]: 01070418:5: connection 0x64c0c008 (user %iqsyncer) was closed with active requests

3) Log entries similar to the following may be observed indicating failure and restart in the mcpd component:

err icr_eventd[11664]: 01a10003:3: Receive MCP msg failed: Can't recv, status: 0x1020046
warning snmpd[8096]: 010e0004:4: MCPD query response exceeding 270 seconds.
err icr_eventd[11664]: 01a10003:3: Receive MCP msg failed: Can't recv, status: 0x1020046
notice sod[9497]: 01140041:5: Killing /usr/bin/mcpd pid 12325.
warning sod[9497]: 01140029:4: high availability (HA) daemon_heartbeat mcpd fails action is restart.
crit tmsh[31348]: 01420001:2: The connection to mcpd has been lost, try again. : framework/RemoteMcpConn.cpp, line 74
crit tmsh[31434]: 01420001:2: The connection to mcpd has been lost, try again. : framework/RemoteMcpConn.cpp, line 74
info sod[9497]: 010c0009:6: Lost connection to mcpd - reestablishing.
err mysqlhad[17260]: 014e0006:3: MCP Failure: 1.

Conditions:
DNS/GTM installation with syncgroup members actively exchanging configuration items.

The issue happens rarely unless a lot of configuration changes occur on one of the syncgroup members and need to be carried over.

Impact:
Traffic disrupted while mcpd restarts.

Workaround:
None


1080957-1 : TMM Seg fault while Offloading virtual server DOS attack to HW

Links to More Info: BT1080957

Component: Advanced Firewall Manager

Symptoms:
TMM crashes during virtual server DOS attack scenarios.

Conditions:
-- HSB-equipped hardware platforms.
-- An attack is detected on a configured virtual server DoS vector and the system attempts to offload it to hardware.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1078065-5 : The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA.

Links to More Info: BT1078065

Component: Application Security Manager

Symptoms:
The login page shows a blocking page instead of CAPTCHA or shows the blocking page after resolving a CAPTCHA.

After five failed login attempts (the number configured in the brute force configuration), a blocking page is returned.

Blocking Reason: Resource not qualified for injection.

Conditions:
The HTML response contains a page longer than 32000 bytes.

Impact:
Users are blocked after failed login attempts.

Workaround:
Run tmsh modify sys db asm.cs_qualified_urls value <url value>.


1077533-6 : BIG-IP fails to restart services after mprov runs during boot.

Links to More Info: BT1077533

Component: TMOS

Symptoms:
Very occasionally, after mprov runs following a reboot, the BIG-IP may fail to start, with logs similar to the following:

bigip1 info mprov:7459:[7459]: 'admd failed to stop.'
bigip1 err mprov:7459:[7459]: 'admd failed to stop, provisioning may fail.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
...
bigip1 err mcpd[5584]: 01071392:3: Background command '/usr/bin/mprov.pl --quiet --commit asm avr host tmos ui ' failed. The command was signaled.

Conditions:
Occurs rarely after a reboot.

Impact:
The BIG-IP is unable to finish booting.

Workaround:
Reboot the BIG-IP again.


1076825-3 : "Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.

Links to More Info: BT1076825

Component: Application Security Manager

Symptoms:
"Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.

Conditions:
Upgrading to v16.1.x from earlier releases.

Impact:
Configuration of "Installation of Automatically Downloaded Updates" is lost and reverts to default.

Workaround:
Manually configure "Installation of Automatically Downloaded Updates" after the upgrade.


1074513-4 : Traffic class validation does not detect/prevent attempts to add duplicate traffic classes to virtual

Links to More Info: BT1074513

Component: TMOS

Symptoms:
Tmm crashes after adding a traffic class.

Conditions:
-- Virtual server with two traffic classes
-- A third traffic class is added via tmsh

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1073673-3 : Prevent possible early exit from persist sync

Links to More Info: BT1073673

Component: Global Traffic Manager (DNS)

Symptoms:
When a new GTM is added to the Sync group, it takes a significant amount of time, and the newly added GTM won't become ready.

Conditions:
-- GTMs in a cluster with a large number of persist records
-- A new GTM device is added

Impact:
Clients of the BIG-IP GTM do not receive an answer, and application failures may occur.

Workaround:
None


1070957-5 : Database monitor log file backups cannot be rotated normally.

Links to More Info: BT1070957

Component: Local Traffic Manager

Symptoms:
Debug log files used by the BIG-IP database monitor daemon (DBDaemon) do not exhibit the log-rotation behavior of other BIG-IP log files.
- The active DBDaemon log file is /var/log/DBDaemon-0.log
- DBDaemon log file size is limited to approximately 5MB. DBDaemon log files are backed up/rotated upon reaching this size.
- Exactly 9 (nine) DBDaemon log file backups are retained (/var/log/DBDaemon-0.log.[1-9])
- DBDaemon log file backups are not compressed.
- DBDaemon log file backup/rotation behavior is not user-configurable.

Conditions:
This issue applies when using BIG-IP database monitors:
-- mssql
-- mysql
-- oracle
-- postgresql

Impact:
-- DBDaemon log file backups may consume more space under /var/log than desired.
-- When troubleshooting database monitor issues, DBDaemon log file rotation may occur so rapidly that older DBDaemon events may be lost, limiting the ability to capture meaningful diagnostic data.

Workaround:
It may be possible to work around this issue by periodically archiving DBDaemon log files, such as in a script with the following core functionality:
pushd /var/log;tar -czf DBDaemon_$(date +%Y%m%d%H%M).tgz DBDaemon-0.log*;popd
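The periodic archive that workaround describes, written out as an added bash example (not F5's script): it tars the DBDaemon-0.log* files into a timestamped archive, and additionally prunes older archives so the workaround does not itself fill /var/log. The function name, the retention count and the optional destination-directory argument are assumptions of this example; the log path and file names are those named in the issue above.

```shell
#!/bin/bash
# Added example (not F5's code): archive DBDaemon debug logs and keep only the
# newest N archives. Defaults use the paths the issue names (/var/log,
# DBDaemon-0.log*); the retention count and destination are assumptions.

archive_dbdaemon_logs() {
    local log_dir="${1:-/var/log}"   # directory holding DBDaemon-0.log* (page value)
    local keep="${2:-10}"            # archives to retain (assumed default)
    local dest
    dest="$(cd "${3:-$log_dir}" && pwd)" || return 1   # absolute destination path

    local stamp archive
    stamp="$(date +%Y%m%d%H%M%S)"    # seconds, so back-to-back runs do not collide
    archive="$dest/DBDaemon_${stamp}.tgz"

    # Nothing to archive if the daemon has not written a log yet.
    ls "$log_dir"/DBDaemon-0.log* >/dev/null 2>&1 || return 1

    # Run tar from inside the log directory so the archive stores relative
    # names (DBDaemon-0.log, DBDaemon-0.log.1, ...) rather than /var/log/...
    (cd "$log_dir" && tar -czf "$archive" DBDaemon-0.log*) || return 1

    # Retention: list archives newest-first and delete everything past $keep.
    # The DBDaemon_ prefix cannot match the DBDaemon-0.log* glob above, so
    # archives never end up inside later archives.
    ls -1t "$dest"/DBDaemon_*.tgz 2>/dev/null | tail -n +"$((keep + 1))" | while read -r old; do
        rm -f "$old"
    done

    printf '%s\n' "$archive"          # report the archive that was written
}

# Usage (for a cron entry, for example): archive_dbdaemon_logs /var/log 10
```

The function prints the path of the archive it wrote, so a cron wrapper can log it; a non-zero return means there were no DBDaemon logs to archive or tar failed.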


1070393-2 : The f5_api_com.crt certificate file may be removed by the load sys config command

Links to More Info: BT1070393

Component: TMOS

Symptoms:
The BIG-IP downloads an f5_api_com.crt certificate file when a production BIG-IP license is installed, but a subsequent "load sys config" reverts to the pre-certificate configuration and deletes (tidies up) the file.

Conditions:
-- Activate a BIG-IP license in either the GUI or tmsh (this causes the F5 API certificate to be downloaded and installed into the config).
-- Run 'tmsh load sys config'.
-- Observe that the f5_api_com.crt object is no longer present in the BIG-IP config.

Impact:
The f5_api_com.crt certificate file is not present on the BIG-IP system.

Workaround:
- Ensure that "tmsh save sys config" is run after installing a new BIG-IP license.

- If the certificate has been removed from the BIG-IP configuration, but is still present in the filesystem, you can import it with the expected name (f5_api_com.crt): "tmsh create sys file ssl-cert f5_api_com.crt source-path file:///config/ssl/ssl.crt/f5_api_com.crt"

- If the certificate has been lost, you can re-activate the license, to cause a new API certificate to be pulled down from the F5 license server.


1070029-3 : GSS-SPNEGO SASL mechanism issue with AD Query to Synology Directory Service

Links to More Info: BT1070029

Component: Access Policy Manager

Symptoms:
Active Directory queries may fail.

Conditions:
-- Users/services are configured in Synology Directory Service (a non-Microsoft Active Directory service)
-- Active Directory Query Configuration on BIG-IP

Impact:
User authentication based on the AD Query agent is affected.

Workaround:
None


1069729-4 : TMM might crash after a configuration change.

Links to More Info: BT1069729

Component: Application Security Manager

Symptoms:
After modifying a DoS L7 profile, in rare cases TMM might crash.

Conditions:
Modifying a DoS L7 profile attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A


1069441-5 : Cookie without '=' sign does not generate rfc violation

Component: Application Security Manager

Symptoms:
If a request includes a Cookie header that only contains the name of the cookie without an equal sign (=) and a corresponding value, it might not result in a violation as expected according to the RFC (Request for Comments) specifications.

Conditions:
-- Set the 'Cookie not RFC-compliant' violation to 'Block'
-- Send a request whose Cookie header contains a name only, for example 'Cookie: a'

Impact:
The request is not blocked.


1069265 : New connections or packets from the same source IP and source port can cause unnecessary port block allocations.

Links to More Info: BT1069265

Component: Advanced Firewall Manager

Symptoms:
A client opening new TCP connections or sending new UDP packets from the same source IP and source port can cause the allocation of multiple new port blocks even if there are still existing translation endpoints in the current blocks.

Conditions:
All of the following conditions must be met:

- AFM NAT or CGNAT configured with port block allocation.

- In the port-block-allocation settings, a block-lifetime value different from zero.

- A client sending UDP packets or opening TCP connections periodically, always from the same source IP address and source port.

- A protocol profile on the virtual server with an idle timeout lower than the interval between the client packets or new connections.

Impact:
After the first allocated port block becomes a zombie, a new port block is allocated for each new client packet or client connection coming from the same source IP / source port, even if there are still available translation endpoints in the allocated non-zombie blocks.
The new blocks keep piling up until the original zombie block timeout expires.

Workaround:
Increase the protocol profile idle-timeout to a value greater than the interval between UDP packets or connections from the client.


1067857-8 : HSB completion time out causes unexpected reboot

Links to More Info: BT1067857

Component: TMOS

Symptoms:
A bad_tlp_status message closely follows a completion_time_out_status message in the /var/log/sel file. Following is an example:
CPU 0 PCI/DMI Error B:D.F 0:3.2: corerrsts: bad_tlp_status
CPU 0 PCI/DMI Error B:D.F 0:3.2: rperrsts: error_fatal_nonfatal_received
CPU 0 PCI/DMI Error B:D.F 0:3.2: rperrsts: non_fatal_error_messages_received
CPU 0 PCI/DMI Error B:D.F 0:3.2: uncerrsts: completion_time_out_status

Conditions:
This issue is known to occur on the following platforms:

- i2600
- i2800
- i4600
- i4800

Impact:
The device unexpectedly reboots.

Workaround:
None


1067797 : Trunked interfaces that share a MAC address may be assigned in the incorrect order.

Links to More Info: BT1067797

Component: TMOS

Symptoms:
Interfaces that are trunked together and use the same MAC address may end up in an incorrect order when the system is restarted.

Conditions:
Trunked interfaces that use the same MAC address. On reboot, the f5-swap-eth script incorrectly reorders the affected interfaces.

Impact:
Incorrect ordering could result in a failover or outage.

Workaround:
N/A


1067557-5 : Value masking under XML and JSON content profiles does not follow policy case sensitivity

Links to More Info: BT1067557

Component: Application Security Manager

Symptoms:
Value masking is always case sensitive regardless of policy case sensitivity.

Conditions:
- Parse Parameters is unchecked under JSON content profile.
- Value masking section contains element/attribute names under XML and JSON content profiles.

Impact:
- Value is not masked in a case insensitive manner even when the policy is case insensitive.

Workaround:
None


1064893-4 : Keymgmtd memory leak occurs while configuring ca-bundle-manager.

Links to More Info: BT1064893

Component: TMOS

Symptoms:
Keymgmtd leaks memory and the RES/RSS value increases over time.

The growth can be observed by monitoring the keymgmtd resident memory size with 'top -p `pidof keymgmtd`' or with 'tmctl proc_pid_stat proc_name=keymgmtd -s proc_name,vsize,rss'.

Conditions:
Configure sys crypto ca-bundle-manager to periodically update the ca bundle on the system.

Impact:
If keymgmtd causes a system-wide out-of-memory condition, traffic may be disrupted if mcpd is chosen to be killed.

Workaround:
N/A


1064753-6 : OSPF LSAs are dropped/rate limited incorrectly.

Links to More Info: BT1064753

Component: TMOS

Symptoms:
Some LSAs are dropped on BIG-IP with a log similar to:
"LSA is received recently".

Conditions:
Tuning OSPF min LSA arrival has no effect on some LSA handling.

Impact:
OSPF LSAs are dropped/rate limited incorrectly.

Workaround:
N/A


1064725-5 : CHMAN request for tag:19 failed.

Links to More Info: BT1064725

Component: Local Traffic Manager

Symptoms:
The following log is seen in /var/log/ltm when a qkview is generated:

warning chmand[6307]: 012a0004:4: CHMAN request (from qkview) for tag:19 failed.

or when a tcpdump capture is started:

warning chmand[792]: 012a0004:4: CHMAN request (from bigpcapq33E5-24) for tag:19 failed

or when getting a dossier from the GUI/CLI:

warning chmand[4319]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed

or on reboot:

warning chmand[8263]: 012a0004:4: CHMAN request (from mcpd) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from DossierValidator) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from LACPD_USER) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed

Conditions:
Any one of the following:

-- Generate a qkview file from the GUI/CLI
-- Start a tcpdump command from the CLI
-- Get a dossier from GUI/CLI
-- Reboot

Impact:
No functional impact.

Workaround:
None


1060477-2 : iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]".

Links to More Info: BT1060477

Component: Access Policy Manager

Symptoms:
Apmd crashes after setting the userName field via an iRule.

Conditions:
1. Setting the userName field:

set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]

2. Getting the sid field:
[ACCESS::session data get session.user.sessionid]

Impact:
APM traffic disrupted while apmd restarts.

Workaround:
Check the username before setting it from the iRule.


1060393-3 : Extended high CPU usage caused by JavaScript Obfuscator.

Links to More Info: BT1060393

Component: Fraud Protection Services

Symptoms:
The Obfuscator process (compiler.jar) consumes excessive CPU for an extended period.

Conditions:
FPS is provisioned

OR:

ASM is provisioned AND one of the following is true:
-- A Bot profile is attached to the virtual server
-- An ASM policy with the brute force feature enabled is attached to the virtual server
-- A DoS profile with Captcha/CSI mitigation is attached to the virtual server

Impact:
High CPU usage on the device.

Workaround:
None


1059513-3 : Virtual servers may appear as detached from security policy when they are not.

Links to More Info: BT1059513

Component: Application Security Manager

Symptoms:
When browsing the Security >> Overview: Summary page, the virtual servers may appear as detached. The larger the number of virtual servers, the more likely you are to see all the virtual servers as detached from the security policy.

Conditions:
Starting from a certain number of virtual servers (20) attached to a security policy, the virtual servers may appear as detached from any security policy.

Impact:
Virtual servers are displayed as detached from any security policy, but this is not the case.

Workaround:
None


1058873-3 : Configuring source address as "address list" in a virtual server causes APMD to restart

Links to More Info: BT1058873

Component: Access Policy Manager

Symptoms:
APMD continues to restart with a denied message.

The following errors are logged in /var/log/apm:

01490000:5: ha_util.cpp func: "getTgInfoByVAddrName()" line: 292 Msg: MCP query failed (error 0x1020036)

01490000:3: DeviceHA.cpp func: "checkApmTrafficGroup()" line: 35 Msg: high availability (HA) util returns err 3

01490000:3: ApmD.cpp func: "main_loop()" line: 851 Msg: Check APM traffic group failed

Conditions:
The source or destination address is configured as "address list" in at least one virtual server configured to use APM.

Impact:
Unable to connect to the BIG-IP.

Workaround:
Do not use "address list" while configuring the source or destination IP address of a virtual server that has an access policy attached.


1051153-5 : DHCP fails intermittently when the connection is through BIG-IP.

Links to More Info: BT1051153

Component: Local Traffic Manager

Symptoms:
DHCP DISCOVER packets are received and load balanced to the back-end DHCP server, and a DHCP OFFER reply is received by the BIG-IP from the server, but this packet is dropped.

Conditions:
A BIG-IP system is between the DHCP client and DHCP server.

Impact:
DHCP OFFER is never passed on to the client, and as such, the client keeps sending DHCP DISCOVER packets, which are all dropped the same way.


1049237-6 : Restjavad may fail to clean up UCS file handles even with the ID767613 fix

Links to More Info: BT1049237

Component: Device Management

Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client (such as a BIG-IQ which is out of disk space) does not complete the download.
Since these files remain open, you may see low disk space even after deleting the associated files, and you may see items listed with '(deleted)' in lsof output.

Additionally, on a software version with the ID767613 fix, you may see restjavad NullPointerException errors in /var/log/restjavad.*.log.

[SEVERE][1837][23 Sep 2021 10:18:16 UTC][RestServer] java.lang.NullPointerException
at com.f5.rest.workers.FileTransferWorker$3.run(FileTransferWorker.java:230)
at com.f5.rest.common.ScheduleTaskManager$1$1.run(ScheduleTaskManager.java:68)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:473)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:622)
at java.lang.Thread.run(Thread.java:748)

Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.

Impact:
Low disk space, items listed with '(deleted)' when listed using lsof.

Workaround:
To free the file handles, restart restjavad:

# tmsh restart sys service restjavad

Files that were deleted now have their space reclaimed.


1048949-8 : TMM xdata leak on websocket connection with asm policy without websocket profile

Links to More Info: BT1048949

Component: Application Security Manager

Symptoms:
Excessive memory consumption, tmm core.

Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Websocket profile isn't attached to the virtual server
- Long lived websocket connection with messages

Impact:
Excessive memory consumption, tmm crash. Traffic disrupted while tmm restarts.

Workaround:
Attach the websocket profile to the virtual server


1048425-6 : Packet tester crashes TMM when vlan external source-checking is enabled

Links to More Info: BT1048425

Component: Advanced Firewall Manager

Symptoms:
TMM SIGFPE Core Assertion "packet must already have an ethernet header".

Conditions:
Run the AFM Packet Tracer when external source-checking is enabled on the VLAN.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable source checking on the vlan.


1046469-4 : Memory leak during large attack

Links to More Info: BT1046469

Component: Anomaly Detection Services

Symptoms:
ADMD daemon memory consumption increases over several days until it causes OOM.

Conditions:
A large DoS attack occurs and is not mitigated.

Impact:
ADMD daemon will get killed and restarted. Due to the restart, the BADoS protection might be disabled for a couple of seconds.

Workaround:
To work around the issue before installing the fix, ADMD can be monitored by a script and restarted as needed. This is similar to the current behavior, but it avoids reaching OOM, which might affect other daemons.


1046401-3 : APM logs shows truncated OCSP URL path while performing OCSP Authentication.

Links to More Info: BT1046401

Component: Access Policy Manager

Symptoms:
While performing OCSP authentication, the APM log file (/var/log/apm) shows the incomplete path of the OCSP URL.

Conditions:
-- Configure OCSP Server object
-- Configure OCSP Agent in the VPE
-- Perform OCSP Authentication

Impact:
Incomplete path of the OCSP URL causes ambiguity and gives the impression that APM is not parsing the URL correctly, while LTM parses correctly at the same time.

Workaround:
N/A


1045277-6 : The /var partition may become 100% full requiring manual intervention to clear space

Links to More Info: BT1045277

Component: TMOS

Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restarts of the restjavad and bigd daemons related to disk space exhaustion.

Conditions:
Processing traffic while the DoS Dashboard is open.

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.

Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.


1044893-4 : Kernel warnings from NIC driver Realtek 8139

Links to More Info: BT1044893

Component: TMOS

Symptoms:
Excessive kernel logs occur from the NIC driver Realtek 8139

Conditions:
-- Realtek 8139 driver is used
-- Packets with a partial checksum and protocol IPPROTO_TCP/IPPROTO_UDP arrive

Impact:
The Realtek 8139 driver logs excessive kernel warnings.


1044873-5 : Deleted GTM link is not removed from virtual server object and causes load failure.

Links to More Info: BT1044873

Component: Global Traffic Manager (DNS)

Symptoms:
The configuration fails to load with an error:

01070712:3: Values (/Common/Link_to_delete) specified for Virtual Server (/Common/vs1 /Common/HTTPP): foreign key index (explicit_link_FK) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.

Conditions:
-- Create GTM link
-- Assign specific link to any virtual server object
-- Delete link object
-- Run tmsh load sys config gtm-only (or create a sync group and the sync will fail)

Impact:
GTM config fails to load or config sync.

Workaround:
Remove any assigned virtual servers from the link prior to deleting it.


1044457-4 : APM webtop VPN is no longer working for some users when CodeIntegrity is enabled.

Links to More Info: BT1044457

Component: Access Policy Manager

Symptoms:
Users are unable to use the BIG-IP VPN in Edge, Internet Explorer, Firefox, and Chrome.
Microsoft believes the issue occurs because the Network Access webtop uses MSXML 2.0a, which is blocked by their desktop policy.

Conditions:
-- Attempting to connect to Network Access VPN using Edge, Internet Explorer, Chrome, or Firefox.
-- CodeIntegrity is enabled

Impact:
Users are not able to connect to F5 VPN through APM Browser.

Workaround:
Use the BIG-IP Edge Client.


1044089-5 : ICMP echo requests to a virtual address get a response even when the virtual server is offline, when updated from the GUI.

Links to More Info: BT1044089

Component: TMOS

Symptoms:
Virtual address is reachable even when the virtual server is offline.

Conditions:
The virtual server status is updated to offline by modifying the virtual server and adding an iRule via the GUI.

Impact:
ICMP echo requests are still handled by the virtual address even though the virtual server is marked offline.

Workaround:
Use tmsh to attach the iRule to the virtual server:

tmsh modify ltm virtual <virtual_server_name> rules {<rule_name> }


1043249-1 : Misconfigured CA bundle causes a misleading HTTP error message.

Links to More Info: BT1043249

Component: Access Policy Manager

Symptoms:
You see an error in /var/log/ltm:
Error in getting Address Space Provider Metadata from the URI <URI name> for the provider <Address space name> and error message is Content length header is missing.

Conditions:
Intentionally or mistakenly configuring a wrong "Trusted Certificate Authorities" bundle on a network access address space.

Impact:
The error message is confusing. It really means that the CA bundle is misconfigured.

Workaround:
No workaround


1042153-3 : AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN.

Links to More Info: BT1042153

Component: Advanced Firewall Manager

Symptoms:
The BIG-IP system is unable to restore the Timestamp (by replacing the TS cookie) when the packet is offloaded to hardware. This happens only when the TS cookie is enabled on one of the VLANs (client or server); when it is enabled on both VLANs, no issues are seen.

Conditions:
Configure TCP BADACK Flood DDoS vector to start mitigation at a given value and enable TS cookies on the server VLAN.

Impact:
The TS cookie is not restored to its original value when the SYN packet is processed by software in BIG-IP and the SYN-ACK is handled by hardware in BIG-IP. As a result, the end hosts' (client/server) RTT calculation is incorrect and causes various issues (for example, it blocks Internet access from hosts in the backend infrastructure).

Workaround:
Use a FastL4 profile with EST mode, i.e., set 'pva-offload-state' to 'EST'.


1041985-5 : TMM memory utilization increases after upgrade

Links to More Info: BT1041985

Component: Access Policy Manager

Symptoms:
TMM memory utilization increases after upgrading.

The keep-alive interval of the _tmm_apm_portal_tcp default profile is set to a value that is less than the Idle Timeout setting.

Conditions:
-- APM enabled and passing traffic
-- The configuration has a profile that uses or is derived from _tmm_apm_portal_tcp where the keep-alive interval was reduced to 60

Note that this can be encountered any time a tcp profile contains a keep-alive interval setting that is less than the idle timeout.

For more information about the relationship between keep-alive and idle time out, see K13004262: Understanding Idle Timeout and Keep Alive Interval settings in the TCP profile, available at https://support.f5.com/csp/article/K13004262

Impact:
TMM memory may increase while passing traffic.

Workaround:
Change the tcp keep alive interval to the default setting of 1800 seconds.


1040829-5 : Errno=(Invalid cross-device link) after SCF merge

Links to More Info: BT1040829

Component: Access Policy Manager

Symptoms:
A single config file (SCF) merge fails with the following error:

01070712:3: failed in syscall link(/var/system/tmp/tmsh/IHxlie/files_d/Common_d/customization_group_d/:Common:otters-connectivity_1_secure_access_client_customization_62552_1, /config/filestore/.trash_bin_d/.current_d/Common_d/customization_group_d/:Common:otters-connectivity_1_secure_access_client_customization_62552_1) errno=(Invalid cross-device link)

Conditions:
A customization group with the same name is present in both the SCF file and the BIG-IP device.

Impact:
SCF merge fails

Workaround:
None


1040573-5 : REST operation takes a long time when two different users perform tasks in parallel

Links to More Info: BT1040573

Component: TMOS

Symptoms:
A considerable delay is observed when different users attempt to execute multiple REST (iControl REST) requests in parallel.

Conditions:
Multiple iControl REST operations are performed by different users in parallel.

When multiple requests are attempted by single or multiple users, with and without bulk config, the following behavior is observed:

5 ICRD children are spawned successfully (as seen in the logs), and these children serve multiple REST requests fired by multiple users.

Expected results are observed for all of the scenarios below, except the last one, which has a caveat:

1. Verify multiple REST requests fired by a single user
2. Verify multiple REST requests fired by multiple users (5 users)
3. Verify a single REST request fired by multiple users (5 users)
4. Verify multiple REST requests fired by multiple users with bulk config (5 users)
5. Verify a single REST request fired by multiple users with bulk config (5 users)

Scenario 5 has a caveat with the current fix: since the fix limits concurrency to 4 requests, the connection may be refused for some of the requests if there are more than 4 concurrent requests.

Impact:
BIG-IP system performance is impacted.

Workaround:
Use only one user to process the multiple requests.
OR
Use an iControl REST transaction containing multiple requests.


1040117-4 : BIG-IP Virtual Edition drops UDP packets

Links to More Info: BT1040117

Component: TMOS

Symptoms:
BIG-IP Virtual Edition drops padded UDP packets when the hardware will accept and forward these same packets.

Conditions:
-- BIG-IP Virtual Edition
-- Padded UDP packets are sent

Impact:
UDP packets are dropped, potentially disrupting traffic.


1039941-4 : The webtop offers to download F5 VPN when it is already installed

Links to More Info: BT1039941

Component: Access Policy Manager

Symptoms:
A pop-up window appears and requests that the client component be downloaded.

Conditions:
Either of these conditions can trigger this issue:

-- Network Access configured and the webtop type set to "Network Access"
-- VPE configured
[Machine Info (or Anti Virus Check)] -- [Resource Assignment (NA + Webtop)]

 or

-- Network Access (auto-launch) and webtop configured
-- VPE configured
[Machine Info (or Anti Virus Check)] -- [Resource Assignment (NA + Webtop)]

Impact:
End users are unable to use the browser-based VPN.

Workaround:
Any one of these following workarounds will work:

-- Use Internet Explorer.
-- Do not configure Network Access auto launch or "Network Access" for the webtop type.
-- Insert the message box between Client Inspection (Machine info, etc.) and "Resource Assignment" on the VPE.
-- Ignore the message (click "Click here"); this allows you to move on to the next step.


1038057-5 : Unable to add a serverssl profile into a virtual server containing a FIX profile

Links to More Info: BT1038057

Component: Service Provider

Symptoms:
You are unable to configure a virtual server to use server SSL encryption with FIX protocol messages.

Conditions:
This is encountered when server SSL needs to be configured for FIX profiles.

Impact:
You are unable to assign a server-ssl profile to the virtual server.

Workaround:
None


1037257-1 : SSL::verify_result showing wrong output for revoked cert during Dynamic CRL check

Links to More Info: BT1037257

Component: Local Traffic Manager

Symptoms:
In the logs, the result of Dynamic CRL validation returned by SSL::verify_result appears as 0, which is incorrect.

Conditions:
1. Use Dynamic CRL
2. Use a REVOKED certificate

Impact:
The log incorrectly reports that certificate validation succeeded for a revoked certificate.

Workaround:
Use the static CRL method of certificate validation instead.


1035661-5 : REST Requests return 401 Unauthorized when using Basic Auth

Links to More Info: BT1035661

Component: TMOS

Symptoms:
REST Requests are intermittently failing with a 401 error.

The restjavad-audit.*.log shows these requests are closely preceded by a 503 response from /mgmt/tm/auth/source.

Conditions:
Triggered when a REST request comes in using Basic Auth while an asynchronous task is executing on the BIG-IP.

An example of an asynchronous task is the BIG-IP processing an AS3 declaration.

Impact:
REST requests will fail with a misleading response code and for no readily apparent reason.

Workaround:
Use token based authentication for REST requests.


1034865-6 : CACHE::enable failed on private/no-store content

Links to More Info: BT1034865

Component: Local Traffic Manager

Symptoms:
BIG-IP can cache HTTP responses with the RAMCACHE feature. When a response has either "Cache-Control: private" or "Cache-Control: no-store", the CACHE::enable command allows the content to be cached anyway. This option was removed when the fix for ID 360047 was introduced.

Conditions:
-- A virtual server has a web-acceleration profile without a policy.
-- An iRule uses the CACHE::enable command, overriding the Cache-Control header values "no-store" and/or "private".

Impact:
BIG-IP always requests the response from the origin web server, even when the response is cacheable, putting extra load on the origin web server.


1033537-5 : Cookie persistence profile only examines the first cookie.

Component: Local Traffic Manager

Symptoms:
The cookie persistence profile does not process multiple cookies with the same name. If the first such cookie is not valid for the selected pool, or if it fails to decrypt (when encryption is enabled), processing stops, even if there are other cookies with the same name.

Conditions:
-- Virtual server with an HTTP profile and a cookie persistence profile.
-- Multiple cookies with the same name arrive from the client. They can appear in a single Cookie header or in two separate headers.
-- This can occur with cookie encryption enabled or disabled.

Impact:
Only the first cookie is evaluated.

Workaround:
Do not use the cookie persistence profile.


1032001-3 : Statemirror address can be configured on the management network, or clusterd keeps restarting

Links to More Info: BT1032001

Component: TMOS

Symptoms:
- A statemirror address can be created on the same network as the management or cluster network.
- Validation issues when attempting to remove a management address.
- Clusterd process restarts constantly.

Conditions:
- Management/cluster address set up with IPv6 and statemirror address is configured with IPv4.

Impact:
- Unable to make configuration changes to the management or cluster address until the statemirror address is removed.
- Clusterd process restarts constantly causing the blade or cluster to report as offline.


1030129-5 : iHealth unnecessarily flags qkview for H701182 with mcp_module.xml

Links to More Info: BT1030129

Component: Application Security Manager

Symptoms:
iHealth unnecessarily flags the uploaded qkview for Heuristic H701182 "Non-ASCII characters removed from Qkview XML files".

Conditions:
A qkview generated from a unit with ASM provisioned is uploaded to iHealth.

Impact:
Inaccurate heuristic result on iHealth.

Workaround:
None.


1030093 : An http2 to http2 virtual connection with translate-address disabled might only use one stream on the server side.

Links to More Info: BT1030093

Component: Local Traffic Manager

Symptoms:
When there is no pool object available, this issue results in only stream ID 1 succeeding to the server-side. All subsequent streams fail.

Conditions:
With the following configuration:
-- client side HTTP2
-- server side HTTP2
-- HTTP2 MRF enabled
-- translate-address disabled

Impact:
Connection only works for stream 1. All other streams fail.

Workaround:
If you set "translate-address enabled" on the virtual server, then all streams work fine.


1029173-5 : MCPD fails to reply and does not log a valid message if there are problems replicating a transaction to PostgreSQL

Links to More Info: BT1029173

Component: TMOS

Symptoms:
In rare circumstances Master Control Program Daemon (MCPD) fails to reply to a request from TMSH, GUI, or any daemon, for example, SNMPD.

Following is an example error message:

Mar 29 00:03:12 bigip1 err mcpd[15865]: 01070734:3: Configuration error: MCPProcessor::processRequestNow: std::exception

Conditions:
- AFM is provisioned.
- MCPD fails to connect to PostgreSQL.

Impact:
The tmsh command 'save sys config' might hang.
SNMPD stops replying to SNMP GET requests.

Workaround:
If any tmsh commands are hung, quit them.

If SNMPD stops responding to SNMP requests, then use the command bigstart restart snmpd to restart SNMPD.


1028081-3 : [F5 Access Android] F5 Access on Android gets "function () {[native code]}" in the logon page

Links to More Info: BT1028081

Component: Access Policy Manager

Symptoms:
1. Users connecting with F5 Access from an Android device see the string "function () {[native code]}" in the Logon Page Form 'Username' field.
2. This issue only affects the F5 Access embedded browser. It works fine when connecting from the same Android device using Chrome. F5 Access from iOS is also working fine.

Conditions:
Configure an access policy with modern customization that includes a Logon Page.

Impact:
The string "function () {[native code]}" appears in the Logon Page Form 'Username' field.

Workaround:
This workaround is temporary, as the changes are lost after an upgrade.
Steps:
1) Create a copy of the original "main.js" file:
# cp /var/sam/www/webtop/public/include/js/modern/main.js /var/sam/www/webtop/public/include/js/modern/main.js.origin

2) Edit the file using an editor (e.g., vi):
# vi /var/sam/www/webtop/public/include/js/modern/main.js
Change
window.externalAndroidWebHost.getWebLogonUserName
to
window.externalAndroidWebHost.getWebLogonUserName()
and change
window.externalAndroidWebHost.getWebLogonPassword
to
window.externalAndroidWebHost.getWebLogonPassword()

3) Restart BIG-IP


1026781-5 : Standard HTTP monitor send strings have double CRLF appended

Links to More Info: BT1026781

Component: Local Traffic Manager

Symptoms:
Standard (bigd-based, not In-TMM) HTTP monitors have a double CRLF appended (\r\n\r\n) to the send string. This does not comply with RFC1945 section 5.1 which states requests must terminate with a single CRLF (\r\n). This non-compliant behavior can lead to unexpected results when probing servers.

Conditions:
Standard bigd (not In-TMM) HTTP monitors

Impact:
Servers probed by these non-RFC-compliant HTTP monitors may respond in an unexpected manner, resulting in false negative or false positive monitor results.

Workaround:
There are several workarounds:

1. If running 13.1.0 or later, switch monitoring from bigd-based to In-TMM. In-TMM monitors properly follow RFC1945 and send only a single CRLF (\r\n).

2. Remain with bigd-based monitoring and configure the probed servers to respond to a double CRLF (\r\n\r\n) in the desired fashion.

Depending on server configuration, a customized send string, even with the double CRLF, may still yield expected responses.


1026273-5 : HA failover connectivity using the cluster management address does not work on VIPRION platforms

Links to More Info: BT1026273

Component: TMOS

Symptoms:
Upon upgrade to an affected version, failover communication via the management port does not work. You may still see packets passing back and forth, but the listener on the receiving end is not configured, and therefore the channel is not up.

Here are a few symptoms you may see:
-- Running 'tmsh show cm failover-status' shows a status of 'Error' on the management network.

-- Running 'tmctl' commands reports the disconnected state:
Example:
$ tmctl -l sod_tg_conn_stat -s entry_key,last_msg,status
entry_key last_msg status
----------------------------- ---------- ------
10.76.7.8->10.76.7.9:1026 0 0 <--- Notice there is no 'last message' and 'status' is 0, which means disconnected.
10.76.7.8->17.1.90.2:1026 1623681404 1

-- In the output of 'netstat -pan | grep 1026', the management address is not listed as listening on port 1026.
Example (notice that the management IP from the above example, 10.76.7.9, is not listed):
# netstat -pan | grep 1026
udp 0 0 10.10.10.10:1026 0.0.0.0:* 6035/sod

-- Listing /var/run/ contents shows that the chmand.pid file is missing:
# ls /var/run/chmand.pid
ls: cannot access /var/run/chmand.pid: No such file or directory

Conditions:
-- Running on VIPRION platforms
-- Only the cluster management IP address is configured; no cluster member IP addresses are configured
-- Running a software version where ID810821 is fixed (see https://cdn.f5.com/product/bugtracker/ID810821.html)
-- The management IP is configured in the failover configuration

Impact:
If only the management address is configured for failover, or there are communication issues over the self IP (such as misconfigured port lockdown settings), the devices may behave unexpectedly, for example both going active.

Workaround:
-- Configure a cluster member IP address on each individual blade in addition to the Cluster management IP address.
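A triage helper for the symptoms above, added as an example (not F5 tooling): it parses captured output of the tmctl and netstat commands, lists the failover peers whose channel status is 0, and lists the failover addresses that have no sod listener on UDP 1026. The sample outputs are constructed from the examples in this entry; the function names are this example's own. It only confirms the symptom; the fix remains the workaround above.

```python
# Added example, not F5 code: reads captured 'tmctl -l sod_tg_conn_stat' and
# 'netstat -pan' output and reports (a) peers whose failover channel is down
# and (b) failover addresses on which sod has no UDP listener.  The sample
# text at the bottom is constructed from the examples in this entry.
import re

SOD_PORT = 1026

# tmctl row: "<local>-><peer>:<port> <last_msg> <status>" (trailing notes ignored)
_CONN_ROW = re.compile(r"^(\S+)->(\S+):(\d+)\s+(\d+)\s+(\d+)\b")
# netstat row: "udp <rq> <sq> <local_ip>:<port> <foreign> <pid>/<prog>"
_NETSTAT_ROW = re.compile(r"^udp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(\S+)$")


def parse_sod_conn_stat(text):
    """Parse 'tmctl -l sod_tg_conn_stat -s entry_key,last_msg,status' output."""
    rows = []
    for line in text.splitlines():
        m = _CONN_ROW.match(line.strip())
        if m:
            rows.append({"local": m.group(1), "peer": m.group(2),
                         "port": int(m.group(3)), "last_msg": int(m.group(4)),
                         "status": int(m.group(5))})
    return rows


def disconnected_peers(rows):
    """status 0 means the channel to that peer is down; last_msg 0 on the same
    row means nothing was ever received on it (listener never created)."""
    return [r["peer"] for r in rows if r["status"] == 0]


def sod_listeners(netstat_text, port=SOD_PORT):
    """Local addresses on which sod is bound to UDP <port>, from 'netstat -pan'."""
    bound = set()
    for line in netstat_text.splitlines():
        m = _NETSTAT_ROW.match(line.strip())
        if m and int(m.group(2)) == port and m.group(3).endswith("/sod"):
            bound.add(m.group(1))
    return bound


def missing_listeners(failover_addrs, netstat_text, port=SOD_PORT):
    """Failover addresses (e.g. the management IP) with no sod listener."""
    return sorted(set(failover_addrs) - sod_listeners(netstat_text, port))


# Constructed sample: the sender's tmctl table and the receiving peer's netstat.
SAMPLE_TMCTL = """\
entry_key last_msg status
----------------------------- ---------- ------
10.76.7.8->10.76.7.9:1026 0 0
10.76.7.8->17.1.90.2:1026 1623681404 1
"""
SAMPLE_NETSTAT = "udp 0 0 10.10.10.10:1026 0.0.0.0:* 6035/sod\n"

if __name__ == "__main__":
    rows = parse_sod_conn_stat(SAMPLE_TMCTL)
    print("disconnected peers:", disconnected_peers(rows))
    print("no sod listener on:", missing_listeners(["10.76.7.9"], SAMPLE_NETSTAT))
```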


1025089-7 : Pool members marked DOWN by database monitor under heavy load and/or unstable connections

Links to More Info: BT1025089

Component: Local Traffic Manager

Symptoms:
BIG-IP database monitors (mssql, mysql, oracle, postgresql) may exhibit one of the following symptoms:

- Under heavy, sustained load, the database monitoring subsystem may become unresponsive, causing pool members to be marked DOWN and eventually causing the database monitoring daemon (DBDaemon) to restart unexpectedly.

- If the network connection to a monitored database server is unstable (experiences intermittent interruptions, drops, or latency), pool members may be marked DOWN as the result of a momentary loss of connectivity. This is more likely to occur when a database monitor is used to monitor a GTM pool member instead of an LTM pool member, due to differences between how monitors are configured for GTM versus LTM.

Conditions:
These symptoms may occur under the following conditions:

- The database monitoring subsystem may become unresponsive, and the database monitoring daemon (DBDaemon) may restart unexpectedly, if a large number of LTM or GTM pool members are being monitored by database monitors, and/or with short polling intervals ("interval" of 10 seconds or less), or when GTM pool members are monitored by database monitors with a short "probe-timeout" value (10 seconds or less).

- The GTM pool members may be marked DOWN after a single interrupted connection if they are monitored by a database monitor, configured with a short "probe-timeout" value (10 seconds or less) and "ignore-down-response" configured as "disabled" (default).

Impact:
-- High CPU utilization is observed on control plane cores.

-- The database monitoring daemon (DBDaemon) may restart unexpectedly, causing GTM or LTM pool members monitored by a database monitor to be marked DOWN temporarily.

-- GTM or LTM pool members monitored by a database monitor may be marked DOWN temporarily if the network connection to the database server is dropped or times out.

Workaround:
Perform one of the following actions:

-- Configure the database (mssql, mysql, oracle, postgresql) monitor with a "count" value of "1". This prevents the caching or reuse of network connections to the database server between probes. Thus there is no cached connection to time out or get dropped. However, the overhead of establishing the network connection to the database server will be incurred for each probe and will result in generally higher (but more consistent) CPU usage by the database monitoring daemon (DBDaemon).

-- Configure the database monitor "interval" and "timeout" values (for an LTM monitor), or the "interval", "timeout", "probe-attempts", "probe-interval" and "probe-timeout" values (for a GTM monitor) such that multiple failed monitor probes are required before the monitored member is marked DOWN, and with a minimum value of 10 seconds or greater.

Note: A restart of bigd (and consequently the DBDaemon) might be necessary to properly clear any currently stale/stuck database connections.


1024241-5 : Empty TLS records from client to BIG-IP results in SSL session termination

Links to More Info: BT1024241

Component: Local Traffic Manager

Symptoms:
After a client completes the TLS handshake with BIG-IP and then sends an empty TLS record (zero-length plaintext), the client-to-BIG-IP SSL connection is terminated.

Conditions:
-- This is reported on the i7800, which has an Intel QAT crypto device.
-- The issue was not reported on Nitrox crypto based BIG-IP platforms, and it is not seen when hardware crypto is disabled.

Impact:
SSL connection termination is seen in TLS clients.

Workaround:
Disable hardware crypto acceleration.


1023889-5 : HTTP/HTTPS protocol option in storage filter does not suppress WS/WSS server->client messages

Links to More Info: BT1023889

Component: Application Security Manager

Symptoms:
Protocol filter does not suppress WS/WSS server->client message.

Conditions:
- protocol filter is set to HTTP, HTTPS or HTTP/HTTPS
- response logging is set to For All Requests

Impact:
Remote log server receives unexpected messages

Workaround:
None


1023529-5 : FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory.

Links to More Info: BT1023529

Component: Local Traffic Manager

Symptoms:
Command "tmsh show sys tmm-traffic" reports non-zero number of current connections but "tmsh show sys connection" shows nothing.

Conditions:
-- A virtual server with a FastL4 profile with infinite timeout enabled and an iRule containing the "after" command. Using the "-periodic" argument makes the problem more prominent.
-- Aggressive sweeper activated due to low memory conditions.

Impact:
Connections that were supposed to be removed by the aggressive sweeper but were waiting for completion of an iRule may end up in a state where they are not reported by "tmsh show sys connection". Because of this, these connections cannot be deleted manually using "tmsh delete sys connection", but remain in memory. Their presence can be confirmed by the non-zero number of current connections shown by "tmsh show sys tmm-traffic". Because of the infinite timeout setting, they will not time out by themselves either.

Workaround:
N/A


1022997-5 : TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC)

Links to More Info: BT1022997

Component: TMOS

Symptoms:
Deployments on AWS that use the sock driver (1NIC, for example) transmit packets with bad checksums when TSO/GSO is required. This causes significant delays as TMM re-segments the packets with correct checksums for retransmission, and may cause some operations to time out (such as configsyncs of large configurations).

Conditions:
-- BIG-IP Virtual Edition (VE) using the sock driver on AWS (all 1NIC deployments use this)
-- TSO/GSO required due to MTU limitations on one or more VLANs

Impact:
-- Delayed packets.
-- Possible timeouts for some operations (configsyncs, for example).

Workaround:
Modify (or create, if not present) the file /config/tmm_init.tcl on the affected BIG-IP systems, and add the following line to it:

ndal force_sw_tcs off 1d0f:ec20

Then restart TMM:

bigstart restart tmm

Note: Restarting TMM will cause a failover (or an outage if there is no high availability (HA) peer available).


1020129-5 : Turboflex page in GUI reports 'profile.Features is undefined' error

Links to More Info: BT1020129

Component: TMOS

Symptoms:
The System :: Resource Provisioning : TurboFlex page is unusable, and the BIG-IP GUI reports an error:

An error occurred: profile.Features is undefined.

Conditions:
-- BIG-IP iSeries appliance
-- Upgrade to:
--- v15.1.3 or later within v15.1.x
--- v16.0.1.2 or later within v16.0.x
--- v16.1.0 or later
-- Accessing the System :: Resource Provisioning : TurboFlex page in the BIG-IP GUI

Impact:
Unable to manage TurboFlex profile via the BIG-IP GUI.

Workaround:
Use tmsh or iControl REST to manage TurboFlex profile configuration.


1020041-7 : "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs

Component: Policy Enforcement Manager

Symptoms:
The following message may be logged to /var/log/tmm*

   Can't process event 16, err: ERR_NOT_FOUND

Conditions:
Applying a PEM policy to an existing session that already has that policy (e.g., through an iRule using 'PEM::subscriber config policy referential set xxxx').

Impact:
Since the PEM policy is already applied to the session, the failure message is essentially cosmetic, but it can cause the tmm logs to grow in size if this is happening frequently.

Workaround:
None


1019641-4 : SCTP INIT_ACK not forwarded

Links to More Info: BT1019641

Component: Local Traffic Manager

Symptoms:
After an SCTP link down/up (not a physical interface link down/up), the SCTP session cannot be established.

Conditions:
-- CMP forwarding enabled (source-port preserve-strict)
-- The BIG-IP system is encountering heavy traffic load
-- A connection is deleted from the connection table

Impact:
Flow state can become out of sync between TMMs

Workaround:
Once the problem occurs, execute "tmsh delete sys connection", and the SCTP session will be re-established.


1019261-5 : In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile.

Links to More Info: BT1019261

Component: In-tmm monitors

Symptoms:
HTTPS monitors with SSL profile set to None (default) will not use the default ServerSSL profile of "serverssl" when In-TMM monitoring is enabled. Instead, another internal ServerSSL profile is used which has different values from "serverssl".

Conditions:
-- In-TMM monitoring is enabled
-- HTTPS monitor(s) with SSL profile field is set to the default of "None"

Impact:
The TLS settings for the HTTPS monitor probes will not match those of the "serverssl" ServerSSL profile, which may cause unexpected behavior such as using TLS 1.3 (disabled by default in the "serverssl" profile) or random session IDs.

Workaround:
Specify a ServerSSL profile in every HTTPS monitor when using In-TMM monitoring.

Attaching the profile "serverssl" will result in the same behavior that SSL Profile "none" should provide, given that the "serverssl" profile should be the default.


1016589-6 : Incorrect expression in STREAM::expression might cause a tmm crash

Links to More Info: BT1016589

Component: Local Traffic Manager

Symptoms:
TMM restarts and generates a core file.

Conditions:
An iRule uses STREAM::expression that contains certain strings or is malformed.

Stream expressions use a string representing a series of search/replace or search components. If there is more than one search-only component, this might cause tmm to crash.

The delimiter character used is the first character of each component search/replace pair. This example uses the '@' character as the delimiter, but it is malformed.

Given
  STREAM::expression "@dog@dot@cat@car@uvw@xyz@"
This would be interpreted as three items:
  search for "dog" replace with "dot"
  search for "at@"
  search for "r@uvw@xyz@"

This string should likely be:
  STREAM::expression "@dog@dot@@cat@car@@uvw@xyz@"
Which would be interpreted as
  search for "dog" replace with "dot"
  search for "cat" replace with "car"
  search for "uvw" replace with "xyz"

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure that strings in STREAM::expression iRule statements do not have more than one search-only component and are well formed.
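The component interpretation described above, written out as a linter so an expression can be checked before it goes into an iRule. This is an added example, not TMM's parser: it reproduces this entry's reading of both example strings (the first character of a component is its delimiter; a component whose replace part has no closing delimiter is search-only), and it flags empty search strings and more than one search-only component. Regular-expression syntax inside a component is not interpreted, and the function names are this example's own.

```python
# Added example, not F5 code: a model of the STREAM::expression component
# parsing described in this entry, used to lint expressions before use.
# It matches the entry's reading of both example strings; it is not TMM's
# parser and ignores regex syntax inside components.

def parse_stream_expression(expr):
    """Split a STREAM::expression string into (search, replace) tuples.

    The first character of each component is that component's delimiter.  A
    component is <d>search<d>replace<d>; if no delimiter closes the replace
    part, the component is search-only (replace is None) and parsing resumes
    right after the search's closing delimiter."""
    items = []
    i, n = 0, len(expr)
    while i < n:
        d = expr[i]
        j = expr.find(d, i + 1)          # closing delimiter of the search part
        if j == -1:                      # unterminated: the rest is search-only
            items.append((expr[i + 1:], None))
            break
        search = expr[i + 1:j]
        k = expr.find(d, j + 1)          # closing delimiter of the replace part
        if k == -1:
            items.append((search, None))
            i = j + 1
        else:
            items.append((search, expr[j + 1:k]))
            i = k + 1
    return items


def check_stream_expression(expr):
    """Return a list of problems; empty means well formed by the rule in the
    workaround (no empty search string, at most one search-only component)."""
    problems = []
    items = parse_stream_expression(expr)
    for idx, (search, _replace) in enumerate(items, 1):
        if search == "":
            problems.append("component %d has an empty search string" % idx)
    search_only = sum(1 for _s, r in items if r is None)
    if search_only > 1:
        problems.append("%d search-only components (more than one may crash tmm)"
                        % search_only)
    return problems


def describe(expr):
    """Render the parsed components in the wording used in this entry."""
    lines = []
    for search, replace in parse_stream_expression(expr):
        if replace is None:
            lines.append('search for "%s"' % search)
        else:
            lines.append('search for "%s" replace with "%s"' % (search, replace))
    return lines


if __name__ == "__main__":
    for e in ("@dog@dot@cat@car@uvw@xyz@", "@dog@dot@@cat@car@@uvw@xyz@"):
        print(e)
        for line in describe(e):
            print("  " + line)
        print("  problems:", check_stream_expression(e) or "none")
```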


1016433-3 : URI rewriting is incorrect for "data:" and "javascript:"

Links to More Info: BT1016433

Component: TMOS

Symptoms:
With an LTM rewrite profile, HTML attribute values such as "javascript:", "mailto:", and "data:" are incorrectly rewritten as URIs. This can cause web applications to fail.

Conditions:
-- LTM rewrite profile in URI translation mode.
-- The HTML content of the web application contains attribute values such as "javascript:abc" or "data:".

Impact:
Incorrect URI rewriting may cause web application to fail.


1016045-5 : OOPS logging may appear while active ftp if the port command forces a cmp_redirection and a quit follows.

Links to More Info: BT1016045

Component: Carrier-Grade NAT

Symptoms:
OOPS logging may appear in /var/log/ltm and /var/log/tmm

Conditions:
1. Active ftp connection.
2. The PORT command is sent immediately followed by QUIT.

Impact:
Log pollution and potential for performance degradation.

Workaround:
N/A


1014361-3 : Config sync fails after provisioning APM or changing BIG-IP license

Links to More Info: BT1014361

Component: TMOS

Symptoms:
Clustered high availability (HA) devices cannot establish ConfigSync connection, and the prompt status reports disconnected.

MCPD is logging a message similar to this repeatedly, even though all TMMs are up and running:

err mcpd[4247]: 0107142f:3: Can't connect to CMI peer 192.0.2.1, TMM outbound listener not yet created

Conditions:
This can occur under either of the following conditions:

-- Some provisioning operations (e.g., provisioning APM), when TMM restarts during the provisioning. This has primarily been seen with BIG-IP instances running in Google Cloud.

-- Changing the license of a BIG-IP VE when the new license changes the number of TMM instances that will run on the BIG-IP (e.g., upgrading from a 1 Gbps to a 3 Gbps VE license).

Impact:
BIG-IP devices are not able to perform ConfigSync operations.

Workaround:
Restart MCPD on the affected system.

Note: This will disrupt traffic while system services restart.


1013209-6 : BIG-IP components relying on ca-bundle.crt may stop working after upgrade

Links to More Info: BT1013209

Component: TMOS

Symptoms:
After upgrading, the BIG-IP system components may stop working due to missing CA certificates in ca-bundle.crt.

Conditions:
A CA certificate that has already expired, or that will expire within 6 months (182 days) of the upgrade, is removed from ca-bundle.crt.

Impact:
The BIG-IP components such as TMM, APM etc. may stop working due to missing CA certificates in ca-bundle.crt.

Workaround:
Download the blended-bundle.crt from the F5 download site. It is located at
https://downloads.f5.com/esd/product.jsp?sw=Certificate-Authority-Bundle&pro=Certificate-Authority-Bundle


1012377-3 : Unable to display/edit 'management route' via GUI

Links to More Info: BT1012377

Component: TMOS

Symptoms:
Unable to display/edit 'management route' via GUI

Conditions:
-- Viewing the management route in the GUI via System -> Platform
-- The management route is configured manually

Impact:
The management route field is blank, and you cannot make changes.

Workaround:
Display/edit the management route via tmsh:

tmsh list sys management-route
tmsh modify sys management-route <settings>


1011889-7 : The BIG-IP system does not handle DHCPv6 fragmented traffic properly

Links to More Info: BT1011889

Component: Local Traffic Manager

Symptoms:
In the following two scenarios, packets may be dropped by the BIG-IP device.

- [client MTU 1500] <---> (vlan1) <---> [BIG-IP: MTU 1500 on vlan1, MTU 9000 on vlan2] <---> (vlan2) <---> [server MTU 1500]
If the response from the server is large enough to be fragmented, the BIG-IP system is not able to process the packets.

- [client MTU 1500] <---> (vlan1) <---> [BIG-IP: MTU 1500 on vlan1, MTU 9000 on vlan2] <---> (vlan2) <---> [server MTU 9000]
A large response arriving in a single packet is not fragmented properly on the client side, so packets may be dropped.

Conditions:
DHCPv6 MTU size is greater than or equal to 1500.

Impact:
Packets are dropped, traffic is disrupted.


1010341-5 : Slower REST calls after update for CVE-2021-22986

Links to More Info: BT1010341

Component: TMOS

Symptoms:
As a result of changes introduced to increase security around the REST API, REST calls that use HTTP basic authentication may take longer to execute than they did previously.

Conditions:
- REST API calls
- HTTP basic authentication used for the REST calls

Impact:
- Degraded performance of the REST API

Workaround:
Update automation scripting to use token-based authentication, which is both faster and more secure than HTTP basic authentication.


1006857-4 : Adding a source address list to a virtual server in a partition with a non-default route domain fails.

Links to More Info: BT1006857

Component: TMOS

Symptoms:
Adding a source address list to a virtual server in a partition with a non-default route domain fails with an error similar to:

0107176c:3: Invalid Virtual Address, the IP address 10.10.10.20%2 already exists.

Conditions:
-- A partition with a non-default route domain.
-- A virtual server and address list in said partition.
-- Modifying the virtual server to use the address list as its source address.

Impact:
Unable to use a source address list in a partition with a non-default route domain.

Workaround:
Manually create a traffic-matching-criteria object in TMSH with the desired configuration, and then create the virtual server using that traffic-matching-criteria.

Steps to help with this process can be found in F5 solution article K41752699.


1006449-4 : The default size of the subagent object cache possibly leading to slow snmp response time and high mcpd CPU use

Links to More Info: BT1006449

Component: TMOS

Symptoms:
After upgrading from a 13.1.x release to a later release (such as 15.1.x), BIG-IP CPU utilization increases and SNMP is slow to respond.

Conditions:
SNMP client repeatedly polls BIG-IP for OIDs in multiple tables over a short period of time.

Impact:
SNMP queries take an unusually long time to return data, and BIG-IP CPU utilization is higher.

Workaround:
To the file /config/snmp/bigipTrafficMgmt.conf, add one line with the following content:

  cacheObj 16

This could be accomplished by executing the following command line from bash:

  # echo "cacheObj 16" >> /config/snmp/bigipTrafficMgmt.conf

After the above config file has been modified and saved, the "snmpd" daemon must be restarted, using one of two command variants:

  (on a BIG-IP appliance or VE system)

  # bigstart restart snmpd

  (on a multi-slot VIPRION or vCMP guest)

  # clsh bigstart restart snmpd

(However, this adjustment will be lost when the BIG-IP software is next upgraded.)


1003081-5 : GRE/TB-encapsulated fragments are not forwarded.

Links to More Info: BT1003081

Component: TMOS

Symptoms:
IP fragments that arrive over a GRE/TB tunnel are not reassembled, and are not forwarded through the BIG-IP system.

Conditions:
This occurs if all of the following conditions are true:

-- BIG-IP system with more than one TMM instance running.
-- Running a version or Engineering Hotfix that contains a fix for ID997541 (https://cdn.f5.com/product/bugtracker/ID997541.html).
-- GRE Round Robin DAG (the DB variable dag.roundrobin.gre) is enabled.
-- IP fragments arrive over GRE tunnel.

Impact:
BIG-IP system fails to process fragmented IP datagrams.

Workaround:
None


1002969-6 : Csyncd can consume excessive CPU time

Links to More Info: BT1002969

Component: Local Traffic Manager

Symptoms:
Following a configuration change or software upgrade, the "csyncd" process becomes always busy, consuming excessive CPU.

Conditions:
-- occurs on a multiblade VIPRION chassis
-- may occur with or without vCMP
-- may occur after configuring F5 Telemetry Streaming, but may also occur in other circumstances
-- large numbers of files are contained in one or more of the directories being sync'ed between blades

Impact:
The overuse of CPU resources by "csyncd" may starve other control-plane processes. Handling of payload network traffic by the data plane is not directly affected.

Workaround:
To mitigate the processing load, identify which directory or directories contain excessive numbers of files being replicated between blades by "csyncd". If this replication is not absolutely needed (see below), such a directory can be removed from the set of directories being sync'ed.

For example: if there are too many files being generated in the "/run/pamcache" directory (same as "/var/run/pamcache"), remove this directory from the set being acted upon by "csyncd" by running the following commands to comment-out the associated lines in the configuration file:

# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"

# clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"

# clsh "bigstart restart csyncd"

If the problem was observed soon after the installation of F5 Telemetry Streaming, the configuration can be adjusted to make csyncd ignore the related files in a subdirectory of "/var/config/rest/iapps". Run the following commands:

# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"

# clsh "sed -i '/\/var\/config\/rest\/iapps/a \ \ \ \ \ \ \ \ ignore f5-telemetry' /etc/csyncd.conf"

# clsh "bigstart restart csyncd"


----

The impact of disabling replication for the pamcache folder is that in the event of a primary blade failover, the new primary blade would not be aware of the existing valid auth tokens, so the user (eg, a GUI user, or a REST script already in progress at the time of the failover) would need to authenticate again.



