Supplemental Document : BIG-IP 17.1.0 Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.0

BIG-IP Analytics

  • 17.1.0

BIG-IP Link Controller

  • 17.1.0

BIG-IP LTM

  • 17.1.0

BIG-IP PEM

  • 17.1.0

BIG-IP AFM

  • 17.1.0

BIG-IP FPS

  • 17.1.0

BIG-IP DNS

  • 17.1.0

BIG-IP ASM

  • 17.1.0
Updated Date: 12/07/2023

BIG-IP Release Information

Version: 17.1.0
Build: 16.0

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

The blue background highlights fixes


Known Issues in BIG-IP v17.1.x

Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
890917 CVE-2023-22323 K56412001, BT890917 Performance may be reduced while processing SSL traffic 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1208001 CVE-2023-22374 K000130415 iControl SOAP vulnerability CVE-2023-22374 17.1.0
1183453 CVE-2022-31676 K87046687 Local privilege escalation vulnerability (CVE-2022-31676) 17.1.0
1143073 CVE-2022-41622 K94221585, BT1143073 iControl SOAP vulnerability CVE-2022-41622 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1107437 CVE-2023-22839 K37708118, BT1107437 TMM may crash when enable-rapid-response is enabled on a DNS profile 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1107293 CVE-2021-22555 K06524534, BT1107293 CVE-2021-22555: Linux kernel vulnerability 17.1.0, 15.1.8
1106289 CVE-2022-41624 K43024307, BT1106289 TMM may leak memory when processing sideband connections. 17.1.0, 17.0.0.1, 16.1.3.2, 15.1.7, 14.1.5.2, 13.1.5.1
1106161 CVE-2022-41800 K13325942, BT1106161 Securing iControlRest API for appliance mode 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1105389 CVE-2023-23552 K17542533, BT1105389 Incorrect HTTP request handling may lead to resource leak 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3
1104493 CVE-2022-35272 K90024104, BT1104493 Client-side abort during server-side establishment may cause tmm to behave abnormally in HTTP MRF proxy 17.1.0, 17.0.0.1, 16.1.3.1
1102881 CVE-2021-25217 K08832573 dhclient/dhcpd vulnerability CVE-2021-25217 17.1.0
1098829 CVE-2022-23852,CVE-2022-25235,CVE-2022-25236,CVE-2022-23515,CVE-2022-22822,CVE-2022-22823,CVE-2022-22824 K19473898 Security vulnerabilities found in expat lib(used by iControlSoap) prior to version 2.4.8 17.1.0
1093821 CVE-2023-22422 K43881487, BT1093821 TMM may behave unexpectedly while processing HTTP traffic 17.1.0, 17.0.0.2, 16.1.3.3
1093813 CVE-2002-20001, CVE-2022-40735 K83120834 DH Key Agreement vulnerability in APM server side components 17.1.0
1093621-6 CVE-2022-41832 K10347453 Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1, 13.1.5.1
1093253 CVE-2021-3999 K24207649 CVE-2021-3999 Glibc Vulnerability 17.1.0
1091453 CVE-2022-23308 K32760744, BT1091453 libxml2 vulnerability CVE-2022-23308 17.1.0, 15.1.8
1086293-2 CVE-2023-22358 K76964818 Untrusted search path vulnerability in APM Windows Client installer processes 17.1.0
1086289-2 CVE-2023-22358 K76964818 BIG-IP Edge Client for Windows vulnerability CVE-2023-22358 17.1.0
1085729 CVE-2022-41836 K47204506, BT1085729 bd may crash while processing specific request 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1077301 CVE-2021-23133 K67416037, BT1077301 CVE-2021-23133 kernel: Race condition in sctp_destroy_sock list_del 17.1.0, 15.1.8
1066673 CVE-2022-35728 K55580033, BT1066673 BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1062569 CVE-2023-22664 K56676554, BT1062569 HTTP/2 stream bottom filter leaks memory at teardown under certain conditions 17.1.0, 17.0.0.2, 16.1.3.3
1051797-8 CVE-2018-18281 K36462841, BT1051797 Linux kernel vulnerability: CVE-2018-18281 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1032553 CVE-2023-22281 K46048342, BT1032553 Core when virtual server with destination NATing receives multicast 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3
950605 CVE-2020-14145 K48050136 openssh insecure client negotiation CVE-2020-14145 17.1.0
919357 CVE-2022-41770 K22505850, BT919357 iControl REST hardening 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
785197 CVE-2019-9075 K42059040 binutils vulnerability CVE-2019-9075 17.1.0
740321 CVE-2022-34851 K50310001, BT740321 iControl SOAP API does not follow current best practices 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1121965 CVE-2022-28614 K58003591 CVE-2022-28614 (httpd): out-of-bounds read via ap_rwrite() 17.1.0
1112445 CVE-2023-22302 K58550078, BT1112445 Fix to avoid zombie node on the chain 17.1.0, 17.0.0.2, 16.1.3.3
1091517 CVE-2020-25704 K44994972 CVE-2020-25704 Linux kernel Vulnerability 17.1.0
1089921 CVE-2022-0359 K08827426 Vim vulnerability CVE-2022-0359 17.1.0
1089233 CVE-2022-0492 K54724312 CVE-2022-0492 Linux kernel vulnerability 17.1.0
1084013 CVE-2022-36795 K52494562, BT1084013 TMM does not follow TCP best practices 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1073005 CVE-2023-22326 K83284425, BT1073005 iControl REST use of the dig command does not follow security best practices 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1065917 CVE-2023-22418 K95503300, BT1065917 BIG-IP APM Virtual Server does not follow security best practices 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.7, 14.1.5.3
1021245 CVE-2019-20907 K78284681 CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive 17.1.0
1006921 CVE-2022-33962 K80970653, BT1006921 iRules Hardening 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1063641 CVE-2022-33968 K23465404, BT1063641 NTLM library hardening 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1063637 CVE-2022-33968 K23465404, BT1063637 NTLM library hardening 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1144373 3-Major   BIG-IP SFTP hardening 17.1.0
1125561 3-Major   Add nameserver-min-rtt (infra-cache-min-rtt) feature support for DNS validating resolver cache 17.1.0
1093313 3-Major BT1093313 CLIENTSSL_CLIENTCERT iRule event is not triggered for TLS1.3 when the client sends an empty certificate response 17.1.0
1088037-1 3-Major BT1088037 VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers 17.1.0, 15.1.8
1040609 3-Major   RFC enforcement is bypassed when HTTP redirect irule is applied to the virtual server. 17.1.0
1036057 3-Major BT1036057 Add support for line folding in multipart parser. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1025261 3-Major BT1025261 Restjavad uses more resident memory in control plane after software upgrade 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1024421 3-Major BT1024421 At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log 17.1.0, 15.1.3.1
1001865-4 3-Major   No platform trunk information passed to tenant 17.1.0, 15.1.4
1071621 4-Minor BT1071621 Increase the number of supported traffic selectors 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1097193-7 2-Critical K000134769, BT1097193 Unable to SCP files using WinSCP or relative path name 17.1.0
1224125 1-Blocking BT1224125 When you upgrade to 16.1.3.2 or 17.1, keys that are not approved in FIPS 140-3 are permitted to be used. 17.1.0
1173441 1-Blocking   The 'tmsh save sys config' call is being triggered when REST Authentication tokens (X-F5-Auth-Token) are deleted or expired 17.1.0
1167869 1-Blocking   Unable to provision PEM module VELOS and rSeries platform 17.1.0
1120433 1-Blocking BT1120433 Removed gtmd and big3d daemon from the FIPS-compliant list 17.1.0, 16.1.3.1
1116845-2 1-Blocking BT1116845 Interfaces using the xnet driver are not assigned a MAC address 17.1.0
1101705 1-Blocking BT1101705 RSA-KEX ciphers list are removed from httpd configuration in FIPS mode since these are non-approved ciphers for FIPS 140-3 certification 17.1.0, 17.0.0.1, 16.1.3
1058509-2 1-Blocking BT1058509 Platform_agent crash on tenant token renewal 17.1.0, 15.1.6
1032761-2 1-Blocking BT1032761 HA mirroring may not function correctly. 17.1.0, 15.1.4
989517 2-Critical BT989517 Acceleration section of virtual server page not available in DHD 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
988645-1 2-Critical BT988645 Traffic may be affected after tmm is aborted and restarted 17.1.0, 15.1.4
987113 2-Critical BT987113 CMP state degraded while under heavy traffic 17.1.0, 15.1.4, 14.1.5
957637 2-Critical BT957637 The pfmand daemon can crash when it starts. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
940225 2-Critical BT940225 Not able to add more than 6 NICs on VE running in Azure 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
928029-1 2-Critical BT928029 Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis 17.1.0, 15.1.4, 14.1.3
909673-2 2-Critical BT909673 TMM crashes when VLAN SYN cookie feature is used on iSeries i2x00 and i4x00 platforms 17.1.0, 15.1.0.4
1208529 2-Critical   TMM crash when handling IPSEC traffic 17.1.0
1195377-2 2-Critical BT1195377 Getting Service Indicator log for disallowed RSA-1024 crypto algorithm 17.1.0
1181613 2-Critical BT1181613 IPsec IKEv2: BIG-IP version 16.1.0 introduced RFC5996 non-compliance in IKE SA delete 17.1.0
1178221 2-Critical BT1178221 In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT 17.1.0
1173625 2-Critical   TMM core generate with SIGSEGV - mkv_free() 17.1.0
1161785 2-Critical   FIPS Module name updates 17.1.0
1144477 2-Critical BT1144477 IKE_SA_INIT uses src port 500 and dst port 4500 after IKE SA deleted 17.1.0
1136429 2-Critical BT1136429 Closing of unrelated MCPD connection causes an errant reply to an in-progress transaction or request group 17.1.0
1134301 2-Critical BT1134301 IPsec interface mode may stop sending packets over tunnel after configuration update 17.1.0
1128629-4 2-Critical BT1128629 Neurond crash observed during live install through test script 17.1.0
1124837 2-Critical   Detaching-then-reattaching VLAN on an active LACP trunk on r2k and r4k systemsneeds tmm restart 17.1.0
1122313-1 2-Critical BT1122313 VXLAN tunnels fail to pass traffic after TMM restarts 17.1.0
1110893 2-Critical BT1110893 Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy 17.1.0
1108181 2-Critical BT1108181 iControl REST call with token fails with 401 Unauthorized 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
1098009-1 2-Critical BT1098009 DAG context synchronization problem in high availability (HA) mirroring on VELOS platforms 17.1.0, 15.1.8
1097193 2-Critical BT1097193 Unable to SCP files using WinSCP or relative path name 17.1.0, 16.1.3.1
1095217 2-Critical BT1095217 Peer unit incorrectly shows the pool status as unknown after merging the configuration 17.1.0
1085805 2-Critical   UCS restore with SSL Orchestrator deployed fails due to multiple iFiles and incorrect iFile reference. 17.1.0
1085597 2-Critical BT1085597 IKEv1 IPsec peer cannot be created in config utility (web UI) 17.1.0
1084213-1 2-Critical BT1084213 [rseries]: VLAN member not restored post loading default configuration in BIG-IP tenant 17.1.0, 15.1.6.1
1082941 2-Critical   System account hardening 17.1.0
1076909 2-Critical BT1076909 Syslog-ng truncates the hostname at the first period. 17.1.0
1075905-2 2-Critical BT1075905 TCP connections may fail when hardware SYN Cookie is active 17.1.0, 15.1.5.1, 14.1.5
1075733 2-Critical   Updated libcgroup library to fix CVE-2018-14348 17.1.0
1075689 2-Critical   Multiple CVE fixes for OpenLDAP library 17.1.0, 15.1.8
1027637-3 2-Critical BT1027637 System controller failover may cause dropped requests 17.1.0, 15.1.4
1018997 2-Critical   Improper logging of sensitive DB variables 17.1.0
1004517 2-Critical BT1004517 BIG-IP tenants on VELOS cannot install EHFs 17.1.0, 15.1.4, 14.1.4.3
998957 3-Major BT998957 MCPD consumes excessive CPU while collecting statistics 17.1.0
992865-1 3-Major BT992865 Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances 17.1.0, 16.1.2.2, 15.1.4
992053 3-Major BT992053 Pva_stats for server side connections do not update for redirected flows 17.1.0, 15.1.4.1
988793-3 3-Major BT988793 SecureVault on BIG-IP tenant does not store unit key securely 17.1.0, 15.1.4
966949 3-Major BT966949 Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node 17.1.0
966541 3-Major   Improper data logged in plaintext 17.1.0
930393 3-Major BT930393 IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration 17.1.0
925469 3-Major BT925469 SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo 17.1.0
921149 3-Major BT921149 After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy 17.1.0
919305-1 3-Major BT919305 Appliance mode is not working on BIG-IP 14.1.x tenant deployed on VELOS. 17.1.0, 15.1.4
905937 3-Major   TSIG key value logged in plaintext in log 17.1.0
886649 3-Major BT886649 Connections stall when dynamic BWC policy is changed via GUI and TMSH 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
662301 3-Major BT662301 'Unlicensed objects' error message appears despite there being no unlicensed config 17.1.0
651029 3-Major   Sensitive information exposed during incremental sync 17.1.0
586948 3-Major   Dynamic toggling for HSB hardware checksum validation 17.1.0
1196665 3-Major BT1196665 Required TCAM rules are deleted when virtual server configuration is modified 17.1.0
1195177-1 3-Major BT1195177 TMM may crash during hardware offload on virtual-wire setup 17.1.0
1167885 3-Major   IPsec tunnel establishment is not happening after rekeying 17.1.0
1166329 3-Major BT1166329 The mcpd process fails on secondary blades, if the predefined classification applications are updated. 17.1.0
1154933 3-Major   Improper permissions handling in REST SNMP endpoing 17.1.0
1153865 3-Major BT1153865 Restjavad OutOfMemoryError errors and restarts after upgrade 17.1.0
1128169 3-Major BT1128169 TMM core when IPsec tunnel object is reconfigured 17.1.0
1127169-1 3-Major BT1127169 The BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG 17.1.0
1126805-5 3-Major BT1126805 TMM CPU usage statistics may show a lower than expected value on Virtual Edition 17.1.0
1125773 3-Major BT1125773 TCP options are disabled while hardware SYN cookie is active 17.1.0
1125733 3-Major BT1125733 Wrong server-side window scale used in hardware SYN cookie mode 17.1.0
1123885 3-Major BT1123885 A specific type of software installation may fail to carry forward the management port's default gateway. 17.1.0
1123149-2 3-Major BT1123149 Sys-icheck fail for /etc/security/opasswd 17.1.0, 16.1.3.1
1122441 3-Major   Upgrade expat library to the latest version(2.4.8) to fix CVE's. 17.1.0
1122021 3-Major BT1122021 Killall command might create corrupted core files 17.1.0
1121085 3-Major BT1121085 Some valid connections may get rejected in hardware SYN cookie mode 17.1.0
1120685-2 3-Major BT1120685 Unable to update the password in the CLI when password-memory is set to > 0 17.1.0, 16.1.3.1
1117673 3-Major BT1117673 Configuration load error for a non default value of 'net dag-global {dag-ipv6-prefix-len}' 17.1.0
1117637 3-Major BT1117637 FastL4 traffic traversing the tunnels such as VXLAN, may fail on VELOS and rSeries tenants 17.1.0, 15.1.8
1116813-2 3-Major BT1116813 Some of the valid connections may get rejected in HW SYN cookie mode 17.1.0
1114137 3-Major   LibUV library for latest bind 9.16 17.1.0
1113961 3-Major K43391532, BT1113961 BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China 17.1.0
1113889-1 3-Major   Classic BIG-IP tenant running on F5OS will not correctly pin in-tenant control plane threads correctly on first deployment 17.1.0
1113385 3-Major BT1113385 Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1112109 3-Major BT1112109 Unable to retrieve SCP files using WinSCP or relative path name 17.1.0
1111993 3-Major   HSB tool utility does not display PHY settings for HiGig interfaces 17.1.0
1111629 3-Major BT1111629 Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors 17.1.0
1111421 3-Major BT1111421 TMSH/GUI fails to display IPsec SAs info 17.1.0
1111097 3-Major   gzip arbitrary-file-write vulnerability CVE-2022-1271 17.1.0
1103369 3-Major BT1103369 DELETE of REST Auth token does not result in deletion of the pamcache token file on a multi-slot VIPRION chassis, vCMP guest, or VELOS tenant 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1102849 3-Major BT1102849 Less-privileged users (guest, operator, etc) are unable to run top level commands 17.1.0, 14.1.5.1
1102837 3-Major BT1102837 Use native driver for e810 instead of sock 17.1.0, 15.1.7
1101453 3-Major BT1101453 MCPD SIGABRT and core happened while deleting GTM pool member 17.1.0
1100409 3-Major   Valid connections may fail while a virtual server is in SYN cookie mode. 17.1.0
1100321-3 3-Major BT1100321 MCPD memory leak 17.1.0
1100125 3-Major BT1100125 Per virtual SYN cookie may not be activated on all HSB modules 17.1.0
1091725 3-Major BT1091725 Memory leak in IPsec 17.1.0
1091345 3-Major BT1091345 The /root/.bash_history file is not carried forward by default during installations. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1090569-3 3-Major BT1090569 After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1089901 3-Major   Adding support to PVSCSI driver along with existing LSI driver 17.1.0
1089849-2 3-Major BT1089849 NIST SP800-90B compliance 17.1.0, 17.0.0.1, 16.1.3
1089225 3-Major   Polkit pkexec vulnerability CVE-2021-4034 17.1.0, 15.1.8
1088429-1 3-Major BT1088429 Kernel slab memory leak 17.1.0
1087621 3-Major BT1087621 IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1086517 3-Major BT1086517 TMM may not properly exit hardware SYN cookie mode 17.1.0, 15.1.6.1
1086389 3-Major   BIG-IP r4k and r2k series based systems shows has_pva flag true though they cannot support 17.1.0
1085837 3-Major BT1085837 Virtual server may not exit from hardware SYN cookie mode 17.1.0, 15.1.6.1
1084873-2 3-Major BT1084873 Packets are dropped when a masquerade MAC is on a shared VLAN 17.1.0, 15.1.6.1
1084781 3-Major   Resource Admin permission modification 17.1.0
1083537-2 3-Major BT1083537 FIPS 140-3 Certification 17.1.0, 17.0.0.1, 16.1.2.2
1081649 3-Major BT1081649 Remove the "F5 iApps and Resources" link from the iApps->Package Management 17.1.0
1081641-1 3-Major BT1081641 Remove Hyperlink to Legal Statement from Login Page 17.1.0
1080297 3-Major BT1080297 ZebOS does not show 'log syslog' in the running configuration, or store it in the startup configuration 17.1.0
1077405 3-Major BT1077405 Ephemeral pool members may not be created with autopopulate enabled. 17.1.0
1076785-4 3-Major BT1076785 Virtual server may not properly exit from hardware SYN Cookie mode 17.1.0, 15.1.5.1
1075729-2 3-Major BT1075729 Virtual server may not properly exit from hardware SYN Cookie mode 17.1.0, 15.1.5.1, 14.1.5.1
1075229-1 3-Major BT1075229 Jumbo frames not supported 17.1.0, 15.1.6
1069337 3-Major   CVE-2016-1841 - Use after free in xsltDocumentFunctionLoadDocument 17.1.0
1063473-4 3-Major BT1063473 While establishing a high availability (HA) connection, the number of npus in DAG context may be overwritten incorrectly 17.1.0, 15.1.5.1, 14.1.5
1061481 3-Major BT1061481 Denied strings were found in the /var/log/ folder after an update or reboot 17.1.0, 17.0.0.1, 16.1.3
1060625 3-Major BT1060625 Wrong INTERNAL_IP6_DNS length. 17.1.0, 17.0.0, 16.1.2.2
1060009-1 3-Major BT1060009 Platform Agent may run out of file descriptors 17.1.0, 15.1.6.1, 14.1.5
1048977-1 3-Major BT1048977 IPSec tunnel is not coming up after tmm/system restart when ipsec.removeredundantsa db variable is enabled 17.1.0, 15.1.6
1048709 3-Major BT1048709 FCS errors between the switch and HSB 17.1.0, 15.1.8
1047577 3-Major   System statistics may fail to update, or report negative deltas due to delayed stats merging 17.1.0
1042737 3-Major BT1042737 BGP sending malformed update missing Tot-attr-len of '0. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1036613 3-Major BT1036613 Client flow might not get offloaded to PVA in embryonic state 17.1.0, 15.1.5.1
1032257 3-Major BT1032257 Forwarded PVA offload requests fail on platforms with multiple PDE/TMM 17.1.0, 15.1.5.1
1029105-3 3-Major BT1029105 Hardware SYN cookie mode state change logs bogus virtual server address 17.1.0, 15.1.4
1024661 3-Major BT1024661 SCTP forwarding flows based on VTAG for bigproto 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1019793-3 3-Major BT1019793 Image2disk does not work on F5OS BIG-IP tenant. 17.1.0, 15.1.5
1001069-2 3-Major BT1001069 VE CPU usage higher after upgrade, given same throughput 17.1.0
995937 4-Minor   In IPsec, support AES-GCM on IKE Peer phase 1 17.1.0
962249-1 4-Minor BT962249 Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm 17.1.0, 15.1.4
936501 4-Minor BT936501 Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled 17.1.0, 16.1.3.1
904661-6 4-Minor BT904661 Mellanox NIC speeds may be reported incorrectly on Virtual Edition 17.1.0
760496 4-Minor BT760496 Traffic processing interrupted by PF reset 17.1.0
1207593 4-Minor BT1207593 Secure Shell (SSH) to BIG-IP is failing 17.1.0
1155733 4-Minor   NULL bytes are clipped from the end of buffer 17.1.0
1154673-1 4-Minor BT1154673 Enabling DHCP for management should not be allowed on F5OS BIG-IP tenants 17.1.0
1144817 4-Minor BT1144817 Traffic processing interrupted by PF reset 17.1.0
1105757-5 4-Minor BT1105757 Creating CSR with invalid parameters for basic-constraints, tmsh does not generate meaningful errors 17.1.0
1100609-2 4-Minor BT1100609 Length Mismatch in DNS/DHCP IPv6 address in logs and pcap 17.1.0, 16.1.3
1093045 4-Minor   CVE-2017-5225 - LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS 17.1.0
1091601 4-Minor   Glibc vulnerabilities CVE-2022-23218, CVE-2022-23219 17.1.0
1090449 4-Minor BT1090449 IPsec: Turn down pfkey logging 17.1.0
1090441 4-Minor BT1090441 IKEv2: Add algorithm info to SK_ logging 17.1.0
1089729 4-Minor   CVE-2021-3715 kernel: use-after-free in route4_change() in net/sched/cls_route.c 17.1.0
1080317 4-Minor BT1080317 Hostname is getting truncated on some logs that are sourced from TMM 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1076897 4-Minor BT1076897 OSPF default-information originate command options not working properly 17.1.0
1073165-1 4-Minor BT1073165 Add IPv6 prefix length 17.1.0, 15.1.6
1067105 4-Minor BT1067105 Racoon logging shows incorrect SA length. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1062385 4-Minor BT1062385 BIG-IP has an incorrect limit on the number of monitored HA-group entries. 17.1.0
1053557 4-Minor   Support for Mellanox CX-6 17.1.0
1043821 4-Minor   Inconsistent user permission handling across configuration UIs 17.1.0


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1136081 1-Blocking BT1136081 HSM sync issue in HA setups 17.1.0
1135041-1 1-Blocking BT1135041 Performance issue related to crypto and compression 17.1.0, 15.1.8
1112349 1-Blocking BT1112349 FIPS Card Cannot Initialize 17.1.0
1053809-1 1-Blocking BT1053809 TMM crashes while running L4 Max concurrent connections 17.1.0, 15.1.5
943101-1 2-Critical BT943101 Tmm crash in cipher group delete. 17.1.0, 15.1.4, 14.1.3
937649 2-Critical BT937649 Flow fwd broken with statemirror.verify enabled and source-port preserve strict 17.1.0
934461-1 2-Critical BT934461 Connection error with server with TLS1.3 single-dh-use. 17.1.0, 15.1.4, 14.1.3
1214073 2-Critical   LACP Trunks are not created in TMM on R2800/R4800 platforms. 17.1.0
1214069 2-Critical   Potential data leak inside Ethernet padding field on VELOS architecture products 17.1.0
1210433 2-Critical   Conversion between virtual-wire VLAN and normal VLAN 17.1.0
1209197 2-Critical   Gtmd crash SIGSEGV - OBJ_sn2nid() in 17.1.0
1186249 2-Critical BT1186249 TMM crashes on reject rule 17.1.0
1156697 2-Critical BT1156697 Translucent VLAN groups may pass some packets without changing the locally administered bit 17.1.0
1154681-1 2-Critical   Reconfiguration of virtual-wire VLAN in tenant 17.1.0
1134085 2-Critical BT1134085 Intermittent TMM core when iRule is configured with SSL persistence 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1
1132405 2-Critical BT1132405 TMM does not process BFD echo pkts with src.addr == dst.addr 17.1.0
1121661 2-Critical   TMM may core while processing HTTP/2 requests 17.1.0
1113549 2-Critical BT1113549 System boots into an inoperative state after installing engineering hotfix with FIPS140-2/140-3 License 17.1.0, 16.1.3.1
1110813-5 2-Critical   Improve MPTCP retransmission handling while aborting 17.1.0
1110205 2-Critical BT1110205 SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown 17.1.0, 16.1.3.1
1109833 2-Critical BT1109833 HTTP2 monitors not sending request 17.1.0, 16.1.3.1
1106989 2-Critical   Certain configuration settings leads to memory accumulation 17.1.0
1105145 2-Critical BT1105145 Request body on server side egress is not chunked when it needs to be after HTTP processes a 100 continue response. 17.1.0
1099545 2-Critical BT1099545 Tmm may core when PEM virtual with a simple policy and iRule is being used 17.1.0
1088049-1 2-Critical BT1088049 The fix for ID841469 became broken in the 15.1.x branch for some platforms. 17.1.0, 15.1.6.1
1087469 2-Critical BT1087469 iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate. 17.1.0, 16.1.3.1, 15.1.6.1
1087217 2-Critical BT1087217 TMM crash as part of the fix made for ID912209 17.1.0, 16.1.3.1
1084953-1 2-Critical BT1084953 CPU usage increase observed in some Ramcache::HTTP tests on BIG-IP Virtual Edition 17.1.0, 15.1.6
1076805-1 2-Critical BT1076805 Tmm crash SIGSEGV 17.1.0, 15.1.8
1074517 2-Critical BT1074517 Tmm may core while adding/modifying traffic-class attached to a virtual server 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1072377 2-Critical BT1072377 TMM crash in rare circumstances during route changes 17.1.0
1060093-1 2-Critical BT1060093 Upgrading BIG-IP tenant from 14.1.4.4-0.0.4 to 15.1.5-0.0.3 with blade in the 8th slot causes backplane CDP clustering issues. 17.1.0, 15.1.5
1059337-1 2-Critical BT1059337 Potential data leak inside Ethernet padding field on VELOS architecture products 17.1.0
1045629 2-Critical   FastL4 TCP Fast Close with Reset 17.1.0
1020645-5 2-Critical BT1020645 When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered 17.1.0, 16.1.3.1, 15.1.4.1
977761-2 3-Major BT977761 Connections are dropped if a certificate is revoked. 17.1.0, 16.1.2.2
947125 3-Major BT947125 Unable to delete monitors after certain operations 17.1.0
930385-2 3-Major BT930385 SSL filter does not re-initialize when an OCSP object is modified 17.1.0, 15.1.4, 14.1.3
922413-9 3-Major BT922413 Excessive memory consumption with ntlmconnpool configured 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
897045 3-Major   Add support of BrainpoolP384r1 and Brainpool256r1 17.1.0
884541 3-Major   Improper handling of cookies on VIPRION platforms 17.1.0
748886 3-Major BT748886 Virtual server stops passing traffic after modification 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1185133 3-Major BT1185133 ILX streaming plugins limited to MCP OIDs less than 10 million 17.1.0
1184153 3-Major BT1184153 TMM crashes when you use the rateshaper with packetfilter enabled 17.1.0
1161733 3-Major   Enabling client-side TCP Verified Accept can cause excessive memory consumption 17.1.0
1159569 3-Major BT1159569 Persistence cache records may accumulate over time 17.1.0
1155393 3-Major BT1155393 Failure to remove chunk headers from chunked response with Rewrite/HTML profile and compression 17.1.0
1146241 3-Major BT1146241 FastL4 virtual server may egress packets with unexpected and erratic TTL values 17.1.0
1146037 3-Major   Updating the firmware for a FIPS protected internal HSM due to SDK or driver upgrade 17.1.0
1141845 3-Major BT1141845 RULE_INIT with a call that contains an extra colon character (:) will crash BIG-IP. 17.1.0
1135313 3-Major BT1135313 Pool member current connection counts are incremented and not decremented 17.1.0
1133881 3-Major BT1133881 Errors in attaching port lists to virtual server when TMC is used with same sources 17.1.0
1133625 3-Major BT1133625 The HTTP2 protocol is not working when SSL persistence and session ticket are enabled 17.1.0
1133013 3-Major   Appliance mode hardening 17.1.0
1128721-1 3-Major BT1128721 L2 wire support on vCMP architecture platform 17.1.0, 15.1.8
1126701 3-Major   Provide caution banner when the system integrity check fails from daily anacron job 17.1.0
1126329 3-Major BT1126329 SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT 17.1.0
1123169 3-Major BT1123169 Error saving an iRule when calling a procedure from HTML_TAG_MATCHED event 17.1.0
1115041 3-Major BT1115041 BIG-IP does not forward the response received after GOAWAY, to the client. 17.1.0
1112745-3 3-Major BT1112745 System CPU Usage detailed graph is not accessible on Cerebrus+ 17.1.0, 15.1.7
1112205 3-Major BT1112205 HTTP/2 may garble responses if the client-side stream aborts while response headers are on the wire 17.1.0
1111473 3-Major BT1111473 "Invalid monitor rule instance identifier" error after sync with FQDN nodes 17.1.0
1109953 3-Major BT1109953 TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry 17.1.0
1102429 3-Major BT1102429 iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases. 17.1.0
1101697 3-Major BT1101697 TLS1.3 connection failure with 0-RTT and Hello Retry Request (HRR). 17.1.0, 15.1.7
1101181 3-Major BT1101181 HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server 17.1.0
1099229 3-Major BT1099229 SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present 17.1.0, 14.1.5.1
1091761 3-Major BT1091761 Mqtt_message memory leaks when iRules are used 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1088173-4 3-Major BT1088173 With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile 17.1.0, 15.1.7
1082505-2 3-Major BT1082505 TLS ciphersuites including RSA-KEX are non-approved ciphers for FIPS 140-3 certification 17.1.0, 17.0.0.1, 16.1.3
1082225 3-Major BT1082225 Tmm may core while Adding/modifying traffic-class attached to a virtual server. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1080569 3-Major   BIG-IP prematurely closes clientside HTTP1.1 connection when serverside is HTTP2 and HTTP MRF router is enabled on virtual server 17.1.0
1078109 3-Major   When Subject Alternative Field is empty while creating an SSL certificate, a caution should be displayed 17.1.0
1077553 3-Major BT1077553 Traffic matches the wrong virtual server after modifying the port matching configuration 17.1.0
1076577 3-Major BT1076577 iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg' 17.1.0, 15.1.7
1070789-2 3-Major BT1070789 SSL fwd proxy invalidating certificate even through bundle has valid CA 17.1.0, 16.1.3.1
1070389 3-Major   Tightening HTTP RFC enforcement 17.1.0
1068673 3-Major BT1068673 SSL forward Proxy triggers CLIENTSSL_DATA event on bypass. 17.1.0
1064785 3-Major BT1064785 BIG-IP must respond return code 0x01 (unacceptable protocol level) if the MQTT protocol level is not supported 17.1.0
1063977 3-Major BT1063977 Tmsh load sys config merge fails with "basic_string::substr" for non-existing key. 17.1.0, 16.1.3
1060989-2 3-Major BT1060989 Improper handling of HTTP::collect 17.1.0, 16.1.3.1
1060021 3-Major BT1060021 Using OneConnect profile with RESOLVER::name_lookup iRule might result in core. 17.1.0
1053741 3-Major BT1053741 Bigd may exit and restart abnormally without logging a reason 17.1.0, 15.1.8
1043009-4 3-Major BT1043009 TMM dump capture for compression engine hang 17.1.0
1022453 3-Major BT1022453 IPv6 fragments are dropped when packet filtering is enabled. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1006157 3-Major BT1006157 FQDN nodes not repopulated immediately after 'load sys config' 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1000069 3-Major BT1000069 Virtual server does not create the listener 17.1.0
1181345 4-Minor   Fix for VLAN Group reconfiguration issue when an additional virutal-wire configuration is added on top of deployed tenant 17.1.0
1168309 4-Minor   Virtual Wire traffic over trunk interface sometimes fail in Tenant based platforms 17.1.0
1156105 4-Minor BT1156105 Proxy Exclusion List is not configurable if VLAN group and route-domain are in non default partition 17.1.0
1132765 4-Minor BT1132765 Virtual server matching might fail in rare cases when using virtual server chaining. 17.1.0
1122377 4-Minor BT1122377 If-Modified-Since always returns 304 response if there is no last-modified header in the server response 17.1.0
1111981 4-Minor BT1111981 Decrement in MQTT current connections even if the connection was never active 17.1.0
1105229 4-Minor   iRule command 'connect' may fail to resume when invoked from CLIENT_DATA or SERVER_DATA 17.1.0
1104073 4-Minor BT1104073 Use of iRules command whereis with "isp" or "org" options may cause TCL object leak. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1103617 4-Minor BT1103617 'Reset on Timeout' setting might be ignored when fastl4 is used with another profile. 17.1.0
1101369 4-Minor   MQTT connection stats are not updated properly 17.1.0
1037265 4-Minor   Improper handling of multiple cookies with the same name. 17.1.0


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
1127445 2-Critical BT1127445 Performance degradation after Bug ID 1019853 17.1.0


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1211341 1-Blocking   Failed to delete custom monitor after dissociating from virtual server 17.1.0
1205049 1-Blocking   Unable to access pages of global settings for GSLB, Zones, and Keys 17.1.0
1137485 2-Critical BT1137485 Gtmd produces excessive logging and may also crash (SIGSEGV) repeatedly 17.1.0
1061537 2-Critical   DNS cache support for Prefetch, Outbound Message Retry, and Server Stale Data Settings 17.1.0
966461 3-Major BT966461 Tmm memory leak 17.1.0
935945 3-Major BT935945 GTM HTTP/HTTPS monitors cannot be modified via GUI 17.1.0
672374 3-Major   Support of Elliptic Curve Digital Signature Algorithm (ECDSA) for DNSSEC and SHA-384 DS Records 17.1.0
1200929 3-Major BT1200929 GTM configuration objects larger than 16384 bytes can cause the GTM sync process to hang 17.1.0
1189877 3-Major   The option /dev/random is depreciated from rndc-confgen with the latest BIND 9.16 17.1.0
1162081 3-Major   Upgrade the bind package to fix security vulnerabilities 17.1.0
1161241 3-Major   BIND default behavior changed from 9.11 to 9.16 17.1.0
1122497 3-Major BT1122497 Rapid response not functioning after configuration changes 17.1.0
1091249 3-Major BT1091249 BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1085377 3-Major   BIND9 upgrade from version 9.11 to 9.16 17.1.0
1073677 3-Major BT1073677 Add a db variable to enable answering DNS requests before reqInitState Ready 17.1.0
1060145 3-Major BT1060145 Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2. 17.1.0
1048077-2 3-Major   SELinux errors with gtmd when using internal FIPS card 17.1.0
1035889 3-Major   Support of ECDSA for DNSSEC in Unbound 17.1.0
1143985 4-Minor   TMUI options to configure Nameserver Minimum RTT are unavailable in DNS Cache and Net Resolver 17.1.0
1084673 4-Minor BT1084673 GTM Monitor "require M from N" status change log message does not print pool name 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1070197 4-Minor   In a RPZ zone, unbound continues to process matching against the after-coming RPZ zones 17.1.0
1025497 4-Minor   BIG-IP may accept and forward invalid DNS responses 17.1.0


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1105341 0-Unspecified BT1105341 Decode_application_payload can break exponent notation in JSON 17.1.0
911629-5 2-Critical BT911629 Manual upload of LiveUpdate image file results in NULL response 17.1.0, 15.0.1.4, 14.1.2.8
1208989 2-Critical   Improper value handling in DOS Profile properties page 17.1.0
1187157 2-Critical   BD crashes when provisioning ASM and AVR together on VIPRION 17.1.0
1142141 2-Critical   Violation details are missing for MALFORMED_JSON and MALFORMED_XML violations 17.1.0
1132409 2-Critical   Legal OpenAPI3 matrix type requests are blocked or alarmed in Bot Defense 17.1.0
1113161 2-Critical BT1113161 After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets 17.1.0
1095185 2-Critical BT1095185 Failed Configuration Load on Secondary Slot After Device Group Sync 17.1.0
1015881 2-Critical BT1015881 TMM might crash after configuration failure 17.1.0, 16.1.3.1, 15.1.7
948305 3-Major   New iRule Commands for login result and username 17.1.0
886533 3-Major BT886533 Icap server connection adjustments 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1183161 3-Major   Performance improvement in policy creation/deletion 17.1.0
1146081 3-Major   Multiple selection of Learning Suggestions does not work 17.1.0
1141665 3-Major   Significant slowness in policy creation following Threat Campaign LU installation 17.1.0
1127809 3-Major   Due to incorrect URI parsing, the system does not extract the expected domain name 17.1.0
1127093 3-Major   Attack Signature in authorization header with base64 is not detected 17.1.0
1126581 3-Major   Performance improvement for ASM signature engine 17.1.0
1126409 3-Major   BD process crash 17.1.0
1117117 3-Major   Trailing slash buffer details are missing from remote logger 17.1.0
1113881 3-Major   Headers without a space after the colon trigger an HTTP RFC violation 17.1.0
1112805 3-Major BT1112805 ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4 17.1.0
1106937 3-Major   ASM may skip signature matching 17.1.0
1102301 3-Major   Content profiles created for types other than video and image allowing executable 17.1.0
1100669 3-Major BT1100669 Brute force captcha loop 17.1.0
1100393 3-Major BT1100393 Multiple Referer header raise false positive evasion violation 17.1.0
1100161 3-Major   IP Address description column does not appear on table from version 16.1.x 17.1.0
1099193 3-Major   Incorrect configuration for "Auto detect" parameter is shown after switching from other data types 17.1.0
1095041 3-Major BT1095041 ASM truncates cookies that contain a space in the name and TS cookie as part of cookie list. 17.1.0
1092965 3-Major   Disabled "Illegal Base64 value" violation is detect for staged base64 parameter with attack signature in value 17.1.0
1091185 3-Major   Issue with input normalization 17.1.0
1089853 3-Major   "Virtual Server" or "Bot Defense Profile" links in Request Details are not working 17.1.0
1089345 3-Major   BD crash when mcp is down, usually on startups 17.1.0
1084257 3-Major   New HTTP RFC Compliance check for incorrect newline separators in headers 17.1.0, 17.0.0.1, 15.1.7
1083913 3-Major BT1083913 Missing error check in ICAP handling 17.1.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1082461 3-Major BT1082461 The enforcer cores during a call to 'ASM::raise' from an active iRule 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1080613 3-Major BT1080613 LU configurations revert to default and installations roll back to genesis files 17.1.0
1078765 3-Major BT1078765 Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1077281 3-Major BT1077281 Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages 17.1.0, 16.1.2.2, 15.1.6.1
1072165 3-Major BT1072165 Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format 17.1.0
1070833 3-Major BT1070833 False positives on FileUpload parameters due to default signature scanning 17.1.0, 16.1.3, 15.1.6.1
1067589 3-Major BT1067589 Memory leak in nsyncd 17.1.0
1062493 3-Major BT1062493 BD crash close to it's startup 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1056957 3-Major BT1056957 An attack signature can be bypassed under some scenarios. 17.1.0, 17.0.0.1, 16.1.3.1
1030133 3-Major BT1030133 BD core on XML out of memory 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1029373 3-Major BT1029373 Firefox 88+ raising Suspicious browser violations with bot defense 17.1.0
1023229 3-Major BT1023229 False negative on specific authentication header issue 17.1.0
1017557 3-Major BT1017557 ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN 17.1.0
1014973 3-Major BT1014973 ASM changed cookie value. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
948241 4-Minor BT948241 Count Stateful anomalies based only on Device ID 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
947333 4-Minor BT947333 Irrelevant content profile diffs in Policy Diff 17.1.0, 17.0.0.1, 16.1.3.1
652793 4-Minor BT652793 "Signature Update Available" message is not cleared by UCS load/sync 17.1.0
1132925 4-Minor BT1132925 Bot defense does not work with DNS Resolvers configured under non-zero route domains 17.1.0
1112049 4-Minor   Performance improvement for checking signature exclusions on header 17.1.0
1111793 4-Minor BT1111793 New HTTP RFC Compliance check for incorrect newline separators between request line and first header 17.1.0, 15.1.7
1111089 4-Minor   Broken "select all" checkbox functionality on WS URL page 17.1.0
1110849 4-Minor   In GUI, sorting needs to be implemented for "Websocket URL" page 17.1.0
1108657 4-Minor   No notification about disabled "Virus detected" violation in case of enabling "Anti-Virus Protection" 17.1.0
1106897 4-Minor   Broken link under Cryptographic Failure section in OWASP page 17.1.0
1097853 4-Minor   Session Tracking screen may be missing the scroll bar after saving the configuration 17.1.0
1073625 4-Minor BT1073625 Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1062069 4-Minor   Online Help for " IP Address Exceptions": Policy Default does not specify an accurate GUI path 17.1.0
1058297 4-Minor BT1058297 Policy history values for 'max Size Of Saved Versions' and for 'min Retained Files In Dir' is reset during upgrade 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1048445 4-Minor BT1048445 Accept Request button is clickable for unlearnable violation illegal host name 17.1.0, 16.1.2.2, 15.1.6.1
1040513 4-Minor BT1040513 The counter for "FTP commands" is always 0. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1040285 4-Minor   Incident ID to log records that update incident properties is missing. 17.1.0
1037253 4-Minor BT1037253 No modal confirmation using "Enforce all Staged Signatures" button 17.1.0
1035361 4-Minor BT1035361 Illegal cross-origin after successful CAPTCHA 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.5
1021637 4-Minor BT1021637 In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs 17.1.0, 16.1.2.2, 15.1.6.1
1020717 4-Minor BT1020717 Policy versions cleanup process sometimes removes newer versions 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1014573 4-Minor BT1014573 Several large arrays/objects in JSON payload may core the enforcer 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1003765 4-Minor BT1003765 Authorization header signature triggered even when explicitly disabled 17.1.0, 15.1.4.1
1113333 5-Cosmetic   Change ArcSight Threat Campaign key names to be camelCase 17.1.0
1048989 5-Cosmetic   Slight correction of button titles in the Data Guard Protection Enforcement 17.1.0
1041469 5-Cosmetic   Request Log Page: Line break in the middle of the word in the note next to Block this IP Address 17.1.0
1029689 5-Cosmetic BT1029689 Incosnsitent username "SYSTEM" in Audit Log 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1007153 5-Cosmetic   Selected Attack type is not shown properly in the Attack Signature Set Properties screen 17.1.0


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
1191333 1-Blocking   AVR pdf or reports display F5 logo instead of YK logo 17.1.0
965581-1 2-Critical BT965581 Statistics are not reported to BIG-IQ 17.1.0, 15.1.4, 14.1.4
1111189 3-Major BT1111189 Listing errors in tmsh and installation failures when the configuration includes an AVR scheduled-report. 17.1.0


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
934393-1 1-Blocking BT934393 APM authentication fails due to delay in sessionDB readiness 17.1.0, 15.1.4, 14.1.3
1121657-1 1-Blocking BT1121657 EAM is down after APM is provisioned 17.1.0, 15.1.7
1173997 2-Critical   BIG-IP Mac Edge client download failure from connectivity profile 17.1.0
1122473 2-Critical BT1122473 TMM panic while initializing URL DB 17.1.0, 16.1.3.3
1106757 2-Critical   Horizon VDI clients are intermittently disconnected 17.1.0
1082581-4 2-Critical BT1082581 Apmd sees large memory growth due to CRLDP Cache handling 17.1.0, 14.1.5.3
958773 3-Major BT958773 [SAML SP] Assertion canonicalization fails if <AttributeValue> contains spaces. 17.1.0
957453 3-Major   Javascript parser incompatible with ECMA6/7+ 17.1.0
841513 3-Major   Client OS agent in Access Policy added iPadOS categorization option 17.1.0
819645 3-Major BT819645 Reset Horizon View application does not work when accessing through F5 APM 17.1.0
607697 3-Major   Improve 407 based authentication to allow flexible support for Basic, NTLM and Kerberos 17.1.0
490138 3-Major   Kerberos Auth might fail in case BIG-IP is configured with multiple AAA Kerberos Servers 17.1.0
1196401 3-Major   Restarting TMM does not restart APM Daemon 17.1.0
1174873 3-Major BT1174873 The location header query string separate is converted from "?" to "%3F" breaking multi-domain 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1173669 3-Major   Unable to reach backend server with Per Request policy and Per Session together 17.1.0
1169105 3-Major   Provide download links on BIG-IP for Linux ARM64 VPN Client 17.1.0
1166937 3-Major BT1166937 The path_match is missing in RCL path when path_match string is "Any String" 17.1.0
1166449 3-Major BT1166449 APM - NTLM authentication will stop working if any of DC FQDN is not resolvable in the configured DC list 17.1.0
1146341-1 3-Major BT1146341 TMM crash with APM per-request policy 17.1.0
1146017 3-Major   WebUI does not displays error when parent rewrite profile is not assigned to user defined rewrite profile 17.1.0
1124109-4 3-Major   Add "typ":"JWT" to JOSE Header while generating JWT token from OAuth AS 17.1.0
1113661 3-Major BT1113661 When OAuth profile is attached to access policy, iRule event in VPE breaks the evaluation 17.1.0
1108109 3-Major BT1108109 APM policy sync fails when access policy contains customization images 17.1.0
1103481 3-Major   Unnecessary data present in APM URL 17.1.0
1103213 3-Major   Support Resource Based Constrained Delegation (RBCD) for cross domains as part of Kerberos SSO 17.1.0
1101321-1 3-Major BT1101321 APM log files are flooded after a client connection fails. 17.1.0
1100549-2 3-Major BT1100549 "Resource Administrator" role cannot change ACL order 17.1.0
1099305 3-Major BT1099305 Nlad core observed due to ERR_func_error_string can return NULL 17.1.0
1097821 3-Major BT1097821 Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5
1089101 3-Major BT1089101 Apply Access Policy notification in UI after auto discovery 17.1.0
1067609 3-Major   Static keys were used while generating UUID's under OAuth module 17.1.0
1064573 3-Major   JWE token generation in BIG-IP as Authorization Server 17.1.0
1050165-3 3-Major BT1050165 APM - users end up with SSO disabled for their session, admin intervention required to clear session 17.1.0
1050009 3-Major BT1050009 Access encountered error:ERR_NOT_FOUND. File: <file name> messages in 'acs_cmp_acp_req_handler' function in APM logs 17.1.0
1041985 3-Major BT1041985 TMM memory utilization increases after upgrade 17.1.0
1038753 3-Major   OAuth Bearer with SSO does not process headers as expected 17.1.0
1037877 3-Major BT1037877 OAuth Claim display order incorrect in VPE 17.1.0
1010961 3-Major BT1010961 Redirect fails when accessing SAML Resource more than once in SAML IDP initiated Flow 17.1.0
1010809 3-Major BT1010809 Connection is reset when sending a HTTP HEAD request to APM Virtual Server 17.1.0
785933 4-Minor   PKCE support for BIG-IP as a Client 17.1.0
1088389-4 4-Minor BT1088389 Admin to define the AD Query/LDAP Query page-size globally 17.1.0
1079441 4-Minor BT1079441 APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries 17.1.0


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1141853 2-Critical BT1141853 SIP MRF ALG can lead to a TMM core 17.1.0
1167941 3-Major   CGNAT SIP ALG INVITE loops between BIG-IP and Server 17.1.0
1184629 4-Minor   Validate content length with respective to SIP header offset instead of parser offset 17.1.0
1116941 4-Minor   Need larger Content-Length value supported for SIP 17.1.0
1103233 4-Minor BT1103233 Diameter in-tmm monitor is logging disconnect events unnecessarily 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1154417-1 1-Blocking   Profile based attack is not mitigated at hardware on L2 wire setup 17.1.0
1162357 2-Critical   Hardware offloading is not working in the AFM DoS protection 17.1.0
1136917 2-Critical   TMM crashed when dos-profile (with BDOS and White-list enabled) disassociated from Virtual Server. 17.1.0
997429-2 3-Major BT997429 When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled 17.1.0
990461 3-Major BT990461 Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade 17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4
987637-4 3-Major BT987637 DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware 17.1.0, 17.0.0, 15.1.4
977153 3-Major BT977153 Packet with routing header IPv6 as next header in IP layer fails to be forwarded 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
750723-1 3-Major BT750723 Incorrect bad-actor stats for IGMP fragment flood vector 17.1.0, 15.1.0
1160973-1 3-Major   Profile based allow list not working on L2 wire enabled interfaces in appliances 17.1.0
1141597 3-Major BT1141597 DOS stats are not updating for IPv4-all and IPv6-all vectors 17.1.0
1137133-1 3-Major   Stats rate is showing incorrect data for broadcast, multicast and arp flood vectors 17.1.0
1135789 3-Major   Support for new vectors 'TCP ACK Flood' and 'TCP Uncommon Flags' in ZoneBased DDoS 17.1.0
1128977-1 3-Major BT1128977 When the device DoS vector rate-limit setting is configured to a low value, sampled attack log messages are not logged 17.1.0, 15.1.8
1128657-1 3-Major   Device DoS limits are swapped on FPGA when TMM count is odd 17.1.0
1127117-3 3-Major BT1127117 High Memory consumption for NAT translations of NAPT/PBA End Point Independent modes 17.1.0
1124149-3 3-Major BT1124149 Increase the configuration for the PCCD Max Blob size from 4GB to 8GB 17.1.0
1121521 3-Major BT1121521 Libssh upgrade from v0.7.7 to v0.9.6 17.1.0, 15.1.8
1104741 3-Major   ICMP flood or ICMP/IP/IPv6 fragment vectors are not hardware mitigated when configured on zone 17.1.0
1079053 3-Major BT1079053 SSH Proxy feature is not working in FIPS Licensed platforms 17.1.0
1070737 3-Major BT1070737 AFM does not detect NXDOMAIN attack at virtual context when DNS cache is activated. 17.1.0
1053949-1 3-Major BT1053949 AFM SSH proxy offering weak ciphers, the ciphers must be removed 17.1.0
1211885 4-Minor   Zone Based DDoS upgrade fails from 15.1.8 to 15.1.8.1 17.1.0
1211021 4-Minor   Enforcement does not happen for entries in new and modified IPI feed lists due to lock issues 17.1.0
1162661 4-Minor   The Bad Actor (BA) hit counter is not updating for ICMP vector during hardware mitigation 17.1.0
1137157 4-Minor   Under 'DoS overview' tab, the filter type is set to 'protected zone' even when the feature disabled 17.1.0
1100737-1 4-Minor   Integrate sPVA DDOS vector functionality to appliance devices with multiple ATSE 17.1.0
1038117-1 4-Minor BT1038117 TMM SIGSEGV with BDoS attack signature 17.1.0, 15.1.4


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1159397 1-Blocking BT1159397 The high utilization of memory when blade turns offline results in core 17.1.0
1095989 2-Critical BT1095989 PEM behaviour on receiving CCA with result code: 4012 and FUA on the Gy interface 17.1.0
1091565-5 2-Critical BT1091565 Gy CCR AVP:Requested-Service-Unit is misformatted/NULL 17.1.0, 16.1.3.1
1019481-2 2-Critical BT1019481 Unable to provision PEM on VELOS platform 17.1.0, 15.1.4
1174033 3-Major BT1174033 The UPDATE EVENT is triggered with faulty session_info and resulting in core 17.1.0
1108681 3-Major BT1108681 PEM queries with filters return error message when a blade is offline 17.1.0
1090649-5 3-Major BT1090649 PEM errors when configuring IPv6 flow filter via GUI 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1089829-5 3-Major BT1089829 PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers 17.1.0
1084993-1 3-Major BT1084993 [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
911585-1 4-Minor BT911585 PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
751719 2-Critical BT751719 UDP::hold/UDP::release does not work correctly 17.1.0


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1207661 1-Blocking   Datasafe UI hardening 17.1.0
1196033 3-Major   Improper value handling in DataSafe UI 17.1.0
1183565 3-Major   Throttle reoccurring FPS warning messages 17.1.0


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1060057-3 3-Major BT1060057 Enable or Disable APM dynamically with Bados generates APM error 17.1.0
1060409 4-Minor BT1060409 Behavioral DoS enable checkbox is wrong. 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
974205 3-Major BT974205 Unconstrained wr_urldbd size causing box to OOM 17.1.0, 15.1.4, 14.1.4.4, 12.1.6
1161965 3-Major BT1161965 File descriptor(fd) and shared memory leak in wr_urldbd 17.1.0
1168137 4-Minor   PEM Classification Auto-Update for month is working as hourly 17.1.0
1167889-5 4-Minor   PEM classification signature scheduled updates do not complete 17.1.0
1144329 4-Minor BT1144329 Traffic Intel does not classify Microsoft app properly 17.1.0
1117297-3 4-Minor BT1117297 Wr_urldbd continuously crashes and restarts 17.1.0


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
889605-4 3-Major BT889605 iApp with Bot profile is unavailable if application folder includes a subpath 17.1.0


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
1098837-5 4-Minor BT1098837 Configuration failure due to the DB validation exception happening in the ips_inspection_sig and ips_inspection_compl tables 17.1.0
1135073 5-Cosmetic   IPS signature update webUI warning message "An active subscription is required to access certain inspections" is always enabled 17.1.0


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
1107549 2-Critical BT1107549 In-TMM TCP monitor memory leak 17.1.0, 15.1.8
832133 3-Major BT832133 In-TMM monitors fail to match certain binary data in the response from the server 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1110241 3-Major BT1110241 in-tmm http(s) monitor accumulates unchecked memory 17.1.0
1046917 3-Major BT1046917 In-TMM monitors do not work after TMM crashes 17.1.0, 15.1.8


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
922737 2-Critical BT922737 TMM crashes with a sigsegv while passing traffic 17.1.0
1104037 2-Critical BT1104037 Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire 17.1.0
1095145 3-Major BT1095145 Virtual server responding with ICMP unreachable after using /Common/service 17.1.0


Application Traffic Insight Fixes

ID Number Severity Links to More Info Description Fixed Versions
1155757 3-Major   Renaming the IVS monitors to remove the word "shape". 17.1.0
1137969 3-Major   All Distributed Cloud Services profiles should require HTTP profile available on virtual server 17.1.0


Client-Side Defense Fixes

ID Number Severity Links to More Info Description Fixed Versions
1183033 2-Critical   TMM Core can occur when client requests are sent with Device ID profile configured and Domain pool is down 17.1.0


Account Protection & Authentication Intelligence Fixes

ID Number Severity Links to More Info Description Fixed Versions
1154481 3-Major   Not able to add Host:port in the host field of a protected end point configuration 17.1.0
1135049 3-Major   Path configuration in query parameter '/hello?age=20' is displaying as '/hello\?age=20' 17.1.0


Bot Defense Fixes

ID Number Severity Links to More Info Description Fixed Versions
1200985 2-Critical   While disabling Mobile Application type through WebUI, 'Mobile Identifier - Request Headers' list is getting set to null 17.1.0
1112553 2-Critical   API timeout observed for few requests with telemetry data in body and such requests do not get processed successfully 17.1.0
1106337 2-Critical   Unable to add tenant ID greater than 12 characters in Bot Defense profile 17.1.0
1196173 3-Major   Bot Defense profile 'API Hostname - Web' configuration is hidden in case of Advanced/Premium service level 17.1.0
1185689 3-Major   In Bot Defense, TCP RST is sent if the complete body is not received in client request 17.1.0
1183581 3-Major BT1183581 Encoded URLs are not normalised for protected endpoint check for Advanced/Premium service level for both Web and Mobile requests 17.1.0
1145797 3-Major   In BD profile, query segment in the client request URI is not ignored for protect endpoint match 17.1.0
1135993 3-Major BT1135993 BIG-IP might send an incorrect value in header "sed-api-ip" towards Distributed Cloud for JavaScript requests 17.1.0
1123953 3-Major   Text in Application ID field in BD profile is being replaced with '*' in Configuration utility 17.1.0
1122077 3-Major   License check to enable Distributed Cloud Services in BIG-IP 17.1.0
1112137 3-Major   In Bot Defense profile, the SSE API timeout value is not considered for mobile requests 17.1.0
1107041 3-Major   The header ISTL-INFINITE-LOOP might get forwarded to origin server 17.1.0
1104381 3-Major   Incorrect value for "sed-api-host" is sent to Distributed Cloud with API call 17.1.0
1065109 3-Major BT1065109 In Bot Defense profile, tot_http_requests and tot_requests_forwarded_to_origin are not populated correctly 17.1.0
1145757 4-Minor   In BD profile, telemetry is seen in the client request even when Ajax requests with query string are not classified as endpoint requests 17.1.0
1112545 4-Minor   API timeout observed for few requests that have telemetry data in body 17.1.0
1110689 4-Minor   Fail to reset INSL statistics 17.1.0
1081733 4-Minor BT1081733 Bot Defense endpoint match debug log is not available for mobile requests in Advanced service level 17.1.0
1066101 4-Minor   In Bot Defense, the field "Check Mobile Identifier" for endpoints is available when "Applications in Scope" field is set to "Mobile" 17.1.0
1121125 5-Cosmetic   Need for additional space as separator for different methods in Protected URI field 17.1.0
1121117 5-Cosmetic   Remove the occurrence of Shape in the BIG-IP Bot Defense configuration 17.1.0


F5OS Messaging Agent Fixes

ID Number Severity Links to More Info Description Fixed Versions
1183553-1 3-Major BT1183553 The platform_mgr core dumps on token renewal intermittently 17.1.0, 15.1.8.1
1133869-2 3-Major   Distribution hash configuration done on platform shall not be published to a BIG-IP tenant on R2800/R4800 platforms 17.1.0

 

Cumulative fix details for BIG-IP v17.1.0 that are included in this release

998957 : MCPD consumes excessive CPU while collecting statistics

Links to More Info: BT998957

Component: TMOS

Symptoms:
MCPD CPU utilization is 100%.

Conditions:
This condition can occur when the BIG-IP system has a large number of virtual servers, pools, and pool members for which statistics are being collected. The CPU impact is proportional to the number of objects configured. It appears unlikely to see a significant impact when under 1000 objects.

Impact:
CPU utilization by MCPD is excessive.

Workaround:
None

Fix:
N/A

Fixed Versions:
17.1.0


997429-2 : When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled

Links to More Info: BT997429

Component: Advanced Firewall Manager

Symptoms:
Some DoS-related log messages may be missing

Conditions:
-- Static DDoS vector is configured with the same mitigation threshold and detection threshold setpoint.
-- The platform supports Hardware DDoS mitigation and hardware mitigation and hardware mitigation is not disabled.

Impact:
Applications dependent on log frequency may be impacted.

Workaround:
Configure the mitigation limit about 10% over the attack limit.

Fixed Versions:
17.1.0


995937 : In IPsec, support AES-GCM on IKE Peer phase 1

Component: TMOS

Symptoms:
The IKEv2 phase 1 does not support AES-GCM protocol for Authentication and Encryption algorithms.

Conditions:
Configuring IKE Peer.

Impact:
Cannot establish IKEv2 phase 1 using AES-GCM.

Workaround:
None

Fix:
Added AES-GCM support for IKEv2 phase 1. Configure AES-GCM at IKE Peer and establish an IKEv2 phase 1 tunnel.

Fixed Versions:
17.1.0


992865-1 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances

Links to More Info: BT992865

Component: TMOS

Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.

Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms
  + BIG-IP i11000 series (C123)
  + BIG-IP i15000 series (D116)

Impact:
Software SYN cookies are enabled, this has a performance impact compared to the hardware mode.

Workaround:
None

Fix:
Virtual servers correctly enter hardware SYN cookie mode on all platforms.

Fixed Versions:
17.1.0, 16.1.2.2, 15.1.4


992053 : Pva_stats for server side connections do not update for redirected flows

Links to More Info: BT992053

Component: TMOS

Symptoms:
Pva_stats for server side connections do not update for the re-directed flows

Conditions:
-- Flows that are redirected to TMM.
-- Server flows are offloaded to PVA.

Impact:
PVA stats do not reflect the offloaded flow.

Workaround:
None

Fix:
Updated pva_stats to reflect server side flow.

Fixed Versions:
17.1.0, 15.1.4.1


990461 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade

Links to More Info: BT990461

Component: Advanced Firewall Manager

Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.

Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.

Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.

Workaround:
Manually update the SYN cookie threshold values after an upgrade.

Fixed Versions:
17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4


989517 : Acceleration section of virtual server page not available in DHD

Links to More Info: BT989517

Component: TMOS

Symptoms:
Cannot use Advanced Menu to create a virtual server for HTTP/2 on systems with DHD licenses. This occurs because the Acceleration section is not available.

You can via TMSH then it works, but at as soon as you use the GUI to modify the virtual server, it loses the HTTP/2 configuration.

Conditions:
The Acceleration section is not visible in case 'DoS' is provisioned (available with the DHD license).

Impact:
1) You are unable to use the GUI to modify any parameters of the Acceleration table in the virtual server page.

2) Loss of configuration items if making changes via the GUI.

Workaround:
A virtual server with parameters present in the Acceleration table can still be created using TMSH. However, do not edit that virtual server in the GUI, or the Acceleration parameters will be lost.

Fix:
The Acceleration table is now visible, and there is no loss of configuration items if making changes via the GUI.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1


988793-3 : SecureVault on BIG-IP tenant does not store unit key securely

Links to More Info: BT988793

Component: TMOS

Symptoms:
BIG-IP tenants running on the VELOS platform do not store the SecureVault unit key securely.

Conditions:
BIG-IP tenant running on the VELOS platform.

Impact:
The BIG-IP tenant does not utilize secure storage for unit key.

Workaround:
None

Fix:
BIG-IP tenants running on the VELOS platform now securely store the unit key.

Fixed Versions:
17.1.0, 15.1.4


988645-1 : Traffic may be affected after tmm is aborted and restarted

Links to More Info: BT988645

Component: TMOS

Symptoms:
Traffic may be affected after tmm is aborted and restarted.
/var/log/tmm contains a lot of "DAG Proxy failed" messages.

Conditions:
-- A BIG-IP device is deployed in a VELOS tenant
-- Tmm aborts and restarts for some reason.

Impact:
Traffic disrupted while tmm restarts. Traffic may be disrupted even after tmm has restarted.

Workaround:
Reboot the tenant

Fix:
Fixed system behavior when tmm is aborted and restarted.

Fixed Versions:
17.1.0, 15.1.4


987637-4 : DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware

Links to More Info: BT987637

Component: Advanced Firewall Manager

Symptoms:
BIG-IP systems mitigate traffic on all of the IP addresses in an address list when certain DoS vectors are detected on a virtual server.

Conditions:
-- BIG-IP hardware platform equipped with Neuron (BIG-IP iSeries)
-- Virtual server configured with a DoS profile
-- Flood traffic reaches the virtual server

Impact:
For Neuron-supported hardware, virtual servers with subnet destinations are not properly mitigated when flood vectors are detected.

Workaround:
None

Fixed Versions:
17.1.0, 17.0.0, 15.1.4


987113 : CMP state degraded while under heavy traffic

Links to More Info: BT987113

Component: TMOS

Symptoms:
When a VELOS 8 blade system is under heavy traffic, the clustered multiprocessing (CMP) state could become degraded. The symptom could exhibit a dramatic traffic performance drop.

Conditions:
Exact conditions are unknown; the issue was observed while under heavy traffic with all 8 blades configured for a tenant.

Impact:
System performance drops dramatically.

Workaround:
Lower traffic load.

Fix:
Fixed an inconsistent CMP state.

Fixed Versions:
17.1.0, 15.1.4, 14.1.5


977761-2 : Connections are dropped if a certificate is revoked.

Links to More Info: BT977761

Component: Local Traffic Manager

Symptoms:
SSL handshake failures occur with the backend server revoked certificate in case of reverse proxy.

Conditions:
1. BIG-IP LTM configured as SSL reverse proxy.
2. revoked-cert-status-response-control set to ignore in the server ssl profile.
3. server certificate authentication set to "require" in the server ssl profile.

Impact:
Ssl handshake failures due to revoked server certificate

Workaround:
1. Set the server certificate authentication to ignore in the server ssl profile.

Fix:
Added checks to validate the certificate as well as the flags set (ignore/drop) for the revoked certificate.

Fixed Versions:
17.1.0, 16.1.2.2


977153 : Packet with routing header IPv6 as next header in IP layer fails to be forwarded

Links to More Info: BT977153

Component: Advanced Firewall Manager

Symptoms:
BIG-IP systems fail to follow RFC 5095, which specifies the traffic should be forwarded.

Conditions:
This symptom is found when the following conditions are met:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.

Impact:
This failure in forwarding ICMP error message prevents the BIG-IP AFM product from completing certification.

Workaround:
None.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


974205 : Unconstrained wr_urldbd size causing box to OOM

Links to More Info: BT974205

Component: Traffic Classification Engine

Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.

Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.

Impact:
The device eventually runs out of memory (OOM condition).

Workaround:
Restart the wr_urldbd process:
 restart sys service wr_urldbd

Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.

Added two sys DB variables:

-- wr_urldbd.cloud_cache.log.level

Value Range:
sys db wr_urldbd.cloud_cache.log.level {
    value "debug"
    default-value "none"
    value-range "debug none"
}

-- wr_urldbd.cloud_cache.limit

Value Range:
sys db wr_urldbd.cloud_cache.limit {
    value "5500000"
    default-value "5500000"
    value-range "integer min:5000000 max:10000000"
}

Note: Both these variables are introduced for debugging purpose.

Fixed Versions:
17.1.0, 15.1.4, 14.1.4.4, 12.1.6


966949 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node

Links to More Info: BT966949

Component: TMOS

Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.

Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230

This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.

Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since is it not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, it is not possible for any FQDN ephemeral pool members to remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.

Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")

Fixed Versions:
17.1.0


966541 : Improper data logged in plaintext

Component: TMOS

Symptoms:
Improper data may be logged when audit forwarding is enabled.

Conditions:
Enable TACACS+ authentication with audit forwarding enabled.

Impact:
Sensitive data exposure.

Workaround:
N/A

Fix:
Removed improper data from logging

Fixed Versions:
17.1.0


966461 : Tmm memory leak

Links to More Info: BT966461

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm leaks memory for DNSSEC requests.

Conditions:
NetHSM is configured but disconnected.

or

Internal FIPS card is configured and tmm receives more DNSSEC requests than the FIPS card is capable of handling.

Impact:
Tmm memory utilization increases over time.

Workaround:
None

Fix:
A new DB variable dnssec.fipswaitingqueuecap is introduced to configure the capacity of the FIPS card.

You can throttle the incoming DNSSEC requests based on the count of outstanding DNSSEC requests in netHSM/Internal FIPS queue.

tmsh modify sys db dnssec.fipswaitingqueuecap value <value>
this value sets the capacity per tmm process.

Fixed Versions:
17.1.0


965581-1 : Statistics are not reported to BIG-IQ

Links to More Info: BT965581

Component: Application Visibility and Reporting

Symptoms:
After a BIG-IP system is attached to BIG-IQ, there are no statistics reported. The 'avrd' process periodically fails with a core on the BIG-IP system.

Conditions:
A BIG-IP system is attached to BIG-IQ.

Impact:
No statistics collected.

Fix:
The avrd process no longer fails, and statistics are collected as expected.

Fixed Versions:
17.1.0, 15.1.4, 14.1.4


962249-1 : Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm

Links to More Info: BT962249

Component: TMOS

Symptoms:
Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm

Conditions:
This message shows always on all platforms.

Impact:
No functional impact.

Fix:
Does not show this message on non-epva platforms.

Fixed Versions:
17.1.0, 15.1.4


958773 : [SAML SP] Assertion canonicalization fails if <AttributeValue> contains spaces.

Links to More Info: BT958773

Component: Access Policy Manager

Symptoms:
In /var/log/apm

[apmd]modules/Authentication/Saml/SamlSPAgent.cpp: 'verifyAssertionSignature()': 5883: Verification of SAML signature #1 failed
[apmd]SAML Agent: /Common/xxxxxx failed to process signed assertion, error: Digest of SignedInfo mismatch

Conditions:
SAML attribute values have double-byte spaces.

Impact:
Verification of SAML signature fails.

Workaround:
Remove double-byte spaces from SAML Attribute values (consult a vendor who populates SAML attribute values for advice on how to remove double-byte spaces).

Fix:
N/A

Fixed Versions:
17.1.0


957637 : The pfmand daemon can crash when it starts.

Links to More Info: BT957637

Component: TMOS

Symptoms:
The pfmand process crashes and writes out a core file during bootup (or if the process is manually restarted by an Administrator for any reason) on certain platforms.

The crash may happen more than once, until the process finally settles and is able to start correctly.

Conditions:
-- Platforms i4000/i2000/i4800/i2800/i4600/i2600/i850.

Impact:
Network connection lost while pfmand restarts.

Workaround:
None

Fix:
The issue causing the pfmand daemon to occasionally crash has been resolved.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1


957453 : Javascript parser incompatible with ECMA6/7+

Component: Access Policy Manager

Symptoms:
A web application mis-functions on the client side

Conditions:
-- APM proxying a web application
-- Web-application uses ES6/7 or higher javascript

Impact:
Web application mis-function

Fix:
The fix is implemented in two steps

STEP 1:
Initial implementation with ID 592353, added support for Javascript ECMA6/7+. Optional internal wrapping is added into client-side includes.

With this fix, a custom iRule workaround can be applied to fix limited set of possible cases.
 
STEP 2:
With ID 957453, implementation of light rewriter on the server side is also completed.

No iRule workaround is required to support ES6/7+ after the implementation of ID 957453.

Fixed Versions:
17.1.0


950605 : openssh insecure client negotiation CVE-2020-14145

Links to More Info: K48050136


1097193-7 : Unable to SCP files using WinSCP or relative path name

Links to More Info: K000134769, BT1097193

Component: TMOS

Symptoms:
When attempting to retrieve a file with WinSCP, you receive an error dialog and the session will be terminated:

"SCP Protocol error: Invalid control record (r; elative addresses not allowed)

Copying files from remote side failed."

If attempting to transfer a file by relative path with a command line utility the transfer will fail with the message:
"relative addresses not allowed"

Conditions:
-- Running BIG-IP version with fix for ID 915981
-- Using WinSCP set to use SCP protocol to retrieve files from a BIG-IP system.
-- Using a relative remote path to transfer a file with command line scp utility.

Impact:
No longer able to use WinSCP to retrieve files such as packet captures, log archives, or other diagnostic data from the BIG-IP system.

Workaround:
Use a command line SCP tool that allows specifying an absolute path for the source and/or destination file (a path that starts with a forward slash /), when the source and/or destination locations are a BIG-IP device.

If the user ID is permitted to do so, you may use WinSCP in SFTP mode.


948305 : New iRule Commands for login result and username

Component: Application Security Manager

Symptoms:
The iRule commands are not available to retrieve the web-user login results or to take actions based on the result of a login request.

Conditions:
Configure login page and send login request.

Impact:
Not able to get the login_result and username details of a login request.

Workaround:
None

Fix:
Add iRules commands to retrieve login request result and username information.

Fixed Versions:
17.1.0


948241 : Count Stateful anomalies based only on Device ID

Links to More Info: BT948241

Component: Application Security Manager

Symptoms:
Currently when Device ID is enabled, the BIG-IP system counts stateful anomalies on both IP and Device ID. When a client has a proxy (without XFF), and many requests arrive with the same IP, this can cause false positives

Conditions:
- Bot Defense profile is attached to a virtual server.
- Bot Defense profile has "Browser Verification" set to "Verify After Access" or "Device ID Mode" set to "Generate After Access".

Impact:
False positives may occur in case of a proxy without XFF

Workaround:
None

Fix:
Stateful anomalies are no longer counted on IP when Device ID is enabled

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


947333 : Irrelevant content profile diffs in Policy Diff

Links to More Info: BT947333

Component: Application Security Manager

Symptoms:
Defense attributes' grayed out values are shown in the policy diff even if "any" is selected

Conditions:
-- Import a policy
-- Perform a policy diff

Impact:
Policy diff showing irrelevant diffs

Workaround:
None

Fix:
Removed grayed out diffs from policy diff content profile section

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1


947125 : Unable to delete monitors after certain operations

Links to More Info: BT947125

Component: Local Traffic Manager

Symptoms:
Unable to delete monitor with an error similar to:

01070083:3: Monitor /Common/my-mon is in use.

Conditions:
-- Monitors are attached directly to pool members, or node-level monitors exist.
-- Issuing the "reloadlic" command, which causes the configuration to get rebuilt implicitly.

Impact:
Unable to delete object(s) no longer in use.

Workaround:
When the system enters this state, save and reload the configuration using the following command:
tmsh save sys config && tmsh load sys config

Fix:
None

Fixed Versions:
17.1.0


943101-1 : Tmm crash in cipher group delete.

Links to More Info: BT943101

Component: Local Traffic Manager

Symptoms:
Deleting a cipher group associated with multiple profiles could cause tmm crash.

Conditions:
Deleting a cipher group associated with multiple profiles.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed an issue with cipher group delete.

Fixed Versions:
17.1.0, 15.1.4, 14.1.3


940225 : Not able to add more than 6 NICs on VE running in Azure

Links to More Info: BT940225

Component: TMOS

Symptoms:
Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot.

Conditions:
-- Standard_DS4_v2 Azure instance type.
-- Mellanox ConnectX-3 ethernet controller.
-- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set.
-- Accelerated networking is enabled on two or more NICs.

Impact:
Not able to boot BIG-IP VM with 8 NICs, which should be supported for Standard_DS4_v2 instance type:
8 vCPU
28 GiB
8 Max NICs

Adding more NICs to the instance makes the device fail to boot.

Workaround:
None

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1


937649 : Flow fwd broken with statemirror.verify enabled and source-port preserve strict

Links to More Info: BT937649

Component: Local Traffic Manager

Symptoms:
Flow forwarding does not work with statemirror.verify enabled and source-port is preserve strict. Depending on the number of tmms and the IP addresses/ports on the network, this causes return traffic to get dropped.

Traffic captures show packets leaving the BIG-IP system on one tmm and being returned on another. The return traffic that encounters the second tmm is dropped.

Conditions:
-- Mirroring is enabled.
-- High availability (HA) peer is connected.
-- The source-port setting is preserve-strict.
-- The statemirror.verify option is enabled.
-- There is more than one tmm.

Impact:
Server-side return traffic to the BIG-IP is dropped. This causes connection timeouts and resets.

Workaround:
-- Disable statemirror.verify, disable source-port preserve-strict, disable mirroring.

-- On BIG-IP Virtual Edition (VE), add the following to tmm_init.tcl on both units and restart tmm:
 ndal ignore_hw_dag yes

Fixed Versions:
17.1.0


936501 : Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled

Links to More Info: BT936501

Component: TMOS

Symptoms:
When attempting to Export/Import a file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf via SCP, you receive an error dialog:

"file not allowed"

Conditions:
-- fips140 or common criteria mode enabled
-- Export/Import file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf

Impact:
Import/Export file using scp tool from/to the BIG-IP file path(s) /var/local/ucs or /var/local/scf not allowed when fips140 or cc mode enabled even if the file is encrypted.

Workaround:
None

Fixed Versions:
17.1.0, 16.1.3.1


935945 : GTM HTTP/HTTPS monitors cannot be modified via GUI

Links to More Info: BT935945

Component: Global Traffic Manager (DNS)

Symptoms:
GUI reports an error when modifying DNS/GTM HTTP/HTTPS monitors:

01020036:3: The requested monitor parameter (/Common/http-default 2 RECV_STATUS_CODE=) was not found.

Conditions:
RECV_STATUS_CODE has never been set for the DNS/GTM HTTP/HTTPS monitors.

Impact:
Not able to make changes to DNS/GTM HTTP/HTTPS monitors through GUI.

Workaround:
If 'recv-status-code' has never been set, use tmsh instead.

Note: You can set 'recv-status-code' using tmsh, for example:

   tmsh modify gtm monitor http http-default recv-status-code 200

Fixed Versions:
17.1.0


934461-1 : Connection error with server with TLS1.3 single-dh-use.

Links to More Info: BT934461

Component: Local Traffic Manager

Symptoms:
Connection failure with TLS1.3 and single-dh-use configured.

Conditions:
14.1 with TLS1.3 single-dh-use.

Impact:
Connection failure in 14.1 versions.

Workaround:
Disable single-dh-use, or disable tls1.3.

Fix:
14.1 now supports TLS1.3 single-dh-use and hello retry on serverside.

Fixed Versions:
17.1.0, 15.1.4, 14.1.3


934393-1 : APM authentication fails due to delay in sessionDB readiness

Links to More Info: BT934393

Component: Access Policy Manager

Symptoms:
APM Authentication fails, and apmd cores when trying to connect to sessionDB.

Conditions:
-- APM configured.
-- SAML SP configured.

Impact:
It takes a long time to create the configuration snapshot. Authentication fails and apmd cores.

Workaround:
Restart all services by entering the following command:
tmsh restart /sys service all

Note: Restarting all services causes temporary traffic disruption.

Fix:
The sessionDB readiness has been corrected so that authentication succeeds.

Fixed Versions:
17.1.0, 15.1.4, 14.1.3


930393 : IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration

Links to More Info: BT930393

Component: TMOS

Symptoms:
-- IPsec tunnel does not start.
-- Remote IPsec networks unavailable.

Conditions:
-- Using IKEv1 and one of the following:
   + Performing an upgrade.
   + IPsec tunnel reconfiguration generally involving a change to, or addition of, a traffic-selector.

Impact:
IPsec tunnel is down permanently.

Workaround:
-- Reconfigure or delete and re-create the traffic selectors associated with the IPsec tunnel that does not start.

Special Notes:
-- This occurs rarely and does not happen spontaneously, without intentional changes (reconfiguration or upgrade).
-- A BIG-IP reboot or a restart of tmipsecd does not resolve this condition.
-- This symptom might also occur due to a genuine misconfiguration.
-- After major version upgrades, default ciphers can change, double-check the encryption and authentication ciphers for the tunnel.

Fixed Versions:
17.1.0


930385-2 : SSL filter does not re-initialize when an OCSP object is modified

Links to More Info: BT930385

Component: Local Traffic Manager

Symptoms:
Create an OCSP object using DNS resolver ns1, associate the OCSP object to SSL profile and a virtual.

Then, modify the OCSP object to DNS resolver ns2.

After the modification, wait for cache-timeout and cache-error-timeout and then connect to virtual again. The nameserver contacted is still ns1.

Conditions:
An OCSP object is configured and modified.

Impact:
The wrong nameserver is used after modification to the OCSP object.

Fix:
After the fix, the correct nameserver will be contacted after the OCSP object is modified.

Fixed Versions:
17.1.0, 15.1.4, 14.1.3


928029-1 : Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis

Links to More Info: BT928029

Component: TMOS

Symptoms:
Wrong popup message for switchboot popup "This will restart the chassis. Continue?".

Conditions:
Run "switchboot" command

Impact:
A confusing popup message is displayed.

Workaround:
NA

Fix:
Updated the switchboot popup message "This will restart BIG-IP tenant. Continue?"

Fixed Versions:
17.1.0, 15.1.4, 14.1.3


925469 : SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo

Links to More Info: BT925469

Component: TMOS

Symptoms:
When using the Certificate Order Manager to request new Multi-Domain certificate from the Sectigo Certificate Authority (CA), the request the BIG-IP sends is missing the field 'subjectAltName'.

Conditions:
-- Certificate Order Manager is configured to send requests to the Comodo/Sectigo CA.

-- Configure a new key with Subject Alternative Name (SAN).

Impact:
The BIG-IP system sends a request to the Sectigo CA that is missing the 'subjectAltName' field. That makes Certificate Order Manager not suitable for requesting Multi-Domain certificates.

Workaround:
There is no workaround other than not using Certificate Order Manager for Multi-Domain certificates.

Fixed Versions:
17.1.0


922737 : TMM crashes with a sigsegv while passing traffic

Links to More Info: BT922737

Component: SSL Orchestrator

Symptoms:
TMM crashes with a sigsegv while passing traffic.

Conditions:
Virtual server with a Connector profile that redirects to an internal virtual server on the same BIG-IP system.
Or
Service profile on the VIP causes TMM restarts.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
None

Fixed Versions:
17.1.0


922413-9 : Excessive memory consumption with ntlmconnpool configured

Links to More Info: BT922413

Component: Local Traffic Manager

Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client side connections. It holds HTTP authentication headers which is no longer necessary once a client is authenticated.

Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.

Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.

Workaround:
None.

Fix:
When an NTLM Conn Pool profile is attached to a virtual server, it no longer causes memory pressure on a large number connections with NTLM authentication.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


921149 : After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy

Links to More Info: BT921149

Component: TMOS

Symptoms:
All Bandwidth Controller (BWC) stats are 0 (zero) even though traffic is passing.

Conditions:
-- A BWC policy is attached to a virtual server.
-- The virtual server with the attached BWC policy is modified.

Impact:
The system disassociates the BWC policy from the virtual server. Traffic is no longer throttled according to the policy rules.

Workaround:
To reattach the policy, detach the Bandwidth Controller policy from the virtual server, and then reapply it.

Fixed Versions:
17.1.0


919357 : iControl REST hardening

Links to More Info: K22505850, BT919357


919305-1 : Appliance mode is not working on BIG-IP 14.1.x tenant deployed on VELOS.

Links to More Info: BT919305

Component: TMOS

Symptoms:
Appliance mode does not enable on BIG-IP 14.1.x tenants deployed on VELOS.

Conditions:
A BIG-IP 14.1.3 tenant is deployed on VELOS with Appliance Mode enabled.

Impact:
The appliance mode restriction is not working as expected. The root account still has bash access.

Workaround:
N/A

Fix:
Appliance mode will now function when configured on a BIG-IP tenant deployed on VELOS.

Fixed Versions:
17.1.0, 15.1.4


911629-5 : Manual upload of LiveUpdate image file results in NULL response

Links to More Info: BT911629

Component: Application Security Manager

Symptoms:
When uploading a LiveUpdate image file from the GUI, the upload fails.

In /var/log/restjavad.0.log you see the following error:

[SEVERE][768][25 May 2020 05:38:20 UTC][com.f5.rest.workers.liveupdate.LiveUpdateFileTransferWorker] null

Conditions:
LiveUpdate images are uploaded manually.

Impact:
LiveUpdate images fail to upload.

Workaround:
1. Upload the file to LiveUpdate files directory '/var/lib/hsqldb/live-update/update-files' on the host.

2. Send a POST request with the filename for inserting the file to the LiveUpdate
 database:
* url : https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/update-files
* payload - json:
{ "filename": "<FILE_NAME>",
  "fileLocationReference": {"link": "<FILE_NAME>"}}

3. Get the file link reference:
   https://{{big_ip1}}/mgmt/tm/live-update/asm-attack-signatures/update-files?$filter=filename eq '<FILE_NAME>'

4. From the response copy the "selfLink" part :
   "selfLink": "https://localhost/mgmt/tm/live-update/asm-attack-signatures/update-files/<UPDATE_FILE_ID>"

5. Create a POST request with the value above for creating a new installation record:
* url : https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/installations
* payload - json:
{ "updateFileReference": {
        "link": "https://localhost/mgmt/tm/live-update/asm-attack-signatures/update-files/<UPDATE_FILE_ID>"}
}

6. Now the file is available to install it from the GUI.

7. Another option is to install it via the PATCH request and the installation_id from the response received at step 5:
* url: https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/installations/<INSTALLATION_ID>
* payload: { "status" : "install" }

Fixed Versions:
17.1.0, 15.0.1.4, 14.1.2.8


911585-1 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval

Links to More Info: BT911585

Component: Policy Enforcement Manager

Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.

Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)

Impact:
Session is not established.

Workaround:
None.

Fix:
Enhanced application to accept new sessions under problem conditions.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


909673-2 : TMM crashes when VLAN SYN cookie feature is used on iSeries i2x00 and i4x00 platforms

Links to More Info: BT909673

Component: TMOS

Symptoms:
TMM crashes when VLAN SYN cookie feature is used.

Conditions:
-- Configuring for VLAN SYN cookie use.
-- Running on iSeries i2800/i2600 and i4800/i4600 platforms.

Impact:
Tmm crashes and traffic processing stops. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
VLAN SYN cookie processing now functions as expected.

Fixed Versions:
17.1.0, 15.1.0.4


905937 : TSIG key value logged in plaintext in log

Component: TMOS

Symptoms:
TSIG key is logged in /var/log/audit in clear text.

Conditions:
- TSIG key in the config.
- Key created via tmsh ltm dns tsig-key command

Impact:
TSIG key is logged in audit log file in clear text.

Fixed Versions:
17.1.0


904661-6 : Mellanox NIC speeds may be reported incorrectly on Virtual Edition

Links to More Info: BT904661

Component: TMOS

Symptoms:
Speeds for Mellanox NICs on BIG-IP Virtual Edition may be reported incorrectly. The behavior varies depending on what driver is in use:
- Speeds are always reported as 10G when the mlxvf5 driver is used, regardless of the actual speed of the interface.
- Speeds are reported as either 10G or 40G when the xnet driver is used. This is accurate unless the actual NIC speed is greater than 40G, in which is it will still be reported as 40G.

Conditions:
-- BIG-IP Virtual Edition
-- Using a Mellanox NIC with the mlxvf5 or xnet driver

Impact:
Possibly incorrect media speed reported. (Actual speed is correct, regardless of what is displayed.)

Fixed Versions:
17.1.0


897045 : Add support of BrainpoolP384r1 and Brainpool256r1

Component: Local Traffic Manager

Symptoms:
Support for BrainpoolP384r1 and Brainpool256r1 is not available in Cipher rule creation

Conditions:
You wish to configure TLS that uses these curves.

Impact:
You are unable to assign BrainpoolP384r1 and Brainpool256r1 curves to a Cipher rule.

Workaround:
None

Fix:
Support of brainpool curves is added for these functionalities:
   - Import of certificate/Key generated using brainpool256r1 /brainpool384r1
   - DH-group and signature algorithm can be customized for usgae of brainpool curve with TLS1.2 and TLS1.3.
   - Support this curve negotiation in both clientssl and serverssl side SSL handshakes
   - Support client authentication

Fixed Versions:
17.1.0


890917 : Performance may be reduced while processing SSL traffic

Links to More Info: K56412001, BT890917


889605-4 : iApp with Bot profile is unavailable if application folder includes a subpath

Links to More Info: BT889605

Component: iApp Technology

Symptoms:
iApp with Bot profile is unavailable if the application folder includes a subpath. If the subpath is not present then iApp with bot profile is available.

Conditions:
1) Create default "Bot Protection" or "Web Application Comprehensive Protection" with an enabled "Bot Defense" use case in WGC without a virtual server.
2) Go to "iApps >> Application Services: Applications" and refer to the created iApp.

Impact:
iApp cannot be loaded when tried to open through iApps >> Applications view in TMUI.

Workaround:
View the configuration created from Guided configuration as mentioned: iApps >> Application Services >> Applications LX menu

Fix:
Open the iApps >> Applications view in TMUI and load the iApp.

Fixed Versions:
17.1.0


886649 : Connections stall when dynamic BWC policy is changed via GUI and TMSH

Links to More Info: BT886649

Component: TMOS

Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.

Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.

Impact:
Connection does not transfer data.

Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1


886533 : Icap server connection adjustments

Links to More Info: BT886533

Component: Application Security Manager

Symptoms:
Request getting to the ICAP server takes a long time to process (several seconds), which makes the whole transaction slower than expected. When testing the connection to the ICAP server itself, you determine that it is fast.

Conditions:
This happens especially with large file uploads that are mixed with smaller file uploads. The smaller uploads are waiting for the bigger upload.

Impact:
Slow responses to specific requests.

Workaround:
None.

Fix:
This release provides greater responsiveness of the internal queue to the ICAP thread.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


884541 : Improper handling of cookies on VIPRION platforms

Component: Local Traffic Manager

Symptoms:
Some cookies are not always removed after the logout on VIPRION platforms

Conditions:
Mutli-slot VIPRION, vcmp guest or f5os tenant.

Impact:
The session cookie is not invalidated as expected

Workaround:
None

Fix:
Cookies are always deleted on logout.

Fixed Versions:
17.1.0


841513 : Client OS agent in Access Policy added iPadOS categorization option

Component: Access Policy Manager

Symptoms:
iPadOS is categorized as iOS.

Conditions:
Use F5 Access for iPadOS to access webtop or establish VPN.

Impact:
Client OS agent in Access Policy does have an iPadOS categorization option

Fix:
iPadOS option is added to Client OS agent in Access Policy.

Fixed Versions:
17.1.0


832133 : In-TMM monitors fail to match certain binary data in the response from the server

Links to More Info: BT832133

Component: In-tmm monitors

Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system marks them DOWN.

Conditions:
This issue occurs when all of the following conditions are met:

- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).

- One or more TCP or HTTP monitors specify a receive string using HEX encoding, in order to match binary data in the server's response.

- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.

Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.

Workaround:
Either one of the following workarounds can be used:

- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.

- Do not monitor the application through a binary response (if the application allows it).

Fix:
The monitor finds the recv string and shows the pool or member as available.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


819645 : Reset Horizon View application does not work when accessing through F5 APM

Links to More Info: BT819645

Component: Access Policy Manager

Symptoms:
You are unable to reset VMware applications from a Windows VM client, Android VM client or HTML5 client.

Conditions:
-- VMware Horizon Proxy configured via an iApp on APM
-- Access the VM applications via APM webtop through native client /HTML5 client for windows or access applications via native client on android

Impact:
Impaired reset option functionality

Fixed Versions:
17.1.0


785933 : PKCE support for BIG-IP as a Client

Component: Access Policy Manager

Symptoms:
The BIG-IP system does not support PKCE for OAuth clients.

Conditions:
-- BIG-IP APM configured as an OAuth Authorization Server.
-- The environment requires PKCE

Impact:
You are unable to configure PKCE not the BIG-IP system.

Workaround:
None

Fix:
When BIG-IP requests access to the system as a client, a code challenge is sent along with authorization details to the authorization server to obtain the authorization code. In the token request, a code verifier is sent to the token endpoint along with the authorization code. Therefore, the server compares the code verifier to the code challenge and performs the proof of possession.

Fixed Versions:
17.1.0


785197 : binutils vulnerability CVE-2019-9075

Links to More Info: K42059040


760496 : Traffic processing interrupted by PF reset

Links to More Info: BT760496

Component: TMOS

Symptoms:
CPU usage increases after PF reset. Traffic between client and server is interrupted.

Conditions:
-- E710 NICs are used.
-- Reset PF.

Impact:
The BIG-IP instance requires a restart after PF reset to resume traffic processing.

Workaround:
Restart the BIG-IP device.

Fix:
A TMSH db variable ve.ndal.exit_on_ue, is introduced to enable/disable device restart on PF reset. On restart, a new error message within /var/log/tmm is written. Error message: "Restarting TMM on unrecoverable error."

Fixed Versions:
17.1.0


751719 : UDP::hold/UDP::release does not work correctly

Links to More Info: BT751719

Component: Carrier-Grade NAT

Symptoms:
UDP::hold/UDP::release do not work properly. Connections cannot be deleted and tmm logs an error:

crit tmm14[38818]: 01010289:2: Oops @ 0x2b6b31b:7903: Flow already has peer. Tried to overwrite.

Conditions:
iRule with UDP::hold/UDP::release

Impact:
UDP::hold/UDP::release does not work correctly

Fix:
UDP::hold/UDP::release now works correctly

Fixed Versions:
17.1.0


750723-1 : Incorrect bad-actor stats for IGMP fragment flood vector

Links to More Info: BT750723

Component: Advanced Firewall Manager

Symptoms:
For incorrect fragments, the bad actor stats for the IGMP fragment flood vector are displayed incorrectly.

Conditions:
When a DoS attack is sent for IGMP fragment flood vectors with incorrect fragments.

Impact:
Incorrect stats

Workaround:
None

Fix:
With this change, the stats are displayed correctly.

Fixed Versions:
17.1.0, 15.1.0


748886 : Virtual server stops passing traffic after modification

Links to More Info: BT748886

Component: Local Traffic Manager

Symptoms:
A virtual server stops passing traffic after changes are made to it.

Conditions:
-- Virtual server is using a port-list or address-list
-- High availability (HA) environment with multiple traffic groups
-- A change is made to the virtual server

Impact:
Every time you make changes to the virtual server, the traffic-group for the virtual address is changed, and traffic goes down.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


740321 : iControl SOAP API does not follow current best practices

Links to More Info: K50310001, BT740321


672374 : Support of Elliptic Curve Digital Signature Algorithm (ECDSA) for DNSSEC and SHA-384 DS Records

Component: Global Traffic Manager (DNS)

Symptoms:
The BIG-IP system does not support ECDSA, which is important for DNS software vendors to comply with DNS standards.

Conditions:
Zone creation with ECDSA algorithms

Impact:
Won't be able to configure ECDSA keys.

Workaround:
None

Fix:
Now able to configure the ECDSA keys.

Fixed Versions:
17.1.0


662301 : 'Unlicensed objects' error message appears despite there being no unlicensed config

Links to More Info: BT662301

Component: TMOS

Symptoms:
An error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.

Examination of the configuration and license shows that there are no configuration errors or unlicensed configuration objects. The device is operational.

Conditions:
The BIG-IP system is licensed and the configuration loaded.

Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.

Workaround:
On an appliance, restart mcpd by running the following command:

    bigstart restart mcpd

On a VIPRION or vCMP guest running on a VIPRION, restart MCPD on all blades by running the following command:

    clsh bigstart restart mcpd

Note: This causes a system to go offline while services restart. Traffic disrupted while services restart.

Fixed Versions:
17.1.0


652793 : "Signature Update Available" message is not cleared by UCS load/sync

Links to More Info: BT652793

Component: Application Security Manager

Symptoms:
If the most recent Signature Update was loaded by device group sync or UCS load, the "Signature Update Available" message is never cleared out.

Conditions:
ASM provisioned and "Signature Update Available" was indicated prior to loading the most recent Signature Update by device group sync or UCS load.

Impact:
The "Signature Update Available" message is never cleared out.

Fixed Versions:
17.1.0


651029 : Sensitive information exposed during incremental sync

Component: TMOS

Symptoms:
A device group using incremental sync may not properly handle values that should be protected by Secure Vault.

Conditions:
A device group configured to use incremental sync.

Impact:
Some values that should be protected by Secure Vault are not encrypted as expected.

Workaround:
N/A

Fix:
Secure configuration values are encrypted as expected.

Fixed Versions:
17.1.0


607697 : Improve 407 based authentication to allow flexible support for Basic, NTLM and Kerberos

Component: Access Policy Manager

Symptoms:
BIG-IP can only identify users based on NTLM Auth credentials, not combined with Kerberos and Basic.
Not all clients are capable of NTLM authentication (or behave erratically when HTTPS comes on top like Apple Safari on MacOS) and not all are capable of Kerberos authentication.
BIG-IP benefits from the speed and security of Kerberos authentication while leaving the option for the client to fall back to NTLM if the client is not able to present a Kerberos token instead of falling back directly to insecure Basic authentication.

Conditions:
In APM access policy, APM needs to have an option to authenticate user accounts with a 407 response and offer Kerberos, NTLM and Basic together.

Impact:
- performance lacks due to the regular authentications happening between the F5 SWG and the Active Directory. All requests for each element get a 407 back for another NTLM authentication that then leads to a communication between the SWG and the AD domain controller. If this were Kerberos the SWG would just need to verify if the Kerberos token is still valid.

- If a client does not support NTLM it has no chance to authenticate although it might still support basic authentication.

Workaround:
None

Fix:
None.

Fixed Versions:
17.1.0


586948 : Dynamic toggling for HSB hardware checksum validation

Component: TMOS

Symptoms:
Disabling hardware checksum validation on BIG-IP requires manually editing a config tcl file and restarting TMM.

Conditions:
- Configuring HSB hardware checksum validation.

Impact:
None

Workaround:
None

Fix:
HSB hardware checksum validation can now be configured by using the new DB variable "tmm.hsb.hwchecksumvalidation".

When the value of this DB variable is changed, the HSB will be updated immediately without requiring a TMM restart.

Fixed Versions:
17.1.0


490138 : Kerberos Auth might fail in case BIG-IP is configured with multiple AAA Kerberos Servers

Component: Access Policy Manager

Symptoms:
In case BIG-IP is configured with multiple AAA Kerberos Server objects and those Kerberos Server uses different keytabs for different service account but for the same realm,
authentication may fail intermittently

Conditions:
- multiple AAA Kerberos Servers created
- AAA Kerberos servers are configured with different keytabs
- the keytabs are for different service accounts but for the same realm

Impact:
Kerberos authentication fails, user cannot log in

Workaround:
As a workaround, it is suggested to merge keytab files and use cumulative keytab file for all AAA Kerberos Servers

Administrator can merge keytab files with "ktutil" kerberos utility that is installed at BIG-IP.
1. run ktutil
2. load all the keytab files to merge using:
rkt <file>
3. you cal list currently loaded entries with "l"
4. after you load all required keytabs, save new keytab with
wkt <newfile>

Fixed Versions:
17.1.0


1224125 : When you upgrade to 16.1.3.2 or 17.1, keys that are not approved in FIPS 140-3 are permitted to be used.

Links to More Info: BT1224125

Component: TMOS

Symptoms:
As part of the upgrade from older versions to 16.1.3.2 and 17.1, the use of non-approved keys as per FIPS 140-3 standards is permitted for RSA keys with a length of 1024 and 512 bits, as well as for EC521, DSA, and SM2 keys.
It should be noted that the creation of new keys is not permitted.

Conditions:
The FIPS 140-3 non-approved ciphers, that is, RSA keys with a length of 1024 and 512 bits, EC521, DSA and SM2 keys are only permitted in the following cases:
1) When upgrading from the older versions to FIPS 140-3 supported versions (16.1.3.2 and 17.1)
2) Importing UCS from the older versions to FIPS 140-3 supported versions (16.1.3.2 and 17.1)

Impact:
Non-Approved keys could exist in the configuration after the BigIP version upgrade and UCS installation on a FIPS 140-3 approved system.

Workaround:
When upgrading or installing UCS, ensure that you do not use any non-approved ciphers (as per FIPS 140-3) in the configuration.

Fix:
Added a warning message in /var/log/ltm when non-approved keys are imported during upgrade or UCS installation

Sample log:
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b5004e:4: /Common/TEST_KEY_SI_2.key: FIPS 140-3 mode does not support the use of key sizes 512 and 1024.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b5004e:4: /Common/TEST_KEY_SI_23.key: FIPS 140-3 mode does not support the use of key sizes 512 and 1024.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50050:4: /Common/TEST_KEY_TYPE_DSA2.key: FIPS 140-3 mode does not support the use of private and public keys of type DSA and SM2.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50050:4: /Common/TEST_KEY_TYPE_DSA.key: FIPS 140-3 mode does not support the use of private and public keys of type DSA and SM2.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50052:4: /Common/TEST_KEY_curve3.key: FIPS 140-3 mode does not support EC curve secp521r1.

Fixed Versions:
17.1.0


1214073 : LACP Trunks are not created in TMM on R2800/R4800 platforms.

Component: Local Traffic Manager

Symptoms:
When a BIG-IP tenant is launched with LACP trunks on R2800/R4800 platforms, LACP Trunk is not being created at the TMM level.

Conditions:
When LACP Trunk is created with a VLAN associated to it and a tenant is launched with VLAN associated to LACP Trunk.

Impact:
LACP Trunks will not be created in TMM level.

Workaround:
Change the distribution hash configuration of the LACP Trunk being attached to the tenant on the platform.

Fixed Versions:
17.1.0


1214069 : Potential data leak inside Ethernet padding field on VELOS architecture products

Component: Local Traffic Manager

Symptoms:
Padding bytes added by TMM to bring packets up to the minimum Ethernet frame length of 64 bytes may contain contents of TMM's CPU memory.

Conditions:
Issue can occur whenever TMM creates a packet that is shorter than the 64 byte Ethernet minimum transmitted on a VELOS architecture platform.

Impact:
An unintentional leak of TMM memory contents in the Ethernet padding on VELOS architecture platforms.

Workaround:
Upgrade to latest BIG-IP version.

Fix:
Ethernet minimum frame padding explicitly zeroed by the TMM's data path driver used on VELOS architecture products.

Fixed Versions:
17.1.0


1211885 : Zone Based DDoS upgrade fails from 15.1.8 to 15.1.8.1

Component: Advanced Firewall Manager

Symptoms:
If the protected zone feature is enabled and configured, when the BIG-IP is upgraded from 15.1.8 to 15.1.8.1, then the loading of the configuration will fail as the feature is disabled in the 15.1.8.1 build.

Conditions:
Zone based DDoS feature enabled and provisioned on release 15.1.8.

Impact:
Upgrade from 15.1.8 to 15.1.8.1 will fail when the protected-zone object is provisioned in release 15.1.8 and the user upgrades to 15.1.8.1.

Note: The variable dos.protectedzone will be enabled by default in future releases (17.1.0, 16.1.4, and 15.1.9). Upgrading to a future releases will be successful.

Workaround:
Enable the variable dos.protectedzone manually and reload the configuration. The protected-zone configuration will load successfully.

Fix:
Enable the variable dos.protectedzone manually and reload the configuration. The protected-zone configuration will load successfully.

Fixed Versions:
17.1.0


1211341 : Failed to delete custom monitor after dissociating from virtual server

Component: Global Traffic Manager (DNS)

Symptoms:
When dissociated from virtual server, unable to delete custom monitor.

Conditions:
- Dissociate the custom monitor from virtual server
- Delete the custom monitor

Impact:
Unable to delete custom monitor.

Workaround:
None

Fix:
The custom monitor can be deleted after dissociating from virtual server.

Fixed Versions:
17.1.0


1211021 : Enforcement does not happen for entries in new and modified IPI feed lists due to lock issues

Component: Advanced Firewall Manager

Symptoms:
Entries added or updated in IP Intelligence (IPI) feed lists are not enforced. This occurs when threads in Dynamic White or Black Daemon (DWBLD) module are in deadlock.

Conditions:
- IPI license is enabled.
- Feed lists and policies are configured.

Impact:
Enforcement of entries in new and updated IPI feed lists does not happen.

Workaround:
Run the command "bigstart restart dwbld" to resolve the issue.

Check for "Empty items" message in /var/log/dwbld.log. If same message is seen for more than 100 times continuously, threads are in lock state and we can recover by restarting DWBLD module.

Fix:
The function "set_curl_state" was returning without unlocking mutex in a condition.
The mutex is now unlocked appropriately and prevents locking up of DWBLD threads.

Fixed Versions:
17.1.0


1210433 : Conversion between virtual-wire VLAN and normal VLAN

Component: Local Traffic Manager

Symptoms:
In tenant-based platforms, VLAN can be configured on the tenants. On platforms supported with virtual-wire, adding a virtual-wire would cause a conversion of normal VLAN to virtual-wire VLAN and vice-versa. After conversion, the following error message is displayed.
01070712:3: Internal error, object is not in a folder: type: vlan id: /Common/vlan-11-31.
This issue has been fixed with this.

Conditions:
Virtual-wire enabled tenants to see this issue.

Impact:
The tenant will not become operationally up.

Workaround:
None

Fix:
With the fix, normal VLAN and virtual-wire VLAN can co-exist.

Fixed Versions:
17.1.0


1209197 : Gtmd crash SIGSEGV - OBJ_sn2nid() in

Component: Local Traffic Manager

Symptoms:
The crash occurs while importing or exporting a key or certificate to the BIG-IP.

Conditions:
While importing the exported buffer, an improper initialization of the variable may create a condition leading to the crash.

Impact:
Tmm gets cored.

Workaround:
None

Fix:
Added a fix to handle this issue. Initialized the variable to 0. Hence, it will not have any other value which can be used for fetching the PEM string information.

Fixed Versions:
17.1.0


1208989 : Improper value handling in DOS Profile properties page

Component: Application Security Manager

Symptoms:
The DOS Profile properties page incorrectly renders certain data in the UI.

Conditions:
N/A

Impact:
Improper rendering of the DOS Profile.

Workaround:
N/A

Fix:
The DOS Profile Properties page now renders data correctly.

Fixed Versions:
17.1.0


1208529 : TMM crash when handling IPSEC traffic

Component: TMOS

Symptoms:
A TMM crash may occur when handling certain packets using an IPSEC listener.

Conditions:
An IPSEC listener processing traffic

Impact:
Core detected

Workaround:
N/A

Fix:
Connections are processed as expected.

Fixed Versions:
17.1.0


1208001 : iControl SOAP vulnerability CVE-2023-22374

Links to More Info: K000130415


1207661 : Datasafe UI hardening

Component: Fraud Protection Services

Symptoms:
The Datasafe UI does not follow best security practices.

Conditions:
N/A

Impact:
N/A

Workaround:
Restrict access to the BIG-IP control plane to only trusted users.

Fix:
The Datasafe UI now follows best practices.

Fixed Versions:
17.1.0


1207593 : Secure Shell (SSH) to BIG-IP is failing

Links to More Info: BT1207593

Component: TMOS

Symptoms:
Secure Shell (SSH) connection with the aes128-gcm and aes256-gcm ciphers to BIG-IP fails.

Conditions:
When you explicitly try to establish the connection using aes128-gcm and aes256-gcm ciphers.

Impact:
BIG-IP is unable to match the cipher requirement and an SSH connection is unable to establish.

Workaround:
Make use of other ciphers (aes128-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc) other than aes128-gcm and aes256-gcm.

Fix:
The aes128-gcm and aes256-gcm ciphers have been added. Now, the BIG-IP will be reachable with SSH using these ciphers.

Fixed Versions:
17.1.0


1205049 : Unable to access pages of global settings for GSLB, Zones, and Keys

Component: Global Traffic Manager (DNS)

Symptoms:
The pages containing global settings of GSLB, Zones, and Keys do not load in TMUI.

Conditions:
The BIG-IP box is provisioned with a DNS licence(and GTM licence as well if DNS WideIP capability is required).

Impact:
It is not possible to configure the global settings of GSLB, Zones and Keys.

Workaround:
Open DNS -> Setting - Caches before opening the pages where the issue is observed. This needs to be done once a session.
And afterward, other pages should show correctly.

Fix:
The pages load successfully.

Fixed Versions:
17.1.0


1200985 : While disabling Mobile Application type through WebUI, 'Mobile Identifier - Request Headers' list is getting set to null

Component: Bot Defense

Symptoms:
While disabling Mobile Application type through WebUI, the 'Mobile Identifier - Request Headers' list is deleted.

Conditions:
- Disabling and enabling Mobile Application type through WebUI.

Impact:
The 'Mobile Identifier - Request Headers' list is deleted.

Workaround:
Disable or enable Mobile Application type through TMSH.

Fix:
The 'Mobile Identifier - Request Headers' list is being preserved when enabling or disabling Mobile Application type.

Fixed Versions:
17.1.0


1200929 : GTM configuration objects larger than 16384 bytes can cause the GTM sync process to hang

Links to More Info: BT1200929

Component: Global Traffic Manager (DNS)

Symptoms:
If GTM objects larger than 16384 bytes are created, then the GTM sync process will not complete. In addition, the gtm_add process (which requests a GTM sync for all objects) will not complete.

Following is the symptom for gtm_add:
After "Retrieving remote GTM configuration...", the process will pause for 300 seconds (5 minutes), and then exit, with a message "Syncer failed to retrieve configuration".

For a normal GTM sync, where gtm_add is not being used, the symptom is that the synchronisation of configuration changes is not working.

Conditions:
The presence of any MCPD object in the GTM configuration (/config/bigip_gtm.conf) which is larger than 16384 bytes, for example a large GTM rule.

Note: The GTM iRules are distinct from LTM iRules. Only GTM objects, such as GTM rules (applied to wideIPs) are relevant to this issue.

Impact:
Unable to complete GTM sync, unable to add a new GTM into the sync group.

Workaround:
Reduce the size of the problematic object to lower than 16384 bytes. For example, if the issue is with a GTM iRule, then try removing comments, blank lines, or unnecessary log statements that do not affect the functionality of the rule.

Fix:
None

Fixed Versions:
17.1.0


1196665 : Required TCAM rules are deleted when virtual server configuration is modified

Links to More Info: BT1196665

Component: TMOS

Symptoms:
All TCAM rules of a virtual server, that has active protection offloaded to hardware, are deleted when a VLAN is removed from the VLAN list of the virtual server. The protection is handled in software afterwards.

Conditions:
- Virtual server is configured with an enable VLAN list.
- Security or SYN cookie protection is activated and offloaded to hardware.
- A VLAN is deleted from the VLAN list of the virtual server.

Impact:
The activated protection is handled by software only.

Workaround:
None

Fix:
Updated TCAM rule management logic of deleting VLANs, TCAM rules of a virtual server are not deleted.

Fixed Versions:
17.1.0


1196401 : Restarting TMM does not restart APM Daemon

Component: Access Policy Manager

Symptoms:
Due to asynchronous nature of TMM threads and APM plugin channel threads, a core can trigger when TMM exited and APM Daemon (APMD) is still available with earlier TMM plugin handlers.

Conditions:
When TMM restarts and APM still has old TMPLUGIN handle (which will become invalid eventually).

Impact:
Might observe APMD core.

Workaround:
Restart APM, when TMM is restarted.

Fix:
Updated TMM bigstart scripts to restart APMD and related tm_plugin services.

Fixed Versions:
17.1.0


1196173 : Bot Defense profile 'API Hostname - Web' configuration is hidden in case of Advanced/Premium service level

Component: Bot Defense

Symptoms:
The Bot Defense (BD) profile 'API Hostname - Web' configuration is hidden in case of Advanced/Premium service level.

Conditions:
- BD profile is configured from webUI
- Advance/Premium Service level is configured

Impact:
The configuration field 'API Hostname - Web' is unavailable in webUI.

Workaround:
Configure 'API Hostname - Web' using TMSH.

Fix:
The BD profile 'API Hostname - Web' configuration is visible when 'Web' application is in scope.

Fixed Versions:
17.1.0


1196033 : Improper value handling in DataSafe UI

Component: Fraud Protection Services

Symptoms:
The DataSafe UI does not properly handle certain requests.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
Requests are now handled as expected.

Fixed Versions:
17.1.0


1195377-2 : Getting Service Indicator log for disallowed RSA-1024 crypto algorithm

Links to More Info: BT1195377

Component: TMOS

Symptoms:
Displaying disallowed algorithm as approved. It must not display approved log for disallowed algorithms when FIPS license is installed on the platform.

Conditions:
- FIPS license is installed on the platform.
- Creating a bit key.

Impact:
Creating keys for approved algorithms only

Workaround:
Change log statements or do not create a key for disallowed algorithms.

Fix:
Approved log for disallowed algorithms is not displayed.

Fixed Versions:
17.1.0


1195177-1 : TMM may crash during hardware offload on virtual-wire setup

Links to More Info: BT1195177

Component: TMOS

Symptoms:
TMM SIGSEGV may crash.

Conditions:
-- ePVA capable HSB based platform.
-- virtual-wire setup.

Impact:
Failover may occur.

Workaround:
Disable hardware offload of virtual-wire flows by setting the 'pva-acceleration' parameter of the related fastl4 profile to 'none'.

Fix:
None

Fixed Versions:
17.1.0


1191333 : AVR pdf or reports display F5 logo instead of YK logo

Component: Application Visibility and Reporting

Symptoms:
F5 logo is displayed on the reports.

Conditions:
- Navigate to Statistics ›› Analytics: CPU
- Click on Export button to download AVR reports in pdf format.

Impact:
In the OEM build, F5 logo is displayed instead of YK logo. This causes inconsistency in branding display.

Workaround:
None

Fix:
None

Fixed Versions:
17.1.0


1189877 : The option /dev/random is depreciated from rndc-confgen with the latest BIND 9.16

Component: Global Traffic Manager (DNS)

Symptoms:
The option /dev/random is deprecated from the rndc-confgen after the BIND upgrade.
The keygen.sysinit scripts using the rndc-confgen with the deprecated option /dev/random leading to the failure in creation of the rndc.key file.
The ZRD daemon waits for the rndc.key but as the key creation failed the daemon waits for the key creation infinitely and will be in a down state.

Conditions:
Upgrade the BIND package from 9.11 to 9.16.

Impact:
The ZRD daemon will be down till the rndc.key is created.

Workaround:
Create the key manually without the deprecated option.


Run the following command:
bigstart stop zrd

rm -f /config/rndc.key
/usr/sbin/rndc-confgen -t /var/named -a -c /config/rndc.key
ln -sf /var/named/config/rndc.key /config/rndc.key
chown -f named:named /var/named/config/rndc.key

bigstart start zrd

Fix:
The issue is fixed by removing the deprecated option when generating the rndc.key.

Fixed Versions:
17.1.0


1187157 : BD crashes when provisioning ASM and AVR together on VIPRION

Component: Application Security Manager

Symptoms:
BD crashes during provisioning of ASM and AVR together on VIPRION.

Conditions:
-Platform is VIPRION.
-Possibly only one slot is used out of many available.

Impact:
BD crashes which leads to reboot of BD services.

Workaround:
N/A

Fix:
Updated BD logic to handle slot names.

Fixed Versions:
17.1.0


1186249 : TMM crashes on reject rule

Links to More Info: BT1186249

Component: Local Traffic Manager

Symptoms:
The TMM crashes when the configuration has a rule that contains a reject in an HTTP_RESPONSE.

Conditions:
The crash happens when this rule is processed after a client has disconnected.

Impact:
TMM crashes every time this condition occurs.

Workaround:
If possible, avoid the use of reject or use HTTP::disable before the reject.

Fix:
Reject can be used without a crash.

Fixed Versions:
17.1.0


1185689 : In Bot Defense, TCP RST is sent if the complete body is not received in client request

Component: Bot Defense

Symptoms:
Client request's connection can get reset with reason "SAAS: not received complete body".

Conditions:
- Bot Defense profile configured with protected endpoint, client request is sent to protected endpoint without complete body.

Impact:
Client request's connection resets with reason "SAAS: not received complete body".

Workaround:
None

Fixed Versions:
17.1.0


1185133 : ILX streaming plugins limited to MCP OIDs less than 10 million

Links to More Info: BT1185133

Component: Local Traffic Manager

Symptoms:
When trying to get started with iRules LX, every script attempted results in the following error:
"Sep 16 11:16:26 pid[6958] streaming tm_register failed"

Conditions:
MCP configuration (MCP OID's) should go beyond 10 million.

Impact:
Unable to run iRules LX streaming plugins.

Workaround:
The below command forces MCPD to load the configuration from the text file with an empty database, thus the OID counter is reset to 0.

bigstart stop
rm -f /var/db/mcpdb*
bigstart start

Fix:
The TMSTAT segment names are limited to 31 characters (not including terminating NUL). With 23 characters used by the constant portion, 8 characters are left for both OID and CPU. The CPU will be 1 or 2 characters, leaving 6 or 7 characters for the OID. When exceeded, the tmstat_create fails.
tmplugin_nodejsplugin_1000000_0 err 0
tmplugin_nodejsplugin_10000000_0 err -1

Change the plugin class from "nodejsplugin" to "nodejs" or similar, to allow 6 more digits of OID space (allowing to 10 trillion).

Fixed Versions:
17.1.0


1184629 : Validate content length with respective to SIP header offset instead of parser offset

Component: Service Provider

Symptoms:
The SIP parser is validating the content length of the SIP message with respective to the parser offset instead of SIP actual header. Validating the content length with parser offset is inaccurate.

Conditions:
The SIP message should have content length greater than zero and should have content.

Impact:
The SIP parser is calculating the SIP message body size inaccurately.

Workaround:
None

Fix:
Validating the content length with respective to SIP header offset instead of parser offset.

Fixed Versions:
17.1.0


1184153 : TMM crashes when you use the rateshaper with packetfilter enabled

Links to More Info: BT1184153

Component: Local Traffic Manager

Symptoms:
Tmm might crash when you use the packet-filter with the packetfilter.established option enabled, and when rate-class is applied via packet-filter rule.

Conditions:
- packet-filter with packetfilter.established option enabled.
  AND
- rate-class is applied via packet-filter rule.

Impact:
TMM crash/failover.

Workaround:
Do not apply rate-class via packetfilter or disable the packetfilter.established option.

Fixed Versions:
17.1.0


1183581 : Encoded URLs are not normalised for protected endpoint check for Advanced/Premium service level for both Web and Mobile requests

Links to More Info: BT1183581

Component: Bot Defense

Symptoms:
Client requests with encoded URL are not normalised for protected endpoint check for Advanced/Premium service level for both Web and Mobile requests. This may cause these requests not to be treated as protected requests.

Conditions:
- In BD profile Advanced/Premium is set as service level
- Client request with encoded URL

Impact:
Requests with encoded URL may not be treated as protected requests.

Workaround:
None

Fixed Versions:
17.1.0


1183565 : Throttle reoccurring FPS warning messages

Component: Fraud Protection Services

Symptoms:
Some FPS warning messages sometimes have a reoccurring pattern.
They can come in overwhelming numbers.

Conditions:
One of the possibilities is client IP change.

Impact:
TMM logs are overwhelmed which causes a crash.

Workaround:
N/A

Fix:
Added a throttling mechanism, that limits warning messages originating from a specific line of code to be printed only once per 30 seconds.

Fixed Versions:
17.1.0


1183553-1 : The platform_mgr core dumps on token renewal intermittently

Links to More Info: BT1183553

Component: F5OS Messaging Agent

Symptoms:
The platform_mgr core dumps on token renewal.

Conditions:
On token renewal, gRPC is adding additional characters to token buffer in initial metadata of gRPC channel.

Impact:
The platform_agent core dumped and configuration related to tenant will be re-fetched on platform_agent startup.

Workaround:
None

Fix:
Token renewal handling is changed to read token considering token's length from initial metadata in gRPC channel.

Fixed Versions:
17.1.0, 15.1.8.1


1183453 : Local privilege escalation vulnerability (CVE-2022-31676)

Links to More Info: K87046687


1183161 : Performance improvement in policy creation/deletion

Component: Application Security Manager

Symptoms:
Policy creation/deletion takes more time than expected.

Conditions:
This issue occurs when there are multiple update_core events within a second.

Impact:
Policy creation/deletion takes time.

Workaround:
NA

Fix:
Performance improvement in policy creation/deletion.

Fixed Versions:
17.1.0


1183033 : TMM Core can occur when client requests are sent with Device ID profile configured and Domain pool is down

Component: Client-Side Defense

Symptoms:
TMM Cores

Conditions:
- Device ID profile configured and attached to a virtual server.
- Domain pool is unreachable or down.
- Certain requests received from the client.

Impact:
Traffic interruption can occur as TMM restarts

Fixed Versions:
17.1.0


1181613 : IPsec IKEv2: BIG-IP version 16.1.0 introduced RFC5996 non-compliance in IKE SA delete

Links to More Info: BT1181613

Component: TMOS

Symptoms:
After the deletion of an IKE SA, the child IPsec SAs will not be deleted.

Conditions:
-- IKEv2 IPsec tunnels
-- Tunnels use Route Domains.
-- An IPsec SA is deleted.

Impact:
The BIG-IP believes it still has valid IPsec SAs to use, while the remote peer does not. In this case, if the BIG-IP is normally the initiator, the tunnel will be unusable until the lifetime expires on the existing IPsec SAs.

Fix:
IPsec SAs are now deleted after the related IKE SA is deleted.

Fixed Versions:
17.1.0


1181345 : Fix for VLAN Group reconfiguration issue when an additional virutal-wire configuration is added on top of deployed tenant

Component: Local Traffic Manager

Symptoms:
Failed to create VLAN group when adding new virtual-wire config with different VLAN on a deployed tenant (reconfiguration issue).

Conditions:
Other virtual-wire configurations are added on top of the deployed tenant.

Impact:
Failed to create VLAN group when adding new virtual-wire config with different VLAN on a deployed tenant.

Workaround:
None

Fix:
With this fix, the VLAN group reconfiguration issue is resolved when an additional virtual-wire configuration is added on top of the deployed tenant.

Fixed Versions:
17.1.0


1178221 : In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT

Links to More Info: BT1178221

Component: TMOS

Symptoms:
When the retransmit happens, and other side is not reachable, the BIG-IP logs the "err packet length does not match field of ikev2 header" and then "ERR dropping unordered message".

Conditions:
Tunnel is established between Initiatior and Responder.
Responder is able to send DPD request. but not able to receive response.

Impact:
Wrong information logged.
DPD response packet corruption.

Workaround:
None

Fix:
Logs will display correct message.
Packet will not corrupt.

Fixed Versions:
17.1.0


1174873 : The location header query string separate is converted from "?" to "%3F" breaking multi-domain

Links to More Info: BT1174873

Component: Access Policy Manager

Symptoms:
In muti-domain Single Sign-On (SSO), the location header query string separate is converted from "?" to "%3F" breaking multi-domain.

Conditions:
- Create an access policy with a redirect to login page.

Impact:
Breaking multi-domain.

Workaround:
None

Fix:
Issue is with the normalized URL function, removed the search filter parameters normalization.

Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3


1174033 : The UPDATE EVENT is triggered with faulty session_info and resulting in core

Links to More Info: BT1174033

Component: Policy Enforcement Manager

Symptoms:
The UPDATE EVENT requires a proper initialization of the session_info which in turn is used to set the tcl pcb's cmdctx. With properly defined cmdctx, the sess_data is populated successfully. But, without proper initialization of the session_info makes the cmdctx to carry incorrect vaules, thus resulting in a core when populating the sess_data.

Conditions:
Enable the Global UPDATE-EVENT option and make sure you log
some session attributes as part of the UPDATE EVENT.

Impact:
Results in a core.

Workaround:
None

Fix:
Triggering UPDATE EVENT is not causing any core.

Fixed Versions:
17.1.0


1173997 : BIG-IP Mac Edge client download failure from connectivity profile

Component: Access Policy Manager

Symptoms:
BIG-IP Mac Edge client download fails from the connectivity profile.

Conditions:
Create a connectivity profile.

Impact:
Mac Edge client download fails from the connectivity profile.

Workaround:
None

Fix:
BIG-IP Mac Edge client downloads successfully.

Fixed Versions:
17.1.0


1173669 : Unable to reach backend server with Per Request policy and Per Session together

Component: Access Policy Manager

Symptoms:
It is observed that backend pool is not reachable.

Conditions:
The OAuth case with Per Request policy and Per Session together.

Impact:
Backend Pool is not reachable.

Workaround:
None

Fix:
Variables pushed with server configuration into per request flow are accessed with last rather than the server configuration.

Fixed Versions:
17.1.0


1173625 : TMM core generate with SIGSEGV - mkv_free()

Component: TMOS

Symptoms:
TMM crash and restart.

Conditions:
TMM is receiving a delete message for a VLAN that does not exist.

Impact:
TMM restart.

Fixed Versions:
17.1.0


1173441 : The 'tmsh save sys config' call is being triggered when REST Authentication tokens (X-F5-Auth-Token) are deleted or expired

Component: TMOS

Symptoms:
The 'tmsh save sys config' call is being triggered when REST authentication tokens (X-F5-Auth-Token) are deleted or expired.

Conditions:
The REST authentication tokens (X-F5-Auth-Token) are deleted or expired.

Impact:
There is no functional impact. However, in the BIG-IPs where there is huge configuration, a 'tmsh save sys config' call takes a lot of time and thus impacts the performance.

Workaround:
None

Fix:
The REST authentication tokens (X-F5-Auth-Token) are deleted or expired without triggering the 'tmsh save sys config' call as the call is unnecessary.

Fixed Versions:
17.1.0


1169105 : Provide download links on BIG-IP for Linux ARM64 VPN Client

Component: Access Policy Manager

Symptoms:
No download links are available in the welcome page in BIG-IP for Linux ARM64 VPN Client.

Conditions:
- Login to BIG-IP.

Impact:
None

Workaround:
None

Fix:
Added download links in BIG-IP for Linux ARM64 VPN Client.

Fixed Versions:
17.1.0


1168309 : Virtual Wire traffic over trunk interface sometimes fail in Tenant based platforms

Component: Local Traffic Manager

Symptoms:
Traffic does not flow through the virtual-wire trunk. Traffic through the interface is not impacted.

Conditions:
When there is an overlap between the DID values of the interface and trunk, virtual-wire traffic does not pass through the trunk.

Impact:
Traffic outage might occur.

Workaround:
None

Fix:
The conflict between Interface DID values and Trunk DID values are avoided, by marking whether the DID value belongs to a trunk or interface.

Fixed Versions:
17.1.0


1168137 : PEM Classification Auto-Update for month is working as hourly

Component: Traffic Classification Engine

Symptoms:
After configuring PEM classification signature auto-update as monthly, but it runs on hourly.

If the update schedule is set to daily or weekly, then the latest IM package is downloaded based on the set update schedule. But, when it is set to monthly, it is working on hourly.

Conditions:
Automatic updates for classification signatures is configured and enabled, and update schedule should be set to monthly.

Impact:
Classification update is not working on monthly basis.

Workaround:
None

Fix:
None

Fixed Versions:
17.1.0


1167941 : CGNAT SIP ALG INVITE loops between BIG-IP and Server

Component: Service Provider

Symptoms:
On an inbound call on the ephemeral listener, if the INVITE message TO header is not registered, and From header is registered, then INVITE is sent out on the ephemeral listener which might cause a loop issue, if the server sends back the INVITE to BIG-IP again.

Conditions:
It occurs with inbound calls.

Impact:
It could lead to performance issue if the loop continues.

Workaround:
Step 1 or 2 can be used as a workaround based on the use case.
1)If the From and To headers are the same, 400 bad response is given.
Also, the packets are dropped in case the destination address is not translated.

ltm rule sip_in_rule {

    when SIP_REQUEST_SEND {
        if {[SIP::method] == "INVITE" && [IP::addr [IP::remote_addr] equals $localAddr]} {
            SIP::discard
        }
    }

    when SIP_REQUEST {
        set localAddr [IP::local_addr]
        set from [substr [SIP::header from] 0 ";"]
        set to [substr [SIP::header to] 0 ";"]
        if {[SIP::method] == "INVITE" && $from equals $to} {
            SIP::respond 400 "Bad Request"
        }
}

(tmos)# modify ltm virtual vs_alg_sip_private { rules { sip_in_rule } }


2)below Irule would drop all inbound calls.

ltm rule sip_drop_rule {
   when MR_INGRESS {
        if { [MR::transport] contains "_$" } {
            MR::message drop
        }
    }
(tmos)# modify ltm virtual vs_alg_sip_private { rules { sip_drop_rule } }

Fix:
BIG-IP will drop the messages in the following cases.
a)If From and To headers are the same in the sip INVITE message.
b)If the SIP INVITE message To header is not registered and From is registered.

Fixed Versions:
17.1.0


1167889-5 : PEM classification signature scheduled updates do not complete

Component: Traffic Classification Engine

Symptoms:
After configuring PEM classification signature updates to run at an defined interval, the updates may not actually occur.

Via tmsh:

   ltm classification auto-update settings { }

via GUI:

   Traffic Intelligence -> Applications -> Signature Update -> Automatic Update Settings


In the /var/log/ltm log, the following message may be seen

mcpd[xxxx]: 01070827:3: User login disallowed: User (guest) is not an administrator, does not have a UID of zero, and has not been assigned a role on a partition.

Conditions:
Automatic updates for classification signatures is configured and enabled.

Impact:
The classification updates do not occur.

Workaround:
Run the classification update manually.

Fixed Versions:
17.1.0


1167885 : IPsec tunnel establishment is not happening after rekeying

Component: TMOS

Symptoms:
Rekey will result in a crash.

Conditions:
Set Rekey for a lesser time and see the crash.

Impact:
Crash

Workaround:
No workaround. Take the fix into the version.

Fix:
This is a side effect of adding the AES-GCM functionality. During rekey, the right argument is to be passed to check algorithms.

Fixed Versions:
17.1.0


1167869 : Unable to provision PEM module VELOS and rSeries platform

Component: TMOS

Symptoms:
PEM option is not displaying when command "tmsh list sys provision" is executed.

Conditions:
- Run command "tmsh list sys provision".

Impact:
Unable to provision PEM module.

Workaround:
None

Fixed Versions:
17.1.0


1166937 : The path_match is missing in RCL path when path_match string is "Any String"

Links to More Info: BT1166937

Component: Access Policy Manager

Symptoms:
The capital letter "A" should be generated at the end while "Any String" is selected in RCL builder in webUI.

Conditions:
- Go to rewrite profile and create a new rewrite profile.
- Enable split tunneling in the webUI.
- Go to RCL builder and select "Any String" and leave the path empty.
- Click Add On.
- Update the page.

Impact:
The capital letter "A" at the end of the RCL list is not appended while "Any String" is selected for Path Match field of the RCL builder

Workaround:
None

Fix:
The capital letter "A" at the end of the RCL list is now appended while "Any String" is selected for Path Match field of the RCL builder.

Fixed Versions:
17.1.0


1166449 : APM - NTLM authentication will stop working if any of DC FQDN is not resolvable in the configured DC list

Links to More Info: BT1166449

Component: Access Policy Manager

Symptoms:
NTLM authentication will stop working.

Conditions:
If any of the DC FQDN is not resolvable in the configured NTLM Auth Config DC list during below scenarios:
- Create/Modify NTLM Auth Configuration
- Restart ECA/NTLM service
- Restart, Power cycle or after upgrade
- Active/Stand by switch over.

Impact:
NTLM authentications targeted towards this NTLM Auth Config will start to fail.

Workaround:
User need to remove the non-resolvable DC FQDN from the NTLM Auth configuration's DC list.

Fix:
Fix will be provided to try FQDN resolution for all entries in the NTLM Auth configuration's DC list, NTLM Auth will proceed if at least one of the DC is resolvable and reachable.

Fixed Versions:
17.1.0


1166329 : The mcpd process fails on secondary blades, if the predefined classification applications are updated.

Links to More Info: BT1166329

Component: TMOS

Symptoms:
If a user installs and deploys a classification update (classification-update-*.im) the predefined classification applications are changed to "user modified".

This change causes the mcpd process to fail and restart on secondary blades during startup.

Conditions:
- Multi-slot VIPRION or vcmp guest
- PEM provisioned
- Classification applications updated either with tmsh load sys config merge or by using the Signature Update option in the Traffic Intelligence tab from the GUI or tmsh

Impact:
No impact

Workaround:
None

Fixed Versions:
17.1.0


1162661 : The Bad Actor (BA) hit counter is not updating for ICMP vector during hardware mitigation

Component: Advanced Firewall Manager

Symptoms:
The hardware mitigation was not proper due to spva ba_hit statistics not generated.

Conditions:
Configure BA with rate limits for ICMP vectors at virtual server level.

Impact:
Attack traffic will get pass through because of ba_hit is not updating.

Workaround:
None

Fix:
Neuron support is not available for ICMP packets, directly write rules into flow cache through which hardware can get entries.

Fixed Versions:
17.1.0


1162357 : Hardware offloading is not working in the AFM DoS protection

Component: Advanced Firewall Manager

Symptoms:
AFM supports DoS protection where packets can be dropped at Hardware. In the current release, Hardware offloading is not working on tenants launched over F5OS/vCMP.

Conditions:
On vCMP guests, AFM DoS is enabled. DoS protection with Hardware offloading is expected. Traffic-related vectors are configured under security.

Impact:
Hardware offloading does not work which forces software to handle the DoS protection.

Workaround:
To enable hardware DoS offload, within the guest/tenant, modify dos.vcmphwdos variable value to true. Modify sys db dos.vcmphwdos value true.

Fix:
In tenant over the VELOS family platform, dos.vcmphwdos will not make any effect and hardware offload can be controlled with the dos.forceswdos variable.

Fixed Versions:
17.1.0


1162081 : Upgrade the bind package to fix security vulnerabilities

Component: Global Traffic Manager (DNS)

Symptoms:
Upgrade the bind package to fix the following security vulnerabilities:

- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178

Conditions:
Upgrade the bind package to fix the following security vulnerabilities:

- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178

Impact:
Upgrade the bind package to fix the following security vulnerabilities:

- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178

Workaround:
None

Fix:
Upgraded the bind package to 9.16.33.

Fixed Versions:
17.1.0


1161965 : File descriptor(fd) and shared memory leak in wr_urldbd

Links to More Info: BT1161965

Component: Traffic Classification Engine

Symptoms:
When updating the customdb, fd and shared memory leaks were observed in wr_urldbd.

Conditions:
The issue happens when a urldb feed list is modified multiple times in a loop.

Impact:
Updating customdb will not work.

Workaround:
No

Fix:
Handled the updating of the customdb more efficiently to prevent any fd or shared memory leaks.

Fixed Versions:
17.1.0


1161785 : FIPS Module name updates

Component: TMOS

Symptoms:
FIPS 140-3 requires that the FIPS Module name must be displayed when requested by an administrator. The module name for rSeries/VELOS is added to meet these requirements.

Conditions:
Platform FIPS license enabled.

Impact:
FIPS Module name is displayed.

Workaround:
None

Fix:
FIPS module name is added.

Fixed Versions:
17.1.0


1161733 : Enabling client-side TCP Verified Accept can cause excessive memory consumption

Component: Local Traffic Manager

Symptoms:
Under certain scenarios when Verified Accept is enabled on a TCP profile, TCP packets with large Receive Windows may cause high consumption of resources like xdata and xhead, aggressive sweeper messages, and TMM cores under certain conditions.

Conditions:
1. A TCP Virtual Server with Verified Accept enabled in the clientside TCP profile
2. Unspecified TCP packet sequences with large receive windows.

Impact:
High Memory usage and TMM might crash

Workaround:
Disable Verified Accept in TCP profile

Fix:
Excessive resource usage no longer occurs when TCP Verified Accept is enabled on a TCP profile.

Fixed Versions:
17.1.0


1161241 : BIND default behavior changed from 9.11 to 9.16

Component: Global Traffic Manager (DNS)

Symptoms:
The default behavior of BIND configurations for minimal-responses and dnssec-validation is changed in BIND 9.16 and leaving the issues for existing test cases and expected behavior.

Conditions:
Upgrade BIND package from version 9.11.36 to 9.16.27.

Impact:
Behavior change for minimal-responses and dnssec-validation.

Workaround:
None

Fix:
Reverted the default behavior changes for minimal-responses and dnssec-validation in 9.16.33 as per BIND 9.11.36 behavior.

Fixed Versions:
17.1.0


1160973-1 : Profile based allow list not working on L2 wire enabled interfaces in appliances

Component: Advanced Firewall Manager

Symptoms:
Attack mitigation is done in hardware for entries which are configured as allowed IPs in a DoS profile attached to virtual server.

Conditions:
- L2 wire need to be enabled.
- Allow list need to be configured and attach to virtual server DoS profile.
- Attack need to be detected for the traffic initiated from the source IP configured in allowed list.

Impact:
Virtual server allow list functionality will not work as expected.
Rate limiting will be done in hardware, although IP is configured to be allowed.

Workaround:
None

Fix:
Allowed IP list on L2 wire enabled interfaces can be configured.

Fixed Versions:
17.1.0


1159569 : Persistence cache records may accumulate over time

Links to More Info: BT1159569

Component: Local Traffic Manager

Symptoms:
The persistence cache records accumulate over time if the expiration process does not work reliably. The 'persist' memory type grows over time when multiple TMMs are sharing the records.

Conditions:
- Non-cookie, persistence configured.
- Multi TMM box
- Traffic that activates persistence is occurring.

Impact:
Memory pressure eventually impacts servicing of traffic in multiple ways. Aggressive mode sweeper runs and terminates active connections. TMM may restart. Traffic is disrupted while TMM restarts.

Workaround:
None

Fix:
Persistence records are now reliably expired at the appropriate time.

Fixed Versions:
17.1.0


1159397 : The high utilization of memory when blade turns offline results in core

Links to More Info: BT1159397

Component: Policy Enforcement Manager

Symptoms:
The TMM memory utilization continue to increase after a blade turns offline.

Conditions:
Blade turns offline.

Impact:
The TMM memory utilization will finally cause out-of-memory errors or cores and TMM processes will restart. The service will be interrupted.

Workaround:
None

Fix:
Error code ERR_MEM will be handled successfully.

Fixed Versions:
17.1.0


1156697 : Translucent VLAN groups may pass some packets without changing the locally administered bit

Links to More Info: BT1156697

Component: Local Traffic Manager

Symptoms:
Translucent VLAN groups may pass some packets without changing the locally administered bit.

Conditions:
The destination mac address of the ingress packet does not match the nexthop.

Impact:
Connections may fail, packet captures show the packets being egressed the VLAN group with the locally administered bit set.

Workaround:
None

Fix:
None

Fixed Versions:
17.1.0


1156105 : Proxy Exclusion List is not configurable if VLAN group and route-domain are in non default partition

Links to More Info: BT1156105

Component: Local Traffic Manager

Symptoms:
Unable to add IP apart from /Common to Proxy Exclusion List.

Conditions:
- Route-Domain is created with default-route-domain in same partition.

#tmsh create auth partition part5
#tmsh create net route-domain /part5/rd5 id 5
#tmsh modify auth partition part5 default-route-domain 5

Impact:
The following command fails:
tmsh modify net vlan-group /part5/RD5-VLAN-GRP proxy-excludes add { 10.10.20.196 }

Workaround:
- The following command is used to create route-domain in /Commom:
   #tmsh create net route-domain /part5/rd5 id 5
   Modify this command as following:
   #tmsh create net route-domain rd5 id 5

- Manually edit the bigip.conf file in partitions and add IP address manually, and then reload the config.

Fix:
IP can be added to Proxy Exclusion List.

Fixed Versions:
17.1.0


1155757 : Renaming the IVS monitors to remove the word "shape".

Component: Application Traffic Insight

Symptoms:
All predefined SAAS IVS monitors include the word "shape" in their name.
Monitors should be renamed to indicate that they support all the SAAS products.

Conditions:
Use predefined monitors.

Impact:
The word "shape" is part of monitor names.

Workaround:
NA

Fix:
Predefined monitor renamed.

Fixed Versions:
17.1.0


1155733 : NULL bytes are clipped from the end of buffer

Component: TMOS

Symptoms:
In logs the key length is less then the actual key length.

Conditions:
- Establish IPSec tunnel.
- Check the logs.

Impact:
Incomplete information in the logs.

Workaround:
None

Fix:
Printing all bytes in the buffer irrespective of NULL bytes.

Fixed Versions:
17.1.0


1155393 : Failure to remove chunk headers from chunked response with Rewrite/HTML profile and compression

Links to More Info: BT1155393

Component: Local Traffic Manager

Symptoms:
The BIG-IP fails to remove chunk headers when compressing a chunked response from a pool member.

The chunk headers are compressed and delivered to the client as part of the payload.

Conditions:
-- Version with the fix for ID902377
-- Rewrite/HTML profile
-- Compression profile
-- Chunked response from pool member (With "Transfer-Encoding: Chunked" header)
-- HTTP response eligible for compression

Impact:
Chunk header and terminating 0 length chunk are compressed and delivered to the client as part of the payload, resulting in broken application functionality.

Workaround:
Remove the compression profile, or modify the compression profile to ensure the response in question is no longer eligible for compression.

Fix:
None

Fixed Versions:
17.1.0


1154933 : Improper permissions handling in REST SNMP endpoing

Component: TMOS

Symptoms:
Certain requests to the REST SNMP standpoint improperly handle user permissions.

Conditions:
Not specified

Impact:
Security best practices are not followed

Workaround:
Only allow trusted users to have access to the REST interface.

Fix:
User permissions work as expected.

Fixed Versions:
17.1.0


1154681-1 : Reconfiguration of virtual-wire VLAN in tenant

Component: Local Traffic Manager

Symptoms:
When normal VLAN in the controller is reconfigured to virtual-wire VLANs, issue is observed in vWire VLAN creation.

Conditions:
- vWire is configured in the tenant.

Impact:
The command "tmsh list net vlan" throws error.

Workaround:
1. Delete the vlan-groups and vlans in the tenant using "tmsh delete net vlan-group all" followed by "tmsh delete net vlan all".
2. Reconfigure the VLANs in the controller.
3. Execute "tmsh list net vlan-group" and "tmsh list net vlan" in tenant and verify whether all the VLANs are created fine.

Fix:
None

Fixed Versions:
17.1.0


1154673-1 : Enabling DHCP for management should not be allowed on F5OS BIG-IP tenants

Links to More Info: BT1154673

Component: TMOS

Symptoms:
Options to enable DHCP for the management interface are available on F5OS BIG-IP tenants.

Conditions:
F5OS BIG-IP tenant

Impact:
The F5OS BIG-IP tenant can be configured with options that are incompatible with BIG-IP operation.
This might result in a loss of management IP in the tenant after a reboot.

Workaround:
Do not attempt DHCP on the management interface of a F5OS BIG-IP tenant.

Fixed Versions:
17.1.0


1154481 : Not able to add Host:port in the host field of a protected end point configuration

Component: Account Protection & Authentication Intelligence

Symptoms:
The host field is not allowing both port and IP address.

Conditions:
-> Create a saas ap-ai profile.
-> Add a protected endpoint with the Host field with IP address and port.

Impact:
Unable to create saas ap-ai profile if host field contains IP address and port.

Workaround:
N/A

Fixed Versions:
17.1.0


1154417-1 : Profile based attack is not mitigated at hardware on L2 wire setup

Component: Advanced Firewall Manager

Symptoms:
Attack is not mitigated at hardware for configured profile DoS vectors on virtual-wire setup.

Conditions:
- virtual-wire is enabled.
- DoS vector is configured and attached to virtual server DoS profile.

Impact:
Virtual server DoS hardware offloading functionality will not work as expected and full traffic will be reaching to software.

Workaround:
None

Fix:
Program hardware on virtual-wire setup will be successful.

Fixed Versions:
17.1.0


1153865 : Restjavad OutOfMemoryError errors and restarts after upgrade

Links to More Info: BT1153865

Component: TMOS

Symptoms:
After upgrade to an affected version, restjavad restarts intermittently or frequently, and/or may use high CPU.

The restjavad logs, /var/log/restjavad.X.log, may report the following errors:
 java.lang.OutOfMemoryError: Java heap space

restjavad may instead, or as well, run many full garbage collection cycles one after another, causing high CPU. This will be shown by frequent logs with [FullGC] in /var/log/restjavad-gc.log.X.current

Conditions:
- Update to affected version: 14.1.5.1-, 15.1.7-, 16.1.3.1-, 17.0.0.1- or later versions.
- Value of sys db restjavad.useextramb is true.
- Value of sys db provision.restjavad.extramb is 192 or lower than previous restjavad heap size.
- Use of REST API calls that need a lot of memory. Heavy users of REST API may be very affected such as SSLO.

Impact:
May have problems in TMUI with certain pages or tabs, such as network map with very config or SSLO or iLX related tabs.

Other services that use REST API, internal and external to BIG-IP, may be impacted with low performance or service instability

Workaround:
Before upgrade - if you set sys db restjavad.useextramb to value false before install of new version you will have more restjavad memory, the default 384MB, after upgrade.

  tmsh modify sys db restjavad.useextramb value false

If you restart restjavad you can see if that value works before upgrade. If you don't restart then it will come into effect after reboot.

If that no longer has issues after update then leave that setting at false. Otherwise set back to true (no restart) and increase provision.restjavad.extramb as in After upgrade section below.

After upgrade:
Set sys db provision.restjavad.extramb to an appropriate value and restart restjavad.

Run the following command:

  tmsh modify sys db provision.restjavad.extramb value X
  bigstart restart restjavad

Iterate as necessary.

The value of X is derived by using one of the following formulae:

- When updating from versions before 14.1.4 and 15.1.3, to affected versions, a value that preserves the maximum previous restjavad heap size is:
  192MB + 80% of MIN(provision.extramb|2500)
the minimum possible heap size was:
  192MB + 20% of MIN(provision.extramb|2500)
The actual restjavad heap size would be between those extremes. SSLO systems would typically need the maximum.

- When updating from 14.1.4-14.1.5, from 15.1.3-15.1.6.1 or from 16.0.x to affected versions:
  384MB + 80% of MIN(provision.extramb|2500)

- When updating from 16.1.0-16.1.3 or from 17.0.0.0 to affected versions:
  384MB + 90% of MIN(provision.extramb|4000)

Fix:
After upgrade, the system now sets the default value for provision.restjavad.extramb variable to 384MB. This sets the maximum heap size to 384MB. For values of provision.restjavad.extramb of 384 and lower the starting heap size is set at 96MB. For values above 384MB the starting heap size is set to the same value as maximum heap size.

Where sys db restjavad.useextramb was set to value true in the previously used version, the value for provision.restjavad.extramb is based on a calculation of the maximum restjavad heap size that could have been used.

Usually this maintains the same or very similar restjavad heap size as used previously with more ability to fine tune it. The default size works in a wider range of settings.

When upgrading from a version that had a smaller starting heap size than maximum heap size, so before 14.1.4 or 15.1.3, and restjavad.useextramb set to true, it's possible that restjavad will use more memory than required. That's because for values above the default size of 384MB for provision.restjavad.extramb starting heap size is set the same as maximum heap size to lower performance issues when large memory sizes are required. You can lower restjavad memory use by lowering the value of provision.restjavad.extramb and restarting it if needed.

Fixed Versions:
17.1.0


1146341-1 : TMM crash with APM per-request policy

Links to More Info: BT1146341

Component: Access Policy Manager

Symptoms:
The TMM cores while executing per-request policy after BIG-IP is upgraded from version 17.0.0 to version 17.0.0.1.

Conditions:
- Assigning per-request policy to virtual server.

Impact:
TMM crashes leading to disruption in traffic flow.

Workaround:
None

Fix:
TMM does not crash with APM per-request policy.

Fixed Versions:
17.1.0


1146241 : FastL4 virtual server may egress packets with unexpected and erratic TTL values

Links to More Info: BT1146241

Component: Local Traffic Manager

Symptoms:
A FastL4 virtual server may egress (either towards the client or the server) IP packets with unexpected and erratic TTL values. The same also applies to IPv6, where the TTL field is known as Hop Limit.

Conditions:
- The BIG-IP system is a Virtual Edition (VE).

- The Large Receive Offload (LRO) is enabled on the system (which it is by default), and is operating in software mode. You can determine whether LRO is enabled on the system by inspecting the tm.tcplargereceiveoffload DB key, and you can determine whether LRO is operating in software mode by trying to query the tcp_lro tmstat table (tmctl -d blade tcp_lro). If the table exists, LRO will be operating in software mode.

- The FastL4 profile is configured to decrement the TTL (this is the default mode).

- The virtual server uses mismatched IP versions on each side of the proxy (for example, an IPv6 client and an IPv4 server).

Impact:
Depending on the actual TTL values that will be sent out on the wire (which can be random and anything within the allowed range for the field) traffic can be dropped by routers on the way to the packet's destination.

This will happen if there are more routers (hops) on the way to the packet's destination than the value specified in the TTL field.

Ultimately, this will lead to retransmissions and possibly application failures.

Workaround:
You can work around this issue by doing either of the following things:

- Disable LRO on the BIG-IP system by setting DB key tm.tcplargereceiveoffload to disable.

- Use a TTL mode for the FastL4 profile other than decrement (for example, use proxy or set).

Fix:
The TTL decrement mode now works as expected under the conditions specified above.

Fixed Versions:
17.1.0


1146081 : Multiple selection of Learning Suggestions does not work

Component: Application Security Manager

Symptoms:
In the Leaning Suggestions list, selecting multiple items does not show the correct items selected by the user.

Conditions:
In Security ›› Application Security : Policy Building : Traffic Learning screen, ensure you select at least 2 items of Learning Suggestions. Try to select all of them, and you will observe that they are not shown properly.

Impact:
Users cannot select more than one item for the applicable operations, such as deletion or ignoring them.

Fixed Versions:
17.1.0


1146037 : Updating the firmware for a FIPS protected internal HSM due to SDK or driver upgrade

Component: Local Traffic Manager

Symptoms:
In this release, FIPS HSM SDK and Driver version upgraded to 1.1-6.

Conditions:
When FIPS device upgraded to version where this bug is included and this applies to all BIG-IP FIPS platforms, except for BIG-IP 5250F, 7200F, 10200F, 11000F, and 11050F.

Impact:
Without manual firmware upgrade, FIPS HSM may have a not recommended firmware version, which may lead to unpredictable behavior.

Workaround:
None

Fix:
The FIPS device firmware need to be manually upgraded to version 1.1-5. For more information, refer to the article https://support.f5.com/csp/article/K26061560.

Fixed Versions:
17.1.0


1146017 : WebUI does not displays error when parent rewrite profile is not assigned to user defined rewrite profile

Component: Access Policy Manager

Symptoms:
WebUI does not show error when parent profile is empty.

Conditions:
1) Navigate to Access > Connectivity/VPN > Portal Access > Rewrite.
2) Enter the details, do not assign any parent rewrite profile.
3) Click Create.

Impact:
No webUI error is seen as parent profile is not assigned to user defined rewrite profile.

Workaround:
Enter details in the parent profile field and click Create.

Fix:
WebUI error is displayed when the parent profile filed is empty and clicked on Create button.

Fixed Versions:
17.1.0


1145797 : In BD profile, query segment in the client request URI is not ignored for protect endpoint match

Component: Bot Defense

Symptoms:
In Bot Defense (BD) profile, query segment in the client request URI is not ignored for protect endpoint match.

This is applicable for both Web and Mobile endpoints, and applicable for both Standard and Advanced/Premium service levels.

Conditions:
- BD profile is configured with protected endpoints.

Impact:
Client request containing query segment is not ignored for endpoint match, so these requests are not considered for bot detection.

Workaround:
None

Fixed Versions:
17.1.0


1145757 : In BD profile, telemetry is seen in the client request even when Ajax requests with query string are not classified as endpoint requests

Component: Bot Defense

Symptoms:
In BD profile, telemetry is seen in the client request even when Ajax requests with query string are not classified as endpoint requests.

Conditions:
- BD profile is configured with protected endpoints.
- Request with query string is sent from client

Impact:
Client request containing query segment is not classified as endpoint request, so these requests are not considered for bot detection even though telemetry is present in the request.

Fixed Versions:
17.1.0


1144817 : Traffic processing interrupted by PF reset

Links to More Info: BT1144817

Component: TMOS

Symptoms:
Traffic between client and server is interrupted.

Conditions:
- E810 NICs are used.
- Reset PF.

Impact:
The BIG-IP instance requires a restart after PF reset to resume traffic processing.

Workaround:
Restart the BIG-IP device.

Fix:
A TMSH db variable ve.ndal.exit_on_ue is used to enable/disable device restart on PF reset. On restart, following error message is recorded in /var/log/tmm:

"Restarting TMM on unrecoverable error."

Fixed Versions:
17.1.0


1144477 : IKE_SA_INIT uses src port 500 and dst port 4500 after IKE SA deleted

Links to More Info: BT1144477

Component: TMOS

Symptoms:
The new IPsec tunnel IKE INIT exchange source port is 500, and the destination port is 4500, but the destination port should be 500.

Conditions:
This issue is observed after deleting IKE SA from tmsh.

Impact:
Interoperability issue, tunnel will not get established with other devices.

Workaround:
None

Fix:
Default configuration was overwritten after tunnel establishment, added valid conditions before overwriting the configuration.

Fixed Versions:
17.1.0


1144373 : BIG-IP SFTP hardening

Component: TMOS

Symptoms:
Under certain conditions SFTP does not follow current best practices.

Conditions:
- Authenticated high-privilege user
- SFTP file transfer

Impact:
BIG-IP does not follow current best practices for filesystem protection.

Workaround:
None

Fix:
All filesystem protections now follow best practices.

Behavior Change:
when you are using SFTP to transfer the files from BIG-IP to remote-machine and vice versa,
1. filename should have absolute file paths.
2. un-encrypted files cannot be transferred when fips/cc-mode is enabled.

Fixed Versions:
17.1.0


1144329 : Traffic Intel does not classify Microsoft app properly

Links to More Info: BT1144329

Component: Traffic Classification Engine

Symptoms:
Some of the Microsoft teams based URLs are marked uncategorized or categorized as SSL and http2 by traffic intelligence categorization.

Conditions:
Geolocation based traffic not classified.

Impact:
Incorrect classification of Microsoft application.

Workaround:
None

Fix:
Implemented signature for Microsoft and its subsidiary applications and released the IM package.

Fixed Versions:
17.1.0


1143985 : TMUI options to configure Nameserver Minimum RTT are unavailable in DNS Cache and Net Resolver

Component: Global Traffic Manager (DNS)

Symptoms:
The webUI field to configure the option NameServer Minimum RTT in DNS Cache and/or Net resolver is unavailable.

Conditions:
- The DNS Cache is configured and used in a DNS profile associated with a GTM listener.

or

- A DNS Resolver is used.

Impact:
The features provided by the option NameServer Minimum RTT cannot be managed through TMUI.

Workaround:
Use TMSH to configure the options.

Fix:
The cache option can now be managed through TMUI.

Fixed Versions:
17.1.0


1143073 : iControl SOAP vulnerability CVE-2022-41622

Links to More Info: K94221585, BT1143073


1142141 : Violation details are missing for MALFORMED_JSON and MALFORMED_XML violations

Component: Application Security Manager

Symptoms:
No violation details are available in GUI for MALFORMED_JSON and MALFORMED_XML and displays the context as URL instead of param.

Conditions:
- Enable the malformed JSON/XML violations.
- Send a malformed JSON/XML data to the server.

Impact:
Violation details are not displayed.

Workaround:
None

Fix:
Violation details are displayed as expected.

Fixed Versions:
17.1.0


1141853 : SIP MRF ALG can lead to a TMM core

Links to More Info: BT1141853

Component: Service Provider

Symptoms:
SIP MRF ALG can lead to a TMM core

Conditions:
SIP MRF ALG in use

Impact:
TMM core

Workaround:
None

Fix:
TMM does not core anymore when SIP MRF ALG is in use.

Fixed Versions:
17.1.0


1141845 : RULE_INIT with a call that contains an extra colon character (:) will crash BIG-IP.

Links to More Info: BT1141845

Component: Local Traffic Manager

Symptoms:
If a RULE_INIT contains an extra colon character (:)
when RULE_INIT {
    catch { call sv::hsl:open "/Common/publisher-syslog_server_pool" }
}
It will crash instead of reporting the error.
In this example, the extra : before 'open' is an error. Instead of logging the error, it crashes the process.

Conditions:
RULE_INIT contains more than 2 colon characters (:) on a rule.

Impact:
The tmm process crashes.

Workaround:
Avoid creating a RULE_INIT containing a third colon character(:).

Fix:
Correctly log an error instead of trying to process it.

Fixed Versions:
17.1.0


1141665 : Significant slowness in policy creation following Threat Campaign LU installation

Component: Application Security Manager

Symptoms:
Significant and consistent slowness in policy creation in Layered Policies suites in BVT (asmdp).

Conditions:
Slowness was triggered by installing a Threat Campaign LU.

Impact:
Slow policy creation when we have Threat Campaign LU.

Workaround:
None

Fix:
Optimized policy creation following Threat Campaign LU installation.

Fixed Versions:
17.1.0


1141597 : DOS stats are not updating for IPv4-all and IPv6-all vectors

Links to More Info: BT1141597

Component: Advanced Firewall Manager

Symptoms:
DOS stats are not updating when IPv4-all and IPv4-all flood or sweep types are selected.

Conditions:
When user configures sweep or flood vectors with IPv4-all and IPv6-all, the DOS related functionality for these types is not getting triggered.

Impact:
For IPv4-all and IPv6-all sweep or flood types, the DOS attack-detection and mitigation will not happen as expected.

Workaround:
None

Fix:
Updated the call to identify the IPv4-all and IPv6-all types as expected.

Fixed Versions:
17.1.0


1137969 : All Distributed Cloud Services profiles should require HTTP profile available on virtual server

Component: Application Traffic Insight

Symptoms:
Distributed Cloud Services profiles (ATI, CSD, AP & AI, and BD) are inoperative if HTTP profile is not attached to the same virtual server.

Conditions:
- One of the Distributed Cloud Services profiles (ATI, CSD, AP & AI, and BD) is attached to a virtual server while HTTP profile is not attached to it.

Impact:
Distributed Cloud Services profiles (ATI, CSD, AP & AI, BD) are inoperative.

Workaround:
Attach HTTP profile to same virtual server that Distributed Cloud Services profiles (ATI, CSD, AP & AI, and BD) are attached to.

Fix:
New validation is added to validate if HTTP profile is attached to the virtual server.

Fixed Versions:
17.1.0


1137485 : Gtmd produces excessive logging and may also crash (SIGSEGV) repeatedly

Links to More Info: BT1137485

Component: Global Traffic Manager (DNS)

Symptoms:
1. --An excessive number log lines are seen in /var/log/gtm, which indicate a state change even though a state change has not occurred (eg, blue --> blue, green --> green), for example:

/var/log/gtm:

   alert gtmd[13612]: 011a6006:1: SNMP_TRAP: virtual server ltm1 (ip:port=192.168.0.1:0) (Server /Common/vs1) state change blue --> blue ()

2. If, on affected version, the GTM configuration contains virtual servers with a depends-on clause, the gtmd process can exit abnormally ("crash") and produce a gtmd core file. The process restarts immediately automatically, but may then exit and restart again every few seconds or minutes, and continues to do this indefinitely.

In /var/log/user.log, many messages similar to the following may be seen

   notice logger[26789]: Started writing core file: /var/core/gtmd.bld0.0.6.core.gz for PID 26739
   notice logger[26800]: Finished writing 35032053 bytes for core file: /var/core/gtmd.bld0.0.6.core.gz for PID 26739

Conditions:
- For the excessive logging issue: A GTM server object exists with one or more virtual servers configured under it

 - For the gtmd crashing issue: One or more GTM server object's virtual-servers has a depends-on clause referring to another virtual-server.

Impact:
- Flood of SNMP trap logs are seen
- gtmd process exits abnormally, bringing down iquery connection and potentially impacting GTM monitoring

Fixed Versions:
17.1.0


1137157 : Under 'DoS overview' tab, the filter type is set to 'protected zone' even when the feature disabled

Component: Advanced Firewall Manager

Symptoms:
Under the DOS overview page, the Protected zone tab is still visible even when the feature is not enabled.

Conditions:
When the Zone base DDOS feature is not enabled, we should not see any UI objects related to the protected zone in the user interface.

Impact:
Minor UI issue (Cosmetic)

Workaround:
None

Fix:
Updated code to hide the Protected zone tab when the feature is disabled.

Fixed Versions:
17.1.0


1137133-1 : Stats rate is showing incorrect data for broadcast, multicast and arp flood vectors

Component: Advanced Firewall Manager

Symptoms:
At tenant side stats_rate is almost double.

Conditions:
Appliance has two ATSE's.
AFM is enabled and licensed and broadcast or multicast packets are sent.

Impact:
Stats_rate is shown as double than sent traffic rate.
If vector is configured and traffic is passing with higher rate than mitigation value, stats_rate and int_drops_rate will be shown as double data rate.

Workaround:
None

Fix:
Only one of the ATSE will be configured with broadcast/multicast dos vectors.

Fixed Versions:
17.1.0


1136917 : TMM crashed when dos-profile (with BDOS and White-list enabled) disassociated from Virtual Server.

Component: Advanced Firewall Manager

Symptoms:
This happens only if the specific sequence of events occur. The reason for TMM crash is accessing a Dangling Pointer memory.

Conditions:
This issue only happens if the following sequence of events occur:
1) Attach dos-profile to a Virtual Server (VS) (The dos-profile should be enabled with White-list and BDOS).
2) There should be active connections on the VS.
3) Disable BDOS from the dos-profile while it is still attached to the VS.
4) Detach the dos-profile from the VS.
5) While processing the incoming traffic, TMM will crash.

Impact:
TMM Cores.

Workaround:
This only happens if the sequence mentioned in Conditions are followed.

Modify the profile and add to the virtual server to avoid TMM crash.

Fix:
The Dangling pointer will not be available when the actual memory is freed.

Fixed Versions:
17.1.0


1136429 : Closing of unrelated MCPD connection causes an errant reply to an in-progress transaction or request group

Links to More Info: BT1136429

Component: TMOS

Symptoms:
MCPD can send an unexpected (another request group) result response message to a current processing request group in the middle of a transaction

Conditions:
While MCPD processing multiple request groups.

Impact:
MCPD closes the connection of the current request group and
subscriber of that particular request group never get requested data.

Workaround:
Restart the subscriber daemon.

Fixed Versions:
17.1.0


1136081 : HSM sync issue in HA setups

Links to More Info: BT1136081

Component: Local Traffic Manager

Symptoms:
FIPS card sync can return error when trying to sync FIPS card in High Availability (HA) setups.

HSMs are initialized with old software are not compatible with HSMs which are initialized with recent software release. If
 one device in HA pair is replaced and new device is initialized with new software, then HSM sync can fail in few scenarios.

Conditions:
Replacing a device in HA pair.

Impact:
HA pair will not be able to sync the FIPS keys which can cause the traffic impact if active device goes down.

Workaround:
Following are workaround steps for target device (RMAed or new device in HA pair):
1. Downgraded the BIG-IP version to old releases.
2. Execute "tmsh stop sys service all".
3. Execute fipsutil reset.
4. Execute fipsutil init.
5. Execute bigstart restart.
6. Execute the following command to check the FIPS card health:
tmsh show sys crypt fips key

Following is an example output:
-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
no private keys found

7. Upgrade the BIG-IP version to latest release where active device is present.
8. Reboot to upgraded volume.
9. Execute the fipscardsyn from source device.

Fix:
The solution is available in the n3fipsutil standalone tool in F5 download site. Contact F5 support team for more information.

Fixed Versions:
17.1.0


1135993 : BIG-IP might send an incorrect value in header "sed-api-ip" towards Distributed Cloud for JavaScript requests

Links to More Info: BT1135993

Component: Bot Defense

Symptoms:
For JS requests towards Distributed Cloud, the value of "sed-api-ip" is not being set according to the 'Source of Client IP address' configuration from the Bot Defense profile.

Conditions:
- Bot Defense profile is configured.
- The 'Source of Client IP address' field is configured to any other value other than 'x-forwarded-for'.

Impact:
Incorrect 'sed-api-ip' is forwarded towards Distributed Cloud.

Workaround:
None

Fix:
For JS requests towards Distributed Cloud, the value of "sed-api-ip" is set according to 'Source of Client IP address' configuration from Bot Defense profile.

Fixed Versions:
17.1.0


1135789 : Support for new vectors 'TCP ACK Flood' and 'TCP Uncommon Flags' in ZoneBased DDoS

Component: Advanced Firewall Manager

Symptoms:
The vectors 'TCP Ack Flood' and 'TCP Uncommon Flags' are supported at the global and virtual server level.

Conditions:
- DDoS functionality configured in the BIG-IP.
- Protected zone feature is enabled.

Impact:
The vectors 'TCP Ack Flood' and 'TCP Uncommon Flags' do not work at Zone level.

Workaround:
None

Fix:
Support for new vectors 'TCP ACK Flood' and 'TCP Uncommon Flags' added in ZBDDoS.

Fixed Versions:
17.1.0


1135313 : Pool member current connection counts are incremented and not decremented

Links to More Info: BT1135313

Component: Local Traffic Manager

Symptoms:
With a certain configuration the connection counts on a gateway pool may increment and not be decremented.

Conditions:
- A gateway pool with more than one member.
- Autolasthop disabled.
- A pool monitor with a TCP monitor where the pool member responds to the TCP handshake with data. Common services that do this are SSH, SMTP, and FTP.

Impact:
The connection counts are inflated.

Workaround:
- Configure autolasthop.
- Configure a receive string on the TCP monitor.

Fixed Versions:
17.1.0


1135073 : IPS signature update webUI warning message "An active subscription is required to access certain inspections" is always enabled

Component: Protocol Inspection

Symptoms:
Following warning message is displayed on BIG-IP webUI in Security ›› Protocol Security: Inspection Updates:

"An active subscription is required to access certain inspections"

Conditions:
If the BIG-IP has AFM and IPS subscription license, then this warning message on webUI should not be displayed.

Impact:
There is no impact if AFM and IPS subscription license are installed on BIG-IP. All the IPS signatures and compliances will work as usual.

Workaround:
None

Fix:
Based on the IPS full subscription flag in the license the warning message is displayed. Earlier, it was verified on the wrong feature flag.

Fixed Versions:
17.1.0


1135049 : Path configuration in query parameter '/hello?age=20' is displaying as '/hello\?age=20'

Component: Account Protection & Authentication Intelligence

Symptoms:
In TMSH and GUI while configuring AP and AI profile, when entering value in path fields the special character "?" will display a "\" as a prefix. This has no impact on functionality.
For example, during path configuration in query parameter "/hello?age=20" is displayed as "/hello\?age=20", where an additional backslash is added before special character "?".

Conditions:
- Configuring AP and AI profile

Impact:
No functional impact, when entering value in path fields the special character "?" will display a "\" as a prefix.

Workaround:
None

Fixed Versions:
17.1.0


1135041-1 : Performance issue related to crypto and compression

Links to More Info: BT1135041

Component: Local Traffic Manager

Symptoms:
Crypto and compression were yielding low throughput when considered more than 32 vCPUs.

Conditions:
Always, crypto and compression were yielding low throughput when considered more than 32 vCPUs.

Following is the RCA:
- Maximum configuration files were 48, but 36 vCPUs need 54 Virtual Function (VF) and hence 54 VF configuration files.
- A variable was not thread safe and hence not proper, need a fix.

Impact:
Less throughput.

Workaround:
None

Fix:
- By increasing the number of VF configuration files, earlier maximum configuration files were 48, but 36 vCPUs need 54 VFs and hence 54 VF configuration files.
- A variable was not thread safe and hence not proper, it is made thread safe.

Fixed Versions:
17.1.0, 15.1.8


1134301 : IPsec interface mode may stop sending packets over tunnel after configuration update

Links to More Info: BT1134301

Component: TMOS

Symptoms:
An interface mode IPsec policy handles traffic through a route-domain to send over the IPsec tunnel. When the traffic-selector is updated, the static default route for the route-domain no longer works. Even if the tunnel is functional, traffic is not sent over it.

Conditions:
- IPsec tunnel with ipsec-policy in interface mode.
- Static routes pointing to the IPsec interface.
- Tunnel configuration updated.

Other unknown conditions could trigger the behavior, but updating the tunnel configuration is a confirmed condition.

Impact:
The tunnel is functional but the BIG-IP does not send packets into it. No ESP packets related to that tunnel will be seen leaving the BIG-IP.

Workaround:
There are two similar workaround options for when the issue is observed:

Option 1: Delete the route to the remote network that points to the IPsec interface and create the route again.

Option 2: Alternatively, leave the existing route in place and create a similar specific route that points to the same IPsec interface. The issue should be immediately resolved and so the new route can be immediately deleted.

Fix:
None

Fixed Versions:
17.1.0


1134085 : Intermittent TMM core when iRule is configured with SSL persistence

Links to More Info: BT1134085

Component: Local Traffic Manager

Symptoms:
The TMM core file is observed.

Conditions:
Under certain conditions, the TMM core file is observed with iRule and SSL persistence.

Impact:
TMM core file is observed.

Workaround:
Perform either of the following tasks:

- Disable SSL persistence
- Disable iRule

Fix:
Added fix to handle cases which can lead to the TMM core file generation.

Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1


1133881 : Errors in attaching port lists to virtual server when TMC is used with same sources

Links to More Info: BT1133881

Component: Local Traffic Manager

Symptoms:
When creating a virtual server that has identical traffic matching criteria with another virtual server, but uses a source address defined same as configured in TMC object, and when we try to attach the port-list it fails, with an error similar to the following:

01b90011:3: Virtual Server /Common/vs2-443's Traffic Matching Criteria /Common/vs2-443_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs1-443 destination address, source address, service port.

Conditions:
- Port lists are used.
- The first virtual server uses a wildcard source, for example, 0.0.0.0/0.
- The second virtual server uses an identical destination, protocol, and port, with the same source address configured in TMC object.

Impact:
Inability to utilize 'port lists' to configure the virtual server.

Workaround:
None

Fixed Versions:
17.1.0


1133869-2 : Distribution hash configuration done on platform shall not be published to a BIG-IP tenant on R2800/R4800 platforms

Component: F5OS Messaging Agent

Symptoms:
For an LACP LAG interface the distribution hash configuration applied on F5OS is not applied automatically on BIG-IP tenants running on R2800 and R4800 platforms.

Conditions:
When distribution hash is configured for a LACP LAG interface.

Impact:
A BIG-IP tenant running on R2800 and R4800 platforms shall not apply distribution hash configuration automatically from platform.

Workaround:
Manually distribution hash configuration has to be applied on BIG-IP tenant to whatever is applied on platform.

Fix:
None

Fixed Versions:
17.1.0


1133625 : The HTTP2 protocol is not working when SSL persistence and session ticket are enabled

Links to More Info: BT1133625

Component: Local Traffic Manager

Symptoms:
Connection gets dropped when SSL persistence is enabled with session ticket and HTTP2 protocol.

Conditions:
When SSL persistence is enabled with session ticket and HTTP2 protocol.

Impact:
Connection will get dropped.

Workaround:
-- Disable SSL persistence OR
-- Disable session ticket.

Fix:
Provided fix to handle this defect.

Fixed Versions:
17.1.0


1133013 : Appliance mode hardening

Component: Local Traffic Manager

Symptoms:
Appliance mode license restrictions do not follow current best practices.

Conditions:
- Appliance-mode license
- Authenticated administrative user
- Monitors in use

Impact:
Appliance mode does not follow current best practices.

Fix:
Appliance mode now follows current best practices.

Fixed Versions:
17.1.0


1132925 : Bot defense does not work with DNS Resolvers configured under non-zero route domains

Links to More Info: BT1132925

Component: Application Security Manager

Symptoms:
When a DNS Resolver is configured under a non-zero route domain, the bot defense does not use the DNS resolver to perform DNS queries, resulting in some bots not being detected.

Conditions:
DNS Resolver is configured under non-zero route domain.

Impact:
Some bots are not detected by bot defense mechanism.

Workaround:
Configure DNS Resolver under route domain 0.

Fix:
Enhanced bot defense to use resolvers from any corresponding route domain. However, bot defense does not support route domain modification of DNS resolvers. Resolvers must be deleted and created again in the correct route domain.

Fixed Versions:
17.1.0


1132765 : Virtual server matching might fail in rare cases when using virtual server chaining.

Links to More Info: BT1132765

Component: Local Traffic Manager

Symptoms:
When using virtual server chaining (for example iRule 'virtual' command sending traffic to another virtual server explicitly), a small percentage of packets might be dropped.

Conditions:
- Virtual server chaining.
- virtual servers have the vlan_enabled feature configured.
- DatagramLB or idle-timeout = 0 configured on protocol profile.
- High packet rate of incoming traffic.

Impact:
Some packets fail to match a virtual server and get dropped.

Workaround:
- Remove vlan_enabled feature
- OR remove datagramLB/set idle-timoeut > 0 on protocol profile.

Fixed Versions:
17.1.0


1132409 : Legal OpenAPI3 matrix type requests are blocked or alarmed in Bot Defense

Component: Application Security Manager

Symptoms:
When requests with matrix path parameters are sent to BIG-IP, then they can be incorrectly blocked or alarmed with Illegal parameter value violation.

Conditions:
- OpenAPI ASM security policy is in enabled.
- Illegal parameter value violation is set to enabled.
- Request has matrix path parameters.

Impact:
Legal requests are recognized as violation.

Workaround:
None

Fix:
Updated naming style of path parameters.

Fixed Versions:
17.1.0


1132405 : TMM does not process BFD echo pkts with src.addr == dst.addr

Links to More Info: BT1132405

Component: Local Traffic Manager

Symptoms:
TMM does not process BFD echo pkts with src.addr == dst.addr.

Conditions:
- TMM does not process BFD echo pkts with src.addr == dst.addr.

Impact:
TMM does not process BFD echo pkts with src.addr == dst.addr.

Workaround:
None

Fix:
TMM now processes BFD echo pkts with src.addr == dst.addr.

Fixed Versions:
17.1.0


1128977-1 : When the device DoS vector rate-limit setting is configured to a low value, sampled attack log messages are not logged

Links to More Info: BT1128977

Component: Advanced Firewall Manager

Symptoms:
On hardware platforms, with the default-internal-rate-limit of a device DoS vector being set to a low number, there is no sampled attack message in the log, even when the attack is being detected.

Conditions:
- Setting the default-internal-rate-limit of the targeted device DoS vector to a low number.
- Detect attack.

Impact:
No visibility of the attack after being detected.

Workaround:
Use a higher number for the default-internal-rate-limit of the targeted device DoS vector.

Fix:
The sampled attack log message is displayed even when a lower number is used for the default-internal-rate-limit value.

Fixed Versions:
17.1.0, 15.1.8


1128721-1 : L2 wire support on vCMP architecture platform

Links to More Info: BT1128721

Component: Local Traffic Manager

Symptoms:
L2 wire works on BIG-IP, virtual-wire on vCMP architecture platform will be based on Network Tenant Interface (NTI) objects.
Tenant related data path and control plane changes.

Conditions:
- vCMP architecture based on NTI.
- F5OS is completely responsible to create/modify/delete NTI objects and synchronizing it to the tenants.

Impact:
The virtual-wire is one of the most important features used under operating in L2 domain. This mode of operation involves very little changes to topology and configuration and thereby can easily plug in a BIG-IP device with virtual-wire configuration.

Workaround:
None

Fix:
Tenant (data/control) plane changes for virtual-wire support on vCMP architecture.

Fixed Versions:
17.1.0, 15.1.8


1128657-1 : Device DoS limits are swapped on FPGA when TMM count is odd

Component: Advanced Firewall Manager

Symptoms:
Device DoS thresholds are divided between FPGAs. When there are odd number of TMMs, then values are swapped.
Because of this there will be a small increase in allow or drop packets compared with the configured thresholds.

Conditions:
- This issue will be seen only in Appliance devices with two ATSEs.
- When there are odd number of TMMs running inside the tenant.

Impact:
There will be a small increase in allow or drop packets compared with configured thresholds.

Workaround:
Create tenant with vcpu cores as 4,8,12,16 e.t.c which results in even number of tmms.

Fix:
The FPGA can be configured with correct device DoS threshold configurations.

Fixed Versions:
17.1.0


1128629-4 : Neurond crash observed during live install through test script

Links to More Info: BT1128629

Component: TMOS

Symptoms:
Neurond core is observed during live install followed by FPGA firmware upgrade through the test script.

Conditions:
Live install through the test script

Impact:
No functional impact

Workaround:
None

Fix:
N/A

Fixed Versions:
17.1.0


1128169 : TMM core when IPsec tunnel object is reconfigured

Links to More Info: BT1128169

Component: TMOS

Symptoms:
TMM may core when a "tunnel tunnels" object related to an IPsec interface is reconfigured.

For example, a command that changes the IP address of the object may lead to a core:

# tmsh modify net tunnels tunnel my-ipsec-tunnel remote-address 1.2.3.4

Conditions:
-- IPsec IKEv1 or IKEv2.
-- Tunnel is in "interface" mode.
-- Tunnel object is reconfigured while the tunnel is up.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure the tunnel is down before reconfiguring it.
-- Set the IKE-Peer config state to disabled.
-- Delete an established IKE SA and IPsec SA related to that peer.

For example:

  # tmsh modify net ipsec ike-peer <Name> state disabled
  # tmsh delete net ipsec ike-sa peer-ip <IP>
  # tmsh delete net ipsec ipsec-sa dst-addr <IP>

"Name" is the specific name given to the ike-peer config object.
"IP" is the address configured to use for the remote peer.

Then make the desired changes and enable the IKE-Peer.

  # tmsh modify net ipsec ike-peer <name> state enabled

Fixed Versions:
17.1.0


1127809 : Due to incorrect URI parsing, the system does not extract the expected domain name

Component: Application Security Manager

Symptoms:
The system will fail to send webhook requests to the server.

Conditions:
Add webhook to the policy and execute Apply policy on BIG-IP.

Impact:
Webhook requests will fail

Fix:
After the fix, BIG-IP will send webhook requests to the server.

Fixed Versions:
17.1.0


1127445 : Performance degradation after Bug ID 1019853

Links to More Info: BT1127445

Component: Performance

Symptoms:
Performance degradation is observed with BD in TPS in the versions that have the fix for Bug ID 1019853.

Conditions:
Versions that have the fix for Bug ID 1019853.

Impact:
Lower TPS performance with BD.

Workaround:
None

Fix:
The part of the change for Bug ID 1019853 has been reverted while still addressing the problem reported in ID1019853.

Fixed Versions:
17.1.0


1127169-1 : The BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG

Links to More Info: BT1127169

Component: TMOS

Symptoms:
There is a possibility that BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG.

Conditions:
- BIG-IP versions 16.1.3 and above.
- FIPS 140-3 license is installed on BIG-IP or it is a FullBoxFIPS device.
- Establish multiple SSL/TLS connections.

Impact:
The BIG-IP device reboots randomly.

Workaround:
None

Fix:
Updated serialization to use RDTSC instruction to read CPU time stamp in jitterentropy-lib to generate random numbers.

Fixed Versions:
17.1.0


1127117-3 : High Memory consumption for NAT translations of NAPT/PBA End Point Independent modes

Links to More Info: BT1127117

Component: Advanced Firewall Manager

Symptoms:
Memory consumption increases with the number of connections.

Conditions:
1. Configure LSN Pool in CGNAT with Persistence mode with Address and Port.

OR

1. Configure AFM NAT source Translations with DPAT and PBA with End Point Independent Mode

Impact:
Memory keeps increasing and eventually might reach 100% utilization.

Sample Comparison table below:

Connection_Count: 30M
Memory_Usage_on_14.x_Version: ~3GB
Memory_usage_on_15+_Version: ~30GB

Workaround:
-- Increase the available RAM if possible
OR
-- Reduce the connection timeout interval
OR
-- Try using other options like Address Pooling Paired Mode in PBA

Fixed Versions:
17.1.0


1127093 : Attack Signature in authorization header with base64 is not detected

Component: Application Security Manager

Symptoms:
Under certain condition, ASM may not process signatures as expected.

Conditions:
If authorization header type is Bearer and base64 violations are not configured as blocking.

Impact:
Signature matching is skipped.

Workaround:
Illegal base64 value violation should be set to blocking.
If base64 decoding fails, then the requests are blocked.

Fix:
ASM now processes signature as expected.

Fixed Versions:
17.1.0


1126805-5 : TMM CPU usage statistics may show a lower than expected value on Virtual Edition

Links to More Info: BT1126805

Component: TMOS

Symptoms:
The self-reported CPU statistics of TMM may show a usage value that is lower than the expected number. Some TMM threads may show lower CPU usage than others even if the threads are processing the same amount of traffic. When this issue occurs, a high number of idle polls are observed in the tmm_stat table for the affected TMM.

Conditions:
Virtual Edition

Impact:
TMM CPU stats may not be accurate.

Fix:
The cpu stats are now accurate.

Fixed Versions:
17.1.0


1126701 : Provide caution banner when the system integrity check fails from daily anacron job

Component: Local Traffic Manager

Symptoms:
When the anacron job /etc/cron.daily/integritycheck fails, the failure is logged only to /var/log/secure which might not be easily visible to the user.

Conditions:
The /etc/libexec/sys-eicheck.py script for system integrity check fails through crontab script /etc/cron.daily/integritycheck.

Impact:
User might not be aware of the system integrity failure and the system will halt or brick on the next reboot.

Workaround:
None

Fix:
If the anacron job integrity check fails, then during the next login a caution is displayed to the user with the message "FIPS SYSTEM VALIDATION FAILED, CHECK /var/log/secure FOR DETAILS" on both Configuration utility and TMSH.

Fixed Versions:
17.1.0


1126581 : Performance improvement for ASM signature engine

Component: Application Security Manager

Symptoms:
Bot Defense (BD) consumes high CPU power when processing signatures on headers.

Conditions:
Header signatures are enabled on policy.

Impact:
BD consumes high CPU power when processing header signatures.

Workaround:
None

Fix:
A header-policy-signature cache is added which improves performance. A few additional changes are implemented which enables faster lookup of signature data.

Fixed Versions:
17.1.0


1126409 : BD process crash

Component: Application Security Manager

Symptoms:
BD process restarts with a core file.

Conditions:
Unknown

Impact:
The unit goes offline for a short period of time.

Workaround:
None

Fix:
A sanity check has been added in order to avoid possible crash.

Fixed Versions:
17.1.0


1126329 : SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT

Links to More Info: BT1126329

Component: Local Traffic Manager

Symptoms:
SSL Orchestrator sends a TLS client hello instead of the expected HTTP CONNECT, leading to a failure in the client environment after an upgrade.

Conditions:
SSL Orchestrator in explicit proxy mode with proxy chaining enabled

Impact:
The exit proxy gives an HTTP 5xx error in response to the unexpected TLS Client Hello.

Workaround:
None

Fixed Versions:
17.1.0


1125773 : TCP options are disabled while hardware SYN cookie is active

Links to More Info: BT1125773

Component: TMOS

Symptoms:
TCP options are not included in the SYN/ACK packet generated by hardware while hardware SYN cookie mode is active.

Conditions:
- VELOS or rSeries platform
- Hardware SYN cookie is activated on a virtual server

Impact:
Minor performance impact on the connections of the related virtual server.

Workaround:
None

Fix:
The TCP options are enabled in SYN/ACK packets generated by hardware.

Fixed Versions:
17.1.0


1125733 : Wrong server-side window scale used in hardware SYN cookie mode

Links to More Info: BT1125733

Component: TMOS

Symptoms:
Client enables Window Scale in the first SYN packet with a specific factor value, however the BIG-IP system disables Window Scale in its SYN/ACK response.

Instead, disabling the Window Scale TCP option in both peer BIG-IPs, TMM honors the Window Scale presented by the client in the first SYN, whereas client assumes Window Scale is disabled. This will cause BIG-IP to send data payload bytes exceeding the client's Windows Size.

Conditions:
Below conditions must be met in order to match this issue:

- Client and server enables timestamp TCP option.
- Client enables Window Scale TCP option.
- SYN Cookie HW is activated in BIG-IP.

Impact:
This can cause performance issues because some packets could need to be retransmitted.

In rare cases where client TCP stack is configured to abort connection when it receives window overflow the connection will be RST by client.

Workaround:
The preferred workaround is changing to Software SYN Cookie mode.

Fixed Versions:
17.1.0


1125561 : Add nameserver-min-rtt (infra-cache-min-rtt) feature support for DNS validating resolver cache

Component: Global Traffic Manager (DNS)

Symptoms:
- A DNS Validating resolver returns SERVFAIL responses to clients, despite the BIG-IP system receiving a valid (albeit delayed) response from upstream servers.

- When this happens, the BIG-IP system rejects the responses from the upstream servers with following ICMP error:
Destination unreachable - Port unreachable.

- If the db key dnscacheresolver.loglevel is set to debug5, the following error message is visible in the /var/log/ltm file when this issue occurs:

debug tmm[13147]: DNScache: request example.com. has exceeded the maximum number of glue fetches 17 to a single delegation point

Conditions:
This issue occurs when the following conditions are met:

- A DNS Validating resolver is in use on the BIG-IP system.

- The aforementioned object is configured with a forward-zone that uses multiple servers to perform resolutions.

- The RTT of the servers fluctuates. For example, the servers are generally fast to reply for most domains, but take extra time to reply for a given domain.

- 'Randomize Query Character Case' is enabled in the DNS Validating resolver.

- If the requests for the domain take a long time to resolve, BIG-IP may reply with SERVFAIL.

Impact:
Clients of the BIG-IP DNS Validating Resolver are not returned an answer. As a result, application failures may occur.

Workaround:
You can work around this issue by changing 'Randomize Query Character Case' to 'No' in the DNS Validating resolver settings.

Fix:
The nameserver-min-rtt now has a setting of unbound which sets the minimum RTT with upstream servers for validating resolver cache. Increase this value if using forwarders need more time to perform recursive name resolution. The default value is 50 ms.

Behavior Change:
The nameserver-min-rtt setting is now available. This setting sets the minimum RTT with upstream servers for DNS Validating resolver objects. Increase the value if using forwarders need more time to perform recursive name resolution. The default value is 50 ms.

Fixed Versions:
17.1.0


1124837 : Detaching-then-reattaching VLAN on an active LACP trunk on r2k and r4k systemsneeds tmm restart

Component: TMOS

Symptoms:
On an active LACP trunk with VLAN configured, Detaching-then-reattaching the VLAN stops the traffic flow to the tenant launched on R2x00/R4x00 based appliances.

Conditions:
On working LACP trunk with VLAN configured,
Detaching-then-reattaching the VLAN on an active LACP trunk on R2x00/R4x00 appliances.

Impact:
Traffic flow gets impacted and misses the packets routed onto the LACP trunk on which the VLAN was reconfigured.

Workaround:
- Through ConfD CLI, Detach-then-reattach VLAN on a trunk.
- Restart tmm in the tenants launched pertaining to the trunk.

Fix:
Detach-then-reattach a VLAN on configured LACP trunk stops traffic flow on an R2x00/R4x00 appliance system, restarting tmm in the tenants resolves the issue.

Fixed Versions:
17.1.0


1124149-3 : Increase the configuration for the PCCD Max Blob size from 4GB to 8GB

Links to More Info: BT1124149

Component: Advanced Firewall Manager

Symptoms:
There was a limit of 4GB for the firewall rules prior to this change being checked in. The user could configure a blob size of 4GB only.

Conditions:
PCCD rules provisioning with an AFM license.

Impact:
Provisioning firewall rules. The PCCD blob size was restricted to 4GB.

Workaround:
None

Fix:
With these changes, the user will now be able to provision FW rules with a blob size of 8G.

Fixed Versions:
17.1.0


1124109-4 : Add "typ":"JWT" to JOSE Header while generating JWT token from OAuth AS

Component: Access Policy Manager

Symptoms:
The "typ":"JWT" is missing in the JWT header.

Conditions:
The JWT token is generated from OAuth Authorization Server (AS).

Impact:
The "typ":"JWT" is missing.

Workaround:
None

Fix:
The "typ":"JWT" is added in the header, it is available whenever JWT token is generated from OAuth AS.

Fixed Versions:
17.1.0


1123953 : Text in Application ID field in BD profile is being replaced with '*' in Configuration utility

Component: Bot Defense

Symptoms:
Text in Application ID field in Bot Defense (BD) profile is treated as password and replaced with '*' asterisk in Configuration utility.

Conditions:
The BD profile is configured through Configuration utility.

Impact:
Application ID is not visible on BD profile in Configuration utility.

Workaround:
None

Fix:
Text in the Application ID field for BD profile is visible.

Fixed Versions:
17.1.0


1123885 : A specific type of software installation may fail to carry forward the management port's default gateway.

Links to More Info: BT1123885

Component: TMOS

Symptoms:
After performing a specific type of software installation, the unit returns on-line without the management port's default gateway.

Conditions:
-- A software installation that does not carry forward the entirety of the BIG-IP system's configuration is performed. For example, this is achieved by running "image2disk --format=volumes <...>", or by using the live-install subsystem after disabling the liveinstall.saveconfig and liveinstall.moveconfig db keys. This type of installation, however, does carry forward the management port's configuration (IP address, subnet mask, and default gateway).

-- In addition to the default gateway, the management port is configured with additional static routes (for example, to a log server, dns server, etc.).

-- When mcpd is queried for the management routes, the default gateway is not the first entry in mcpd's reply (this is something outside of your control that entirely depends on the name of the objects and how the config was loaded).

Impact:
On Virtual Edition systems, this issue coupled with the removal of autolasthop from the management port means you will not be able to connect to the BIG-IP system's management port from non-directly connected clients after the installation.

On all systems, this issue means the BIG-IP system will not be able to initiate connections to non-directly connected systems over the management port after the installation.

Note: If the system is configured for dual-stack (IPv4 and IPv6) this issue can affect either (or both) stack.

Workaround:
After the issue has occurred, you can connect to the affected BIG-IP system by means of serial console or video console and apply the default gateway again.

If you are trying to prevent this issue, you can remove all management routes except the default one before performing this type of installation.

Fix:
The issue has been corrected; this specific type of software installation now correctly carries forward the management port's default gateway.

Fixed Versions:
17.1.0


1123169 : Error saving an iRule when calling a procedure from HTML_TAG_MATCHED event

Links to More Info: BT1123169

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system tries to save an iRule that calls a procedure from HTML_TAG_MATCHED event, an error occurs.

Conditions:
-- configure an iRule with event HTML_TAG_MATCHED
-- The event calls a procedure

Impact:
A TCL error is thrown: Rule checker ::tclCheck::checkScript did not complete: can't read "BIGIP::ltmEventCategoryHierarchy(CLIENTSIDE)": no such element in array

Workaround:
None

Fixed Versions:
17.1.0


1123149-2 : Sys-icheck fail for /etc/security/opasswd

Links to More Info: BT1123149

Component: TMOS

Symptoms:
In common criteria mode, when password-memory is set to > 0 and create the user and login from CLI causes the system integrity check to failed

An error message may be logged "ERROR: S.5...... c /etc/security/opasswd (no backup)"

Conditions:
--- common criteria mode enabled
--- password-memory set to > 0 in password-policy configuration
--- create a new user and login first time using CLI
--- run sys-icheck

Impact:
System integrity check failure when common criteria mode is enabled

Workaround:
None

Fixed Versions:
17.1.0, 16.1.3.1


1122497 : Rapid response not functioning after configuration changes

Links to More Info: BT1122497

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Rapid Response is not functioning and stats are not present and/or not changing as requests are being sent to the virtual server.

Conditions:
- DNS Rapid Response is set on the virtual.
- Rapid response is toggled off and back on in the DNS profile.

Impact:
DNS rapid response remains disabled.

Workaround:
Restarting services will allow rapid-response to begin functioning again.

Fixed Versions:
17.1.0


1122473 : TMM panic while initializing URL DB

Links to More Info: BT1122473

Component: Access Policy Manager

Symptoms:
TMM panic because of a race condition which prevents the TMM from accessing files related to the URL database.

Conditions:
While the BIG-IP system is rebooting, if an infrequent timing delay occurs, one or more files related to the URL database may be created in the wrong order of sequence.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None. Repeated attempts at rebooting may eventually succeed.

Fixed Versions:
17.1.0, 16.1.3.3


1122441 : Upgrade expat library to the latest version(2.4.8) to fix CVE's.

Component: TMOS

Symptoms:
For more information see:
https://support.f5.com/csp/article/K19473898
https://support.f5.com/csp/article/K91589041
https://support.f5.com/csp/article/K23421535
https://support.f5.com/csp/article/K23231802

Conditions:
For more information see:
https://support.f5.com/csp/article/K19473898
https://support.f5.com/csp/article/K91589041
https://support.f5.com/csp/article/K23421535
https://support.f5.com/csp/article/K23231802

Impact:
The following CVEs impact BIG-IP modules.
CVE-2021-45960, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-23515, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2021-46143.

For more information see:
https://support.f5.com/csp/article/K19473898
https://support.f5.com/csp/article/K91589041
https://support.f5.com/csp/article/K23421535
https://support.f5.com/csp/article/K23231802

Workaround:
N/A

Fixed Versions:
17.1.0


1122377 : If-Modified-Since always returns 304 response if there is no last-modified header in the server response

Links to More Info: BT1122377

Component: Local Traffic Manager

Symptoms:
Requests sent with an If-Modified-Since header always return a 304 Not Modified response

Conditions:
The Last Modified header is not included in the origin server response headers.

Impact:
When the Last Modified header is not present in the response, its default value i.e., Thu, 01 Jan 1970 00:00:00 GMT, is used and 304 Not Modified is sent to the client.

Workaround:
Add the Last-Modified header to the response headers using iRule

when HTTP_RESPONSE priority 1 {
  set time [clock format [clock seconds] -gmt 1 -format "%a, %d %b %Y %H:%M:%S %Z"]
  HTTP::header insert Last-Modified $time
  log local0.debug "Inserting Last-Modified header as $time"
}

Fix:
Use date header value when Last-Modified is not present in Response headers

Fixed Versions:
17.1.0


1122313-1 : VXLAN tunnels fail to pass traffic after TMM restarts

Links to More Info: BT1122313

Component: TMOS

Symptoms:
After TMM restarts (or the tenant reboots), VXLAN tunnels will not pass traffic.

The administrator may see messages such as the following in /var/log/tmm:

notice MCP message handling failed in 0x9ce140 (16977920): May 26 14:07:19 on 1 - MCP Message:
notice create {
notice l2_forward_tunnel {
notice l2_forward_tunnel_vlan_name "/Common/vxlan-tunnel"

Conditions:
-- BIG-IP tenant running on rSeries appliance or VELOS chassis
-- VXLAN tunnels

Impact:
VXLAN tunnels do not function.

Workaround:
After TMM restarts, delete and recreate the FDB entries associated with the tunnel.

To do this manually, run these commands:

TMPFILE=$(mktemp -p /var/tmp)
tmsh list net fdb tunnel all one-line > "$TMPFILE"
tmsh delete net fdb tunnel all all-records
tmsh load sys config merge file "$TMPFILE"
rm -f "$TMPFILE"

Or a one-line command:

TMPFILE=$(mktemp -p /var/tmp) && tmsh list net fdb tunnel all one-line > "$TMPFILE" && tmsh delete net fdb tunnel all all-records && tmsh load sys config merge file "$TMPFILE" && rm -f "$TMPFILE"


To configure the system to automatically apply the workaround after TMM restarts, put the following content into /config/user_alert.conf:

# Delete and re-add tunnel FDBs after TMM starts up to work-around ID1122313
alert tmm_vxlan_workaround "Tmm ready - links up" {
    exec command="TMPFILE=$(mktemp -p /var/tmp) && tmsh list net fdb tunnel all one-line > $TMPFILE && tmsh delete net fdb tunnel all all-records && tmsh load sys config merge file $TMPFILE && rm -f $TMPFILE";
}

Fixed Versions:
17.1.0


1122077 : License check to enable Distributed Cloud Services in BIG-IP

Component: Bot Defense

Symptoms:
In BIG-IP 17.0.0, if LTM is not licensed then Distributed Cloud Services (SaaS Services) are not enabled on BIG-IP.

Conditions:
- LTM is not licensed.

Impact:
Users with APM and Advanced WAF license are not able to use Distributed Cloud Services (SaaS Services) features.

Workaround:
None

Fix:
Extended license check from LTM to APM and Advanced WAF to enable Distributed Cloud Services in BIG-IP.

Fixed Versions:
17.1.0


1122021 : Killall command might create corrupted core files

Links to More Info: BT1122021

Component: TMOS

Symptoms:
When killing multiple processes via the 'killall' command, a single corrupted core file is created.

Conditions:
- using killall command
- killing multiple processes

Impact:
Corrupted core file is created.

Workaround:
Kill single specific processes instead

Fixed Versions:
17.1.0


1121965 : CVE-2022-28614 (httpd): out-of-bounds read via ap_rwrite()

Links to More Info: K58003591


1121661 : TMM may core while processing HTTP/2 requests

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may core while processing HTTP requests.

Conditions:
A virtual server with an HTTP/2 and httprouter profile attached.

Impact:
A TMM core occurs.

Fix:
The TMM core no longer occurs.

Fixed Versions:
17.1.0


1121657-1 : EAM is down after APM is provisioned

Links to More Info: BT1121657

Component: Access Policy Manager

Symptoms:
After BIG-IP is provisioned with APM, EAM is down.

Conditions:
Error invalid number of channel threads, MAX_CHANNEL_THREADS are greater than the number of threads set while binary is called.

Impact:
EAM is down.

Fix:
Set MAX_CHANNEL_THREADS to highest number possible.

Fixed Versions:
17.1.0, 15.1.7


1121521 : Libssh upgrade from v0.7.7 to v0.9.6

Links to More Info: BT1121521

Component: Advanced Firewall Manager

Symptoms:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/

Conditions:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/

Impact:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/

Workaround:
NA

Fix:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/

Fixed Versions:
17.1.0, 15.1.8


1121125 : Need for additional space as separator for different methods in Protected URI field

Component: Bot Defense

Symptoms:
In GUI, while configuring Bot Defense profile, need more space as separator for different methods in Protected URI field.

Conditions:
- Bot Defense profile configuration.

Impact:
None

Workaround:
None

Fix:
Added additional space in method selection for better visibility in Protected URI field.

Fixed Versions:
17.1.0


1121117 : Remove the occurrence of Shape in the BIG-IP Bot Defense configuration

Component: Bot Defense

Symptoms:
In GUI, the term Shape is available in the BD profile configuration.

Conditions:
- Configuring Bot Defense profile.

Impact:
None

Workaround:
None

Fix:
The term "Shape" is replaced with applicable term in Bot Defense profile page.

Fixed Versions:
17.1.0


1121085 : Some valid connections may get rejected in hardware SYN cookie mode

Links to More Info: BT1121085

Component: TMOS

Symptoms:
Due to an algorithm mismatch in software and hardware, valid TCP connections may get rejected with "No flow found for ACK' reset-cause when the hardware SYN cookie mode is active.

Conditions:
- BIG-IP iSeries appliances with ePVA support and the B2250 and B44xx VIPRION blades.
- Hardware SYN cookie mode is activated.

Impact:
Service degradation.

Workaround:
- Disable the hardware SYN cookie mode globally.
- After a reboot, restart the TMM for an additional time.

Fix:
The SYN cookie hash algorithm is correctly selected on all TMMs.

Fixed Versions:
17.1.0


1120685-2 : Unable to update the password in the CLI when password-memory is set to > 0

Links to More Info: BT1120685

Component: TMOS

Symptoms:
A BIG-IP system with password-memory enabled will fail to update the user password in the first login using the CLI

Conditions:
Password-memory set to > 0 in password-policy configuration

Impact:
Not able to update the user password in the first login using the CLI.

Workaround:
Create the user using the GUI and log in from the GUI.

Fixed Versions:
17.1.0, 16.1.3.1


1120433 : Removed gtmd and big3d daemon from the FIPS-compliant list

Links to More Info: BT1120433

Component: TMOS

Symptoms:
The gtmd is not able to establish a secure connection to big3d due to failure in handshake because no common ciphers were found between big3d and gtmd in FIPS mode.

Conditions:
-- BIG-IP versions 16.1.3 and above
-- FIPS 140-3 license is installed on BIG-IP or its a FullBoxFIPS device.
-- Connections are established between big3d and gtmd in FIPS mode.

Impact:
SSL handshakes fail between big3d and gtmd because no common ciphers are present.

Workaround:
None

Fix:
Gtmd and big3d can now communicate when FIPS mode is enabled.

Fixed Versions:
17.1.0, 16.1.3.1


1117673 : Configuration load error for a non default value of 'net dag-global {dag-ipv6-prefix-len}'

Links to More Info: BT1117673

Component: TMOS

Symptoms:
Configuration load fails after an upgrade, with the following error

warning mcpd[6758]: 01071859:4: Warning generated : Configuring DAG Global IPv6 Prefix Length still might require modification of vlans previously created with the old setting.
err mcpd[6758]: 01071e16:3: DAG ipv6 prefix length is not supported on this platform.
err tmsh[9523]: 01420006:3: Loading configuration process failed.
emerg load_config_files[9521]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Loading schema version: 15.1.5.1
err mcpd[6758]: 01070422:3: Base configuration load failed.

Conditions:
-- Configure a non-default value of 'net dag-global {dag-ipv6-prefix-len}'.
-- Upgrade the BIG-IP software to the affected version.

Impact:
-- Configuration load error
-- The setting of 'net dag-global {dag-ipv6-prefix-len}' is not functioning correctly

Workaround:
None

Fix:
Fixed configuration load error for a non default value of 'net dag-global {dag-ipv6-prefix-len}'

Fixed Versions:
17.1.0


1117637 : FastL4 traffic traversing the tunnels such as VXLAN, may fail on VELOS and rSeries tenants

Links to More Info: BT1117637

Component: TMOS

Symptoms:
The BIG-IP tenants running on an VELOS or rSeries system may incorrectly attempt to PVA accelerate traffic that goes through a VXLAN tunnel. That is, where the pool members are reachable through a VXLAN tunnel.

Conditions:
- BIG-IP tenant running on VELOS or rSeries.
- Virtual server that processes traffic over a tunnel. For example, VXLAN, GRE, or IP-IP.

Impact:
Connections fail.

A packet capture from the F5OS layer shows packets arriving at the system, but not forwarded through the tunnel.

As a result, packet retransmits are obeserved.

A packet capture in the tenant shows packets arriving at the TMM, but with layer 3 and layer 4 headers rewritten to match the server-side connection information.

Workaround:
FastL4 acceleration is not supposed to work for traffic being load-balanced over a tunnel.

To mitigate this issue, disable PVA acceleration in the FastL4 profile for virtual servers that will load-balance traffic over a tunnel.

Fix:
Packets are successfully forwarded through the tunnel, these flows are not accelerated.

Fixed Versions:
17.1.0, 15.1.8


1117297-3 : Wr_urldbd continuously crashes and restarts

Links to More Info: BT1117297

Component: Traffic Classification Engine

Symptoms:
Malloc failed while wr_urldb is started

Conditions:
Intermittently reproduced when rebooting to a new version or after restarting wr_urldbd

Impact:
Wr_urldbd crashes.

Workaround:
- Stop the wr_urldbd to stabilize(#bigstart stop wr_urldbd)
-- Update the customdb(i.e. delete or add custom urls) on the backend server
-- Start wr_urldbd to download and load the new DB(#bigstart start wr_urldbd)

Fix:
After the fix, malloc is properly done and no crash

Fixed Versions:
17.1.0


1117117 : Trailing slash buffer details are missing from remote logger

Component: Application Security Manager

Symptoms:
Incoming requests with path parameters in the URI that cause "Trailing Slash" evasion sub-violation might be reported without buffer details in the remote logger and the GUI violation details.

Conditions:
In terms of configurations, "Trailing Slash" and "Trailing Dot" must be enabled in the policy builder, with the addition of "Handle Path Parameters" set to "As Parameters" in the policy.

In terms of incoming requests, the URI has to contain path parameters.

Impact:
The buffer reported in violation details is masked with asterisks "*****" while the buffer in the remote logger is missing.

Workaround:
None

Fix:
For violation details and remote logger, the reported evasion sub-violation will have a buffer with value "N/A".

Fixed Versions:
17.1.0


1116941 : Need larger Content-Length value supported for SIP

Component: Service Provider

Symptoms:
SIP MRF sends error 413 when the content_length value in the SIP message is greater than 65535 (0xff).

Conditions:
The SIP content_length has to be greater than 65535 (0xff) on SIP MRF configuration

Impact:
The SIP messages with content_length greater than 65535 can't be processed by the BIG-IP successfully because of the hard coded constraint on the SIP content_length

Workaround:
None

Fix:
Make the allowable SIP content_length dynamic with respective to the configured max_msg_size in the SIP MRF session profile configuration.

Fixed Versions:
17.1.0


1116845-2 : Interfaces using the xnet driver are not assigned a MAC address

Links to More Info: BT1116845

Component: TMOS

Symptoms:
Interfaces on BIG-IP Virtual Edition that are capable of 100gb are unusable when the default driver of xnet is used.

The following validation error will be present in /var/log/ltm

"01071ab7:3: 'not-supported' is an invalid forward-error-correction setting for Interface"

The interfaces will not report a MAC address in either of:

- tmsh list /net interfaces
- tmsh show /sys mac

Conditions:
BIG-IP Virtual Edition where the interfaces report a 100gb max speed and the xnet driver is used.

Impact:
Interfaces are not assigned a MAC address, therefore are unusable.

Workaround:
Force the interface(s) to use a driver other then xnet.

In order to apply the workaround you will need to get 1) the available drivers and 2) the pci id of the interfaces.

The available drivers are reported using this tmctl command:

# tmctl -d blade tmm/device_probed
pci_bdf pseudo_name type available_drivers driver_in_use
------------ ----------- --------- -------------------- -------------
0000:00:03.0 F5DEV_PCI mlxvf5, xnet, sock,
0000:00:05.0 1.1 F5DEV_PCI mlxvf5, xnet, sock, xnet
0000:00:06.0 1.2 F5DEV_PCI mlxvf5, xnet, sock, xnet

The pci id is reported with the lspci -nnvvv command:

In this example: the pci id is 15b3:101a

# lspci -nnvvv | grep -i ethernet
00:03.0 Ethernet controller [0200]: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function] [15b3:101a]
00:05.0 Ethernet controller [0200]: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function] [15b3:101a]
00:06.0 Ethernet controller [0200]: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function] [15b3:101a]

And to force the use of a different driver you need to modify /config/tmm_init.tcl by adding a line such as:

device driver vendor_dev 15b3:101a mlxvf5

Where the last values of that line are the pci id and driver name.

Fixed Versions:
17.1.0


1116813-2 : Some of the valid connections may get rejected in HW SYN cookie mode

Links to More Info: BT1116813

Component: TMOS

Symptoms:
Due to algorithm mismatch in software and hardware, valid TCP connections may get rejected with "No flow found for ACK' reset-cause while HW SYN cookie mode is active.

Conditions:
In vCMP environment either the host or the guest is installed with an affected version.

Impact:
Service degradation.

Workaround:
Disable HW SYN cookie globally on the guest.

Fix:
SYN cookie hash algorithm is correctly selected on vCMP guests.

Fixed Versions:
17.1.0


1115041 : BIG-IP does not forward the response received after GOAWAY, to the client.

Links to More Info: BT1115041

Component: Local Traffic Manager

Symptoms:
After receiving a GOAWAY from the server followed by data on the same stream, the BIG-IP system does not forward that data to the client but rather sends RESET_STREAM.

Conditions:
1. Configure an NGINX server to handle two streams per connection
2. Virtual server with http2 profile
3. Send more than two requests on the same connection

Impact:
The client does not get a proper response

Workaround:
None

Fix:
The client should receive proper response.

Fixed Versions:
17.1.0


1114137 : LibUV library for latest bind 9.16

Component: TMOS

Symptoms:
The latest bind software requires the latest libuv for performance improvements and to support new protocol layers (for example, DNS over TLS).

Conditions:
The latest bind software requires the latest libuv for performance improvements and to support new protocol layers (for example, DNS over TLS).

Impact:
None

Workaround:
None

Fix:
Maintain a new libuv in the BIG-IP code base.

Fixed Versions:
17.1.0


1113961 : BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China

Links to More Info: K43391532, BT1113961

Component: TMOS

Symptoms:
BIG-IP 16.1.3 VE with FIPS 140-3 may fail to start in AWS-China

Conditions:
Running BIG-IP 16.1.3 VE with FIPS 140-3 with 16.1.3 in AWS China region

Impact:
BIG-IP 16.1.3 VE with FIPS 140-3 may fail to start in AWS-China

Workaround:
Upgrade to 16.1.3.1 when it is available.

Fixed Versions:
17.1.0


1113889-1 : Classic BIG-IP tenant running on F5OS will not correctly pin in-tenant control plane threads correctly on first deployment

Component: TMOS

Symptoms:
This may not impact performance in the tenant, but for tenant builds without this fix, upon initial deployment, the control plane will not be pinned correctly (should be pinned to odd-numbered cpus).
Note: This pinning is inside the tenant virtual machine, not in the F5OS host. The datapath (TMM) will still be pinned correctly.

Conditions:
The BIG-IP tenant without this fix is initially deployed.

Impact:
The datapath (TMM) threads run at elevated priority anyway, so would be protected from the control plane threads.

Workaround:
If this is bothersome, redeploy the tenant, and the problem will not reoccur.

Fix:
Tenant platform determination no longer depends on a file that is not there on initial startup. The dmidecode utility is used instead.

Fixed Versions:
17.1.0


1113881 : Headers without a space after the colon trigger an HTTP RFC violation

Component: Application Security Manager

Symptoms:
An "Unparsable request content" violation is detected for valid headers without a space after the headers name ':'

Conditions:
Any header without a space between the ':' and the header value will trigger "Unparsable request content"

Impact:
Requests that suppose to pass are blocked by ASM enforcer

Workaround:
The client has to send headers with space after ':'

Fix:
No "Unparsable request content" violation for headers with space after ':'

Fixed Versions:
17.1.0


1113661 : When OAuth profile is attached to access policy, iRule event in VPE breaks the evaluation

Links to More Info: BT1113661

Component: Access Policy Manager

Symptoms:
After upgrading to 16.1.2.1, the OAuth configuration does not work anymore.

Based on the below observations, an internal redirect to /renderer/agent_irule_event_form.eui is initiated but it is not processed, so the ACCESS_POLICY_AGENT_EVENT event is never fired.

Observations:
Following are the results from in-house troubleshooting:
Test 1: Access Policy evaluation works with a standard Access Profile, clientless mode set with iRule, and an iRule event.
Test 2: Access Policy evaluation fails with a standard Access Profile but an OAuth profile attached to access policy (clientless mode to be set automatically) and an iRule event.

Conditions:
As soon as the iRule event is removed from VPE in Test 2, the access policy evaluation works fine.

Impact:
ACCESS_POLICY_AGENT_EVENT event is never fired

Fix:
Pass on the packet to the upper hudfilter handles.

Fixed Versions:
17.1.0


1113549 : System boots into an inoperative state after installing engineering hotfix with FIPS140-2/140-3 License

Links to More Info: BT1113549

Component: Local Traffic Manager

Symptoms:
The BIG-IP system persistently starts up in an inoperative state after installing an engineering hotfix with a console error similar to:

*** FIPS or Common Criteria power-up self-test failure.
*** This system has been placed in an error state.
*** To recover return to the grub menu and select another volume
*** or reinstall the system.
***
*** On many devices pressing the escape key followed by the (
*** key will bring up a menu which allows the system to be restarted.

Power-up self-test failures: <number>

Unmounting file systems
System halting.

Conditions:
- First boot after installing an engineering hotfix.
- FIPS 140-2 or FIPS140-3 license.

Impact:
You are unable to boot the BIG-IP system into an operational state after applying an engineering hotfix, and you are required to boot to a known good volume.

For more information, see K52534643: Overview of the Platform FIPS BIG-IP system :: https://support.f5.com/csp/article/K52534643

Workaround:
None

Fix:
The BIG-IP system successfully boots after installing an engineering hotfix on a system with a FIPS 140-2 or FIPS140-3 license.

For a complete solution for BIG-IP software v16.1.3.1 and later v16.1.x releases, you must also have the additional fix described in ID 1137037 https://cdn.f5.com/product/bugtracker/ID1137037.html.

Fixed Versions:
17.1.0, 16.1.3.1


1113385 : Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP

Links to More Info: BT1113385

Component: TMOS

Symptoms:
REST tokens which are present in /var/run/pamcache on BIG-IP are not deleted after token expiration when there are a large number of tokens.

Conditions:
When a large number of tokens are generated.

Impact:
More memory will be used as /run/pamcache is an in memory filesystem

Workaround:
Try to remove token files from /run/pamcache manually.
You can check what would be deleted by the command below by using -print in place of -delete

# find /run/pamcache -regextype posix-extended -type f -regex '/run/pamcache/[A-Z0-9]{26}' -delete

Fix:
Expired token are removed from /run/pamcache by the BIG-IP system.

Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3


1113333 : Change ArcSight Threat Campaign key names to be camelCase

Component: Application Security Manager

Symptoms:
The threat_campagin_names and staged_threat_campaign_names do not follow other key name format. Changing these key names to be camelCase (threatCampaignNames and stagedThreatCampaignNames).

Conditions:
ArcSight is in use with ASM remote logging.

Impact:
Inconsistent key name formatting.

Workaround:
None

Fix:
Changed name format to be camelCase (threatCampaignNames and stagedThreatCampaignNames).

Fixed Versions:
17.1.0


1113161 : After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets

Links to More Info: BT1113161

Component: Application Security Manager

Symptoms:
Learning and Blocking Settings page is not loading

Conditions:
Some policies are using factory sets which were deleted in later versions, and an upgrade was performed.

Impact:
When trying to open "Security ›› Application Security : Policy Building : Learning and Blocking Settings" page, GUI is stuck on 'loading' status

Workaround:
Run this mysql in the BIG-IP in order to fix the database, it will remove all unreferenced policy sets from the system:
mysql -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password(user => q{root})'` -e "delete from PLC. PL_POLICY_NEGSIG_SETS where set_id not in (SELECT set_id from PLC.NEGSIG_SETS);"

Fix:
After the fix, the 'Learning and Blocking Settings' page will be loaded with no error.

Fixed Versions:
17.1.0


1112805 : ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4

Links to More Info: BT1112805

Component: Application Security Manager

Symptoms:
The key used for the ip_address_intelligence field is mapped to an IPv6 Address in the latest CEF standard.

Conditions:
-- IP Intelligence is enabled.
-- An ArcSight remote logger is configured.
-- A HTTP transaction is carried out with a malicious Source IP Address

Impact:
The ip_address_intelligence field value is not populated in the ArcSight remote log

Workaround:
None

Fix:
A new key for ip_address_intelligence is implemented specific to IPv4

Fixed Versions:
17.1.0


1112745-3 : System CPU Usage detailed graph is not accessible on Cerebrus+

Links to More Info: BT1112745

Component: Local Traffic Manager

Symptoms:
When accessing performance reports of CPU usage detailed graph, error "Error trying to access the database." is displayed since the CPU graph name is getting truncated.

Conditions:
When on a single blade, if we have more than 17 TMMs this error will be seen.

Impact:
Detailed graph for system CPU usage will not be accessible.

Workaround:
No workaround

Fix:
Increased the size of the detail string to support more than 32 TMMs.

Fixed Versions:
17.1.0, 15.1.7


1112553 : API timeout observed for few requests with telemetry data in body and such requests do not get processed successfully

Component: Bot Defense

Symptoms:
Requests with telemetry data in body may not get processed successfully.
Observed API timeout in SAAS logs and bbrdump.

Conditions:
- Configure BD profile and attach it to virtual server
- Send web requests with telemetry data in body

Impact:
Requests with telemetry data in body may not get processed successfully.

Fixed Versions:
17.1.0


1112545 : API timeout observed for few requests that have telemetry data in body

Component: Bot Defense

Symptoms:
API timeout is observed in SAAS logs and bbrdump for requests that have telemetry data in the body

Conditions:
- Configure the BD profile and attach it to a virtual server.
- Send web requests with telemetry data in the body.

Impact:
Observed API timeout in SAAS logs and bbrdump for requests that have telemetry data in the body.

Fix:
Fixed issue of API timeout timer that was started prematurely for few requests.

Fixed Versions:
17.1.0


1112445 : Fix to avoid zombie node on the chain

Links to More Info: K58550078, BT1112445


1112349 : FIPS Card Cannot Initialize

Links to More Info: BT1112349

Component: Local Traffic Manager

Symptoms:
Initializing the FIPS card for the first time which contains the FIPS firmware CNN35XX-NFBE-FW-1.1-02 may cause the below error and will not be able to initialize the card:
Enter new Security Officer password (min. 0, max. 0 characters):
ERROR: Too long input (max.: 0 characters)
ERROR: Failed to read password
ERROR: INITIALIZATION FAILED!

Conditions:
First time initialization of new device with "tmsh run util fips-util -f init" command which contains the FIPS firmware CNN35XX-NFBE-FW-1.1-02

Impact:
FIPS card cannot be used for the FIPS key traffic and will not be able to re-initialize.

Workaround:
None

Fixed Versions:
17.1.0


1112205 : HTTP/2 may garble responses if the client-side stream aborts while response headers are on the wire

Links to More Info: BT1112205

Component: Local Traffic Manager

Symptoms:
If the client-side stream aborts while response headers are on the wire, the subsequent requests may receive a garbled response.

Conditions:
- HTTP2 profile is used on both client and server side.
- The client terminates the stream while the response has not yet reached the BIG-IP system.

Impact:
The client will receive an obscure response

Workaround:
None

Fix:
Even if the client terminates a stream (while the response has yet not reached BIG-IP), the subsequent requests will receive a correct response.

Fixed Versions:
17.1.0


1112137 : In Bot Defense profile, the SSE API timeout value is not considered for mobile requests

Component: Bot Defense

Symptoms:
Distributed Cloud API timeout is not considered for Mobile endpoint requests.

Conditions:
- Bot Defense profile configured with mobile endpoints.
- Distributed Cloud API timeout value is configured.
- Requests to mobile endpoint are sent from client, which triggers API request to SSE but the response is not received within the timeout configured.

Impact:
Distributed Cloud API timeout is not considered for Mobile endpoint requests.

Workaround:
None

Fixed Versions:
17.1.0


1112109 : Unable to retrieve SCP files using WinSCP or relative path name

Links to More Info: BT1112109

Component: TMOS

Symptoms:
When you attempt to retrieve a file with WinSCP, you receive an error dialog and the session will be terminated:

"SCP Protocol error: Invalid control record (r; elative addresses not allowed)

Copying files from the remote side failed."

If you attempt to transfer a file by the relative path with a command line utility the transfer will fail with the message:
"relative addresses not allowed"

Conditions:
-- Running BIG-IP version with a fix for ID 915981
-- Using WinSCP set to use SCP protocol to retrieve files from a BIG-IP system.
-- Using a relative remote path to transfer a file with the command line SCP utility.

Impact:
Cannot use WinSCP to retrieve files such as packet captures, log archives, or other diagnostic data from the BIG-IP system.

Workaround:
Use a command line SCP tool that allows specifying an absolute path for the source and/or destination file (a path that starts with a forward slash /), when the source and/or destination locations are a BIG-IP device.

You may use WinSCP in SFTP mode if the user ID is permitted to do so.

Fixed Versions:
17.1.0


1112049 : Performance improvement for checking signature exclusions on header

Component: Application Security Manager

Symptoms:
As part of a general performance improvement effort, we were looking into profiling data and observed that in many cases a lot of CPU is wasted, in the process to find out whether a specific signature is excluded on a specific header.

Conditions:
Signatures are enabled in ASM.

Impact:
High CPU usage when checking for signature header exclusions.

Workaround:
N/A

Fix:
Optimized the code responsible for checking signature exclusions on header.

Fixed Versions:
17.1.0


1111993 : HSB tool utility does not display PHY settings for HiGig interfaces

Component: TMOS

Symptoms:
When running the hsb_tool utility, PHY settings for HiGig interfaces are not displayed.

Conditions:
Run hsb_tool on a BIG-IP system with HSB functionality.

Impact:
None

Workaround:
None

Fix:
The HSB tool now displays PHY settings for HiGig interfaces.
Following is an example:

[root@localhost:/S1-green-P::LICENSE EXPIRED:Standalone] config # hsb_tool
no nde found
no anti-nde found

HSB Debug Tool:
hsb_tool <-m module > [-o option] [-n dev_idx] [-p multi_params]
    module: lbb
        option: info # show bus info for hsb and pde
        option: memory
        option: phy # show phy settings for higig interfaces
    module: pde
        option: memory
    module: edag or edagv2 # edagv2 refers to edag version 2
        option: default
                src_clst # show source cluster tables
                dst_clst # show dest cluster tables
                dst_assn # show dest assignment tables
                vcmp_dsag # show VCMP disaggregation table
                hash_cfg # show edag hash config
    module: epva
        option: mac_src # show epva mac src table
    module: nde
        option: memory
    module: ande
        option: memory
    device idx params:
        device indexes seperated by comma: e.g. -n 1,3,5
    -p params:
      option memory
        3 params seperated by comma [offset, size, mode], e.g. -p 0x300,64,0
        mode = 1 means binary mode, display in bytes
        mode = 0 means register mode, display in 4 bytes
      option mac_src
        2 params [start, size], e.g. -p 1,10
Device index convention:
    The device index is assigned in the pci device enumeration order
    For example: hsb0 on bus 20:0:0, and hsb1 on 21:0:0
    Note: the device index assigned in this tool might not be the same as BIG-IP software.
    Please refer to the bus.dev.func for discrepancy.
Examples:

display edag info on all HSBs

hsb_tool -m edag


display edag source cluster table for hsb1

hsb_tool -m edag -o src_clst -n 1


display memory for pde 0 & pde 1 with offset 0x200, size 64, register mode

hsb_tool -m pde -o memory -p 0x300,64,0 -n 0,1


display first 10 entries in the epva mac src table

hsb_tool -m epva -o mac_src -p 0,10


[root@localhost:/S1-green-P::LICENSE EXPIRED:Standalone] config # hsb_tool -m lbb -o phy
no nde found
no anti-nde found
lbb0 on bus 1:0:0 phy dump
hsb version 0x03100100
PHY dump for [HGM1] started.
channel:00 drive:00000020
channel:00 pre:00000000
channel:00 post1:00000000
channel:00 post2:00000011
channel:00 rxdcgain:00000004
channel:00 rxeq:0000000c
channel:01 drive:00000020
channel:01 pre:00000000
channel:01 post1:00000000
channel:01 post2:00000011
channel:01 rxdcgain:00000004
channel:01 rxeq:0000000c
channel:02 drive:00000020
channel:02 pre:00000000
channel:02 post1:00000000
channel:02 post2:00000011
channel:02 rxdcgain:00000004
channel:02 rxeq:0000000c
channel:03 drive:00000020
channel:03 pre:00000000
channel:03 post1:00000000
channel:03 post2:00000011
channel:03 rxdcgain:00000004
channel:03 rxeq:0000000c
PHY dump for [HGM1] completed.
PHY dump for [HGM2] started.
channel:08 drive:00000020
channel:08 pre:00000000
channel:08 post1:00000000
channel:08 post2:00000011
channel:08 rxdcgain:00000004
channel:08 rxeq:0000000c
channel:09 drive:00000020
channel:09 pre:00000000
channel:09 post1:00000000
channel:09 post2:00000011
channel:09 rxdcgain:00000004
channel:09 rxeq:0000000c
channel:0a drive:00000020
channel:0a pre:00000000
channel:0a post1:00000000
channel:0a post2:00000011
channel:0a rxdcgain:00000004
channel:0a rxeq:0000000c
channel:0b drive:00000020
channel:0b pre:00000000
channel:0b post1:00000000
channel:0b post2:00000011
channel:0b rxdcgain:00000004
channel:0b rxeq:0000000c
PHY dump for [HGM2] completed.
lbb1 on bus 82:0:0 phy dump
hsb version 0x03100100
PHY dump for [HGM1] started.
channel:00 drive:00000020
channel:00 pre:00000000
channel:00 post1:00000000
channel:00 post2:00000011
channel:00 rxdcgain:00000004
channel:00 rxeq:0000000c
channel:01 drive:00000020
channel:01 pre:00000000
channel:01 post1:00000000
channel:01 post2:00000011
channel:01 rxdcgain:00000004
channel:01 rxeq:0000000c
channel:02 drive:00000020
channel:02 pre:00000000
channel:02 post1:00000000
channel:02 post2:00000011
channel:02 rxdcgain:00000004
channel:02 rxeq:0000000c
channel:03 drive:00000020
channel:03 pre:00000000
channel:03 post1:00000000
channel:03 post2:00000011
channel:03 rxdcgain:00000004
channel:03 rxeq:0000000c
PHY dump for [HGM1] completed.
PHY dump for [HGM2] started.
channel:08 drive:00000020
channel:08 pre:00000000
channel:08 post1:00000000
channel:08 post2:00000011
channel:08 rxdcgain:00000004
channel:08 rxeq:0000000c
channel:09 drive:00000020
channel:09 pre:00000000
channel:09 post1:00000000
channel:09 post2:00000011
channel:09 rxdcgain:00000004
channel:09 rxeq:0000000c
channel:0a drive:00000020
channel:0a pre:00000000
channel:0a post1:00000000
channel:0a post2:00000011
channel:0a rxdcgain:00000004
channel:0a rxeq:0000000c
channel:0b drive:00000020
channel:0b pre:00000000
channel:0b post1:00000000
channel:0b post2:00000011
channel:0b rxdcgain:00000004
channel:0b rxeq:0000000c
PHY dump for [HGM2] completed.

Fixed Versions:
17.1.0


1111981 : Decrement in MQTT current connections even if the connection was never active

Links to More Info: BT1111981

Component: Local Traffic Manager

Symptoms:
Current connections statistics display unrealistic values.

Conditions:
When MQTT Over Websockets setup is in passthrough mode.

Impact:
The correct count of the current connections is lost.

Fix:
Added a new field called 'activated' in pcb, to verify if the connection was activated at least once.

Fixed Versions:
17.1.0


1111793 : New HTTP RFC Compliance check for incorrect newline separators between request line and first header

Links to More Info: BT1111793

Component: Application Security Manager

Symptoms:
ASM does not enforce incoming HTTP requests where the request line and the first header are separated with a line feed ('\n').

Conditions:
Any HTTP request with a line feed only at the end of the request line will not be enforced.

Impact:
Invalid requests might pass through ASM enforcement.

Workaround:
None

Fix:
HTTP requests with LF('\n') as the only separator between the request line and the first header are enforced, and "Unparsable request content" is reported.

Fixed Versions:
17.1.0, 15.1.7


1111629 : Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors

Links to More Info: BT1111629

Component: TMOS

Symptoms:
After logging in to the GUI you may observe these logs under /var/log/httpd/httpd_errors

warning httpd[7698]: [auth_pam:warn] [pid 7698] [client 10.6.4.2:61221] AUTHCACHE Error processing cookie AFQ6MCL2VWASB6NZTAWGQLFFWY - Failed Read: User, referer:

Conditions:
- Using token authentication for rest calls
- Login to the GUI

Impact:
- Increased disk space usage under /var/log
- Increased memory size of httpd processes

Workaround:
None

Fix:
These messages are no longer logged when not needed.

Fixed Versions:
17.1.0


1111473 : "Invalid monitor rule instance identifier" error after sync with FQDN nodes

Links to More Info: BT1111473

Component: Local Traffic Manager

Symptoms:
The following log messages may be observed in /var/log/ltm:

bigip1 err mcpd[4783]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 29.

This may also result in some monitors stuck in "checking" state.

Conditions:
-- FQDN nodes exist on the configuration.
-- A full config sync occurs
-- Device contains a fix for ID1017513
-- May happen regardless of bigd or in-tmm monitoring

Impact:
Some monitor statuses may not be correctly reported. Some monitors may be stuck in "checking" state.

Workaround:
Force the mcpd process to reload the BIG-IP configuration: K13030.

Fixed Versions:
17.1.0


1111421 : TMSH/GUI fails to display IPsec SAs info

Links to More Info: BT1111421

Component: TMOS

Symptoms:
Ipsec SAs are not visible in GUI/TMSH in tunnel/interface mode
GUI network -> ipsec -> diagnostic -> traffic-selectors -> security association details shows no SAs
The 'tmsh show net ipsec ipsec-sa traffic-selector ts' command shows no SA

Conditions:
-- Configure the ipsec with tunnel/Interface mode.
-- Create the tunnel.
-- Check the ipsec-sa

Impact:
You are unable to see ipsec-sa in GUI/TMSH

Workaround:
None

Fix:
Link of TS cfg with req_key was not working. Added code to fix the issue.

Fixed Versions:
17.1.0


1111189 : Listing errors in tmsh and installation failures when the configuration includes an AVR scheduled-report.

Links to More Info: BT1111189

Component: Application Visibility and Reporting

Symptoms:
-- The tmsh utility may return an error when listing analytics configuration.

-- TMOS installations may fail and return an error.

-- Saving new UCS archives may fail and return an error.

In all cases, the error is similar to the following example:

TSocket::open() getaddrinfo() <Host: 127.3.0.2
 Port: 9090>Name or service not known
std exception: (Could not resolve host for client socket.), exiting...

Conditions:
-- Multi-blade VIPRION system (either metal or in the form of a vCMP guest).

-- AVR is provisioned.

-- At least one AVR scheduled-report is present in the configuration.

-- An action such as listing the config, saving a UCS archive, performing a TMOS installation, etc. is performed on a secondary blade.

Impact:
The operation you were attempting fails and an error is returned.

Workaround:
The only workaround consists in removing all AVR scheduled-reports, performing the intended task, and then re-defining the AVR scheduled-reports as necessary. This is of course disruptive and may not be indicated for your site. If you require an Engineering Hotfix for this issue, please contact F5 Support.

Fix:
The presence of AVR scheduled-reports in the configuration no longer interferes with administrative tasks.

Fixed Versions:
17.1.0


1111097 : gzip arbitrary-file-write vulnerability CVE-2022-1271

Component: TMOS

Symptoms:
An arbitrary file write vulnerability was found in GNU gzip's zgrep utility.

Conditions:
When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names.

Impact:
This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system

Workaround:
None

Fix:
None.

Fixed Versions:
17.1.0


1111089 : Broken "select all" checkbox functionality on WS URL page

Component: Application Security Manager

Symptoms:
Under Overridden Security Policy Settings, select "Attack Signature" check box and it does not select all attack-signatures which are excluded in the "Websocket URL" page.

Conditions:
On the WS URL page, under overridden attack signature, click the "select all" checkbox and it does not select all items.

Impact:
On the WS URL page, under overridden attack signature, click the "select all" checkbox and it does not select all items.

Workaround:
Check each item manually.

Fix:
Fixed the "select all" checkbox functionality on the WS URL page.

Fixed Versions:
17.1.0


1110893 : Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy

Links to More Info: BT1110893

Component: TMOS

Symptoms:
Some sections of the BIG-IP GUI fail to load properly, and may report "An error occurred:" Additionally, iControl REST calls may fail with a 401 unauthorized error.

Conditions:
-- BIG-IP GUI or iControl REST is accessed behind a proxy that that includes an X-Forwarded-For header

-- The "httpd.matchclient" BigDB key is set to true (this is the default).

Impact:
Some portions of the GUI are broken as well as iControl REST calls may fail.

Workaround:
Disable the "httpd.matchclient" DB key:

tmsh modify sys db httpd.matchclient value false
bigstart restart httpd

Fix:
REST Auth token client ip address and mod_auth_pam client ip address should match

Fixed Versions:
17.1.0


1110849 : In GUI, sorting needs to be implemented for "Websocket URL" page

Component: Application Security Manager

Symptoms:
You are unable to sort Websocket URLs in the GUI.

Conditions:
Viewing the Websocket URL page

Impact:
The URLs cannot be sorted.

Workaround:
None

Fix:
Added sorting functionality to the websocket URLs page

Fixed Versions:
17.1.0


1110813-5 : Improve MPTCP retransmission handling while aborting

Component: Local Traffic Manager

Symptoms:
- MPTCP enabled TCP connection is aborting.
- TMM cores.

Conditions:
- MPTCP is enabled.
- MPTCP enabled TCP connection is aborting.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP option in the TCP profile.

Fix:
Improved MPTCP retransmission handling while aborting.

Fixed Versions:
17.1.0


1110689 : Fail to reset INSL statistics

Component: Bot Defense

Symptoms:
Below INSL statistics reset failure on profile in it or from TMSH:
- tot_requests_instl_endpoints_matched
- tot_requests_instl_served

Conditions:
- Bot Defense profile is configured.
- Interstitial endpoint is configured.

Impact:
Below statistics can display higher numbers than expected:
- tot_requests_instl_endpoints_matched
- tot_requests_instl_served

Workaround:
None

Fix:
The INSL statistics reset as expected.

Fixed Versions:
17.1.0


1110241 : in-tmm http(s) monitor accumulates unchecked memory

Links to More Info: BT1110241

Component: In-tmm monitors

Symptoms:
Connflows growing larger than expected/desired.

Conditions:
-- in-TMM monitors are enabled
-- http(s) monitors are configured
-- Pool members continue spooling chunked data

Impact:
If an http(s) server does not close its connection to BIG-IP and continues spooling chunked data, the connflow remains and can eventually cause similar issues.

Workaround:
Three possible:
1. Fix the server.
2. Periodically reboot the server.
3. Use BigD LTM monitors.

Fixed Versions:
17.1.0


1110205 : SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown

Links to More Info: BT1110205

Component: Local Traffic Manager

Symptoms:
If a virtual server has an iRule performing SSL payload processing in CLIENTSSL_DATA, TMM fails to process or forward an ingress TCP FIN from a client, leaving the connection in a zombie state until it eventually idles out.

Conditions:
The issue occurs only when SSL::collect is used in CLIENTSSL_DATA

   when CLIENTSSL_DATA {
        log local0. "."
        SSL::release
        SSL::collect
    }

Impact:
Unexpected growth in the number of connections idling on a virtual server leads to memory pressure.

Workaround:
None

Fixed Versions:
17.1.0, 16.1.3.1


1109953 : TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry

Links to More Info: BT1109953

Component: Local Traffic Manager

Symptoms:
A very long entry (exceeding the maximum length allowed by internet stndards) in a data-group used for SSL Forward Proxy Bypass/Intercept hostname list may cause TMM to crash.

Conditions:
All of the below conditions have to be met:
-- A virtual server uses SSL profile
-- This SSL profile has Forward Proxy enabled.
-- The SSL profile has Forward Proxy Bypass enabled.
-- The SSL profile uses Hostname Bypass and/or Hostname Intercept data-group.
-- Anny to the data-groups contains entries which are longer than 255 characters.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Make sure all entries in the data-group used for intercept/bypass hostnanme list do not exceed 255 characters. According to RFC 1035 section 2.3.4, longer hostnames are not valid.

Fix:
TMM no longer crashes when hostname data-group entries are too long. Instead there is an error message logged: 01260000:2: Profile <affected SSL profile name>: could not load hostname bypass/intercept list
However, incorrect entries need to be fixed as they are not valid anyway and make the data-group to be ignored.

Fixed Versions:
17.1.0


1109833 : HTTP2 monitors not sending request

Links to More Info: BT1109833

Component: Local Traffic Manager

Symptoms:
HTTP2 monitors do not send monitor traffic, incorrectly marking pool members down.

Conditions:
HTTP2 monitor configured.

Impact:
Pool members marked down erroneously.

Workaround:
Use different monitor type, if possible.

Fixed Versions:
17.1.0, 16.1.3.1


1108681 : PEM queries with filters return error message when a blade is offline

Links to More Info: BT1108681

Component: Policy Enforcement Manager

Symptoms:
Attempting to retrieve subscriber session data for a specific subscriber returns the following error: "Data Input Error: ERROR: 'query_view' query reply did not contain a result object."

Conditions:
One of the blades is disabled, and the pem sessiondb query contains a filter, for example subscriber-id or session-ip.

Impact:
Cosmetic error, no impact.

Workaround:
Enable the disabled blades, or send a pem sessiondb query without filters.

Fix:
No error is returned when sending a pem session query with filters when one of the blades is disabled.

Fixed Versions:
17.1.0


1108657 : No notification about disabled "Virus detected" violation in case of enabling "Anti-Virus Protection"

Component: Application Security Manager

Symptoms:
If the "Virus detected" violation is disabled, there is no notification about it after enabling "Anti-Virus Protection".

Conditions:
1. In Security ›› Application Security : Policy Building : Learning and Blocking Settings screen, for Virus Detected violation set at least one of the Learn, Alarm, or Block checkboxes as empty.

2. In Security ›› Application Security : Security Policies : Policies List ›› <selected_policy> screen - check the Scan HTTP Uploads (in Anti-Virus Protection field)

3. No warning is shown.

Impact:
No warning is shown to user which indicates that the related violation settings are switched off (Learning, Alarming or Blocking)

Workaround:
None

Fix:
Warning of the related switched-off violation settings will be shown.

Fixed Versions:
17.1.0


1108181 : iControl REST call with token fails with 401 Unauthorized

Links to More Info: BT1108181

Component: TMOS

Symptoms:
For a short period after creating or refreshing a token, the iControl REST calls may fail with a 401 Unauthorized error and an HTML body content, or a 401 F5 Authorization Required error and a JSON body content.

When using F5 Ansible modules for BIG-IP, the modules may fail with an error "Expecting value: line 1 column 1 (char 0)".

The AS3 may return an error "AS3 API code: 401".

Conditions:
- REST call using valid token.
- Can commonly occur on the call after a token has been refreshed or a Token list has been requested.

Impact:
The iControl REST calls may temporarily fail (typically less than 1 second) after the creation or refresh of an iControl REST token.

Workaround:
After being issued a token or refreshing a token, wait a second before attempting to use it.

If this does not work, request a new token.

No workaround exists for AS3 or F5 Ansible BIG-IP modules.

Fix:
A race condition on a PAM file update has been resolved. Tokens should remain valid.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1


1108109 : APM policy sync fails when access policy contains customization images

Links to More Info: BT1108109

Component: Access Policy Manager

Symptoms:
APM policy sync fails after an upgrade. Mcpd logs an error

err mcpd[6405]: 01b70117:3: local_path (/tmp/psync_local_file) starts with invalid directory. Valid directories are /var/config/rest/, /var/tmp/, /shared/tmp/.

Conditions:
APM access policy contains a custom image file

Impact:
APM policy sync fails.

Workaround:
None

Fix:
Customization image file is allowed to be created from /tmp local_path.

Fixed Versions:
17.1.0


1107549 : In-TMM TCP monitor memory leak

Links to More Info: BT1107549

Component: In-tmm monitors

Symptoms:
TMM memory use grows unbounded; aggressive sweeper is engaged

Conditions:
-- In-TMM TCP monitors are enabled

Impact:
TCP peer ingress accumulates over time. Over an extended period of time the aggressive sweeper begins freeing memory.

Workaround:
1. Rebooting the BIG-IP system after the change is made is one potential remedy.
2. Use regular LTM monitors.

Fix:
Fixed a memory leak with in-tmm TCP monitors.

Fixed Versions:
17.1.0, 15.1.8


1107437 : TMM may crash when enable-rapid-response is enabled on a DNS profile

Links to More Info: K37708118, BT1107437


1107293 : CVE-2021-22555: Linux kernel vulnerability

Links to More Info: K06524534, BT1107293


1107041 : The header ISTL-INFINITE-LOOP might get forwarded to origin server

Component: Bot Defense

Symptoms:
The internal header ISTL-INFINITE-LOOP is forwarded to the origin server.

Conditions:
- Bot Defense profile is in use.
- Interstitial endpoint is configured.

Impact:
Origin server receives internal header 'ISTL-INFINITE-LOOP header'.

Workaround:
None

Fix:
The header ISTL-INFINITE-LOOP is removed from request before forwarding to the origin server.

Fixed Versions:
17.1.0


1106989 : Certain configuration settings leads to memory accumulation

Component: Local Traffic Manager

Symptoms:
Some specific traffic configurations causing memory consumption.

Conditions:
Profiles attached to Virtual server

Impact:
Memory will get accumulated.

Workaround:
Set udp timeout > 0 on a UDP profile.

Fix:
corrected memory management during packet processing.

Fixed Versions:
17.1.0


1106937 : ASM may skip signature matching

Component: Application Security Manager

Symptoms:
Under certain conditions ASM skips signature matching.

Conditions:
Authorization header type is Bearer.
- When input contains less than or more than 3 parts of JWT token values.
- When base64 decode fails while decoding JWT token.

Impact:
Signature matching gets skipped.

Workaround:
None

Fix:
ASM checks for signature matching.

Fixed Versions:
17.1.0


1106897 : Broken link under Cryptographic Failure section in OWASP page

Component: Application Security Manager

Symptoms:
The link for Mask Credit Card Numbers in Request Log is broken.

Conditions:
1. Navigate to Security ›› Overview : OWASP Compliance page.
2. Click on a policy which has an OWASP score.
3. Under A2 Cryptographic Failures category, find the Mask Credit Card Numbers field in Request Log.
4. Click the FULFILLED/NOT FULFILLED link.

The link does not load the requested page.

Impact:
The user does not have an easy access for the policy details page from OWASP page.

Workaround:
Navigate to Security ›› Application Security : Security Policies : Policies List ›› <policy_name> page and find the entry of Mask Credit Card Numbers in Request Log.

Fix:
The link for Mask Credit Card Numbers in Request Log is loading the page.

Fixed Versions:
17.1.0


1106757 : Horizon VDI clients are intermittently disconnected

Component: Access Policy Manager

Symptoms:
VMware Horizon Clients experience intermittent freezes and disconnects as the mapping between blast UUID and session id in CLIENT_CLOSED function is maintained only for 20 seconds.

Conditions:
-- VMware VDI is configured via an iApp
-- The connection to the virtual server is lost for more than 20 seconds

Impact:
VMware Horizon Clients experience freezes and disconnects intermittently.

Workaround:
None

Fix:
VMware Horizon Clients are not being disconnected intermittently.

Fixed Versions:
17.1.0


1106337 : Unable to add tenant ID greater than 12 characters in Bot Defense profile

Component: Bot Defense

Symptoms:
The tenant ID field is limited to 12 characteristics in Bot Defense profile and if user provides more than 12 characters, then an error is displayed that field is limited to 12 characters length.

Tenant ID length should be minimum of 16 characters length and maximum of 64 characters in Bot Defense profile. To be compatible minimum length has been set to 12 characters
 which is valid for both F5CS portal and F5XC.

Conditions:
- Configuring Bot Defense profile.

Impact:
User cannot configure tenant ID successfully, subsequently Bot Defense profile configuration will not be successful.

Workaround:
None

Fix:
The field tenant ID range is updated to have minimum of 12 characters and maximum of 64 characters.

Fixed Versions:
17.1.0


1106289 : TMM may leak memory when processing sideband connections.

Links to More Info: K43024307, BT1106289


1106161 : Securing iControlRest API for appliance mode

Links to More Info: K13325942, BT1106161


1105757-5 : Creating CSR with invalid parameters for basic-constraints, tmsh does not generate meaningful errors

Links to More Info: BT1105757

Component: TMOS

Symptoms:
A similar error as below is observed:
Key management library returned bad status: -45, No Error

Conditions:
Always observed.

Impact:
The error thrown is not meaningful hence it is difficult to identify the invalid parameters.

Workaround:
N/A

Fix:
Errors are now more descriptive and provide information about invalid parameters.

Fixed Versions:
17.1.0


1105389 : Incorrect HTTP request handling may lead to resource leak

Links to More Info: K17542533, BT1105389


1105341 : Decode_application_payload can break exponent notation in JSON

Links to More Info: BT1105341

Component: Application Security Manager

Symptoms:
With decode_application_payload set to 1, the single pass of decoding prior to JSON parsing will convert positive exponents to ascii characters ie "+" to " ". This results in Malformed numeric value violations

Conditions:
Positive exponents with decode_application_payload set to 1.

Impact:
Malformed JSON violations

Workaround:
Disable decode_application_payload
decode_application_payload set to 0.

Fixed Versions:
17.1.0


1105229 : iRule command 'connect' may fail to resume when invoked from CLIENT_DATA or SERVER_DATA

Component: Local Traffic Manager

Symptoms:
The 'connect' iRule command fails to resume when it is called from CLIENT_DATA or SERVER_DATA events. The processing of traffic could halt due to 'irule_scope_msg' and the iRule is not processed as expected.

Conditions:
- iRule using the 'connect' command
- Diameter/Generic-message 'irule_scope_msg' enabled
- 'connect' command is being called from CLIENT_DATA or SERVER_DATA events

Impact:
Traffic processing halts (no crash)

Fix:
The 'connect' iRule command works as expected in all cases.

Fixed Versions:
17.1.0


1105145 : Request body on server side egress is not chunked when it needs to be after HTTP processes a 100 continue response.

Links to More Info: BT1105145

Component: Local Traffic Manager

Symptoms:
After HTTP processes a 100 continue responses, the request body is incorrectly not chunked on egress to the server, whenever server-side chunking is expected.

Conditions:
- Basic HTTP virtual server with rechunking iRule.
- Incoming client requests containing 'Expect' header.

Impact:
Server may return an error response, for example, 400 Bad Request.

Workaround:
None

Fix:
The request body is chunked on server-side when expected and the server responses are as per expectation.

Fixed Versions:
17.1.0


1104741 : ICMP flood or ICMP/IP/IPv6 fragment vectors are not hardware mitigated when configured on zone

Component: Advanced Firewall Manager

Symptoms:
Hardware drops are not seen for the vectors ICMP flood or ICMP/IP/IPv6 fragment when configured on zone.

Conditions:
In case of a zone configured with ICMP flood or ICMP/IP/IPv6 fragment vectors, will see only attack mitigation and drops at software level.

Impact:
Hardware mitigation is not happening when ICMP flood and ICMP/IP/IPv6 fragment vectors configured on a zone.

Workaround:
None

Fix:
This was due to know limitation in one of the hardware module. Added the required changes to use SPVA for these vectors to fix the issue.

Fixed Versions:
17.1.0


1104493 : Client-side abort during server-side establishment may cause tmm to behave abnormally in HTTP MRF proxy

Links to More Info: K90024104, BT1104493


1104381 : Incorrect value for "sed-api-host" is sent to Distributed Cloud with API call

Component: Bot Defense

Symptoms:
Incorrect Value of "sed-api-host:" is sent to Distributed Cloud in requests to "ibd-ebus.fastcache.net/api/v1/decision".

Conditions:
- Virtual with Bot Defense profile attached is in used.

Impact:
Incorrect sed-host-ip value is received at Distributed Cloud.

Workaround:
None

Fix:
The correct value of sed-host-ip is forwarded to Distributed Cloud.

Fixed Versions:
17.1.0


1104073 : Use of iRules command whereis with "isp" or "org" options may cause TCL object leak.

Links to More Info: BT1104073

Component: Local Traffic Manager

Symptoms:
When iRules command whereis is being used with "isp" or "org" options and underlying GEOIP database(s) have not been loaded,
cur_allocs for tcl memory increases over time and does not return to the prior level.

Conditions:
- iRules command whereis is used with "isp" or "org" options
- The underlying GEOIP database(s) have not been loaded

Impact:
Cur_allocs for tcl memory increases over time and does not return to the prior level.

Workaround:
Load the underlying GEOIP database(s) before using "isp" or "org" options of the iRules command whereis.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


1104037 : Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire

Links to More Info: BT1104037

Component: SSL Orchestrator

Symptoms:
Tmm crashes.

Conditions:
Changing "connection.vlankeyed" from enabled to disabled on a system configured for L2 wire

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Keep "connection.vlankeyed" enabled

Fix:
The crash was eliminated

Fixed Versions:
17.1.0


1103617 : 'Reset on Timeout' setting might be ignored when fastl4 is used with another profile.

Links to More Info: BT1103617

Component: Local Traffic Manager

Symptoms:
'Reset on Timeout' setting might be ignored when Fastl4 profile is configured along with some other profile.

Conditions:
Fastl4 profile is configured along with some other profile (for example IPS).

Impact:
Traffic might be reset unexpectedly.

Workaround:
None

Fixed Versions:
17.1.0


1103481 : Unnecessary data present in APM URL

Component: Access Policy Manager

Symptoms:
N/A

Conditions:
APM with network access profile configured.

Impact:
N/A

Workaround:
-No-

Fix:
Modified the code such that APM URLs follow best practices

Fixed Versions:
17.1.0


1103369 : DELETE of REST Auth token does not result in deletion of the pamcache token file on a multi-slot VIPRION chassis, vCMP guest, or VELOS tenant

Links to More Info: BT1103369

Component: TMOS

Symptoms:
The REST tokens are not deleted from cache /var/run/pamcache when the tokens are expired or deleted.

Conditions:
- A large number of REST Auth tokens are created in multi-slot VIPRION, multi-slot vCMP Guest, or multi-slot VELOS tenant.

Impact:
The deleted token continue to be available in the cache.
Memory is consumed as cache is stored in an in-memory filesystem.

Workaround:
Execute the following commands in bash to remove the pamcache directory from the set being acted upon by "csyncd":

    # clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"

    # clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"

    # clsh "bigstart restart csyncd"

Also, clear any stale content either by rebooting or deleting the tokens.

Remove token files from /run/pamcache manually.

Execute the following command by using -print instead of -delete to verify the tokens to be deleted (recommended to not use clsh):

# clsh "find /run/pamcache -regextype posix-extended -type f -regex '/run/pamcache/[A-Z0-9]{26}' -delete"

Fix:
Auth tokens in /run/pamcache are deleted as required.

Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3


1103233 : Diameter in-tmm monitor is logging disconnect events unnecessarily

Links to More Info: BT1103233

Component: Service Provider

Symptoms:
Errors are logged to /var/log/ltm:

err tmm[20104]: 01cc0006:3: Peer (<peer>) connection state has changed: disconnected

Conditions:
A diameter in-tmm monitor is configured

Impact:
Debug logs are logged at the error level.

Workaround:
None

Fix:
Log level has been changed to the debug level for the peer disconnected log.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


1103213 : Support Resource Based Constrained Delegation (RBCD) for cross domains as part of Kerberos SSO

Component: Access Policy Manager

Symptoms:
In BIG-IP APM 17.0.0 and earlier versions, the Kerberos SSO Resource Based Constrained Delegation (RBCD) is not supported. Constrained Delegation does not work without User Domain Controller admin adding cross domain service FQDNs as part of Delegated User.

Conditions:
User Domain Controller admin adding cross domain service FQDNs as part of Delegated User.

Impact:
The Service administrators need support of User domain administrators to add new services as part of delegation.

Workaround:
User domain administrators can add new services as part of delegation.

Fix:
From BIG-IP APM 17.1.0 version onward, RBCD feature is supported. Service administrators can directly add or delete new service FQDNs with in Service Domain Controller.

Fixed Versions:
17.1.0


1102881 : dhclient/dhcpd vulnerability CVE-2021-25217

Links to More Info: K08832573


1102849 : Less-privileged users (guest, operator, etc) are unable to run top level commands

Links to More Info: BT1102849

Component: TMOS

Symptoms:
Less privileged users are no longer able to run top-level commands such as "show running-config recursive". Executing this command from TMOS results in an error:

Unexpected Error: Can't display all items, can't get object count from mcpd

and mcpd throws error:

result_message "01070823:3: Read Access Denied: user (test) type (Abort Ending Agent)"

Conditions:
User account with a role of guest, operator, or any role other than admin.

Impact:
You are unable to show the running config, or use list or list sys commands.

Workaround:
Logon with an account with admin access.

Fixed Versions:
17.1.0, 14.1.5.1


1102837 : Use native driver for e810 instead of sock

Links to More Info: BT1102837

Component: TMOS

Symptoms:
Default driver sock cannot provide good performance.

Conditions:
Running BIG-IP Virtual Edition (sock is the default virtual function network driver for VE until 15.1.6 release)

Impact:
Default driver sock cannot provide good performance.

Workaround:
No mitigation when native drivers are not yet available for e810 NIC (for example, 15.1.6 and earlier). Default driver sock are used and that is unable to provide good performance.

Fix:
This release provides a native driver.

Fixed Versions:
17.1.0, 15.1.7


1102429 : iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases.

Links to More Info: BT1102429

Component: Local Traffic Manager

Symptoms:
Invoking the iRule command 'reject' under the iRule event 'FLOW_INIT' may, in some cases, fail to send out the intended reject packet (i.e. TCP reset or ICMP port unreachable).

Conditions:
The issue occurs when the BIG-IP system does not have a route back to the client, and should instead deliver the reject packet by means of autolasthop.

Impact:
The connection is actually removed from the BIG-IP system's connection table, and correctly does not progress. However, the lack of a reject packet could make the client retransmit its initial packet or insist in opening more connections.

Fix:
iRule 'reject' command under 'FLOW_INIT' event now works correctly even when autolasthop should be employed to deliver the reject packet back to the client.

Fixed Versions:
17.1.0


1102301 : Content profiles created for types other than video and image allowing executable

Component: Application Security Manager

Symptoms:
When creating "API Security" policy, "Disallow File Upload of Executables" options are disabled for contents different than video/* or image/*.

Conditions:
Create "API Security" policy with binary content URL.

Impact:
Incorrect violation is raised.

Workaround:
None

Fix:
Disabled Disallow File Upload of Executables in content profiles.

Fixed Versions:
17.1.0


1101705 : RSA-KEX ciphers list are removed from httpd configuration in FIPS mode since these are non-approved ciphers for FIPS 140-3 certification

Links to More Info: BT1101705

Component: TMOS

Symptoms:
- RSA-KEX ciphers list are removed from httpd configuration when FIPS mode is enabled since these are non-approved ciphers for FIPS 140-3 certification.
- Mandatory fix for FIPS 140-3 Certification.

Conditions:
- BIG-IP versions 16.1.3 and above.
- Applies to systems requiring FIPS 140-3 Certification.
- FIPS 140-3 license is installed on BIG-IP or its a FullBoxFIPS device.
- https connections are established using the RSA-KEX based ciphers

Impact:
- BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be running a FIPS 140-3 certified configuration.
- https connection using RSA KEX ciphers will not be successful when FIPS 140-3 license is installed in the device.

Workaround:
None

Fix:
Apply this fix to ensure that the system is compliant with FIPS 140-3 Certification.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3


1101697 : TLS1.3 connection failure with 0-RTT and Hello Retry Request (HRR).

Links to More Info: BT1101697

Component: Local Traffic Manager

Symptoms:
Connection failure.

Conditions:
This condition can occur when:
- The 0-RTT is enabled.
- When TLS1.3 session goes for Hello Retry Request (HRR).

Impact:
Connection failure.

Workaround:
Disable the 0-RTT.

Fix:
Added changes which handle this defects.

Fixed Versions:
17.1.0, 15.1.7


1101453 : MCPD SIGABRT and core happened while deleting GTM pool member

Links to More Info: BT1101453

Component: TMOS

Symptoms:
Mcpd crashes while deleting a pool member.

Conditions:
-- Huge GTM configuration
-- One pool members is referenced by 1000 wide IPs

Impact:
Traffic disrupted while mcpd restarts.

Workaround:
None

Fixed Versions:
17.1.0


1101369 : MQTT connection stats are not updated properly

Component: Local Traffic Manager

Symptoms:
Negative values can be seen in current connections.

Conditions:
This issue can be seen when the 'CONNECT' message is dropped by iRule or when the first message received is not 'CONNECT.'

Impact:
MQTT profile stats are not incremented correctly with CONNECT message.

Workaround:
NA

Fix:
MQTT profile stats are incremented correctly with CONNECT message.

Fixed Versions:
17.1.0


1101321-1 : APM log files are flooded after a client connection fails.

Links to More Info: BT1101321

Component: Access Policy Manager

Symptoms:
Once a client connection fails, the var/log/apm log files get flooded with repeat error messages like "queue.cpp func: "printx()" line: 359 Msg: Queued fd"

Conditions:
When the client connection fails, for example, when the client connection is no longer valid, the log files are flooded with all queued connections which are available at that point of time.

Impact:
The continuous error messages in the log files may cause high CPU issues.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.1.0


1101181 : HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server

Links to More Info: BT1101181

Component: Local Traffic Manager

Symptoms:
The BIG-IP forwards HTTP request headers to pool member, but does not forward the request body. This results in a connection stall, and the connection eventually timing out and failing.

Conditions:
-- Virtual server with HTTP/2 full proxy configured (HTTP MRF router is enabled, and HTTP/2 profile present on virtual server).
-- Virtual server has request-logging profile assigned.
-- Serverside connection uses HTTP/2.
-- Client sends a request that includes a payload body (e.g. a POST).

Impact:
HTTP transaction fails; traffic does not pass.

Workaround:
Remove the request-logging profile.

Fixed Versions:
17.1.0


1100737-1 : Integrate sPVA DDOS vector functionality to appliance devices with multiple ATSE

Component: Advanced Firewall Manager

Symptoms:
Multiple ATSEs are not handled in the current code.
The users will observe an incorrect traffic rate limit against the configured vector.
Selection of the linked TMM thread to ATSE could go wrong, which will result in the handling of the traffic only on one of the ATSEs.

Conditions:
Occurs on appliances with multiple ATSEs when dos_vectors are configured to mitigate the attack.

Impact:
An incorrect rate_limit will apply on the vectors.
Both the ATSEs (TMM) might not participate in handling of the traffic.

Workaround:
None

Fix:
The traffic will be handled properly and the correct rate_limit will apply on the vector configuration.

Fixed Versions:
17.1.0


1100669 : Brute force captcha loop

Links to More Info: BT1100669

Component: Application Security Manager

Symptoms:
Captchas for a user that failed to login after several attempts will continue after a successful login.

Conditions:
-- A user fails to log in after several attempts.
-- The mitigation is captcha mitigation.

Impact:
If the user eventually provides the correct password, the user will be able to log in.

Workaround:
None

Fix:
Issue with captcha loop was fixed.

Fixed Versions:
17.1.0


1100609-2 : Length Mismatch in DNS/DHCP IPv6 address in logs and pcap

Links to More Info: BT1100609

Component: TMOS

Symptoms:
The wrong length is shown in logs for DNS/DHCP IPv6 addresses.

Conditions:
-- DNS/DHCP IPv6 configured in IKE-PEER configuration.
-- The tunnel is established.

Impact:
The length is reported incorrectly in the logs. It is reported as 15 when it should be reported as 16.

Workaround:
None

Fix:
Fix the logs.

Fixed Versions:
17.1.0, 16.1.3


1100549-2 : "Resource Administrator" role cannot change ACL order

Links to More Info: BT1100549

Component: Access Policy Manager

Symptoms:
You encounter a 'No Access' error when trying to change ACL order

Conditions:
You are logged in with a Resource Administrator role.

Impact:
You are unable to change the ACL order

Workaround:
None

Fixed Versions:
17.1.0


1100409 : Valid connections may fail while a virtual server is in SYN cookie mode.

Component: TMOS

Symptoms:
Some of the valid connections to a TCP virtual server may fail while the virtual server is in SYN cookie mode due to an attack.

Conditions:
-- BIG-IP i4x00 platform.
-- TCP virtual server under SYN flood attack.

Impact:
Failed connections, service degradation.

Workaround:
Disabling SYN cookie in the TCP or fastL4 profile is a possible workaround, but that would leave the virtual server open to SYN flood attacks.

Fix:
The ePVA module is now correctly initialized on the i4x00 platform.

Fixed Versions:
17.1.0


1100393 : Multiple Referer header raise false positive evasion violation

Links to More Info: BT1100393

Component: Application Security Manager

Symptoms:
When Multiple Referer headers contains a backslash character ('\') in query string portion, 'IIS backslashes' evasion technique violation is raised.

Conditions:
- 'Url Normalization' is turned on and 'Evasion Techniques Violations' is enabled.
- Multiple Referer header contains a backslash character ('\') in query string part.

Impact:
False positive evasion technique violation is raised for Referer header.

Workaround:
In the HTTP Header Properties screen, turn off the 'Url Normalization' on the 'Normalization Settings' section of the 'referer' property.

Fix:
Fixed Multiple Referer header handling before URL Normalization.

Fixed Versions:
17.1.0


1100321-3 : MCPD memory leak

Links to More Info: BT1100321

Component: TMOS

Symptoms:
Viewing virtual server firewall policy rules leaks some memory in MCPD.

Conditions:
- BIG-IP AFM is provisioned
- Virtual server firewall policy rules are viewed, e.g. by running one of the following commands:
  tmsh show ltm virtual fw-enforced-policy-rules
  tmsh show ltm virtual fw-staged-policy-rules

Impact:
A memory leak occurs when the command is run.

Workaround:
None

Fixed Versions:
17.1.0


1100161 : IP Address description column does not appear on table from version 16.1.x

Component: Application Security Manager

Symptoms:
In the new GUI design for IP Address Exceptions table, the "Descriptions" column was removed.

Conditions:
For a policy configured in Security ›› Application Security : Security Policies : Policies List, setting IP Address Exception description, will be shown only inside the IP details window, and not on the main table (inside IP Address Exceptions tab).

Impact:
You need to click on the IP details link to see the description.

Workaround:
None

Fix:
The table will include back the Description column.

Fixed Versions:
17.1.0


1100125 : Per virtual SYN cookie may not be activated on all HSB modules

Links to More Info: BT1100125

Component: TMOS

Symptoms:
The virtual reports Hardware SYN cookie mode, but some of the SYNs are still processed in software.

Conditions:
On platforms where one TMM instance attached to multiple HSB modules.

Impact:
A portion of an SYN flood is processed in Software instead of Hardware.

Workaround:
-

Fix:
SYN cookie processing is correctly offloaded to all HSB modules.

Fixed Versions:
17.1.0


1099545 : Tmm may core when PEM virtual with a simple policy and iRule is being used

Links to More Info: BT1099545

Component: Local Traffic Manager

Symptoms:
Tmm cores with SIGSEGV.

Conditions:
-- PEM virtual with a simple policy and iRule attached.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.1.0


1099305 : Nlad core observed due to ERR_func_error_string can return NULL

Links to More Info: BT1099305

Component: Access Policy Manager

Symptoms:
The following symptoms are observed in /var/log/ltm:

err nlad[17535]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.

Nlad core is observed
/var/log/kern.log:Apr 7 03:46:53 <vs name > info kernel: nlad[13119]: segfault at 0 ip <> sp <> error 4.

Conditions:
NLAD core is SIGSEGV - crashing while processing a SSL Certificate via a SAML login.

Impact:
Core results in disruption of APM sessions

Workaround:
None

Fix:
NA

Fixed Versions:
17.1.0


1099229 : SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present

Links to More Info: BT1099229

Component: Local Traffic Manager

Symptoms:
-- A connection to the virtual server hangs from the client device.
-- A memory leak occurs in tmm

Conditions:
-- Virtual server has an L7 policy configured.
-- Virtual server has iRules configured.

Impact:
-- Clients are unable to connect to the virtual server.
-- A memory leak occurs.

Workaround:
Remove the L7 policy or the iRules from the virtual server configuration.

Fixed Versions:
17.1.0, 14.1.5.1


1099193 : Incorrect configuration for "Auto detect" parameter is shown after switching from other data types

Component: Application Security Manager

Symptoms:
The Configuration shown in the GUI for the "Auto detect" Parameter value type is incorrect after certain steps are performed.

Conditions:
1. Create a default policy
2. Create new a Parameter with "User-input value" as a Parameter Value Type, and "File Upload" as the Data Type.
3. Save the settings above, and go back to the newly created Parameters settings.
4. Change its Parameter Value Type to "Auto detect".

Impact:
You either see unrelated fields, e.g. "Disallow File Upload of Executables" or missing tabs, like Value Meta Characters.

Workaround:
You can save a configuration with "User-input value" as a Parameter Value type, and "Alpha-Numeric" as Data Type, and then set "Auto detect" as Parameter Value Type.

Fixed Versions:
17.1.0


1098837-5 : Configuration failure due to the DB validation exception happening in the ips_inspection_sig and ips_inspection_compl tables

Links to More Info: BT1098837

Component: Protocol Inspection

Symptoms:
During the upgrade, configuration error with reason DB validation exception occurs and unique constraint violation in the tables ips_inspection_sig and ips_inspection_compl.

Conditions:
During the upgrade of the device, there should not be a configuration error with a DB exception message.

Impact:
Some of the signatures and compliances will not load into the MCPD database tables ips_inspection_sig and ips_inspection_compl respectively.

Workaround:
Store the details of the signatures and compliances into the file and run the following command:

 "tmsh load sys config merge filename"

Fix:
No DB exception on the tables ips_inspection_sig and ips_inspection_compl.

Fixed Versions:
17.1.0


1098829 : Security vulnerabilities found in expat lib(used by iControlSoap) prior to version 2.4.8

Links to More Info: K19473898


1098009-1 : DAG context synchronization problem in high availability (HA) mirroring on VELOS platforms

Links to More Info: BT1098009

Component: TMOS

Symptoms:
There might be problems in DAG context synchronization in high availability (HA) mirroring on VELOS platform.

The problem can be observed as a long sequence of logs similar to:

notice SDAG CDP: Selected DAG state from primary PG 0 for CMP state 07 with clock 4622

Conditions:
-- An high availability (HA) pair is setup
-- The problem is currently known to manifest itself particularly for tenants with 3 blades.

Impact:
Traffic is disrupted when failover occurs.

Workaround:
-- The system should eventually heal itself after up to a few minutes
-- Force a high availability (HA) reconnect, for example by modifying sys db statemirror.clustermirroring to "within" then back to "between".

Fix:
Fixed DAG context synchronization problem in high availability (HA) mirroring on VELOS platforms.

Fixed Versions:
17.1.0, 15.1.8


1097853 : Session Tracking screen may be missing the scroll bar after saving the configuration

Component: Application Security Manager

Symptoms:
After pressing the Save button, the page may be refreshed without the ability to scroll down.

Conditions:
1. Go to Security ›› Application Security : Session Tracking screen.

2. Change the configuration, for example choose 'Use individual Login Pages' and move the login URL from available to Selected (under Session Tracking Configuration section).

3. Save.

Impact:
After the page is refreshed, the scroller may be not available.

Workaround:
Refresh the page again, and the scroll bar returns.

Fixed Versions:
17.1.0


1097821 : Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified

Links to More Info: BT1097821

Component: Access Policy Manager

Symptoms:
Creating an APM policy image file with source_path attribute fails.

Conditions:
APM provisioned

Impact:
You are unable to use the source_path attribute for creating APM customization image files.

Workaround:
Copy the image file to one of the directories of /var/config/rest/, /var/tmp/, /shared/tmp/ and use local_path instead of source_path.

E.g. create apm policy image-file test.jpg local-path /var/tmp/<file name>

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5


1097193 : Unable to SCP files using WinSCP or relative path name

Links to More Info: BT1097193

Component: TMOS

Symptoms:
When attempting to retrieve a file with WinSCP, you receive an error dialog and the session will be terminated:

"SCP Protocol error: Invalid control record (r; elative addresses not allowed)

Copying files from remote side failed."

If attempting to transfer a file by relative path with a command line utility the transfer will fail with the message:
"relative addresses not allowed"

Conditions:
-- Running BIG-IP version with fix for ID 915981
-- Using WinSCP set to use SCP protocol to retrieve files from a BIG-IP system.
-- Using a relative remote path to transfer a file with command line scp utility.

Impact:
No longer able to use WinSCP to retrieve files such as packet captures, log archives, or other diagnostic data from the BIG-IP system.

Workaround:
Use a command line SCP tool that allows specifying an absolute path for the source and/or destination file (a path that starts with a forward slash /), when the source and/or destination locations are a BIG-IP device.

If the user ID is permitted to do so, you may use WinSCP in SFTP mode.

Fixed Versions:
17.1.0, 16.1.3.1


1095989 : PEM behaviour on receiving CCA with result code: 4012 and FUA on the Gy interface

Links to More Info: BT1095989

Component: Policy Enforcement Manager

Symptoms:
PEM received Radius Acct req, and sent Both Gx Gy Interface CCR. When receiving Gy CCA Multi-Services-Credit-Control.Result-code:4012 (Diameter_Credit_Limit_Reached),Final-Unit-Action (Redirect) and "Redirect-Server-address" is NOT installed on the PEM session.

Conditions:
Session quota information is passed from OCS to PCEF on the Gy interface.

Impact:
The action specified in FUI does not get applied to the session. Quota management will not work properly for the session.

Fix:
For the case where the PEM receives a CCA with a result code:
4012 and FUI, added changes to install FUA on the session.

Fixed Versions:
17.1.0


1095217 : Peer unit incorrectly shows the pool status as unknown after merging the configuration

Links to More Info: BT1095217

Component: TMOS

Symptoms:
The peer unit incorrectly shows the state of pool members as "checking" after merging the configuration from the terminal.

Conditions:
This is encountered if 2 or more configurations are specified for an already configured pool on the peer device when using the "tmsh load sys config merge from-terminal" command.

For example:

Existing pool:

ltm pool http_pool {
  members {
    member1:http {
      address 10.82.243.131
      monitor http
    }
  }
}

tmsh load sys config merge from-terminal:

ltm pool http_pool {
  members none
}
ltm pool http_pool {
  members replace-all-with {
    member1:http {
      address 10.82.243.131
      monitor http
    }
  }
}

Impact:
Pool members are marked with a state of "Checking".

Workaround:
Define all object properties at once (in a single configuration block) instead of multiple times (in multiple configuration blocks) when merging the configuration from the terminal.

Fix:
Specifying the configuration for an LTM pool object multiple times when issuing the "tmsh load sys config merge from-terminal" command no longer causes LTM pool members to remain marked with a state of "Checking".

Fixed Versions:
17.1.0


1095185 : Failed Configuration Load on Secondary Slot After Device Group Sync

Links to More Info: BT1095185

Component: Application Security Manager

Symptoms:
Configuration synchronization fails on secondary slots after the primary slot receives a full sync from a peer in a device group.

Conditions:
Bladed chassis devices are configured in an ASM enabled device group

Impact:
Incorrect enforcement on secondary slots.

Workaround:
None

Fix:
Synchronization to secondary slots is successful.

Fixed Versions:
17.1.0


1095145 : Virtual server responding with ICMP unreachable after using /Common/service

Links to More Info: BT1095145

Component: SSL Orchestrator

Symptoms:
After adding /Common/service profile and removing it from the virtual server, the virtual server starts dropping traffic with ICMP unreachable.

This profile is normally only needed in SSLo deployments.

Conditions:
/Common/service was attached and removed from a virtual server.

Impact:
Traffic is dropped on a virtual server.

Workaround:
Restart TMM after making the configuration change.

Fixed Versions:
17.1.0


1095041 : ASM truncates cookies that contain a space in the name and TS cookie as part of cookie list.

Links to More Info: BT1095041

Component: Application Security Manager

Symptoms:
HTTP requests are truncated at the cookie and raise a violation.

Conditions:
-- Cookie list contains TS cookie
-- A cookie contains a space in the name
-- TS cookie stripping is enabled (db asm.strip_asm_cookies is set as true)

Impact:
Backend server does not receive a complete cookie.

Workaround:
Sys db asm.strip_asm_cookies is set as false.

Fixed Versions:
17.1.0


1093821 : TMM may behave unexpectedly while processing HTTP traffic

Links to More Info: K43881487, BT1093821


1093813 : DH Key Agreement vulnerability in APM server side components

Links to More Info: K83120834


1093621-6 : Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP

Links to More Info: K10347453


1093313 : CLIENTSSL_CLIENTCERT iRule event is not triggered for TLS1.3 when the client sends an empty certificate response

Links to More Info: BT1093313

Component: TMOS

Symptoms:
When an SSL client connects to the BIG-IP system using TLS 1.3 and sends an empty certificate, the CLIENTSSL_CLIENTCERT iRule event is not triggered.

Conditions:
-- Virtual server configured on BIG-IP with SSL and iRule added
-- Client authentication for client certificates is set to "request"
-- iRule relying on CLIENTSSL_CLIENTCERT
-- A client connects to BIG-IP using TLSv1.3 protocol without a certificate(empty certificate)

Impact:
CLIENTSSL_CLIENTCERT irules aren't triggered.

Workaround:
None

Fix:
CLIENTSSL_CLIENTCERT iRules are now triggered when an SSL client connects to BIG-IP with TLS1.3 and sends an empty certificate message.

Behavior Change:
CLIENTSSL_CLIENTCERT iRules are now triggered when an SSL client connects to BIG-IP with TLS1.3 and sends an empty certificate message.

Fixed Versions:
17.1.0


1093253 : CVE-2021-3999 Glibc Vulnerability

Links to More Info: K24207649


1093045 : CVE-2017-5225 - LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS

Component: TMOS

Symptoms:
LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value.

Conditions:
LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value.

Impact:
It can either lead to DOS or arbitrary code execution which will compromise the system security.

Workaround:
NA

Fix:
Heap buffer overflow in the library has been resolved.

Fixed Versions:
17.1.0


1092965 : Disabled "Illegal Base64 value" violation is detect for staged base64 parameter with attack signature in value

Component: Application Security Manager

Symptoms:
An "Illegal Base64 value" violation will be reported for a staged parameter even though Alarm/Blocking/Learning is disabled for this violation.

Conditions:
- A parameter has to be set to staging mode with base64 decoding.
- The Alarm/Blocking/Learning flags has to be disabled for the violation "Illegal Base64 value".
- The incoming request has to have the defined parameter in QS with an attack signature that is not base64 encoded in the parameter value.

Impact:
The violation "Illegal Base64 value" is reported.

Workaround:
None

Fix:
The violation "Illegal Base64 value" is not reported if Alarm/Blocking/Learning flags are disabled.

Fixed Versions:
17.1.0


1091761 : Mqtt_message memory leaks when iRules are used

Links to More Info: BT1091761

Component: Local Traffic Manager

Symptoms:
Mqtt_message memory leaks when iRules like insert_after, insert_before, and respond are used.

Conditions:
Basic mqtt virtual server with any of the below rules ->insert_after
>insert_before
>respond

Impact:
Memory leak occurs and TMM may crash

Workaround:
NA

Fix:
There is no longer a memory leak with iRules usage

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1


1091725 : Memory leak in IPsec

Links to More Info: BT1091725

Component: TMOS

Symptoms:
Slow memory growth of tmm over time.

This leak affects both the active and standby BIG-IPs.

Conditions:
IPsec is in use.

Security associations are being created or recreated.

Impact:
Over time, tmm may exhaust its memory causing a tmm crash.

Fix:
A leak in IPsec security association handling has been fixed.

Fixed Versions:
17.1.0


1091601 : Glibc vulnerabilities CVE-2022-23218, CVE-2022-23219

Component: TMOS

Symptoms:
For more details:
https://support.f5.com/csp/article/K52308021

Conditions:
For more details:
https://support.f5.com/csp/article/K52308021

Impact:
For more details:
https://support.f5.com/csp/article/K52308021

Workaround:
For more details:
https://support.f5.com/csp/article/K52308021

Fixed Versions:
17.1.0


1091565-5 : Gy CCR AVP:Requested-Service-Unit is misformatted/NULL

Links to More Info: BT1091565

Component: Policy Enforcement Manager

Symptoms:
Observed diameter protocol warning when Requested Service Unit(RSU) is empty for CCR-I and CCR-U requests.

Conditions:
If the 'Initial Quota' is EMPTY in policy under Policy Enforcement ›› Rating Groups, the BIG-IP system reports empty data in AVP: Requested-Service-Unit.

Impact:
In Wireshark, a protocol warning occurs.

Workaround:
None

Fix:
If the Initial PEM Quota values are EMPTY/0 We are updating the RSU values to Zero.

Fixed Versions:
17.1.0, 16.1.3.1


1091517 : CVE-2020-25704 Linux kernel Vulnerability

Links to More Info: K44994972


1091453 : libxml2 vulnerability CVE-2022-23308

Links to More Info: K32760744, BT1091453


1091345 : The /root/.bash_history file is not carried forward by default during installations.

Links to More Info: BT1091345

Component: TMOS

Symptoms:
By default, the /root/.bash_history file is not included in the UCS archives. As such, this file is not rolled forward during a software installation.

Conditions:
Performing a BIG-IP software installation.

Impact:
This issue may hinder the efforts of F5 Support should the need to determine what was done prior to a software installation arise.

Workaround:
None

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


1091249 : BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address.

Links to More Info: BT1091249

Component: Global Traffic Manager (DNS)

Symptoms:
As BIG-IP DNS and Link Controller systems connect with one another (or with monitored BIG-IP systems) over iQuery, you may notice:

-- Log messages that specify IPv6 translation addresses non-existent in your configuration and often meaningless (as in not pertaining to some of the more common IPv6 address spaces). For example:

debug gtmd[24229]: 011ae01e:7: Creating new socket to connect to 2001::1 (a06d:3d70:fd7f:0:109c:7000::)

-- If you restart the gtmd daemon, the IPv6 translation address mentioned above between parenthesis changes to a new, random meaningless value.

-- The GTM portion of the configuration fails to synchronize.

Conditions:
IPv6 translation addresses are in use in relevant objects.

Impact:
The logs are misleading and the GTM portion of the configuration may fail to synchronize.

Workaround:
If possible, do not use IPv6 translation addresses.

Fix:
IPv6 translation addresses now function as designed.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


1091185 : Issue with input normalization

Component: Application Security Manager

Symptoms:
Signatures may not be matched correctly with input normalization

Conditions:
N/A

Impact:
Signature is not matched.

Fix:
After fix - signature is correctly detected.

Fixed Versions:
17.1.0


1090649-5 : PEM errors when configuring IPv6 flow filter via GUI

Links to More Info: BT1090649

Component: Policy Enforcement Manager

Symptoms:
An error occurs while configuring an IPv6 flow filter using the GUI:
0107174e:3: The source address (::) and source netmask (0.0.0.0) addresses for pem flow info filter (filter0) must be be the same type (IPv4 or IPv6).

Conditions:
Configuring an IPv6 flow filter using the GUI

Impact:
You are unable to configure the IPv6 flow filter via the GUI

Workaround:
The error does not occur when using tmsh.

Fix:
Modified the IPv6 Validation. Able to create IPV6 flow filter after the fix

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1


1090569-3 : After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV

Links to More Info: BT1090569

Component: TMOS

Symptoms:
Some SSL handshakes are fail when using the CRL certificate validator and tmm crashes.

Conditions:
-- TLS virtual server
-- The virtual server passes network traffic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed a tmm crash related to the CRL certificate validator.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1


1090449 : IPsec: Turn down pfkey logging

Links to More Info: BT1090449

Component: TMOS

Symptoms:
A lot of pfkey messages are observed in the log file ipsec.log.

Conditions:
This occurs at the debug2 log level.

Impact:
Excessive pfkey messages are logged.

Workaround:
None

Fix:
Protected pfkey messages under ipsec.debug.pfkey.msg DB variable.

1. Set ipsec.debug.pfkey.msg value 1 --pfkey logging seen in ipsec.log file
2. Set ipsec.debug.pfkey.msg value 0 --pfkey logging not seen in ipsec.log file

Fixed Versions:
17.1.0


1090441 : IKEv2: Add algorithm info to SK_ logging

Links to More Info: BT1090441

Component: TMOS

Symptoms:
Shared key logs do not contain the authentication and encryption algorithm name

Conditions:
When sys-db "ipsec.debug.logsk" is enabled, the shared keys are logged for debugging purpose, but it does not contain the algorithm names.

Impact:
The encryption algorithm name is not included in the logs.

Workaround:
None

Fix:
Authentication and encryption algorithm name is added in shared key logs.

Fixed Versions:
17.1.0


1089921 : Vim vulnerability CVE-2022-0359

Links to More Info: K08827426


1089901 : Adding support to PVSCSI driver along with existing LSI driver

Component: TMOS

Symptoms:
The initramfs consists of a driver that support Legacy Fusion LSI, adding support for PVSCSI.

Conditions:
- VMware platforms.

Impact:
None

Workaround:
None

Fix:
Added support for PVSCSI driver in initramfs in which LSI driver is available.

Fixed Versions:
17.1.0


1089853 : "Virtual Server" or "Bot Defense Profile" links in Request Details are not working

Component: Application Security Manager

Symptoms:
Nothing happens when you click the link for "Virtual Server" or "Bot Defense Profile" in request details on "Security ›› Event Logs : Bot Defense : Bot
Requests" page.

Conditions:
1. Go to Security ›› Event Logs : Bot Defense : Bot
Requests" page and click a Bot Request for details.
2. If "Virtual Server" or "Bot Defense Profile" has a hyperlink, the link does not work.

Impact:
You cannot reach the related pages of Virtual Server or Bot Profile details

Workaround:
Right-click one of the links above - and choose to open it in a new tab or new window.

Fix:
Links are working.

Fixed Versions:
17.1.0


1089849-2 : NIST SP800-90B compliance

Links to More Info: BT1089849

Component: TMOS

Symptoms:
Common Criteria and FIPS 140-3 certifications require compliance with NIST SP800-90B; this completes that compliance.

Conditions:
This applies to systems requiring Common Criteria and/or FIPS 140-3 compliance.

Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be using a Common Criteria and/or FIPS 140-3 certified configuration.

Workaround:
None

Fix:
Apply this fix to ensure that the system is compliant with NIST SP800-90B.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3


1089829-5 : PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers

Links to More Info: BT1089829

Component: Policy Enforcement Manager

Symptoms:
SIGSEGV tmm cores with back trace in PEM area.
"pem_sessiondump --list" command will show session with custom attribute name as empty/NULL.

Conditions:
Setting pem session custom attribute value with length more than (1024- attribute name length).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
In the iRule, make sure the custom attribute value size + custom attribute name length is not more than 1024.

Fix:
Adding restriction, allowed custom attribute value size + custom attribute name length should be less than 1024.

Fixed Versions:
17.1.0


1089729 : CVE-2021-3715 kernel: use-after-free in route4_change() in net/sched/cls_route.c

Component: TMOS

Symptoms:
A flaw was found in the "Routing decision" classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition. This flaw allows unprivileged local users to escalate their privileges on the system.

Conditions:
The vulnerable module cls_route does present in our system but it is not built into the kernel in the default configuration of BIG-IP.

Impact:
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Workaround:
NA

Fixed Versions:
17.1.0


1089345 : BD crash when mcp is down, usually on startups

Component: Application Security Manager

Symptoms:
Bd crashes during system start-up when MCP is down for some reason, usually an mcpd crash.

bd.log contains the following log message:
Failed to connect to mcpd, sleep 5 secs and try to re-connect

Conditions:
Mcpd crashed or down.

Impact:
System fails to start, it may successfully start after the crash happened or maybe several such crashes will happen.

Workaround:
Restarting the BIG-IP system usually helps. Determine why mcpd does not work.

Fix:
Prevent a possible crash when bd exits due mcp not available.

Fixed Versions:
17.1.0


1089233 : CVE-2022-0492 Linux kernel vulnerability

Links to More Info: K54724312


1089225 : Polkit pkexec vulnerability CVE-2021-4034

Component: TMOS

Symptoms:
For more information see:
https://support.f5.com/csp/article/K46015513

Conditions:
For more information see:
https://support.f5.com/csp/article/K46015513

Impact:
For more information see:
https://support.f5.com/csp/article/K46015513

Workaround:
For more information see:
https://support.f5.com/csp/article/K46015513

Fix:
For more information see:
https://support.f5.com/csp/article/K46015513

Fixed Versions:
17.1.0, 15.1.8


1089101 : Apply Access Policy notification in UI after auto discovery

Links to More Info: BT1089101

Component: Access Policy Manager

Symptoms:
"apply access policy notification" pops up in GUI

Conditions:
1. OAuth auto discovery is enabled for OAuth provider
2. The relevant access policy has macros in it.

Impact:
Traffic may fail until "apply access policy" is clicked manually

Workaround:
Access policy can be modified to not have macros in it.

Fixed Versions:
17.1.0


1088429-1 : Kernel slab memory leak

Links to More Info: BT1088429

Component: TMOS

Symptoms:
The Linux kernel unreclaimable slab leaks kmalloc-64 (64 byte) allocations due to an issue with ext4 filesystem code.

The kmalloc-64 leaks occur when specific operations are executed on ext4 filesystems, such as copy of file with extended attribute preservation.

Red Hat have documented the issue, refer to the links below.
Note: Red Hat account with appropriate access are required to view these pages.

Posix ACL object is leaked in setattr and fsetxattr syscalls
https://access.redhat.com/solutions/4967981.

This issue is tracked by Red Hat as bug 1543020
https://bugzilla.redhat.com/show_bug.cgi?id=1543020.

Conditions:
This usually happens a small amount, such as 100MB over a year on most systems.

On some systems memory use can grow much faster and the precise file manipulations that might do this are not known at this time.

Impact:
Kernel unreclaimable slab memory grows over time. This will be growth of what F5 term host memory, and will appear as increased other and/or swap memory on memory graphs.

Usually the amount leaked is quite small and has no impact.

If large enough this may leave system with too little host memory and trigger typical out of memory symptoms such as:
  
  - sluggish management by TMUI (GUI) and CLI shell
  - possible invocation of oom-killer by kernel leading to termination of a process
  - if severe, the system may thrash and become unstable, leading to cores and possibly reboot.

The amount of slab usage can be tracked with the following commands executed from the advanced shell (bash).

# cat /proc/meminfo | grep ^SUnreclaim
SUnreclaim: 46364 kB

The precise use of slab memory by component can be viewed using:

/bin/slabtop --once

Note: This includes both reclaimable and unreclaimable slab use. High reclaimable slab is usually not a concern because as host memory gets filled it can be freed (reclaimed).
Look for the amount of memory in use by kmalloc-64. There will be some use even without the leak documented here. The amount can be compared with free or easily freeable host memory, a good estimate of which is given by the following command:

 # cat /proc/meminfo | grep ^MemAvailable
MemAvailable: 970852 kB

Workaround:
None

Fix:
Linux kernel ext4 filesystem module memory leak fixed.

Fixed Versions:
17.1.0


1088389-4 : Admin to define the AD Query/LDAP Query page-size globally

Links to More Info: BT1088389

Component: Access Policy Manager

Symptoms:
The page-size is fixed value in LDAP and AD query.

Earlier the value was 1000 and later increased to 2048, after the increase in the value the session got failed as the AD Servers are configured with lesser value.

Require a configurable page-size.

Conditions:
As the latest page-size value is 2048 the AD Query/LDAP Query with the same may have problem with the AD server whose configured/supported value is 1000 which is lower than 2048.

Impact:
AD/LDAP may fail due to the page-size issue.

Workaround:
None

Fix:
A global setting for the page-size for AD/LDAP Query is available.

Fixed Versions:
17.1.0


1088173-4 : With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile

Links to More Info: BT1088173

Component: Local Traffic Manager

Symptoms:
Log files indicate that the client certificate is retained when it should not be.

Conditions:
Enable TLS 1.3 and disable retain-certificate parameter in SSL profile

Impact:
Storage of client certificates will increase memory utilization.

Workaround:
None

Fixed Versions:
17.1.0, 15.1.7


1088049-1 : The fix for ID841469 became broken in the 15.1.x branch for some platforms.

Links to More Info: BT1088049

Component: Local Traffic Manager

Symptoms:
The feature/enhancement introduced by and discussed in https://cdn.f5.com/product/bugtracker/ID841469.html became broken in some BIG-IP 15.1.x versions.

The fix works correctly in BIG-IP versions 15.1.2.1, 15.1.3, and 15.1.3.1. However, the fix is broken in BIG-IP versions 15.1.4, 15.1.4.1, 15.1.5, and 15.1.5.1.

Conditions:
All VIPRION chassis are affected. VELOS chassis are not affected.

Impact:
An upstream load-balancer monitoring and directing traffic to a group of standalone VIPRION chassis may not stop sending traffic to a particular VIPRION system after this suffers an internal interface failure. As a result, some application traffic may fail.

For more information, refer to the bugtracker link in the Symptoms section.

Workaround:
None

Fixed Versions:
17.1.0, 15.1.6.1


1088037-1 : VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers

Links to More Info: BT1088037

Component: TMOS

Symptoms:
The VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers.
Use `tmsh list/modify net vlan vlan-XYZ dag-adjustment` to view or change the settings.
The recommended and default setting is xor-5mid-xor-5low.

Conditions:
- only even port numbers are used (usually by a Linux client)

Impact:
- only even TMM threads are processing traffic

Workaround:
None

Fix:
VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers. Traffic should be distributed evenly between all TMM threads.

Behavior Change:
VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers. Traffic should be distributed evenly between all TMM threads.

Fixed Versions:
17.1.0, 15.1.8


1087621 : IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload

Links to More Info: BT1087621

Component: TMOS

Symptoms:
The tunnel stops working after initially starting with no problem.

The BIG-IP will send a bad KE (Key Exchange) Payload when rekeying the IKE SA with ECP.

Conditions:
-- IKEv2
-- ECP PFS
-- Peer attempts to re-key IKE SA (CREATE_CHILD SA) over existing IKE SA.

Impact:
IPsec tunnels stop working for periods of time.

Workaround:
Do not use ECP for PFS.

Fix:
ECP will work correctly when rekeying.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1


1087469 : iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate.

Links to More Info: BT1087469

Component: Local Traffic Manager

Symptoms:
When an SSL client connects to BIG-IP system and sends an empty certificate, the CLIENTSSL_CLIENTCERT is not triggered for iRules.

Conditions:
- Virtual server configured on BIG-IP with a clientssl profile
- Client authentication on the virtual server is set to "request"
- iRule relying on CLIENTSSL_CLIENTCERT
- A client connects to BIG-IP using an empty certificate

Impact:
CLIENTSSL_CLIENTCERT irules aren't triggered.

Workaround:
None

Fix:
CLIENTSSL_CLIENTCERT irules are now triggered when receiving empty certificates.

Fixed Versions:
17.1.0, 16.1.3.1, 15.1.6.1


1087217 : TMM crash as part of the fix made for ID912209

Links to More Info: BT1087217

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
BIG-IP versions 16.1.0 or later which includes the fix of ID912209.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.1.0, 16.1.3.1


1086517 : TMM may not properly exit hardware SYN cookie mode

Links to More Info: BT1086517

Component: TMOS

Symptoms:
Due to a race condition, when one TMM exits SYN cookie mode, another may immediately re-enter hardware SYN cookie mode, keeping the virtual server in SYN cookie mode and the mitigation offloaded to hardware. The SYN cookie status of the virtual server is not properly updated and will show 'not-activated'.

Conditions:
Hardware SYN cookie protection is enabled and SYN cookie mode is triggered.

Impact:
A virtual server that once entered hardware SYN cookie mode may remain in that state indefinitely. The reduced MSS size may affect performance of that virtual server.

Workaround:
Disable hardware SYN cookie either locally via the TCP or FastL4 profile, or globally by the PvaSynCookies.Enabled BigDB variable. Software SYN cookie mode is unaffected.

Fix:
The race condition is eliminated, virtual servers properly exit hardware SYN cookie mode.

Fixed Versions:
17.1.0, 15.1.6.1


1086389 : BIG-IP r4k and r2k series based systems shows has_pva flag true though they cannot support

Component: TMOS

Symptoms:
The BIG-IP r4k and r2k series-based systems cannot support ePVA feature by design. But there are flags related to ePVA, like `has_pva` and `pva_version` which are wrongly shown when ran query with `guishell` app for `platform`.

Issue:
=======
# guishell -c 'select has_pva,pva_version from platform'


-------------------------
| HAS_PVA | PVA_VERSION |
-------------------------
| true | 0 |
-------------------------
1 row 0.115s (mcpd: 0.003s, mcpj: 0.006s, hsql: 0.091s, conn: 0.005s, format: 0.007s)
              (rcv: 0Kb, 0.003s, snd: 38b, 0.000s)

[root@localhost:NO LICENSE:Standalone] config #

Conditions:
The ePVA feature flags, `has_pva` and `pva_version` in guishell are not correct on BIG-IP r4k and r2k systems as they cannot support this feature with this release.

Impact:
Though the values for these ePVA fields are misleading it has no impact on the functionality as the underlying NIC Card used is Intel NIC card which cannot support ePVA feature on BIG-IP r4k and r2k systems.

So, there is no impact on the functionality as ePVA not possible on r4k and r2k.

Workaround:
None

Fix:
The ePVA feature cannot be possible on BIG-IP r4k and r2k systems. So, no probable fix can be provided.

Fixed Versions:
17.1.0


1086293-2 : Untrusted search path vulnerability in APM Windows Client installer processes

Links to More Info: K76964818


1086289-2 : BIG-IP Edge Client for Windows vulnerability CVE-2023-22358

Links to More Info: K76964818


1085837 : Virtual server may not exit from hardware SYN cookie mode

Links to More Info: BT1085837

Component: TMOS

Symptoms:
Once a virtual server enters hardware SYN cookie mode it may not exit until a TMM restart.

Conditions:
-- On B2250 and B4450 platforms.
-- A condition triggers SYN cookie mode and then goes back to normal.

Impact:
-- Virtual servers in hardware SYN cookie mode do not receive TCP SYN packets.
-- The limited number of possible TCP MSS values may have a light performance impact.

Workaround:
Disable hardware SYN cookie mode on the affected objects.

Fix:
Virtual servers properly exit hardware SYN cookie mode.

Fixed Versions:
17.1.0, 15.1.6.1


1085805 : UCS restore with SSL Orchestrator deployed fails due to multiple iFiles and incorrect iFile reference.

Component: TMOS

Symptoms:
The UCS restore process with SSL Orchestrator deployment fails due to multiple iFiles. This happens because the UCS restore process does not clean up the existing iFile belonging to SSL Orchestrator. On restore, the BIG-IP system contains two iFiles, one created as a part of the UCS and the other existing iFile belonging to SSL Orchestrator.

Additionally, the path in the rest storage referencing the iFile object does not get updated.

In the bigip.conf, the iFile version does not point to the iFile that is restored as part of the UCS restore process.

To check the reference in restDB use the following https://<<MGMT-IP>>/mgmt/tm/sys/file/ifile/~Common~ssloF_global.app~SSL OrchestratoriFile?options=-hidden.

A new bug was created (ID 1185001) for the iFile reference issue in bigip.conf file. The issue is caused by save/sys/config call triggered from SSL Orchestrator code base.

Conditions:
-- UCS contains SSL Orchestrator deployment
-- iFile version number in the UCS and on the BIG-IP before restoring the UCS is different.
-- Multiple iFile which belongs to SSL Orchestrator after restore. This can be verified by executing the below command on the box
ll /config/filestore/files_d/Common_d/ifile_d/ | grep SSL Orchestrator

Impact:
-- Error in the SSL Orchestrator UI.
-- You are unable to make changes through the SSL Orchestrator UI.

Workaround:
Mitigation depends on the user state.

State 1: when you know that a restore will cause multiple iFile creation, use the following.

Before restoring the UCS file, perform the following steps:

a) Delete the iFile object using the following command. Do not create any configuration using SSL Orchestrator UI after deleting the iFile.

tmsh delete sys application service ssloF_global.app/ssloF_global

b) Restore the UCS.


State 2: when you already tried the UCS restore and it is in an error state, use the following

a) On UCS restore when the system is in an error state, use the following command to verify multiple files:
ll /config/filestore/files_d/Common_d/ifile_d/ | grep SSL Orchestrator

b) Use the following commands, to delete the multiple iFiles:
tmsh delete sys application service ssloF_global.app/ssloF_global

rm -fr /config/filestore/files_d/Common_d/ifile_d/\:Common\:ssloF_global.app\:SSL OrchestratoriFile_*

c) Restore the UCS

Fixed Versions:
17.1.0


1085729 : bd may crash while processing specific request

Links to More Info: K47204506, BT1085729


1085597 : IKEv1 IPsec peer cannot be created in config utility (web UI)

Links to More Info: BT1085597

Component: TMOS

Symptoms:
It is not possible to configure an IKE peer using the web UI.

Conditions:
-- Configuring an IKEv1 peer
-- Using the configuration utility (web UI)

Impact:
Configuration cannot be created.

Workaround:
Use the tmsh shell to create the ike-peer config.

Fix:
IKEv1 peer config can be created using the config utility.

Fixed Versions:
17.1.0


1085377 : BIND9 upgrade from version 9.11 to 9.16

Component: Global Traffic Manager (DNS)

Symptoms:
BIND 9.11 reached End of Life (EoL) at the end of March 2022, and needs to be updated.

Conditions:
Usage of BIND 9.11 which has reached EoL.

Impact:
BIND 9.11 has reached EoL and does not receive security updates.

Workaround:
None

Fix:
Upgraded the BIND version from 9.11.36 to 9.16.33.

Fixed Versions:
17.1.0


1084993-1 : [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching

Links to More Info: BT1084993

Component: Policy Enforcement Manager

Symptoms:
E2e id and h2h id in Re-Authorisation Answer from PEM to OCS is not matching with Re-Authorisation Request from OCS to PEM.

Conditions:
Diameter-endpoint configuration. PCEF(PEM) communicating over gy interface with OCS for quota information.

Impact:
OCS will not be able to determine for which RAR it got RAA. This is catastrophic for billing.

Workaround:
None

Fix:
There was conversion issue in PEM, fixed it.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


1084953-1 : CPU usage increase observed in some Ramcache::HTTP tests on BIG-IP Virtual Edition

Links to More Info: BT1084953

Component: Local Traffic Manager

Symptoms:
Increase in CPU usage by 7.3% observed for Ramcache::HTTP tests.

Conditions:
- BIG-IP Virtual Edition
- VMWARE 40G NIC SR-IOV with 8 vCPUs unpacked 16GB
- 16KB file size with 1 Request Per Connection
- 16KB file size with 100 Requests Per Connection
- 512KB file size with 1 Request Per Connection
- 512KB file size with 100 Requests Per Connection

Virtual server with the following profiles -
1. http
2. tcp profile with nagle disabled
3. web acceleration profile with following attributes -
   - cache-max-age 36000
   - cache-object-max-size 1500001
   - cache-object-min-size 1

Impact:
Response delay or failure in connectivity on client side especially during peak traffic flow due to increased CPU usage.

Workaround:
None.

Fix:
The Virtual Edition network driver now processes traffic more efficiently as expected.

Fixed Versions:
17.1.0, 15.1.6


1084873-2 : Packets are dropped when a masquerade MAC is on a shared VLAN

Links to More Info: BT1084873

Component: TMOS

Symptoms:
Packets are dropped when a masquerade MAC is on a shared VLAN.

Conditions:
- A masquerade MAC is on a shared VLAN.
- Traffic is initiated, i.e. ping a self-ip.
- Packets are lost.

Impact:
Connectivity issues.

Workaround:
Configure a static fdb entry.

Fix:
Packets are no longer dropped when a masquerade MAC is on a shared VLAN.

Fixed Versions:
17.1.0, 15.1.6.1


1084781 : Resource Admin permission modification

Component: TMOS

Symptoms:
A user with the Resource Admin role may have incorrect permissions.

Conditions:
A user with Resource Admin role.

Impact:
Undisclosed

Workaround:
None

Fix:
Resource Admin permissions are matched to expected behavior.

Fixed Versions:
17.1.0


1084673 : GTM Monitor "require M from N" status change log message does not print pool name

Links to More Info: BT1084673

Component: Global Traffic Manager (DNS)

Symptoms:
The number of probes that are succeeding is changing in between different windows in which the "N" number of probes were sent.

Conditions:
- GTM/DNS is provisioned
- A "require M from N" monitor rule is assigned to a gtm pool or an individual gtm pool member.

Impact:
The log written to provide information on the changing number of successful probes does not contain information about the pool member.

Workaround:
None

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


1084257 : New HTTP RFC Compliance check for incorrect newline separators in headers

Component: Application Security Manager

Symptoms:
ASM is not enforcing incoming HTTP requests headers ending with LF('\n')

Conditions:
Any HTTP request with LF('\n') as the only header separator will pass ASM without enforcement

Impact:
Invalid requests according to RFC might pass through ASM enforcement

Fix:
HTTP requests with LF('\n') as the only header separator are enforced, and "Unparsable request content" is reported

Fixed Versions:
17.1.0, 17.0.0.1, 15.1.7


1084213-1 : [rseries]: VLAN member not restored post loading default configuration in BIG-IP tenant

Links to More Info: BT1084213

Component: TMOS

Symptoms:
On a BIG-IP tenant running on a rSeries (r4x00 or r2x00) platform, VLAN members are not restored when the default configuration is restored.

Conditions:
--- One ore more tenants running on a rSeries (r4x00 or r2x00) platforms.
--- Loading default configuration removes the VLAN member.

Impact:
Loading the default configuration removes VLAN members which blocks traffic.

Workaround:
Below steps are to restore the VLAN members after loading the default configuration.

1. Login to confd on the platform.
2. Detach the VLANs from the interfaces.
3. Re-attach the VLANs to interfaces.
4. VLAN members shall be created in the BIG-IP tenant.

Fixed Versions:
17.1.0, 15.1.6.1


1084013 : TMM does not follow TCP best practices

Links to More Info: K52494562, BT1084013


1083913 : Missing error check in ICAP handling

Links to More Info: BT1083913

Component: Application Security Manager

Symptoms:
Bd crashes.

Conditions:
Asm policy is configured for ICAP integration

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fixed Versions:
17.1.0, 16.1.3.1, 15.1.6.1, 14.1.5.1


1083537-2 : FIPS 140-3 Certification

Links to More Info: BT1083537

Component: TMOS

Symptoms:
For FIPS 140-3 Certification

Conditions:
This applies to systems requiring FIPS 140-3 Certification.

Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be running a FIPS 140-3 certified configuration.

Workaround:
None

Fix:
Apply this fix to ensure that the system is compliant with FIPS 140-3 Certification.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.2.2


1082941 : System account hardening

Component: TMOS

Symptoms:
System accounts are used by various processes to access resources on the BIG-IP.

Note: Only user accounts with root privileges are allowed bash access to the BIG-IP.

Conditions:
N/A

Impact:
Security best practices are not followed.

Fix:
Security best practices are now followed.

Fixed Versions:
17.1.0


1082581-4 : Apmd sees large memory growth due to CRLDP Cache handling

Links to More Info: BT1082581

Component: Access Policy Manager

Symptoms:
Apmd memory keeps growing slowly over time and finally oom killer kills apmd.

Conditions:
Access policy has the crldp auth agent configured.

Impact:
Apmd killed by oom-killer thereby impacting traffic

Workaround:
None

Fixed Versions:
17.1.0, 14.1.5.3


1082505-2 : TLS ciphersuites including RSA-KEX are non-approved ciphers for FIPS 140-3 certification

Links to More Info: BT1082505

Component: Local Traffic Manager

Symptoms:
TLS ciphersuites including RSA KEX are non-approved ciphers as per FIPS 140-3 certification standard

Conditions:
- BIG-IP versions 16.1.3 and above
- FIPS 140-3 license is installed on BIG-IP or its a FullBoxFIPS device.
- f5-fips cipher-group is associated with SSL profiles
- Connections are established using the RSA-KEX based ciphers

Impact:
SSL handshake will not be successful.

Workaround:
Create a custom cipher-group including all the required cipher strings and associate with the SSL profiles.

Fix:
For FIPS 140-3 certification, TLS ciphersuites including RSA-KEX are reported as non-approved ciphers in fips mode, also these cipher strings have been removed from the f5-fips cipher group.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3


1082461 : The enforcer cores during a call to 'ASM::raise' from an active iRule

Links to More Info: BT1082461

Component: Application Security Manager

Symptoms:
In the case of 'ASM::raise' call execution from an iRule that contains a list length greater than 100, the enforcer (bd) will core.

Conditions:
A call to 'ASM::raise' with a list length greater than 100 from an iRule.

Impact:
Traffic disrupted while bd restarts.

Workaround:
While constructing the iRule, make sure that the list passed into 'ASM::raise' contains fewer than 100 elements.

Fix:
Fixed an enforcer core.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1


1082225 : Tmm may core while Adding/modifying traffic-class attached to a virtual server.

Links to More Info: BT1082225

Component: Local Traffic Manager

Symptoms:
Tmm may core with 'tmm SIGSEGV' while performing addition/updating of traffic class attached to a virtual server.

Conditions:
-- Some Traffic classes have been removed from the virtual server.
-- A new traffic class is attached to the virtual server, or modification of the existing traffic class is triggered.

Impact:
Traffic disrupted while tmm restarts.
The traffic class might not be applied as expected.

Workaround:
None

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1


1081733 : Bot Defense endpoint match debug log is not available for mobile requests in Advanced service level

Links to More Info: BT1081733

Component: Bot Defense

Symptoms:
Bot Defense endpoint match debug log is not available for mobile requests in Advanced service level.

Conditions:
- Configure Bot Defense profile with service level set to Advanced/Premium, Log level set to Debug, and Mobile endpoint configured.

Impact:
The endpoint match debug log is not available, unable to debug the Bot Defense profile errors.

Workaround:
None

Fix:
Endpoint match debug log is available for mobile.

Fixed Versions:
17.1.0


1081649 : Remove the "F5 iApps and Resources" link from the iApps->Package Management

Links to More Info: BT1081649

Component: TMOS

Symptoms:
The "F5 iApps and Resources" is being removed.

Conditions:
NA

Impact:
iApp page shows "F5"

Workaround:
None

Fixed Versions:
17.1.0


1081641-1 : Remove Hyperlink to Legal Statement from Login Page

Links to More Info: BT1081641

Component: TMOS

Symptoms:
The hyperlink to the legal statement should be removed from the login page.

Conditions:
This appears on the login page of OEM-branded BIG-IP systems.

Impact:
The OEM GUI shows the F5 logo/info.

Workaround:
None

Fixed Versions:
17.1.0


1080613 : LU configurations revert to default and installations roll back to genesis files

Links to More Info: BT1080613

Component: Application Security Manager

Symptoms:
The LiveUpdate configurations, such as 'Installation of Automatically Downloaded Updates', and the update installation history disappears and reverts to default, and the installations roll back to genesis files.

Conditions:
This occurs during the first tomcat restart, after upgrading to the versions that have the fix for ID907025.

Impact:
The LiveUpdate configuration and the installation history are reverted to the default.

Workaround:
Https://support.f5.com/csp/article/K53970412

Fix:
N/A

Fixed Versions:
17.1.0


1080569 : BIG-IP prematurely closes clientside HTTP1.1 connection when serverside is HTTP2 and HTTP MRF router is enabled on virtual server

Component: Local Traffic Manager

Symptoms:
When clientside is using HTTP1.1, serverside is using HTTP2 and two HTTP GET requests are sent by the client, BIG-IP completes the first HTTP transaction and sends a FIN, even though HTTP keepalive should be enabled.

Conditions:
-- HTTP2 full proxy is configured i.e. http profile, http2 profile and MRF router is enabled. As per https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-http2-full-proxy-configuration-14-1-0/http2-full-proxy-configuring.html

-- clientside uses HTTP1.1.
-- serverside uses HTTP2.
-- Two subsequent GET requests are sent by the client.

Impact:
Premature TCP connection termination on the clientside.

Workaround:
Disable the MRF router (httprouter).
The drawback is that serverside will always use HTTP1.1 in this case and it might be undesirable if you want to leverage HTTP2.

Fixed Versions:
17.1.0


1080317 : Hostname is getting truncated on some logs that are sourced from TMM

Links to More Info: BT1080317

Component: TMOS

Symptoms:
Hostnames in the APM, IPSEC, SAAS, FW_LOG logs that are sourced from TMM are truncated.

Conditions:
The truncation occurs when the hostname contains a period (for example "my.hostname").

Impact:
Some logs contain truncated hostnames and some contain full hostnames. The inconsistent hostnames degrade the readability and therefore the usefulness of the logs.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1


1080297 : ZebOS does not show 'log syslog' in the running configuration, or store it in the startup configuration

Links to More Info: BT1080297

Component: TMOS

Symptoms:
ZebOS does not show the 'log syslog' or 'no log syslog' in the running configuration, nor is it saved to the startup configuration.

There is no way to verify if the 'log syslog' is configured or not by checking the configuration.

Conditions:
-- Under Configure log syslog.
-- Check the show running-config.

Impact:
There is no way to verify if the 'log syslog' is configured or not by checking the configuration.

Workaround:
If logging to syslog is not desired, it must be re-disabled every time the ZebOS daemons are started, using 'no log syslog'.

Fixed Versions:
17.1.0


1079441 : APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries

Links to More Info: BT1079441

Component: Access Policy Manager

Symptoms:
APMD memory can grow over a period of time

Conditions:
-- A BIG-IP system with the patched cyrus-sasl/krb5 libraries

Impact:
APMD memory can grow over a period of time

Workaround:
None

Fixed Versions:
17.1.0


1079053 : SSH Proxy feature is not working in FIPS Licensed platforms

Links to More Info: BT1079053

Component: Advanced Firewall Manager

Symptoms:
AFM SSH is not working when FIPS license is enabled.

Conditions:
When you configure AFM SSH Proxy and enable FIPS License.

Impact:
AFM SSH-related features such as, SCP and SFTP cannot be used.

Workaround:
NA

Fix:
FIPS-related keys support is added in the latest version of libssh that is, v0.9.6.

Fixed Versions:
17.1.0


1078765 : Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer.

Links to More Info: BT1078765

Component: Application Security Manager

Symptoms:
A BD core may occur due to enforcement of 200004390 200004389 signatures with the combination of Arcsight remote logger enabled.

Conditions:
The request must contain 200004390 200004389 signatures with the combination of Arcsight remote logger attached to the virtual server.

Impact:
The enforcer may crash.

Workaround:
Disable 200004390 200004389 signatures.

Fix:
200004390 200004389 are now signatures enforced successfully.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


1078109 : When Subject Alternative Field is empty while creating an SSL certificate, a caution should be displayed

Component: Local Traffic Manager

Symptoms:
When a new SSL certificate is created on BIG-IP, if only the Common Name field is filled and the Subject Alternative Name field is blank, by default, the resulting certificate has only Common Name field.

Conditions:
- Creating an SSL certificate using GUI or TMSH.

Impact:
The SSL certificate is created without any error but most browsers and OS started using the Subject Alternative Name field instead of Common Name and expect the Subject Alternative Name field must be available in the certificate.

Workaround:
None

Fix:
An interactive caution is now displayed that the Subject Alternative Name is empty.
An appropriate choice can be selected based on the need for Subject Alternative Name.

Fixed Versions:
17.1.0


1077553 : Traffic matches the wrong virtual server after modifying the port matching configuration

Links to More Info: BT1077553

Component: Local Traffic Manager

Symptoms:
Traffic matches the wrong virtual server.

Conditions:
A virtual server configured to match any port is modified to matching a specific port. Alternatively, a virtual server matching a specific port is modified to match any port.

Impact:
Traffic may be directed to the wrong backend server.

Workaround:
Restart the TMM after the config change.

Fixed Versions:
17.1.0


1077405 : Ephemeral pool members may not be created with autopopulate enabled.

Links to More Info: BT1077405

Component: TMOS

Symptoms:
Ephemeral pool members might not be added to a pool with an FQDN pool member "autopopulate enabled".

When this issue occurs:

-- Some or all of the expected Ephemeral Pool Members will not be created for the affected pool.

-- A message will be logged in the LTM log similar to the following:

err mcpd[####]: 01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (/Common/_auto_<IP address>) has autopopulate set to disabled.

(Note that the node name here is an Ephemeral Node.)

Also note that if you attempt to create an FQDN Pool Member with autopopulate enabled while the corresponding FQDN Node has autopopulate disabled, you will see a similar error message:
01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (/Common/fred) has autopopulate set to disabled.

Conditions:
This issue can occur under the following conditions:

-- Two or more FQDN Nodes have FQDN names that resolve to the same IP address(es).
  -- That is, some Ephemeral Nodes have addresses resolved by more than one FQDN name defined in FQDN Nodes.

-- At least one of these FQDN Nodes has "autopopulate enabled."

-- At least one of these FQDN Nodes does not have "autopopulate enabled."
  -- That is, autopopulate is disabled for one or more of these FQDN Nodes.

-- The FQDN Pool Member(s) in the affected pool(s) has "autopopulate enabled."

Impact:
The affected LTM pool(s) are not populated with expected (or any) ephemeral pool members.

Workaround:
To allow some LTM pools to use FQDN pool members with autopopulate enabled (allowing multiple ephemeral pool members to be created) while other LTM pools use FQDN pool members with autopopulate (allowing only one ephemeral pool member to be created), configure the following:

-- Create all FQDN Nodes with FQDN names that might resolve to a common/overlapping set of IP addresses with "autopopulate enabled".

-- Create FQDN Pool Members with autopopulate enabled or disabled depending on the desired membership for each pool.

Fix:
Ephemeral pool members can now be successfully added to LTM pools regardless of the autopopulate configuration of the respective FQDN pool member.

Fixed Versions:
17.1.0


1077301 : CVE-2021-23133 kernel: Race condition in sctp_destroy_sock list_del

Links to More Info: K67416037, BT1077301


1077281 : Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages

Links to More Info: BT1077281

Component: Application Security Manager

Symptoms:
When a policy contains an individual login page in session tracking, the exported xml policy fails to be imported back due to error “Malformed XML: Could not resolve foreign key dependence”.

Conditions:
The policy contains an individual login page in session tracking and the policy is exported in xml format

Impact:
Import the policy fails with an error: "Could not resolve foreign key dependence”.

Workaround:
This occurs when using XML format only, so you can use binary export/import

Fix:
XML export/import now will work also if policy contains an individual login page in session tracking

Fixed Versions:
17.1.0, 16.1.2.2, 15.1.6.1


1076909 : Syslog-ng truncates the hostname at the first period.

Links to More Info: BT1076909

Component: TMOS

Symptoms:
Messages that are logged to journald use the configured hostname, while sylog-ng uses the hostname (machine name) and truncates it starting at the first '.' (period). This results in hostnames being inconsistent when it contains '.'; e.g., 'my.hostname' is logged as 'my' by syslog-ng, and 'my.hostname' by journald. This can make it difficult for log analysis tools to work with the log files.

Conditions:
-- Hostname contains a period.
-- Viewing log files emitted from journald and from syslog-ng.

Impact:
The full hostname is logged for system logs while logs that go directly to syslog-ng use a truncated hostname.

Workaround:
None

Fixed Versions:
17.1.0


1076897 : OSPF default-information originate command options not working properly

Links to More Info: BT1076897

Component: TMOS

Symptoms:
OSPF default-information originate command options are not working properly.

Conditions:
Using OSPF default-information originate with metric/metric-type options.

Impact:
Incorrect route advertisement.

Workaround:
None

Fixed Versions:
17.1.0


1076805-1 : Tmm crash SIGSEGV

Links to More Info: BT1076805

Component: Local Traffic Manager

Symptoms:
Tmm crash with SIGSEGV

Conditions:
Unknown

Impact:
Traffic disrupted while tmm restarts.

Fixed Versions:
17.1.0, 15.1.8


1076785-4 : Virtual server may not properly exit from hardware SYN Cookie mode

Links to More Info: BT1076785

Component: TMOS

Symptoms:
Virtual servers do not exit hardware SYN Cookie mode even after the SYN flood attack stops. The TMSH 'show ltm virtual' output shows 'full hardware' mode.

Conditions:
Selected HSB platforms where TMM is attached to multiple HSB modules. This depends on platform, BIG-IP version and selected Turboflex profile where applicable.

Impact:
The affected virtual server would not receive the TCP SYN packets until a TMM restart. The limited range of MSS values in SYN Cookie mode may slightly affect performance.

Workaround:
Disable hardware SYN Cookie mode on all virtual servers.

Fix:
Virtual server is now fully exits hardware SYN Cookie mode once a SYN flood attack stops.

Fixed Versions:
17.1.0, 15.1.5.1


1076577 : iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg'

Links to More Info: BT1076577

Component: Local Traffic Manager

Symptoms:
The 'connect' iRule command fails to resume, causing processing of traffic to halt due to 'irule_scope_msg', which causes iRule processing to proceed in a way that 'connect' does not expect.

Conditions:
- iRule using 'connect' command
- Diameter/Generic-message 'irule_scope_msg' enabled

Impact:
Traffic processing halts (no crash)

Fixed Versions:
17.1.0, 15.1.7


1075905-2 : TCP connections may fail when hardware SYN Cookie is active

Links to More Info: BT1075905

Component: TMOS

Symptoms:
When an object is in hardware SYN Cookie mode, some of the valid connections are also rejected with "No flow found for ACK" reset cause.

Conditions:
VELOS and rSeries platforms.

Impact:
Service degradation.

Workaround:
Disable hardware SYN Cookie on all objects (virtual server, VLAN, etc.).

Fix:
Valid connections are now accepted in hardware SYN Cookie mode.

Fixed Versions:
17.1.0, 15.1.5.1, 14.1.5


1075733 : Updated libcgroup library to fix CVE-2018-14348

Component: TMOS

Symptoms:
libcgroup up to and including 0.41 creates /var/log/cgred with mode 0666 regardless of the configured umask, leading to disclosure of information.

Conditions:
cgrulesengd creates log files with insecure permissions.

Impact:
The cgrulesengd daemon (cgred) in libcgroup through version 0.41 creates log files (/var/log/cgred) with mode 0666 regardless of the configured umask, leading to disclosure of information.

Workaround:
NA

Fix:
The libcgroup library has been updated to resolve the issue.

Fixed Versions:
17.1.0


1075729-2 : Virtual server may not properly exit from hardware SYN Cookie mode

Links to More Info: BT1075729

Component: TMOS

Symptoms:
Virtual servers do not exit hardware SYN Cookie mode even after the SYN flood attack stops. The TMSH 'show ltm virtual' output shows 'full hardware' mode.

Conditions:
-- VELOS and rSeries platforms.
-- SYN cookie mode is triggered.

Impact:
The affected virtual server will not receive TCP SYN packets until TMM is restarted. The limited range of MSS values in SYN Cookie mode may slightly affect performance.

Workaround:
Disable HW SYN Cookie mode on all virtual servers.

Fix:
Virtual server is now fully exits hardware SYN Cookie mode once a SYN flood attack stops.

Fixed Versions:
17.1.0, 15.1.5.1, 14.1.5.1


1075689 : Multiple CVE fixes for OpenLDAP library

Component: TMOS

Symptoms:
CVE-2020-12243, CVE-2020-25692, CVE-2020-25709, CVE-2020-25710, CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2021-27212

Conditions:
An improper authorization issue in cyrus-sasl based SASL mechanisms may lead to ACL bypass

Impact:
An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL authentication and session encryption, and relying on the SASL security layers in slapd access controls, it is possible to obtain access that would otherwise be denied via a simple bind for any identity covered in those ACLs. After the first SASL bind is completed, the sasl_ssf value is retained for all new non-SASL connections. Depending on the ACL configuration, this can affect different types of operations (searches, modifications, etc.). In other words, a successful authorization step completed by one user affects the authorization requirement for a different user.

Workaround:
NA

Fix:
Fixed 13 CVEs affecting the OpenLDAP library.

Fixed Versions:
17.1.0, 15.1.8


1075229-1 : Jumbo frames not supported

Links to More Info: BT1075229

Component: TMOS

Symptoms:
MTU size higher than 1500 is not allowed.

Conditions:
If a client is configured for PMTU, it will discover MTU as a maximum of 1500 and the client will not be able to send packets larger than 1500 bytes.

Packets greater than 1500 bytes will be dropped if don't fragment is set, and they will be fragmented if it is not set.

Impact:
End-End MTU will be limited to 1500.
You are unable to set the MTU size beyond 1500

Workaround:
None

Fixed Versions:
17.1.0, 15.1.6


1074517 : Tmm may core while adding/modifying traffic-class attached to a virtual server

Links to More Info: BT1074517

Component: Local Traffic Manager

Symptoms:
Tmm may core while adding/modifying traffic-class attached to a virtual server

Conditions:
-- Traffic class is attached to a virtual server.
-- Add an existing traffic class to a virtual server.
-- Afterwards, a new traffic class is attached to the virtual server, or modification of the existing traffic class is triggered.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1


1073677 : Add a db variable to enable answering DNS requests before reqInitState Ready

Links to More Info: BT1073677

Component: Global Traffic Manager (DNS)

Symptoms:
When a new GTM is added to the Sync group, it takes a significant amount of time, and the newly added GTM won't become ready.

Conditions:
-- GTMs in a cluster with a large number of persist records
-- A new GTM device is added

Impact:
Clients of the BIG-IP GTM do not receive an answer, and application failures may occur.

Workaround:
None

Fixed Versions:
17.1.0


1073625 : Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled.

Links to More Info: BT1073625

Component: Application Security Manager

Symptoms:
ASM policy import is successful on Active unit and it syncs to standby device, but "Apply changes" is displayed on the standby device policies page.

Conditions:
1. XML policy with learning enabled imported via TMSH.
2. Autosync with incremental sync enabled on device-group with ASM sync enabled.

Impact:
The peer (standby) unit needs to have the policies applied manually even though everything is set to auto-sync

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


1073165-1 : Add IPv6 prefix length

Links to More Info: BT1073165

Component: TMOS

Symptoms:
The per-VLAN control of DAG IPv6 prefix length is implemented.

Conditions:
DAG IPv6 prefix length is used.

Impact:
The per-VLAN control of DAG IPv6 prefix length is implemented.

Workaround:
None

Fix:
The per-VLAN control of DAG IPv6 prefix length is implemented.

Fixed Versions:
17.1.0, 15.1.6


1073005 : iControl REST use of the dig command does not follow security best practices

Links to More Info: K83284425, BT1073005


1072377 : TMM crash in rare circumstances during route changes

Links to More Info: BT1072377

Component: Local Traffic Manager

Symptoms:
TMM might crash in rare circumstances when static/dynamic route changes.

Conditions:
Dynamic/static route changes.

Impact:
TMM can crash or core. Traffic processing stops during process restart.

Workaround:
None

Fix:
None

Fixed Versions:
17.1.0


1072165 : Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format

Links to More Info: BT1072165

Component: Application Security Manager

Symptoms:
Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format

Conditions:
ASM remote logging in ArcSight format

Impact:
Due to the missing fields, the remote message does not tell name of threat campaign name(s) that was detected.

Workaround:
Use other message format.

Fixed Versions:
17.1.0


1071621 : Increase the number of supported traffic selectors

Links to More Info: BT1071621

Component: TMOS

Symptoms:
There is an imposed limit of 30 traffic selectors that can be attached to an IPsec policy / IKEv2 ike-peer.

Conditions:
-- IKEv2
-- More than 30 traffic selectors required on one IPsec policy / ike-peer.

Impact:
No more than 30 traffic selectors can be added to a single IPsec policy / ike-peer.

Workaround:
None

Fix:
The behavior of sys db ipsec.maxtrafficselectors has changed.

- Max traffic selectors associated with an ike-peer are increased from 30 to 100.

- When the sys-db variable is non-zero, the limit is enforced.

Warning: Adding hundreds or thousands of traffic-selectors to an ipsec-policy may result in slow config-load times (for example, during startup). An excessive number of traffic selectors may also slow down IPsec tunnel negotiation. The impact will depend on the BIG-IP system's provisioning and the overall configuration.

- ipsec.maxtrafficselectors can be set to "0" to indicate there is no limit.

Behavior Change:
The behavior of sys db ipsec.maxtrafficselectors has changed.

- Max traffic selectors associated with an ike-peer are increased from 30 to 100.

- When the sys-db variable is non-zero, the limit is enforced.

- ipsec.maxtrafficselectors can be set to "0" to indicate there is no limit.

Warning: Adding hundreds or thousands of traffic-selectors to an ipsec-policy may result in slow config-load times (for example, during startup). An excessive number of traffic selectors may also slow down IPsec tunnel negotiation. The impact will depend on the BIG-IP system's provisioning and the overall configuration.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1


1070833 : False positives on FileUpload parameters due to default signature scanning

Links to More Info: BT1070833

Component: Application Security Manager

Symptoms:
False positives on FileUpload parameters due to signature scanning by default

Conditions:
A request containing binary content is sent in "FileUpload" type parameters

Impact:
False positives and ineffective resource utilization

Workaround:
Disable signature scanning on "FileUpload" parameters manually using GUI/REST.

Fix:
Default signature scanning is disabled for FileUpload parameters created using OpenAPI to reduce false positives on binary content.

Fixed Versions:
17.1.0, 16.1.3, 15.1.6.1


1070789-2 : SSL fwd proxy invalidating certificate even through bundle has valid CA

Links to More Info: BT1070789

Component: Local Traffic Manager

Symptoms:
BIG-IP system rejects SSL forward proxy connections due to expired CA certificates present in ca-bundle even though other, valid CA certificates exist.

Conditions:
-- Forward proxy is enabled in client and server SSL profiles.
-- A valid CA certificate is followed by an expired CA certificate in ca-bundle.

Impact:
SSL handshakes will fail.

Workaround:
Remove all invalid trusted (i.e., expired) certificates from the certificate chain and replace them with a valid trusted certificate.

Fix:
Fixed the certificate verification issue that was leading to SSL handshake failure.

Fixed Versions:
17.1.0, 16.1.3.1


1070737 : AFM does not detect NXDOMAIN attack at virtual context when DNS cache is activated.

Links to More Info: BT1070737

Component: Advanced Firewall Manager

Symptoms:
When the DNS cache is activated, the NXDOMAIN DoS vector does not increase for the virtual server context. As a result, NXDOMAIN flood attack is never detected/mitigated at the virtual server context.

Note this does not happen with other vectors like DNS A query flood attack, only for NXDOMAIN.

Conditions:
Issue is only seen When DNS cache is activated and for NXDOMAIN Dos Vector.

Impact:
NXDOMAIN flood attack is never detected/mitigated at virtual server context.

Workaround:
N/A

Fix:
Unbound is used to do the DNS query and the BIG-IP self IP is used to do the query instead of the listener at the server-side when DNS Cache is Enabled.

DOS on connflow is also done at the client-side egress when DNS Cache is enabled in case of NXDOMAIN.

Fixed Versions:
17.1.0


1070389 : Tightening HTTP RFC enforcement

Component: Local Traffic Manager

Symptoms:
BIG-IP allows non RFC-compliant http requests to the backend which may cause backend misbehavior

Conditions:
Basic Virtual Server with http profile

Impact:
Backend server may receive unexpectedly formatted http requests

Fix:
Big-IP more strictly enforces HTTP RFC compliance.

Fixed Versions:
17.1.0


1070197 : In a RPZ zone, unbound continues to process matching against the after-coming RPZ zones

Component: Global Traffic Manager (DNS)

Symptoms:
After detecting a rpz-passthru in a RPZ zone, unbound continues to process matching against the after-coming RPZ zones, removing the possibility to override entries in after-coming RPZ zones.

Conditions:
The rpz-passthru is enabled in RPZ Zone.

Impact:
A rpz-passthru action is not ending RPZ zone processing.

Workaround:
None

Fix:
When rpz-passthru is detected no RPZ policy processing takes place.

Fixed Versions:
17.1.0


1069337 : CVE-2016-1841 - Use after free in xsltDocumentFunctionLoadDocument

Component: TMOS

Symptoms:
libxslt, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

Impact:
Denial of service (memory corruption) via a crafted web site

Fix:
Fix use-after-free in xsltDocumentFunctionLoadDocument

Fixed Versions:
17.1.0


1068673 : SSL forward Proxy triggers CLIENTSSL_DATA event on bypass.

Links to More Info: BT1068673

Component: Local Traffic Manager

Symptoms:
The CLIENTSSL_DATA iRule event is triggered unexpectedly during SSL forward proxy bypass.

Conditions:
This issue is seen when SSL forward proxy with bypass is enabled on client & server SSL profiles.

Impact:
This can cause unexpected failure of existing iRules which only expect CLIENTSSL_DATA on intercepted (and decrypted) data.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.1.0


1067609 : Static keys were used while generating UUID's under OAuth module

Component: Access Policy Manager

Symptoms:
UUIDs generated by the OAuth module are incorrectly obfuscated.

Conditions:
N/A

Impact:
Static keys are only used during generation of UUIDs.

Workaround:
N/A

Fix:
Static keys were removed now and replaced with the dynamic generation of keys for the OAuth module during UUID generation.

Fixed Versions:
17.1.0


1067589 : Memory leak in nsyncd

Links to More Info: BT1067589

Component: Application Security Manager

Symptoms:
The memory usage for nsyncd increases over time, forcing the device into OOM (out of memory).

Conditions:
-- High availability (HA) environment with ASM sync failover device group.
-- ASU files are being installed by Live Update.

Impact:
OOM activity causes random process restarts and disruption.

Workaround:
Restart the nsyncd daemon.

Fix:
Added a new parameter 'maxMemory' to the nsyncd configuration file:
/usr/share/nsyncd/config/config.properties

# 450 MB
maxMemory=450000000


Nsyncd daemon will limit its memory usage to the configured value, and restart if the value is exceeded.

Fixed Versions:
17.1.0


1067105 : Racoon logging shows incorrect SA length.

Links to More Info: BT1067105

Component: TMOS

Symptoms:
Debug2 logs incorrect "total SA" length in racoon.log.

Conditions:
-- IKEv1 tunnels in use
-- ikedaemon in debug2 mode

Impact:
Troubleshooting is confused by misleading information about the SA payload length.

Workaround:
None. This is a cosmetic / logging issue.

Fix:
Clarified the log message to indicate what the logged length actually covers.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


1066673 : BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions

Links to More Info: K55580033, BT1066673


1066101 : In Bot Defense, the field "Check Mobile Identifier" for endpoints is available when "Applications in Scope" field is set to "Mobile"

Component: Bot Defense

Symptoms:
In Bot Defense profile, the field "Check Mobile Identifier" for endpoints is available when "Applications in Scope" field is set to only "Mobile".

Conditions:
Configuring Bot Defense profile using GUI.

Impact:
No functional Impact.

Workaround:
None

Fix:
In Bot Defense profile, settings related to "Check Mobile Identifier" for endpoints is hidden when "Applications in Scope" is set to only "Mobile".

Fixed Versions:
17.1.0


1065917 : BIG-IP APM Virtual Server does not follow security best practices

Links to More Info: K95503300, BT1065917


1065109 : In Bot Defense profile, tot_http_requests and tot_requests_forwarded_to_origin are not populated correctly

Links to More Info: BT1065109

Component: Bot Defense

Symptoms:
The tot_http_requests in Bot Defense profile is not populated for requests which are not matching with any endpoint.
The tot_requests_forwarded_to_origin is not updated for requests which are allowed or timeout occurred for Distributed Cloud API Request or scenario where protection pool is down.

Conditions:
Issue occurs when the following conditions are met:
1) Configure Bot Defense profile under Distributed Cloud Services.
2) Attach BD profile to Virtual Server.
3) Send requests from client.

Impact:
The tot_http_requests and tot_requests_forwarded_to_origin are not populated correctly.

Workaround:
None

Fix:
The tot_http_requests and tot_requests_forwarded_to_origin are populated correctly.

Fixed Versions:
17.1.0


1064785 : BIG-IP must respond return code 0x01 (unacceptable protocol level) if the MQTT protocol level is not supported

Links to More Info: BT1064785

Component: Local Traffic Manager

Symptoms:
BIG-IP aborts the connection abruptly.

Conditions:
Basic virtual server with MQTT profile.

Impact:
BIG-IP aborts the connection.

Workaround:
None

Fix:
BIG-IP responds with a CONNACK with a specific return of 0x02, an unacceptable protocol level.

Fixed Versions:
17.1.0


1064573 : JWE token generation in BIG-IP as Authorization Server

Component: Access Policy Manager

Symptoms:
The BIG-IP system supports only JWT tokens of type JWS, not JWE.

Conditions:
-- BIG-IP is configured as an authorization server
-- You need to generate JWE-type tokens

Impact:
JWE-type tokens cannot be generated on the BIG-IP system.

Workaround:
None

Fix:
JWE token generation functionality is available when the BIG-IP system is deployed as an Authorization Server.

Fixed Versions:
17.1.0


1063977 : Tmsh load sys config merge fails with "basic_string::substr" for non-existing key.

Links to More Info: BT1063977

Component: Local Traffic Manager

Symptoms:
"tmsh load sys config merge" fails with the following error.

Loading configuration...
  /var/tmp/repro.txt
01070711:3: basic_string::substr
Unexpected Error: Loading configuration process failed.

Conditions:
The key referenced in the configuration of the SSL profile does not exist in the BIG-IP.

Impact:
"tmsh load sys config merge" fails which is expected, but the error is not meaningful.

Workaround:
Identify the missing SSL key used in the configuration and correct it.

Fix:
You should now be able to see the error message "The requested certificate (<Cert Name>) was not found." or "The requested certificate (<Key Name>) was not found." if a non-existing key is used in the configuration.

Fixed Versions:
17.1.0, 16.1.3


1063641 : NTLM library hardening

Links to More Info: K23465404, BT1063641


1063637 : NTLM library hardening

Links to More Info: K23465404, BT1063637


1063473-4 : While establishing a high availability (HA) connection, the number of npus in DAG context may be overwritten incorrectly

Links to More Info: BT1063473

Component: TMOS

Symptoms:
Even though the platform is distributing packets to the TMM's SEPs evenly, virtual server connections are balanced unevenly.

Conditions:
Migrate vCMP guests to the VELOS chassis.

Impact:
Traffic is not distributed evenly across TMMs. LTM log shows a lot of RST packets and pool members go down and up continuously.

Workaround:
None

Fixed Versions:
17.1.0, 15.1.5.1, 14.1.5


1062569 : HTTP/2 stream bottom filter leaks memory at teardown under certain conditions

Links to More Info: K56676554, BT1062569


1062493 : BD crash close to it's startup

Links to More Info: BT1062493

Component: Application Security Manager

Symptoms:
BD crashes shortly after startup.

Conditions:
FTP or SMTP are in use. Other causes are unknown.

Impact:
Traffic disrupted while bd restarts.

Workaround:
No workaround except removal of the FTP/SMTP protection.

Fix:
Crashes close to startup coming from SMTP or FTP were fixed.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


1062385 : BIG-IP has an incorrect limit on the number of monitored HA-group entries.

Links to More Info: BT1062385

Component: TMOS

Symptoms:
BIG-IP has an incorrect limit on the number of monitored HA-group entries.

Conditions:
Large amount of traffic groups (over 50) with high availability (HA) Group monitoring attached.

Impact:
Not all traffic groups are properly monitored. Some traffic groups might not fail-over properly.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.1.0


1062069 : Online Help for " IP Address Exceptions": Policy Default does not specify an accurate GUI path

Component: Application Security Manager

Symptoms:
The online help for "Application Security > Policy > Blocking > Settings" is invalid. This navigation path was from older releases (e.g. 11.x) where the blocking setting page was located in Security ›› Application Security : Blocking : Settings

Conditions:
Navigating to the online help for "Application Security > Policy > Blocking > Settings"

Impact:
OLH for Policy Default is confusing.

Workaround:
None

Fix:
The instructions are to the Policy Building Settings and the Learning and Blocking Settings screens.

Fixed Versions:
17.1.0


1061537 : DNS cache support for Prefetch, Outbound Message Retry, and Server Stale Data Settings

Component: Global Traffic Manager (DNS)

Symptoms:
The BIG-IP does not have support for Prefetch, Outbound Message Retry, and Server Stale Data.

Conditions:
- Configuring unbound.

Impact:
DNS cache records updated earlier than before for prefetch and stale records provided when upstream servers are not available.

Workaround:
None

Fix:
The Prefetch, Outbound Message Retry, and Server Stale Data settings can be configured through both TMSH and GUI.

Fixed Versions:
17.1.0


1061481 : Denied strings were found in the /var/log/ folder after an update or reboot

Links to More Info: BT1061481

Component: TMOS

Symptoms:
Denied strings error message were found in /var/log/dmesg and /var/log/messages files after update or reboot.

For example, the string "denied" was found:[ 5.704716] type=1401 audit(1636790175.688:4): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:f5_jitter_entropy_t:s0

Conditions:
After update or reboot, check the following log files:
/var/log/dmesg and /var/log/messages.

Impact:
Error strings are observed in /var/log/dmesg and /var/log/messages.

Workaround:
None.

Fix:
No error strings are observed.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3


1060989-2 : Improper handling of HTTP::collect

Links to More Info: BT1060989

Component: Local Traffic Manager

Symptoms:
When a complete body has been received and a new HTTP::collect is attempted, an error occurs:

TCL error: /Common/rule_vs_server_15584 <HTTP_RESPONSE_DATA> - ERR_ARG (line 1) invoked from within "HTTP::collect 256000"

Conditions:
- HTTP Virtual server
- incremental HTTP::collect irule

Impact:
iRule failure

Workaround:
None

Fixed Versions:
17.1.0, 16.1.3.1


1060625 : Wrong INTERNAL_IP6_DNS length.

Links to More Info: BT1060625

Component: TMOS

Symptoms:
Tunnel establishment fails when an IPv6 DNS IP address is provided in the IKE_AUTH payload. As per RFC it should be 16 octets, but BIG-IP sends 17 octets(that is, it tries to provide the subnet info also).

Conditions:
Initiator requests an IPv6 DNS IP during tunnel negotiation.

Impact:
Tunnel will not establish.

Workaround:
None

Fix:
The INTERNAL_IP6_DNS payload is now filled with only the IPv6 address (the subnet is excluded).

Fixed Versions:
17.1.0, 17.0.0, 16.1.2.2


1060409 : Behavioral DoS enable checkbox is wrong.

Links to More Info: BT1060409

Component: Anomaly Detection Services

Symptoms:
Behavioral DoS Enabled indicator is wrongly reported after configuration change, when no traffic is injected to the virtual server.

Conditions:
Behavioral DoS is enabled and then disabled when no traffic is injected to the virtual server.

Impact:
After server health is stabilized and constant, the BIG-IP system doesn't report the configuration changes.

Workaround:
Send 1-2 requests to the server and the configuration will be updated.

Fix:
Behavioral DoS enabled/disabled flag is now reported correctly.

Fixed Versions:
17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


1060145 : Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2.

Links to More Info: BT1060145

Component: Global Traffic Manager (DNS)

Symptoms:
When secondary slot reboots and it gets the configuration from the primary blade, the secondary throws a validation error and enters into a restart loop.

The following error is logged:

Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/Common/bbt-generic-bigip 10.1.10.12 80 gtm-vs) was not found.... failed validation with error 16908342.

Conditions:
-- Change the virtual server address on the LTM (manual edit of bigip.conf and load).

-- Reboot the secondary slot.

Impact:
Mcpd enters a restart loop on the secondary slot.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.1.0


1060093-1 : Upgrading BIG-IP tenant from 14.1.4.4-0.0.4 to 15.1.5-0.0.3 with blade in the 8th slot causes backplane CDP clustering issues.

Links to More Info: BT1060093

Component: Local Traffic Manager

Symptoms:
When upgrading from 14.1.x to 15.1.5.x, the 8th slot in a VELOS chassis does not cluster.

Conditions:
Issue 'tmsh show sys cluster' shows 8th slot not active in the cluster.

Impact:
8th slot in a cluster is not active.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.1.0, 15.1.5


1060057-3 : Enable or Disable APM dynamically with Bados generates APM error

Links to More Info: BT1060057

Component: Anomaly Detection Services

Symptoms:
When APM & Bados configured together while APM is being enabled or disabled externally (which is an IRule). This will end up with an APM Error.

Conditions:
APM & Bados configured together while APM is being enabled/disabled externally (which is an IRule). This will end up with an APM Error.

Impact:
Unable to apply Application DoS profile to an existing APM Network Access setup.

Workaround:
No workaround. Do not enable or disable APM with iRules if Bados configured.

Fix:
No APM errors when PM & Bados configured together and APM is being enabled or disabled externally (which is an IRule).

Fixed Versions:
17.1.0


1060021 : Using OneConnect profile with RESOLVER::name_lookup iRule might result in core.

Links to More Info: BT1060021

Component: Local Traffic Manager

Symptoms:
Tmm might core while using a OneConnect profile with iRule command RESOLVER::name_lookup.

Conditions:
1. One connect profile attached.
2. iRules with RESOLVER::name_lookup command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Don't use RESOLVER::name_lookup iRule on virtual that uses the oneconnect profile.

Fix:
N/A

Fixed Versions:
17.1.0


1060009-1 : Platform Agent may run out of file descriptors

Links to More Info: BT1060009

Component: TMOS

Symptoms:
Platform Agent may run out of file descriptors.
The log is full of entries similar to:

err platform_agent[7704]: 01d50004:3: setup_new_connection: accept() failed
err platform_agent[7704]: 01d50004:3: wait_for_data: Failed to setup new connection

Conditions:
-- A number of tmm restarts is performed, for example by issuing a `bigstart restart tmm` command
-- `ss -nt` shows a large number of connections to port 5678.

Impact:
The system may fail to function correctly, especially with regards to updating platform settings.

Workaround:
Reboot the affected blades.

Fix:
Fixed platform agent running out of file descriptors.

Fixed Versions:
17.1.0, 15.1.6.1, 14.1.5


1059337-1 : Potential data leak inside Ethernet padding field on VELOS architecture products

Links to More Info: BT1059337

Component: Local Traffic Manager

Symptoms:
Padding bytes added by TMM to bring packets up to the minimum Ethernet frame length of 64 bytes may contain contents of TMM's CPU memory.

Conditions:
Issue can occur whenever TMM creates a packet that is shorter than the 64 byte Ethernet minimum transmitted on a VELOS architecture platform.

Impact:
Unintentional leak of TMM memory contents in Ethernet padding on VELOS architecture platforms.

Workaround:
Upgrade to latest BIG-IP version.

Fix:
Ethernet minimum frame padding explicitly zeroed by TMM's data path driver used on VELOS architecture products.

Fixed Versions:
17.1.0


1058509-2 : Platform_agent crash on tenant token renewal

Links to More Info: BT1058509

Component: TMOS

Symptoms:
When the tenant token id is renewed after 24 hours, the platform agent process crashes due to a race condition in updating token id

Conditions:
This can occur every 24 hours during normal system operation.

Impact:
Platform_agent process crashes and restarts

Workaround:
None

Fix:
Fixed code to avoid crash on token renewal

Fixed Versions:
17.1.0, 15.1.6


1058297 : Policy history values for 'max Size Of Saved Versions' and for 'min Retained Files In Dir' is reset during upgrade

Links to More Info: BT1058297

Component: Application Security Manager

Symptoms:
The values for "minRetainedFilesInDir" and "maxSizeOfSavedVersions" in /etc/ts/tools/policy_history.cfg
 are set back to default after an upgrade.

Conditions:
-- Non-default values for "minRetainedFilesInDir" and for "maxSizeOfSavedVersions"
-- An upgrade occurs

Impact:
After upgrade, the values in the configuration file are set back to default.

Workaround:
Update the values after the upgrade is complete.

Fix:
The usage of the configuration file /etc/ts/tools/policy_history.cfg is deprecated.

New internal config items have been added:
"policy_history_min_retained_versions" and "policy_history_max_total_size"

The internal variables are preserved during the upgrade.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


1056957 : An attack signature can be bypassed under some scenarios.

Links to More Info: BT1056957

Component: Application Security Manager

Symptoms:
An attack signature is not detected.

Conditions:
A specific condition.

Impact:
False negative - attack is not detected.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1


1053949-1 : AFM SSH proxy offering weak ciphers, the ciphers must be removed

Links to More Info: BT1053949

Component: Advanced Firewall Manager

Symptoms:
AFM SSH Proxy is offering following weak ciphers:
- hmac-sha1
- diffie-hellman-group14-sha1
- 3des-cbc

Conditions:
- Configure virtual server with AFM SSH profile attached.

Impact:
Selection of weak ciphers can break the the encryption scheme.

Workaround:
None

Fix:
The following three DB variables are made available to toggle the weak ciphers, by default the variable are disabled and if required they can be enabled explicitly:

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db sshplugin.enable_*
sys db sshplugin.enable_3des_and_blowfish_ciphers {
    value "false"
}
sys db sshplugin.enable_dh_group14_sha1_kex_alg {
    value "false"
}
sys db sshplugin.enable_hmac_sha1_mac {
    value "false"
}

Fixed Versions:
17.1.0


1053809-1 : TMM crashes while running L4 Max concurrent connections

Links to More Info: BT1053809

Component: Local Traffic Manager

Symptoms:
TMM crash is detected while executing L4 Max concurrent connection test.

Conditions:
- Execute L4 Max concurrent connection test.

Impact:
TMM crash leads to disruption in traffic.

Workaround:
None

Fix:
TMM does not crash while executing L4 Max concurrent connection test.

Fixed Versions:
17.1.0, 15.1.5


1053741 : Bigd may exit and restart abnormally without logging a reason

Links to More Info: BT1053741

Component: Local Traffic Manager

Symptoms:
Certain fatal errors may cause the bigd daemon to exit abnormally and restart to recover.
For many such fatal errors, bigd logs a message in the LTM log (/var/log/ltm) indicating the fatal error that occurred.
For some causes, no message is logged to indicate what error occurred to cause big to exit abnormally and restart

Conditions:
This may occur when bigd encounters a fatal error when monitoring LTM pool members, particularly (although not exclusively) when using In-TMM monitor functionality (sys db bigd.tmm = enable).

Impact:
It may be difficult to diagnose the reason that caused bigd to exit abnormally and restart.

Workaround:
To enable logging of all fatal errors that cause bigd to exit abnormally and restart, enable bigd debug logging:

tmsh modify sys db bigd.debug value enable

With bigd debug logging enabled, bigd messages (including such fatal errors) will be logged to /var/log/bigdlog

Fixed Versions:
17.1.0, 15.1.8


1053557 : Support for Mellanox CX-6

Component: TMOS

Symptoms:
The Mellanox CX-6 is not fully supported.

Conditions:
-- CX-6 network interface card is used with BIG-IP Virtual Edition.

Impact:
The BIG-IP system is unable to pass traffic through CX-6 interfaces.

Workaround:
None

Fix:
Traffic can be passed through CX-6 interfaces.

Fixed Versions:
17.1.0


1051797-8 : Linux kernel vulnerability: CVE-2018-18281

Links to More Info: K36462841, BT1051797


1050165-3 : APM - users end up with SSO disabled for their session, admin intervention required to clear session

Links to More Info: BT1050165

Component: Access Policy Manager

Symptoms:
If a user is trying to access a webtop resource that is configured behind APM single sign-on (SSO) which has failed for some reason, then the SSO process for that user is disabled for the rest of that session's life time.

Conditions:
-- Configure Kerberos SSO
-- Configure a network resource (a user's mail box configured on exchnage server, or an IIS based web service)

Impact:
BIG-IP Admin has to intervene to release the affected session manually.

Workaround:
None

Fixed Versions:
17.1.0


1050009 : Access encountered error:ERR_NOT_FOUND. File: <file name> messages in 'acs_cmp_acp_req_handler' function in APM logs

Links to More Info: BT1050009

Component: Access Policy Manager

Symptoms:
In /var/log/apm

<Date> <time> <bigip> err tmm1[12598]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: <file name>, Function: acs_cmp_acp_req_handler, Line: 576

Conditions:
While evaluating Access Policy created by irule

ACCESS::session create -timeout <timeout> -lifetime <lifetime>
ACCESS::policy evaluate -sid <session ID> -profile <profile name>

Impact:
/var/log/apm gets filled with many 'Access encountered error:ERR_NOT_FOUND' error logs and there is no functional imapct.

Fixed Versions:
17.1.0


1048989 : Slight correction of button titles in the Data Guard Protection Enforcement

Component: Application Security Manager

Symptoms:
A button title read as "Ignored URLs / Enforced URLs" instead of "Ignore URLs / Enforce URLs".

Conditions:
1. On the Security > Application Security > Security Policies > Policies List > <selected_policy> screen, click the Data Guard tab.

2. Look on the Data Guard Protection Enforcement (Wildcards Supported) button fields. The button title should appear as Ignore/Enforce URLs.

Impact:
The title of the button is misleading.

Workaround:
None

Fix:
The button title appears as Ignore URLs / Enforce URLs.

Fixed Versions:
17.1.0


1048977-1 : IPSec tunnel is not coming up after tmm/system restart when ipsec.removeredundantsa db variable is enabled

Links to More Info: BT1048977

Component: TMOS

Symptoms:
With an IPsec tunnel configured on the BIG-IP system, when tmm is restarted it fails to establish the IPsec tunnel.

Conditions:
-- VELOS platform
-- Tmm is restarted after a successful IPsec establishment with an appropriate IPSEC configuration.

Impact:
When tmm is restarted, it fails to setup the IPsec tunnel and IPSec traffic is disrupted.

Workaround:
After device reboot, re-apply the ipsec configuration to establish the tunnel again.

Fix:
IPSec tunnels are now re-established following a tmm restart.

Fixed Versions:
17.1.0, 15.1.6


1048709 : FCS errors between the switch and HSB

Links to More Info: BT1048709

Component: TMOS

Symptoms:
There are cases where FCS errors occur between the switch and HSB. This can be observed in the snmp_dot3_stat stats table, following is an example:

name fcs_errors
---- ----------
10.1 19729052

Conditions:
This requires a BIG-IP platform that has a switch and HSB.

Impact:
Networking traffic can be impacted when this condition occurs.

Workaround:
The device needs to be rebooted in order to clear the FCS errors.

Fix:
The improvement adds the ability to trigger an High Availability (HA) action when FCS errors are detected on the switch <-> HSB interfaces on the B4450 platform.

Fixed Versions:
17.1.0, 15.1.8


1048445 : Accept Request button is clickable for unlearnable violation illegal host name

Links to More Info: BT1048445

Component: Application Security Manager

Symptoms:
For the following violations:
- VIOL_HOSTNAME (Hostname violation)
- VIOL_HOSTNAME_MISMATCH (Hostname mismatch violation)

The accept button is clickable when it should not. Accept Request button should be disabled for this violations.

Conditions:
Generate an illegal host name or hostname mismatch violation.

Impact:
Request will not be accepted even though you have elected to accept the illegal request.

Workaround:
Do not accept the request to hostname and hostname mismatch violation, no ASM config changes will be triggered.

Fixed Versions:
17.1.0, 16.1.2.2, 15.1.6.1


1048077-2 : SELinux errors with gtmd when using internal FIPS card

Component: Global Traffic Manager (DNS)

Symptoms:
You can observe the following avc error logs when the gtmd process tries to interact with internal FIPS card for DNSSEC key and signature creation:


type=AVC msg=audit(1662044427.707:3960): avc: denied { create } for pid=39483 comm="gtmd" scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:system_r:gtmd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1662044427.709:3961): avc: denied { search } for pid=39483 comm="gtmd" name="gtmd" dev="dm-20" ino=188725 scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:object_r:svc_svc_t:s0 tclass=dir
type=AVC msg=audit(1662044428.113:3962): avc: denied { create } for pid=39483 comm="gtmd" scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:system_r:gtmd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1662044428.114:3963): avc: denied { search } for pid=39483 comm="gtmd" name="gtmd" dev="dm-20" ino=188725 scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:object_r:svc_svc_t:s0 tclass=dir

Conditions:
- Internal FIPS card present with FIPS 140-3 supported devices.
- DNSSEC Key and signature creation using internal keys.

Impact:
No Impact to DNSSEC deployment but gtmd throws SELinux errors.

Workaround:
None

Fixed Versions:
17.1.0


1047577 : System statistics may fail to update, or report negative deltas due to delayed stats merging

Component: TMOS

Symptoms:
Under some conditions, the BIG-IP might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (for example, all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.

The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.

Conditions:
An iRule is configured which uses SSL::profile.

Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.

Workaround:
This issue has two workarounds:

- Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following:

 -- Reduce the frequency of configuration changes.
 -- Reduce the use of 'SSL::profile' in iRules.
 -- Reduce the number/frequency of processes being spawned by the system.

or

As an alternate, the following is the second workaround which can be implemented in two parts:

- Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:

    tmsh modify sys db merged.method value slow_merge

or

- To reduce CPU usage when merge-method is slow-merge, change the merge-interval value to two using the following command:

    tmsh modify /sys db merged.merge.interval {value "2"}

Note: Performing the second workaround has the drawback of disabling TMSTAT snapshots on the device. The TMSTAT snapshots are intended for F5-internal use only: the lack of snapshots will have no bearing on the functionality of the BIG-IP; however, F5 Support might be impacted in their ability to troubleshoot issues in BIG-IP.

Fix:
The db variable "defaultlistenerstatrow" when enabled will update the system statistics as expected.

Fixed Versions:
17.1.0


1046917 : In-TMM monitors do not work after TMM crashes

Links to More Info: BT1046917

Component: In-tmm monitors

Symptoms:
After TMM crashes and restarts, in-TMM monitors do not run. Monitored pool members are down.

Conditions:
-- In-TMM monitors are enabled.
-- TMM exits abnormally, as a result of one of the following:
  + TMM crashing and restarting
  + TMM being sent a termination signal (i.e. using 'pkill' to kill TMM)

Note: This issue does not occur if TMM is restarted using 'bigstart' or 'tmsh sys service'.

Impact:
Monitored pool members are offline.

Workaround:
One of the following:

1. Do not use in-TMM monitors.

2. After TMM restarts, manually restart bigd:
   tmsh restart sys service bigd

3. Add an entry to /config/user_alert.conf such as the following, so that the system restarts bigd when TMM starts up.

On an appliance or single-slot vCMP guest/tenant:

alert id1046917 "Tmm ready - links up." {
    exec command="bigstart restart bigd"
}

On a VIPRION or multi-slot vCMP guest/tenant:

alert id1046917 "Tmm ready - links up." {
    exec command="clsh --color=all bigstart restart bigd"
}

Note: This change must be made separately on each device in a ConfigSync device group.

Fixed Versions:
17.1.0, 15.1.8


1045629 : FastL4 TCP Fast Close with Reset

Component: Local Traffic Manager

Symptoms:
A complete TCP close requires cooperation from client and server applications. A client initiated close may not immediately elicit a corresponding server close. The server application may continue sending data, indefinitely delaying closing the socket. When the socket is closed, the kernel must continue flushing send buffers before continuing the TCP close handshake. Even when the client does not need to receive remaining server data, it must wait for the server to send the full response before the connection is closed.

Conditions:
-- The virtual server uses a FastL4 profile.
-- The client attempts to close the socket.
-- While the backend server receives the client close request (TCP FIN), the server application continues sending the complete response.

Impact:
Even though the client intends to close the socket immediately, the socket stays open while the server sends the full response leading to a long delay in closing the socket and wasting bandwidth.

Workaround:
None

Fix:
The feature is enabled with the FastL4 profile property reset-on-client-fin.

When enabled on a fastL4 profile, on a client-initiated close, bigproto will abort the connection, sending a reset to the client and server. For loose-close (nPath) connections, a reset is sent only to the server. Sending a reset to the client in this case is not useful since the BIG-IP does not have the latest SEQ number from the server. The client will get resets when it sends ACKs through the BIG-IP.

Fixed Versions:
17.1.0


1043821 : Inconsistent user permission handling across configuration UIs

Component: TMOS

Symptoms:
User permissions set by one configuration method may not transfer to another

Conditions:
USER access to REST/TMUI/TMSH interfaces.

Impact:
User permissions changes may not occur as expected

Workaround:
Use a single interface for modifying user settings.

Fix:
User privilege settings are consistent across interfaces

Fixed Versions:
17.1.0


1043009-4 : TMM dump capture for compression engine hang

Links to More Info: BT1043009

Component: Local Traffic Manager

Symptoms:
TMM crashes

Conditions:
The system detects a Nitrox hang and attempts to reset it.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Set Nitrox3.Compression.HangReset db variable to reset

Fixed Versions:
17.1.0


1042737 : BGP sending malformed update missing Tot-attr-len of '0.

Links to More Info: BT1042737

Component: TMOS

Symptoms:
BIG-IP might send a malformed BGP update missing Tot-attr-len of '0 when performing a soft reset out.

Conditions:
-- Multiple traffic groups configured.
-- A BGP soft reset occurs.

Impact:
BGP peering resets.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


1041985 : TMM memory utilization increases after upgrade

Links to More Info: BT1041985

Component: Access Policy Manager

Symptoms:
TMM memory utilization increases after upgrading.

The keep-alive interval of the _tmm_apm_portal_tcp default profile is set to a value that is less than the Idle Timeout setting.

Conditions:
-- APM enabled and passing traffic
-- The configuration has a profile that uses or is derived from _tmm_apm_portal_tcp where the keep-alive interval was reduced to 60

Note that this can be encountered any time a tcp profile contains a keep-alive interval setting that is less than the idle timeout.

For more information about the relationship between keep-alive and idle time out, see K13004262: Understanding Idle Timeout and Keep Alive Interval settings in the TCP profile, available at https://support.f5.com/csp/article/K13004262

Impact:
TMM memory may increase while passing traffic.

Workaround:
Change the tcp keep alive interval to the default setting of 1800 seconds.

Fixed Versions:
17.1.0


1041469 : Request Log Page: Line break in the middle of the word in the note next to Block this IP Address

Component: Application Security Manager

Symptoms:
Words may break in the middle before going to the next line.

Conditions:
1. Create Policy, for example Fundamental
2. Disable Alarm and Block flags for the "IP is blacklisted" violation in Learning and Blocking Settings
3. Apply Policy
4. Send request:

GET / HTTP/1.1
User-Agent: python-requests/2.21.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Request-Id: 003390
Host: 10.0.1.101:7000


5. open request details in Security ›› Event Logs : Application : Requests
6. click the arrow next to Source IP Address
7. Set Block this IP Address to Always

Impact:
Words at the end of the line and the beginning of the next line may seems broken. Only cosmetic impact.

Workaround:
None

Fix:
Words are breaking on the whole in the next line when needed.

Fixed Versions:
17.1.0


1040609 : RFC enforcement is bypassed when HTTP redirect irule is applied to the virtual server.

Component: Local Traffic Manager

Symptoms:
Specifically crafted HTTP request may lead the BIG-IP system to pass malformed HTTP requests to a target pool member web server.

Conditions:
RFC enforcement enabled from the HTTP profile or tmm.http.rfc.enforcement db variable.

HTTP redirect irule applied to virtual server.

Running a BIG-IP version that contains the fix for the issue described in K50375550: A specifically crafted HTTP request might lead the BIG-IP system to pass malformed HTTP requests to a backend server

Impact:
Specifically crafted HTTP request might lead the BIG-IP system to pass malformed HTTP requests to a target pool member web server.

Workaround:
N/A

Fix:
The issue is fixed with content-length header stripped off when both Content-Length and Transfer-Encoding present in the header.

Behavior Change:
The content-length header is removed when both content-length and Transfer-Encoding are present in the header.

Fixed Versions:
17.1.0


1040513 : The counter for "FTP commands" is always 0.

Links to More Info: BT1040513

Component: Application Security Manager

Symptoms:
On the FTP Statistics page, the "FTP Commands" value is always zero.

Conditions:
FTP security is applied and "FTP commands violations" is enforced.

Impact:
The FTP security does not show violations statistics regarding the FTP commands.

Workaround:
None

Fix:
"FTP commands statistics" now shows an accurate value in the UI.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


1040285 : Incident ID to log records that update incident properties is missing.

Component: Application Security Manager

Symptoms:
The incident ID is not included in the ASM event logs.

Conditions:
When ASM records an event correlation entry, it assigns a new "ID" and then associates all of the support IDs that make up this correlation. When the incident is added/updated, the log contains only the change without saying which incident ID got changed.

Impact:
Log records regarding incident add/update are missing the incident ID.

Workaround:
Use the timestamp.

Fix:
Now the incident ID is logged in /var/log/asm with the changes that were made in the incident.

Fixed Versions:
17.1.0


1038753 : OAuth Bearer with SSO does not process headers as expected

Component: Access Policy Manager

Symptoms:
Under certain conditions, OAuth Bearer SSO may forward HTTP headers as-is without the expected processing.

Conditions:
- APM Bearer SSO Configuration
- API Protection Profile
- OAuth token failure

Impact:
HTTP headers are forwarded without the expected processing, potentially leading to passthrough disclosure of request headers.

Workaround:
N/A

Fix:
HTTP headers are now processes as expected.

Fixed Versions:
17.1.0


1038117-1 : TMM SIGSEGV with BDoS attack signature

Links to More Info: BT1038117

Component: Advanced Firewall Manager

Symptoms:
TMM core dumped with segmentation fault showing the below stack. Sometimes the crash stack might be different possibly due to memory corruption caused by the stale BDoS entries in sPVA temp table.

#0 0x00007fbb0f05fa01 in __pthread_kill (threadid=?, signo=signo@entry=11) at ../nptl/sysdeps/unix/sysv/linux/pthread_kill.c:61
#1 0x0000000001587e86 in signal_handler (signum=11, info=0x400a254018f0, ctx=0x400a254017c0) at ../kern/sys.c:3837
#2 <signal handler called>
#3 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:164
#4 0x000000000156319b in spva_search_temp_table (p_arg=<synthetic pointer>, spva=0x400a25401e70) at ../base/tmm_spva.c:1827
#5 spva_dyentries_ack_nack_response (status=SPVA_STATUS_SUCCESS, spva=0x400a25401e70) at ../base/tmm_spva.c:1872
#6 spva_read (status=SPVA_STATUS_SUCCESS, spva=...) at ../base/tmm_spva.c:1560

Conditions:
BDoS enabled. The Dynamic BDoS signature created, attack detected, and signature is offloaded to hardware.

Impact:
TMM core dumped and restarted.

Workaround:
Disable BDoS.

Fixed Versions:
17.1.0, 15.1.4


1037877 : OAuth Claim display order incorrect in VPE

Links to More Info: BT1037877

Component: Access Policy Manager

Symptoms:
In the visual policy editor (VPE), it is difficult to re-order custom previously created Claims in the oAuth Authorization agent.

The following error is thrown in the developer tools screen of the client browser:
common.js?m=st&ver=15.1.2.1-0.0.10.0:902 Uncaught TypeError: Cannot read property 'row' of undefined
    at Object.common_class.swap (common.js?m=st&ver=15.1.2.1-0.0.10.0:902)
    at multipleObjectsSelectionCBDialogue_class.swapEntries (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263)
    at HTMLAnchorElement.<anonymous> (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185)
common_class.swap @ common.js?m=st&ver=15.1.2.1-0.0.10.0:902
multipleObjectsSelectionCBDialogue_class.swapEntries @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263
(anonymous) @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185

Conditions:
-- There are at least two claims in Access :: Federation : OAuth Authorization Server : Claim
-- You are attempting to reorder the claims in the visual policy editor

Impact:
It is not possible to re-order the claims

Workaround:
None

Fixed Versions:
17.1.0


1037265 : Improper handling of multiple cookies with the same name.

Component: Local Traffic Manager

Symptoms:
Multiple cookies with the same name are not handled as expected

Conditions:
Create a Virtual server with an HTTP profile and cookie encryption.

Impact:
BIG-IP may incorrectly process multiple cookies with the same name which may affect backend servers unexpectedly.

Fix:
Multiple cookies with the same name are processed as expected

Fixed Versions:
17.1.0


1037253 : No modal confirmation using "Enforce all Staged Signatures" button

Links to More Info: BT1037253

Component: Application Security Manager

Symptoms:
When enforcing signatures via "Enforce" button, a modal window appears and ask confirmation for the operation.

On the other hand if user enforces signatures via"Enforce all Staged Signatures" button, no modal window for a confirmation and signatures are immediately get enforced.

Conditions:
Use "Enforce all Staged Signatures" button

Impact:
The "Enforce all Staged Signatures" button does not have a safeguard and a miss operation can lead a site down.

Workaround:
None

Fix:
A modal window should appear and ask a confirmation.

Fixed Versions:
17.1.0


1036613 : Client flow might not get offloaded to PVA in embryonic state

Links to More Info: BT1036613

Component: TMOS

Symptoms:
The client flow is not offloaded in embryonic state, but only is only offloaded once the flow transitions to an established state.

Conditions:
-- FastL4 profile configured to offload TCP connections in embryonic state (this is the default)
-- Clientside and serverside ingress traffic is handled by different TMMs
-- Running on a platform with multiple HSB modules per TMM, i.e.:
--+ BIG-IP i11600 Series
--+ BIG-IP i15600 Series

Impact:
- minor performance degradation;
- PVA traffic counters show unexpectedly high values;

Fix:
Client flow is now offloaded in embryonic state (unless configured otherwise).

Fixed Versions:
17.1.0, 15.1.5.1


1036057 : Add support for line folding in multipart parser.

Links to More Info: BT1036057

Component: Application Security Manager

Symptoms:
RFC 2616 allowed HTTP header field values to be extended over multiple lines by preceding each extra line with at least one space or horizontal tab. This was then deprecated by RFC 7230.

The multipart parser of ASM does not support the multiple line header, so these requests cause false positives.

Conditions:
Multiline header in multipart request

Impact:
False positives.

Workaround:
None

Fix:
Introduced a new ASM internal parameter: multipart_allow_multiline_header

Note: default value is 0 (disabled)
Note: enabling/disabling the feature requires asm restart that triggers the unit going offline for a short time period. If the unit is a part of a high availability (HA) cluster, failover to the other unit will occur. If it is a standalone unit, traffic disruption until the unit comes back to online.

- Enable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 1
# bigstart restart asm

- Disable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 0
# bigstart restart asm

Behavior Change:
Introduced a new ASM internal parameter: multipart_allow_multiline_header

Note: default value is 0 (disabled)
Note: enabling/disabling the feature requires asm restart that triggers the unit going offline for a short time period. If the unit is a part of a high availability (HA) cluster, failover to the other unit will occur. If it is a standalone unit, traffic disruption until the unit comes back to online.

- Enable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 1
# bigstart restart asm

- Disable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 0
# bigstart restart asm

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


1035889 : Support of ECDSA for DNSSEC in Unbound

Component: Global Traffic Manager (DNS)

Symptoms:
In BIG-IP, DNS Cache does not support Elliptic Curve Digital Signature Algorithm (ECDSA), which is important for DNS software vendors to comply with DNS standards.

Conditions:
Listener is configured with cache (validating resolver) profile, and zone is signed with ECDSA algorithms.

Impact:
Unable to validate the zone, signed with ECDSA.

Workaround:
None

Fix:
Able to validate the zone, signed with ECDSA.

Fixed Versions:
17.1.0


1035361 : Illegal cross-origin after successful CAPTCHA

Links to More Info: BT1035361

Component: Application Security Manager

Symptoms:
After enabling CAPTCHA locally on BIG-IP with brute force, after configured login attempts, CAPTCHA appears, but after bypassing the CAPTCHA successfully the user receives a support ID with cross-origin violation.

Conditions:
- brute force with CAPTCHA mitigation enforced on login page.
- cross-origin violation is enforced on the login page.
- user fails to login until CAPTCHA appears
- user inserts the CAPTCHA correctly

Impact:
- blocking page appears.
- on the event log cross-origin violation is triggered.

Workaround:
- disable cross-origin violation enforcement.

Fix:
Fixing origin header offset in reconstruct challenge request.

Fixed Versions:
17.1.0, 16.1.2.2, 15.1.5.1, 14.1.5


1032761-2 : HA mirroring may not function correctly.

Links to More Info: BT1032761

Component: TMOS

Symptoms:
-- High availability (HA) mirroring might not function correctly.
-- Health monitors might fail intermittently (though this symptom is not always seen).
-- Application response latency might increase slightly.
-- Running 'tmctl -d blade tmm/sdaglib_hash_table' on the BIG-IP tenant shows a different sequence of values in the hash table when compared to the output of "show dag-states" in the F5OS Partition CLI. (Though the former renders the values using zero-based indexing, while the latter uses one-based indexing.)

Conditions:
-- VELOS chassis in use.
-- High availability (HA) pair is formed using BIG-IP tenants.
-- 'tmsh list cm device mirror-ip' shows a mirror-ip set for each BIG-IP.
-- sys db statemirror.clustermirroring is set to 'between'.

Impact:
High availability (HA) mirroring might not function correctly.
Degraded application traffic.

Workaround:
None.
To recover, set sys db statemirror.clustermirroring to 'within' and restart tmm on all slots of the affected tenant.

Fix:
Fixed high availability (HA) mirroring.

Fixed Versions:
17.1.0, 15.1.4


1032553 : Core when virtual server with destination NATing receives multicast

Links to More Info: K46048342, BT1032553


1032257 : Forwarded PVA offload requests fail on platforms with multiple PDE/TMM

Links to More Info: BT1032257

Component: TMOS

Symptoms:
Forwarded PVA requests use a static bigip_connection that does not have its pva_pde_info initialized, which results in offload failure on platforms that have multiple PDEs per TMM.

Conditions:
Pva_pde_info is not initialized and Forwarded PVA requests occur.

Impact:
Hardware offload does not occur.

Fixed Versions:
17.1.0, 15.1.5.1


1030133 : BD core on XML out of memory

Links to More Info: BT1030133

Component: Application Security Manager

Symptoms:
Missing error handling in lib xml parser.

Conditions:
XML parser going out of memory.

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
None

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1


1029689 : Incosnsitent username "SYSTEM" in Audit Log

Links to More Info: BT1029689

Component: Application Security Manager

Symptoms:
The Security Policy Auto Log in ASM displays the system component that triggered the event. The component name is sometimes shown as 'SYSTEM', other times shown as 'System'

Conditions:
The value is "SYSTEM" when Apply Policy was initiated locally.
The value is "System" when Apply Policy was initiated by the peer unit

Impact:
Component name inconsistency causing confusion

Workaround:
None

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


1029373 : Firefox 88+ raising Suspicious browser violations with bot defense

Links to More Info: BT1029373

Component: Application Security Manager

Symptoms:
Bot-defense might block legal traffic arriving from Firefox version 88

Conditions:
- ASM provisioned
- bot-defense profile assigned on a virtual server

Impact:
Legal traffic is blocked

Workaround:
Tmsh modify sys db botdefense.suspicious_js_score value 60

Fix:
Fixed testing legal traffic from browsers

Fixed Versions:
17.1.0


1029105-3 : Hardware SYN cookie mode state change logs bogus virtual server address

Links to More Info: BT1029105

Component: TMOS

Symptoms:
When a virtual server enters or exits hardware SYN cookie mode, a bogus IP address is logged in /var/log/ltm. For example:

Syncookie HW mode activated, server name = /Common/vs server IP = 0.0.0.3:0

Conditions:
A virtual server enters or exits hardware SYN cookie mode.

Impact:
Only the logging information is wrong, the hardware SYN cookie mode functions correctly.

Workaround:
None

Fix:
TMM now logs the correct IP address of the virtual server.

Fixed Versions:
17.1.0, 15.1.4


1027637-3 : System controller failover may cause dropped requests

Links to More Info: BT1027637

Component: TMOS

Symptoms:
A system controller failover may cause dropped requests to a change in the CMP hash algorithm.

Conditions:
1. The system controller fails over
2. The CMP hash algorithm changes

Impact:
Incorrect CMP hash settings

Workaround:
Change the CMP hash to another setting and back

Fix:
Fixed dropped requests to change CMP hash algorithm after a system controller failover

Fixed Versions:
17.1.0, 15.1.4


1025497 : BIG-IP may accept and forward invalid DNS responses

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP may forward invalid DNS responses to a client if the DNS server provides an invalid response.

Conditions:
BIG-IP configured as a proxy for a misbehaving backend DNS server.

Impact:
Invalid DNS responses are forwarded to client.

Fix:
The 'dns.responsematching' DB variable has been created to prevent forwarding invalid responses.

When the DB variable 'dns.responsematching' is enable, DNS responses will be matched by transaction ID, query name, and the client's and server's IP addresses and port numbers.

Fixed Versions:
17.1.0


1025261 : Restjavad uses more resident memory in control plane after software upgrade

Links to More Info: BT1025261

Component: TMOS

Symptoms:
The restjavad process immediately reserves more memory and the process size (as shown by RSS) increases as the starting heap size has been made to be the same as maximum heap size for performance reasons.

(Note the process name displays as 'java', but there are multiple independent Java processes on the system. The parent process of restjavad is 'runsv restjavad', and the command line arguments may have 'logging' in them.)

For restjavad with the default size, the increase is usually 200 MB-300 MB.

The increase is particularly apparent where restjavad.useextramb is set to the value 'true' and provision.extramb is set to a high value but restjavad had not required that much extra memory previously.

Conditions:
After upgrading to a BIG-IP software version with the fix for ID 776393 ( https://cdn.f5.com/product/bugtracker/ID776393.html ), where more memory has been allocated for restjavad.

Impact:
The memory Resident Set Size (RSS) of the restjavad process will be larger than needed, possibly constricting other processes in the control plane.

Workaround:
If restjavad.useextramb is set to value true you may find that if only a small amount of extra restjavad memory was required (~192 MB or less extra) that it can be set to false.

This is because the default size of restjavad has increased by 192 MB to 384MB.

Restart restjavad after the change.

Fix:
A new sys DB variable, provision.restjavad.extramb has been introduced to allow finer-grained control of restjavad memory.

It takes effect only if sys db restjavad.useextramb is true. It can be used to set restjavad heap size both above and below the default heap size of 384 MB.

Behavior Change:
A new sys DB variable, provision.restjavad.extramb has been introduced to allow finer-grained control of restjavad memory.

The variable is particularly useful when you need restjavad to be slightly bigger and also need a much larger provision.extramb without most of that being taken by restjavad.

For the variable to take effect, sys db restjavad.useextramb must be set to 'true'; otherwise, default memory values are used.

The variable sets the heap size, and defaults to and has a minimum value of 192 MB.

If the value of provision.restjavad.extramb is set above a certain cap value, the heap size will be set to the cap value. In this release, the cap value 384 MB + 80% of provision.extramb.

So with restjavad.useextramb set to 'true', you can set the restjavad heap size from 192 MB to 384 MB + 80% of provision.extramb using the provision.restjavad.extramb variable.

After changing value of provision.restjavad.extramb, restart restjavad to enable the change in memory size:

bigstart restart restjavad

Or on multi-blade systems:

clsh bigstart restart restjavad

If using a sys db restjavad.useextramb value of true and needing to restore your previous restjavad memory setting ( based on maximum heap size) please look at advice below.

Before upgrade - if you set sys db restjavad.useextramb to value false before install of new version you will have more restjavad memory, the default 384MB, after upgrade.

  tmsh modify sys db restjavad.useextramb value false

If you restart restjavad you can see if that value works before upgrade. If you don't restart then it will come into effect after reboot.

If that no longer has issues after update then leave that setting at false. Otherwise set back to true (no restart) and increase provision.restjavad.extramb as in After upgrade section below.

After upgrade:
Set sys db provision.restjavad.extramb to an appropriate value and restart restjavad.

Run the following command:

  tmsh modify sys db provision.restjavad.extramb value X
  bigstart restart restjavad

Iterate as necessary.

The value of X is derived by using one of the following formulae:

- When updating from versions before 14.1.4 and 15.1.3, to affected versions, a value that preserves the maximum previous restjavad heap size is:
  192MB + 80% of MIN(provision.extramb|2500)
the minimum possible heap size was:
  192MB + 20% of MIN(provision.extramb|2500)
The actual restjavad heap size would be between those extremes. SSLO systems would typically need a higher amount towards the maximum.

  Example 1: If provision.restjavad was 1000 MB on previous version, the possible range of restjavad heap size would have been between (20% of 1000 + 192) = 392 MB and (80% of 1000 + 192) = 992 MB.
  Example 2: If provision.extramb was 4000 MB, the possible range would be between (20 % of 2500 + 192) = 692 MB and (80% of 2500 + 192) = 2192 MB.

- When updating from 14.1.4-14.1.5, from 15.1.3-15.1.6.1 or from 16.0.x to affected versions:
  384MB + 80% of MIN(provision.extramb|2500)

  Example 3: If provision.extramb was 500 MB, the restjavad heap size on the previous version would have been 80% of 500 + 384 = 784 MB.

- When updating from 16.1.0-16.1.3 or from 17.0.0.0 to affected versions:
  384MB + 90% of MIN(provision.extramb|4000)

  Example 4: If provision.extramb was 2000 MB, the restjavad heap size on the previous version would have been 90% of 2000 + 384 = 2184 MB.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1


1024661 : SCTP forwarding flows based on VTAG for bigproto

Links to More Info: BT1024661

Component: TMOS

Symptoms:
Sometimes SCTP traffic is unidirectionally dropped on one link after an SCTP link down occurs.

Conditions:
-- SCTP configured and BIG-IP is passing traffic
-- A link goes down

Impact:
Flow creation on the wrong TMM and some traffic is dropped.

Workaround:
Disable SCTP flow redirection.
tmm.sctp.redirect_packets == disable

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


1024421 : At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log

Links to More Info: BT1024421

Component: TMOS

Symptoms:
TMM log shows clock advancing and MPI timeout messages:

notice slot1 MPI stream: connection to node aborted for reason: TCP RST from remote system (tcp.c:5201)
notice slot1 tmm[42900]: 01010029:5: Clock advanced by 6320 ticks

Conditions:
-- pva.standby.flush DB key set to 1 (enabled). The default is 0.
-- Processing high traffic volume for some time

Impact:
Upstream switch could receive flow response from both active and standby units and cause a traffic disturbance.

Fix:
Modified the "Pva.Standby.Flush" DB key to take two new values ("2" and "3"). This DB key defines actions that the system takes when a traffic-group goes standby.

The values of this DB key are now:

-- 0: do nothing (the default)
-- 1: evict all ePVA accelerated flows for all traffic-groups
-- 2: inform the ePVA to stop processing traffic destined for the MAC masquerade address for this traffic-group
-- 3: perform both of the above actions (evict all ePVA accelerated flows, and inform the ePVA to stop processing traffic for the MAC masquerade address)

Behavior Change:
The DB variable Pva.Standby.Flush accepts two new values ("2" and "3"). This DB key defines actions that the system takes when a traffic-group goes standby.

The values of this DB key are now:

-- 0: do nothing (the default)
-- 1: evict all ePVA accelerated flows for all traffic-groups
-- 2: inform the ePVA to stop processing traffic destined for the MAC masquerade address for this traffic-group
-- 3: perform both of the above actions (evict all ePVA accelerated flows, and inform the ePVA to stop processing traffic for the MAC masquerade address)

Fixed Versions:
17.1.0, 15.1.3.1


1023229 : False negative on specific authentication header issue

Links to More Info: BT1023229

Component: Application Security Manager

Symptoms:
Blocking does not occur on a specific authentication header issue when a non-default internal parameter is set.

Conditions:
ignore_authorization_header_decode_failure is not set to 0

Impact:
A request with an authentication header issue can pass.

Workaround:
None

Fix:
The system alerts on a decoding failure when configured so.

Fixed Versions:
17.1.0


1022453 : IPv6 fragments are dropped when packet filtering is enabled.

Links to More Info: BT1022453

Component: Local Traffic Manager

Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.

Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.

Impact:
Some or all of the fragments of an IPv6 packet are lost.

Workaround:
Disable packet filtering

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


1021637 : In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs

Links to More Info: BT1021637

Component: Application Security Manager

Symptoms:
CSRF is sometimes enforced on URLs that do not match the CSRF URLs list

Conditions:
ASM policy with CSRF settings

Impact:
URLs that do not match the CSRF URLs list can be blocked due to CSRF violation.

Workaround:
None

Fix:
N/A

Fixed Versions:
17.1.0, 16.1.2.2, 15.1.6.1


1021245 : CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive

Links to More Info: K78284681


1020717 : Policy versions cleanup process sometimes removes newer versions

Links to More Info: BT1020717

Component: Application Security Manager

Symptoms:
The policy versions cleanup process sometimes removes versions in incorrect order. Newer versions are removed while older versions are preserved.

Conditions:
"maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg" has very low value.

Impact:
Newer versions are removed.

Workaround:
increase value of "maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg"

Fixed Versions:
17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


1020645-5 : When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered

Links to More Info: BT1020645

Component: Local Traffic Manager

Symptoms:
In an explicit proxy configuration when an HTTP request is sent to an HTTPS destination server via proxy, the HTTP CONNECT method is sent, but the iRule event HTTP_RESPONSE_RELEASE is not fired.

Conditions:
- Simple HTTP explicit proxy virtual server
- An HTTP request from the client is sent to an 'https://' destination server

Impact:
iRule event HTTP_RESPONSE_RELEASE does not get triggered.

Workaround:
None

Fix:
When HTTP CONNECT is sent, the iRule event HTTP_RESPONSE_RELEASE is now triggered.

Fixed Versions:
17.1.0, 16.1.3.1, 15.1.4.1


1019793-3 : Image2disk does not work on F5OS BIG-IP tenant.

Links to More Info: BT1019793

Component: TMOS

Symptoms:
Image2disk fails to recognize the correct disk to install and installation fails.

Conditions:
This occurs with BIG-IP tenants that are running in F5OS partitions.

Impact:
Installation fails.

Workaround:
None

Fixed Versions:
17.1.0, 15.1.5


1019481-2 : Unable to provision PEM on VELOS platform

Links to More Info: BT1019481

Component: Policy Enforcement Manager

Symptoms:
Unable to provision PEM on VELOS platform

Conditions:
When trying to provision PEM

Impact:
PEM functionality cannot be achieved

Workaround:
Change sys db provision.enforce value to false and load sys config

Fix:
Added VELOS platform to PEM provision list

Fixed Versions:
17.1.0, 15.1.4


1018997 : Improper logging of sensitive DB variables

Component: TMOS

Symptoms:
Certain DB variables related to configsync and management port proxying may be improperly logged.

Conditions:
Configuring configsync or a management port proxy.

Impact:
Undisclosed DB variables are logged.

Workaround:
Follow current guidance for transferring and accessing files from the BIG-IP device.

https://support.f5.com/csp/article/K58243048

Fix:
The DB variables are treated as expected.

Fixed Versions:
17.1.0


1017557 : ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN

Links to More Info: BT1017557

Component: Application Security Manager

Symptoms:
ASM BD sends a reset back to the client when the backend server sends a response without proper terminating 0 chunk followed by FIN.

Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Backed server sends a bad chunked response

Impact:
Valid requests can be reset.

Workaround:
Any one of the following workarounds can be applied.

-- Fix backed server behavior.
-- Fix bad response using iRule, appending proper terminating 0 chunk
-- Change ASM internal /usr/share/ts/bin/add_del_internal update bypass_upon_load 1

Fix:
Fix ASM to properly handle bad chunked response followed by FIN

Fixed Versions:
17.1.0


1015881 : TMM might crash after configuration failure

Links to More Info: BT1015881

Component: Application Security Manager

Symptoms:
TMM crashes after DoSL7 application configuration failure

Conditions:
DoSL7 configuration is changed, and the configuration change fails in TMM.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None

Fixed Versions:
17.1.0, 16.1.3.1, 15.1.7


1014973 : ASM changed cookie value.

Links to More Info: BT1014973

Component: Application Security Manager

Symptoms:
ASM changes the value of a cookie going to the server.

Conditions:
Specific conditions.

Impact:
Domain cookie will reach the server with a wrong value. Can cause different malfunctions depending on the application.

Workaround:
Change the following db variable:
tmsh modify sys db asm.strip_asm_cookies (https://support.f5.com/csp/article/K30023210) value false.

There is no need to restart asm.

Add an iRule without the use of strip_asm_cookies:
https://support.f5.com/csp/article/K13693.

Fix:
Original cookies not being deleted/modified after the removing of TS cookies in ASM.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


1014573 : Several large arrays/objects in JSON payload may core the enforcer

Links to More Info: BT1014573

Component: Application Security Manager

Symptoms:
Requests with JSON payload that consists of more than one object with elements, such as a couple of large arrays, may cause the enforcer to crash.

Conditions:
Each of the objects/arrays in JSON payload has to consist lesser amount of elements than defined in the "Maximum Array Length" JSON profile attribute.

Impact:
Large enough arrays may cause performance decrease, in addition, the enforcer may crash.

Workaround:
Set "Maximum Array Length" to a lower value than the requests array length.

Fix:
Added internal param "count_overall_child_elements_in_json" to control "Maximum Array/Object Elements" behaviour:
0 (default) - retain current behaviour (check max elements in each array/object separately);
1 - count overall elements in all arrays/objects.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1


1010961 : Redirect fails when accessing SAML Resource more than once in SAML IDP initiated Flow

Links to More Info: BT1010961

Component: Access Policy Manager

Symptoms:
In SAML idp initiated Flow, redirects fails on accessing SAML Resource second time as multiple assertions are posted to the SP on same access session

Conditions:
1. BIG-IP SAML SP and IDP configured for IDP initiated Flow
2. Access SAML Resource first time is successful but fails second time for same access session

Impact:
Multiple assertions are sent to SP on same access session and fails to render the backend application second time.

Workaround:
For Access policy contains an allow ending:

when HTTP_REQUEST {
    if { [HTTP::uri] eq "/saml/sp/profile/post/acs" && [ACCESS::session exists -state_allow -sid [ACCESS::session sid]] } {
        HTTP::redirect "/"
    }
}

For access policy contains a redirect ending:
when HTTP_REQUEST {
    if { [HTTP::uri] eq "/saml/sp/profile/post/acs" && [ACCESS::session exists -state_redirect -sid [ACCESS::session sid]] } {
        HTTP::redirect "/"
    }
}

If relay-state implemented, edit the iRule's redirect uri to match that configured in the relay-state.

Fix:
BIG-IP as SP processes all of the assertions received on a single access session and successfully renders the backend application.

Fixed Versions:
17.1.0


1010809 : Connection is reset when sending a HTTP HEAD request to APM Virtual Server

Links to More Info: BT1010809

Component: Access Policy Manager

Symptoms:
Connection is reset when sending a HTTP HEAD request to APM Virtual Server

Conditions:
-- A virtual server with APM implemented
-- A HTTP HEAD request is sent to the virtual server

Impact:
Connection is reset

Workaround:
To work around this issue, implement the following iRule on the virtual server:

when HTTP_REQUEST priority 500 {
    if {[HTTP::method] equals "HEAD"
       && [HTTP::path] equals "/"} {
        HTTP::respond 404
    }
}

Fixed Versions:
17.1.0


1007153 : Selected Attack type is not shown properly in the Attack Signature Set Properties screen

Component: Application Security Manager

Symptoms:
The text title of the selected Attack type is not aligned with the input boundaries.

Conditions:
This issue occurs when creating or editing a user-defined signature set under the following path:
Security > Options > Application Security > Attack Signatures > Attack Signature Sets.

Impact:
The text of the attack type appears a bit off the input boundaries. Only cosmetic impact.

Fix:
The text appears within the input boundary.

Fixed Versions:
17.1.0


1006921 : iRules Hardening

Links to More Info: K80970653, BT1006921


1006157 : FQDN nodes not repopulated immediately after 'load sys config'

Links to More Info: BT1006157

Component: Local Traffic Manager

Symptoms:
A DNS query is not sent for configured FQDN nodes until the TTL value expires.

Conditions:
This occurs when 'load sys config' is executed.

Impact:
Name addresses do not resolve to IP addresses until the TTL expires.

Workaround:
You can use either of the following workarounds:

-- Change the default TTL value to be fewer than 300 seconds (the default value is 3600 seconds).

-- Restart dynconfd daemon:
tmsh restart sys service dynconfd

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1


1004517 : BIG-IP tenants on VELOS cannot install EHFs

Links to More Info: BT1004517

Component: TMOS

Symptoms:
BIG-IP tenants created on VELOS using v14.1.4 software earlier than v14.1.4.3 cannot accept engineering hotfixes (EHF).

Conditions:
Installing EHF updates to BIG-IP tenants on VELOS running BIG-IP v14.1.4 software earlier than v14.1.4.3.

Impact:
EHF installation fails.

Workaround:
None

Fix:
BIG-IP tenants on VELOS can now install EHFs.

Fixed Versions:
17.1.0, 15.1.4, 14.1.4.3


1003765 : Authorization header signature triggered even when explicitly disabled

Links to More Info: BT1003765

Component: Application Security Manager

Symptoms:
Requests with base64 encoded Authorization header with disabled signatures might result in a blocking page even though the specific signature is disabled.

Conditions:
Base64 encoded Authorization header is included in the request.

Impact:
A signature violation is detected, even though the signature is disabled.

Workaround:
None

Fix:
No violation for disabled signatures.

Fixed Versions:
17.1.0, 15.1.4.1


1001865-4 : No platform trunk information passed to tenant

Component: TMOS

Symptoms:
Trunk information is not being published to BIG-IP tenants for use in high availability (HA) group definitions.

Conditions:
When defining high availability (HA) groups.

Impact:
No trunk or trunk member information is reported. This reduces the usefulness of information used to compare the relative health of high availability (HA) peers and potentially initiating a tenant failover, depending on that output.

Workaround:
None

Fix:
Trunk information is now synchronized between the VELOS system and tenants, enhancing the tenant high availability (HA) health check.

Behavior Change:
Trunk information is now synchronized between the VELOS system and tenants, which increases the usefulness of information used to compare the relative health of high availability (HA) peers and potentially initiating a tenant failover, depending on that output.

Fixed Versions:
17.1.0, 15.1.4


1001069-2 : VE CPU usage higher after upgrade, given same throughput

Links to More Info: BT1001069

Component: TMOS

Symptoms:
Significant increase in CPU usage post-upgrade.

Conditions:
- Upgrading from version 13.x to a later version.
- Configured BIG-IP Virtual Edition (VE) that uses the sock driver.

Impact:
Significant increase in CPU usage, leading to potential degradation or disruption of traffic.

Workaround:
Create the following overrides:
- In '/config/tmm_init.tcl' add or append the following:
ndal mtu 1500 1137:0043
device driver vendor_dev 1137:0043 xnet

- In '/config/xnet_init.tcl' add or append the following:
device driver vendor_dev 1137:0043 dpdk

Note: These overrides must be re-applied every time an upgrade is done.

Fix:
Changed configuration to use DPDK-XNet as the default driver for Cisco eNIC.

Fixed Versions:
17.1.0


1000069 : Virtual server does not create the listener

Links to More Info: BT1000069

Component: Local Traffic Manager

Symptoms:
A virtual-address is in an offline state.

Conditions:
An address-list is used on a virtual server in a non-default route domain.

Impact:
The virtual IP address remains in an offline state.

Workaround:
Using tmsh, create the traffic-matching-criteria. Specify the route domain, and attach it to the virtual server.

Fixed Versions:
17.1.0



Known Issues in BIG-IP v17.1.x


TMOS Issues

ID Number Severity Links to More Info Description
1226585-1 1-Blocking   Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode
1190777 1-Blocking   Unable to add a device to a device trust when the BigDB variable icontrol.basic_auth is set to disable on target device
994033-4 2-Critical BT994033 The daemon httpd_sam does not recover automatically when terminated
993481-5 2-Critical BT993481 Jumbo frame issue with DPDK eNIC
950201-6 2-Critical BT950201 Tmm core on GCP
776117-6 2-Critical BT776117 BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type
1209709-5 2-Critical BT1209709 Memory leak in icrd_child when license is applied through BIG-IQ
989501-3 3-Major BT989501 A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus
988745-8 3-Major BT988745 On reboot, 'could not find platform object' errors may be seen in /var/log/ltm
936093-7 3-Major BT936093 Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline
906273-4 3-Major BT906273 MCPD crashes receiving a message from bcm56xxd
778513-5 3-Major BT778513 APM intermittently drops log messages for per-request policies
757787-6 3-Major BT757787 Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI.
690928-8 3-Major BT690928 System posts error message: 01010054:3: tmrouted connection closed
1238693-1 3-Major BT1238693 Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519
1217473-1 3-Major BT1217473 All the UDP traffic is sent to a single TMM
1215613-3 3-Major BT1215613 ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address
1211089-4 3-Major BT1211089 Traffic to IPv6 all nodes address not received by TMM on VE with ixlv driver
1160805-4 3-Major BT1160805 The scp-checkfp fail to cat scp.whitelist for remote admin
1124733-3 3-Major   Unnecessary internal traffic is observed on the internal tmm_bp vlan
1117305-8 3-Major BT1117305 The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials
1112537-6 3-Major BT1112537 LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete.
1102425-1 3-Major BT1102425 F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary
1090313-5 3-Major BT1090313 Virtual server may remain in hardware SYN cookie mode longer than expected
1067797 3-Major BT1067797 Trunked interfaces that share a MAC address may be assigned in the incorrect order.
1012377-3 3-Major BT1012377 Unable to display/edit 'management route' via GUI
1009337-4 3-Major BT1009337 LACP trunk down due to bcm56xxd send failure
976517-4 4-Minor BT976517 Tmsh run sys failover standby with a device specified but no traffic group fails
895669-4 4-Minor BT895669 VCMP host does not validate when an unsupported TurboFlex profile is configured
857045-5 4-Minor BT857045 LDAP system authentication may stop working
1229325-1 4-Minor BT1229325 Unable to configure IP OSPF retransmit-interval as intended
1217077-1 4-Minor BT1217077 Race condition processing network failover heartbeats with timeout of 1 second
1211617-2 4-Minor BT1211617 High CPU utilisation observed during startup when forced BIG-IP system set offline
1209589-5 4-Minor BT1209589 BFD multihop does not work with ECMP routes
1185257-6 4-Minor BT1185257 BGP confederations do not support 4-byte ASNs
1154685-4 4-Minor BT1154685 Error logged "01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object..." during startup
1121169-5 4-Minor BT1121169 Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use
1064753-6 4-Minor BT1064753 OSPF LSAs are dropped/rate limited incorrectly.


Local Traffic Manager Issues

ID Number Severity Links to More Info Description
752766-4 1-Blocking BT752766 The BIG-IP system might fail to read SFPs after a reboot
1205501-4 2-Critical BT1205501 The iRule command SSL::profile can select server SSL profile with outdated configuration
1024241-5 2-Critical BT1024241 Empty TLS records from client to BIG-IP results in SSL session termination
878641-7 3-Major BT878641 TLS1.3 certificate request message does not contain CAs
842425-7 3-Major BT842425 Mirrored connections on standby are never removed in certain configurations
693473-3 3-Major BT693473 The iRulesLX RPC completion can cause invalid or premature TCL rule resumption
1238529-3 3-Major BT1238529 TMM might crash when modifying a virtual server in low memory conditions
1238413-4 3-Major BT1238413 The BIG-IP might fail to update ARL entry for a host in a VLAN-group
1235085 3-Major   Reinitialization of FIPS HSM in BIG-IP tenant.
1229369-4 3-Major BT1229369 The fastl4 TOS mimic setting towards client may not function
1210469-1 3-Major BT1210469 TMM can crash when processing AXFR query for DNSX zone
1209945-2 3-Major BT1209945 Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs
1205045-6 3-Major BT1205045 WMI monitor does not put pool members into an offline/unchecked state when BIG-IP receives HTTP responses other than 200
1191229 3-Major BT1191229 The virtual-wire tenant upgrade from 15.1.8 to 17.1.0 results in tenant to stuck in offline state
1166481-5 3-Major BT1166481 The vip-targeting-vip fastL4 may core
1110485-5 3-Major BT1110485 SSL handshake failures with invalid profile error
1083589 3-Major BT1083589 Some connections are dropped on chained IPv6 to IPv4 virtual servers.
1064725-5 3-Major BT1064725 CHMAN request for tag:19 as failed.
1026781-5 3-Major BT1026781 Standard HTTP monitor send strings have double CRLF appended
1025089-7 3-Major BT1025089 Pool members marked DOWN by database monitor under heavy load and/or unstable connections
1240937-4 4-Minor BT1240937 The FastL4 TOS specify setting towards server may not function for IPv6 traffic
1238897-1 4-Minor BT1238897 TMM TCL interpreter's non-TMM "compat" memcasechr broken in 64-bit build
1211189-4 4-Minor BT1211189 Stale connections observed and handshake failures observed with errors
1167609-4 4-Minor BT1167609 The messages msg->ref > 0 are seen in TMM logs with websockets/ASM plugin
926085-4 5-Cosmetic BT926085 In WebUI node or port monitor test is not possible, but it works in TMSH


Global Traffic Manager (DNS) Issues

ID Number Severity Links to More Info Description
940733 2-Critical BT940733 Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt
1225061-1 2-Critical BT1225061 The zxfrd segfault with numerous zone transfers
1212081-5 2-Critical BT1212081 The zxfrd segfault and restart loop due to incorrect packet processing
1250077-6 3-Major BT1250077 TMM memory leak
1182353-6 3-Major BT1182353 DNS cache consumes more memory because of the accumulated mesh_states
1082197-5 3-Major BT1082197 RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response


Application Security Manager Issues

ID Number Severity Links to More Info Description
923821-5 2-Critical BT923821 Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack
850141-5 2-Critical BT850141 Possible tmm core when using Dosl7/Bot Defense profile
1217549-4 2-Critical BT1217549 Missed ASM Sync on startup
890169-6 3-Major BT890169 URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
1250209-1 3-Major BT1250209 The message "ERR: in Graphql disallowed response, pcre is null" appears in BD logs
1235337-2 3-Major BT1235337 The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL
1216297-3 3-Major   TMM core occurs when using disabling ASM of request_send event
1211905-3 3-Major BT1211905 Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts"
1210321-2 3-Major BT1210321 Parameters are not created for properties defined in multipart request body when URL include path parameter
1196537-5 3-Major BT1196537 BD process crashes when you use SMTP security profile
1196185-1 3-Major   Policy Version History is not presented correctly with scrolling
1194173-5 3-Major   BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value
1190365-1 3-Major BT1190365 OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly
1186401-4 3-Major BT1186401 Using REST API to change policy signature settings changes all the signatures.
1184841-6 3-Major   Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API
1173493-2 3-Major BT1173493 Bot signature staging timestamp corrupted after modifying the profile
1156889-5 3-Major BT1156889 TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions
1148009-8 3-Major BT1148009 Cannot sync an ASM logging profile on a local-only VIP
1144497-5 3-Major   Base64 encoded metachars are not detected on HTTP headers
1137993-6 3-Major BT1137993 Violation is not triggered on specific configuration
1132981-5 3-Major BT1132981 Standby not persisting manually added session tracking records
1132741-7 3-Major BT1132741 Tmm core when html parser scans endless html tag of size more then 50MB
1117245-5 3-Major BT1117245 Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file
1098609-3 3-Major   BD crash on specific scenario
1078065-5 3-Major BT1078065 The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA.
1069729-4 3-Major BT1069729 TMM might crash after a configuration change.
1067557-5 3-Major   Value masking under XML and JSON content profiles does not follow policy case sensitivity
1059513-3 3-Major BT1059513 Virtual servers may appear as detached from security policy when they are not.
1048949-8 3-Major BT1048949 TMM xdata leak on websocket connection with asm policy without websocket profile
1023889-5 3-Major BT1023889 HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message
987977-1 4-Minor BT987977 VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation
1245209-1 4-Minor BT1245209 Introspection query violation is reported regardless the flag status
1210569-1 4-Minor BT1210569 User defined signature rule disappears when using high ASCII in rule
1210053-3 4-Minor BT1210053 The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error
1189865-5 4-Minor BT1189865 "Cookie not RFC-compliant" violation missing the "Description" in the event logs
1123153-5 4-Minor   "Such URL does not exist in policy" error in the GUI
1113753-5 4-Minor   Signatures might not be detected when using truncated multipart requests
1084857-6 4-Minor BT1084857 ASM::support_id iRule command does not display the 20th digit
1083513-4 4-Minor BT1083513 BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd
1076825-3 4-Minor BT1076825 "Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.
1030129-5 5-Cosmetic BT1030129 iHealth unnecessarily flags qkview for H701182 with mcp_module.xml


Access Policy Manager Issues

ID Number Severity Links to More Info Description
1111149-4 2-Critical BT1111149 Nlad core observed due to ERR_func_error_string can return NULL
1110489-4 2-Critical BT1110489 TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event
1083053-4 2-Critical BT1083053 Apmd memory grows over time in AD auth scenarios
967185-3 3-Major BT967185 Increase the size limit of JWT for OAuth
868557 3-Major BT868557 Unable to initiate SWG database download from Admin UI when management network has no direct internet connectivity.
1232977-4 3-Major BT1232977 TMM leaking memory in OAuth scope identifiers when parsing scope lists
1180365-3 3-Major   APM Integration with Citrix Cloud Connector
1060477-2 3-Major BT1060477 iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]".
1044457-4 3-Major BT1044457 APM webtop VPN is no longer working for some users when CodeIntegrity is enabled.
936061-4 4-Minor BT936061 Variable session.user.agent missing for Edge Client & F5 Access clients
1239061 4-Minor   Endpoint Inspection may fail when using Symantec Endpoint Protection with EPSEC version 1356 release
1218813-6 4-Minor BT1218813 "Timeout waiting for TMM to release running semaphore" after running platform_diag


Service Provider Issues

ID Number Severity Links to More Info Description
1239901-3 2-Critical   LTM crashes while running SIP traffic
1189513-6 3-Major BT1189513 SIP media flow pinholes are not created if SDP MIME multipart body part miss the content-length header
1156149-5 3-Major BT1156149 Early responses on standby may cause TMM to crash
1038057-5 3-Major BT1038057 Unable to add a serverssl profile into a virtual server containing a FIX profile
1251013-1 4-Minor BT1251013 Allow non-RFC compliant URI characters
1249929-2 4-Minor BT1249929 Diameter MRF sends CER to pool-member even after peer sent DPR and force-offline the pool member
1213469-5 4-Minor BT1213469 MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP dropped


Advanced Firewall Manager Issues

ID Number Severity Links to More Info Description
609878-8 2-Critical BT609878 Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server
1215161-4 2-Critical BT1215161 A new CLI option introduced to display rule-number for policy, rules and rule-lists
1048425-6 2-Critical BT1048425 Packet tester crashes TMM when vlan external source-checking is enabled
1199025-3 3-Major BT1199025 DNS vectors auto-threshold events are not seen in webUI
1196053-4 3-Major BT1196053 The autodosd log file is not truncating when it rotates
1190765-1 3-Major   VelOS | Zone Base DDOS | Aggregation, BD | Seeing Entries in sPVA Registers are not getting reset once the attack is completed
1167969-2 3-Major BT1167969 In DoS Profile level, the Flood attack Vectors with TCP and UDP, Hardware offloading is not working as expected
1110281-7 3-Major BT1110281 Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable
1251105-1 4-Minor BT1251105 DoS Overview (non-HTTP) - A null pointer was passed into a function
1215401-2 4-Minor   Under Shared Objects, some country names are not available to select in the Address List


Policy Enforcement Manager Issues

ID Number Severity Links to More Info Description
1186925-6 2-Critical BT1186925 When FUA in CCA-i, PEM does not send CCR-u for other rating-groups
1226121-5 3-Major BT1226121 TMM crashes when using PEM logging enabled on session
1207381 3-Major BT1207381 PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored
1190353-4 3-Major BT1190353 The wr_urldbd BrightCloud database downloading from a proxy server is not working
1174085-7 3-Major BT1174085 spmdb_session_hash_entry_delete releases the hash's reference


Carrier-Grade NAT Issues

ID Number Severity Links to More Info Description
1128429-7 4-Minor BT1128429 Rebooting one or more blades at different times may cause traffic imbalance results High CPU


Anomaly Detection Services Issues

ID Number Severity Links to More Info Description
1211297-1 2-Critical   Handling DoS profiles created dynamically using iRule and L7Policy
1046469-4 3-Major BT1046469 Memory leak during large attack


Device Management Issues

ID Number Severity Links to More Info Description
1196477-8 3-Major BT1196477 Request timeout in restnoded


In-tmm monitors Issues

ID Number Severity Links to More Info Description
1211985-6 3-Major BT1211985 BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring


Account Protection & Authentication Intelligence Issues

ID Number Severity Links to More Info Description
1147545 3-Major   AP cookie might be missing for first request when AP profile is being used with ASM policy

 

Known Issue details for BIG-IP v17.1.x

994033-4 : The daemon httpd_sam does not recover automatically when terminated

Links to More Info: BT994033

Component: TMOS

Symptoms:
APM policy redirecting users to incorrect domain, the httpd_sam daemon not running.

Conditions:
Daemon httpd_sam stopped with the terminate command.

Impact:
APM policy performing incorrect redirects.

Workaround:
Restart the daemons httpd_apm and httpd_sam.


993481-5 : Jumbo frame issue with DPDK eNIC

Links to More Info: BT993481

Component: TMOS

Symptoms:
TMM crashes

Conditions:
-- TMM is using DPDK driver with Cisco eNIC
-- TMM receives jumbo sized packet

Impact:
Traffic disrupted while TMM restarts.

Workaround:
- Use a different driver such as sock.
- Do not use or accept jumbo frames, use the following TMSH command to set the MTU to less than or equal to 1500:
tmsh modify net vlan external mtu 1500


989501-3 : A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus

Links to More Info: BT989501

Component: TMOS

Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might fall or drop off of PCI bus, resulting in the BIG-IP system not being able to process traffic. If this happens, a daemon_heartbeat failsafe gets triggered instead of dataplane_inoperable_t action.

Conditions:
The conditions that lead to HSB to fall off of PCI bus are unknown at this time.

Impact:
The BIG-IP system unable to pass traffic and a failover is triggered.

Workaround:
Reboot the device or the blade to recover from the situation and monitor for re-occurrence. If it happens again, it could indicate potential underlying hardware issue.


988745-8 : On reboot, 'could not find platform object' errors may be seen in /var/log/ltm

Links to More Info: BT988745

Component: TMOS

Symptoms:
During a reboot, several error messages are logged in /var/log/ltm:

-- err mcpd[9401]: 01070710:3: Database error (0), get_platform_obj: could not find platform object - sys/validation/Platform.cpp, line 188.

-- err chmand[6578]: 012a0003:3: hal_mcp_process_error: result_code=0x1070710 for result_operation=eom result_type=eom

Conditions:
This occurs when either of the following conditions is met:
-- A fresh installation of a BIG-IP system.
-- A reboot after forcing the mcpd process to reload the BIG-IP configuration,

Impact:
There is no functional impact to these error messages.

Workaround:
None.


987977-1 : VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation

Links to More Info: BT987977

Component: Application Security Manager

Symptoms:
Remote logging message, violation_details field, includes XML document for VIOL_HTTP_RESPONSE_STATUS even though there was no VIOL_HTTP_RESPONSE_STATUS violation triggered.

Conditions:
When all the following conditions are met

-- Response status code is not one of 'Allowed Response Status Codes'.
-- Alarm/Block flags are disabled with 'Illegal HTTP status in response'.
-- Logging profile is configured for remote storage.
-- Storage format is comma-separated.
-- Both violation_details and violations fields are set.

Impact:
Remote logging server receives inaccurate message.

Workaround:
None


976517-4 : Tmsh run sys failover standby with a device specified but no traffic group fails

Links to More Info: BT976517

Component: TMOS

Symptoms:
The tmsh run /sys failiover standby device <device> command fails and returns an error if no traffic-group is specified:

Syntax Error: There is no failover device with a name (/Common/bigip2.localhost).

Conditions:
Two or more BIG-IPs configured with high availability (HA)

Impact:
You are required to specify all the traffic groups you want to failover to a peer.

Workaround:
For each traffic group that you want to failover to a peer run the tmsh run /sys failover standby.

For example if you want to fail over both traffic groups traffic-group-1 and traffic-group-2 to failover to bigip2.localhost, run the following:

tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-1

tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-2

If you want the device to be standby for all traffic groups but you don't care what device takes over as active, run the following command (note there is no traffic-group nor device):

tmsh run /sys failover standby


967185-3 : Increase the size limit of JWT for OAuth

Links to More Info: BT967185

Component: Access Policy Manager

Symptoms:
Currently, the allowed payload size for JWT is 4K. Users whose claims of length exceed the limit are unable to authenticate.

Conditions:
OAuth is configured with JWT.

Impact:
Users whose claims of length are more than the limit are unable to authenticate.


950201-6 : Tmm core on GCP

Links to More Info: BT950201

Component: TMOS

Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.

TMM panic with this message in a tmm log file:

panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.

Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141

-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.


Note: Using either workaround has a performance impact.


940733 : Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt

Links to More Info: BT940733

Component: Global Traffic Manager (DNS)

Symptoms:
The system fails during the boot-up process, reports a libcrypto validation error, and the system halts. The console will show this error:

Power-up self-test failures:
OpenSSL: Integrity test failed for libcrypto.so

This occurs after one of the following:
-- Upgrading a FIPS-enabled BIG-IP system, booting to a volume running an earlier software version
-- Running big3d_install from a BIG-IP GTM configuration to a BIG-IP LTM


On a FIPS-licensed BIG-IP LTM configuration, when checking the big3d version you may see something similar to this:

 /shared/bin/big3d -V
fips.c:204:f5_get_library_path: failed to dlopen libcrypto.so.1.0.2za
./big3d version big3d Version 17.0.0.0.0.22 for linux

Conditions:
-- FIPS-licensed BIG-IP system.
-- Upgrade.
-- Boot into a volume running an earlier version of the software.

Another way to encounter the issue is:

-- FIPS-licensed BIG-IP LTM.
-- BIG-IP DNS (GTM) device running a higher software version than the LTM.
-- Run big3d_install from a BIG-IP GTM-configuration pointing to FIPS-licensed BIG-IP LTM configuration.

Impact:
System boots to a halted state or big3d may continuously restart.

Workaround:
Before booting to the volume with the earlier version, delete /shared/bin/big3d.

Note: This issue might have ramifications for DNS/GTM support. DNS/GTM is not FIPS-certified.

If the target software volume has already experienced this issue (the system boots to a halted state), addition to deleting /shared/bin/big3d, follow the instructions in K25205233: BIG-IP System halted while booting. Halt at boot after FIPS Integrity Check Result FAIL :: https://support.f5.com/csp/article/K25205233 .

For additional information, see K29290121: Rollback after upgrade or big3d_install may cause FIPS to halt system on boot :: https://support.f5.com/csp/article/K29290121.


936093-7 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline

Links to More Info: BT936093

Component: TMOS

Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.

Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.

Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.

Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:

/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr

This can be accomplished using a command such as:

truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr


936061-4 : Variable session.user.agent missing for Edge Client & F5 Access clients

Links to More Info: BT936061

Component: Access Policy Manager

Symptoms:
When connecting with Edge Client & F5 Access clients the BIG-IP APM session variable session.user.agent is missing from APM sessions.

Conditions:
BIG-IP APM
Edge Client & F5 Access clients

Impact:
Session variable session.user.agent cannot be used for BIG-IP APM Access Policy logic flows

Workaround:
An iRule can be used to generate a like session variable. For example:

# This event fires once per session
when ACCESS_SESSION_STARTED {
  log local0. "Setting User-Agent based on HTTP data - [HTTP::header User-Agent]"
  ACCESS::session data set session.custom.client.useragent [HTTP::header User-Agent]
  #Use this variable in the VPE to make some decision
}


926085-4 : In WebUI node or port monitor test is not possible, but it works in TMSH

Links to More Info: BT926085

Component: Local Traffic Manager

Symptoms:
When attempting to test a newly created Pool Member monitor, node address field is disabled, you cannot enter a node address. This prevents from using the Test operation to test this type of monitor in the WebUI.

Conditions:
-- Create a new Pool Member monitor (not a Node Address monitor). For example, HTTP, HTTPS, FTP, TCP, or Gateway ICMP.
-- With the monitor configuration displayed in the WebUI, click the Test tab.
-- View the Address field, and try to run the test.

Impact:
The Address field is disabled, with *.* in the field. You cannot enter a node address. The test fails with following message:

invalid monitor destination of *.*:80.
invalid monitor destination of *.*:443. (:port used to test)

Workaround:
Run either of the following TMSH commands:

-- tmsh run ltm monitor <type> <name> destination <IP address>:<port>
-- tmsh modify ltm monitor <type> <name> destination *:*

For example, for HTTP:
-- tmsh run ltm monitor http my_http destination <IP address>:<port>
-- tmsh modify ltm monitor http my_http destination *:*

For example, for HTTPS:
-- tmsh run ltm monitor https my_https destination <IP address>:<port>
-- tmsh modify ltm monitor https my_https destination *:*


923821-5 : Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack

Links to More Info: BT923821

Component: Application Security Manager

Symptoms:
When mitigated action is set to CSI followed by captcha for credential stuffing attack, captcha is not triggered even after successful CSI challenge.

Conditions:
1) Mitigated action is set to CSI followed by captcha for credential stuffing attack.
2) Credential stuffing attack occurs.
3) CSI challenge is success.

Impact:
Captcha is not triggered leading to less than configured mitigation action for credential stuffing attack.

Workaround:
None


906273-4 : MCPD crashes receiving a message from bcm56xxd

Links to More Info: BT906273

Component: TMOS

Symptoms:
Under rare circumstances, the Broadcom switch daemon bcm56xxd, can send more then one message at a time to MCPD.
This can cause MCPD to either fail immediately or have it hang and be terminated by sod 5 minutes later.

One of the messages being sent is in response to a link status change. The second message is a reply to a query, for instance a query for l2 forward statistics.

Conditions:
- BIG-IP with a Broadcom switch.
- Link status change is available.
- MCPD sends a query to bcm56xxd, that is, for l2 forward statistics.

Impact:
MCPD failure and restarts causing a failover.

Workaround:
None


895669-4 : VCMP host does not validate when an unsupported TurboFlex profile is configured

Links to More Info: BT895669

Component: TMOS

Symptoms:
There is no validation error for when unsupported TurboFlex profiles are configured on vCMP hosts for relevant platforms. Due to this lack of validation, it can result in incorrect FPGA firmware being loaded on the host and thus a guest may fail to start or reboot constantly.

Conditions:
(1) Provision vCMP on the host and deploy 2x guests with 4 cores
(2) On the vCMP host, manually change TurboFlex profile type to be one that it does not support.

Impact:
Incorrect FPGA firmware is loaded on the host, which can cause problems with the data plane on the guest.

Workaround:
Only use supported turboflex profiles.


890169-6 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.

Links to More Info: BT890169

Component: Application Security Manager

Symptoms:
When a URL starts with double slashes (i.e. "http://HOST//path"), and Bot Defense Profile decides to perform simple redirect, the request results with loading failure.

Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.

Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.

Workaround:
None.


878641-7 : TLS1.3 certificate request message does not contain CAs

Links to More Info: BT878641

Component: Local Traffic Manager

Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4

Conditions:
TLS1.3 and client authentication

Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected


868557 : Unable to initiate SWG database download from Admin UI when management network has no direct internet connectivity.

Links to More Info: BT868557

Component: Access Policy Manager

Symptoms:
If the management network is not directly connected to the internet, 'Download Now' action on 'Access ›› Secure Web Gateway : Database Settings : Database Download' fails the connectivity check and refuses to start database download.

Conditions:
-- Configure proxy in the same subnet and block BIG-IP management traffic on the gateway
-- Remove default routes from linux routing table and add route to the proxy server if necessary.

Impact:
Database download fails and you see an error message:

"Database download server (download.websense.com) could not be reached. Please verify the correctness of the DNS lookup server configured on this BIG-IP system."

Workaround:
-- Run the following tmsh command:
tmsh modify sys url-db download-schedule urldb download-now true

-or-

-- Configure download settings and wait until the scheduled database download.


857045-5 : LDAP system authentication may stop working

Links to More Info: BT857045

Component: TMOS

Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.

In /var/log/daemon.log, you may see the following:

warning systemd[1]: nslcd.service failed

Conditions:
Nslcd daemon crashed, and it fails to restart.

Impact:
System authentication stops working until nslcd is restarted.

Workaround:
Manually restart nslcd daemon:

systemctl start nslcd



nslcd can be reconfigured to restart automatically and create core files when it crashes, though these changes will be lost across software installs (and is not backed up as part of a UCS archive):

1. Run "systemctl edit nslcd", which will open a text editor (by default, nano).

2. In the text editor, add these contents:

[Service]

# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always

3. Exit the text editor and save the file

4. Check the output of "systemctl status nslcd" for any warnings/errors from systemd as a result of editing the file; there should not be any.

5. Restart nslcd:
   systemctl restart nslcd


850141-5 : Possible tmm core when using Dosl7/Bot Defense profile

Links to More Info: BT850141

Component: Application Security Manager

Symptoms:
Tmm crashes.

Conditions:
-- Dosl7/Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature and requires a rDNS.
-- An asynchronous iRule is attached to the virtual server

OR:
-- Device ID feature is enabled, and the current request requires a complex Device ID generation.
-- The connection is closed before the response arrives.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


842425-7 : Mirrored connections on standby are never removed in certain configurations

Links to More Info: BT842425

Component: Local Traffic Manager

Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.

Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.

Impact:
Leaking connections on the standby system.

Workaround:
You can use either of the following workarounds:

-- Use auto-lasthop with mirrored connections.

-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.


778513-5 : APM intermittently drops log messages for per-request policies

Links to More Info: BT778513

Component: TMOS

Symptoms:
APM may intermittently drop log messages, leading to missing information on policy execution or other events.

Conditions:
This might occur under either of the following conditions:

 -- Using APM per-request policies, or ACCESS::log iRule commands.
 -- APM is configured to use multiple log destinations (such as: local-db and local-syslog).

Impact:
Administrator may fail to report certain logging events, hindering troubleshooting or auditing efforts.

Workaround:
No workaround is possible.

When reviewing APM logs, keep in mind that during periods of high activity (greater than 100 log messages in 1-to-2 seconds) that the system may drop some log messages.


776117-6 : BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type

Links to More Info: BT776117

Component: TMOS

Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type.

Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor.

Impact:
The BIG-IP will not use the virtio driver, using the sock (or unic, in versions prior to 14.1.0) driver instead.


757787-6 : Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI.

Links to More Info: BT757787

Component: TMOS

Symptoms:
When creating a new rule or modifying an existing rule in a LTM/AFM Policy policy using the WebUI, the operation fails and an error similar to the following example is returned:

Transaction failed:010715bd:3: The parent folder is owned by application service (/Common/MyPolicy.app/MyPolicy), the object ownership cannot be changed to ().

Conditions:
-- The LTM/AFM Policy belongs to an Application Service (iApp).
-- The modification is attempted via the WebUI.

Impact:
Unable to make changes to existing LTM/AFM Policies.

Workaround:
Use the tmsh utility to make the necessary modifications to the LTM/AFM Policy. For example, the following command modifies an existing rule:

tmsh modify ltm policy myapp.app/Drafts/myapp_l7policy rules modify { 0 { conditions modify { 0 { http-method equals values { GET POST } } } } }


752766-4 : The BIG-IP system might fail to read SFPs after a reboot

Links to More Info: BT752766

Component: Local Traffic Manager

Symptoms:
SFP interfaces are reported as missing:
# tmsh show net interface 2.0
--------------------------------------------------------
Net::Interface
Name Status Bits Bits Pkts Pkts Drops Errs Media
                In Out In Out
--------------------------------------------------------
2.0 miss 0 0 0 0 0 0 none

sys ha-status will report tmm ready-for-world as failed:
  # tmsh show sys ha-status
  -------------------------------------------------------------------------
  Sys::HA Status
  Feature Key Action Fail
  -------------------------------------------------------------------------
  ready-for-world tmm none yes
  ready-for-world tmm1 none yes
  ready-for-world tmm2 none yes
  ready-for-world tmm3 none yes
  ready-for-world tmm4 none yes
  ready-for-world tmm5 none yes

Conditions:
This has been seen on the i15800 and i11000 series BIG-IP platforms immediately after the system boots.

Impact:
The BIG-IP system does not become ready after a reboot.

Workaround:
Mitigation if the system is in this state, restart tmm:
# tmsh restart sys service tmm


693473-3 : The iRulesLX RPC completion can cause invalid or premature TCL rule resumption

Links to More Info: BT693473

Component: Local Traffic Manager

Symptoms:
RPC completion will attempt to resume the RPC iRule execution when there is subsequent iRule activity on the flow - CLIENT/SERVER_CLOSED, for instance, which keeps the flow alive and blocks in an iRule event.

Conditions:
Blocking the iRule event When an RPC call is outstanding and the flow is aborted.

Impact:
It will cause the iRule event blocking when RPC call is outstanding and the flow is aborted

Workaround:
None


690928-8 : System posts error message: 01010054:3: tmrouted connection closed

Links to More Info: BT690928

Component: TMOS

Symptoms:
Beginning in BIG-IP 12.0.0, the tmrouted process pushes dynamic routes directly to the Traffic Management Microkernel (TMM). This message indicates the system is shutting down and is expected behavior during the reboot or shutdown process. The appearance of this message on a stable running system may indicate an issue with tmrouted functionality.

System posts the following message in /var/log/ltm: 01010054:3: tmrouted connection closed

Conditions:
This message occurs when all of the following conditions are met:

-- You have configured the BIG-IP system to use dynamic routing.
-- The BIG-IP system is in the process of shutting down or rebooting.

Impact:
This message is benign, unless you view the message on a stable running system. In this case, the message may indicate an issue with the tmrouted process.

Workaround:
None.


609878-8 : Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server

Links to More Info: BT609878

Component: Advanced Firewall Manager

Symptoms:
When loose-init is set, which has the implicit semantics of "every ACK packet can create a connection". Hence, there is never a "Bad ACK" to drop. This behavior is expected as per design, so while enabling this option one should aware of the side effects it will cause.

Conditions:
This issue will be seen when loose-init is enabled on the fastL4 profile and when the box is flooded with asymmetric ACK packets (or) Bad-Acks.

Impact:
Enabling loose initiation may make it more vulnerable to denial of service attacks.

Workaround:
When loose-init is set in the fastL4 profile, we need to turn on connection-limits on the virtual and also Eviction Policy to prevent flow-table exhaustion.


1251105-1 : DoS Overview (non-HTTP) - A null pointer was passed into a function

Links to More Info: BT1251105

Component: Advanced Firewall Manager

Symptoms:
In BIG-IP version all 15.1 builds, when protected object filter is selected in Security > DoS overview page, it displays following error:

Error : DoS Overview (non-HTTP) - A null pointer was passed into a function

Schema changes updated in BIG-IP version 15.1.8 which added context_name and context_type to the mcp_network_attack_data_stat_t structure used to report DoS attack stats.

The MCP code that fills in these fields in the structure when responding to the stats request was not inculded, thus an attempt to get the stats, result in detection of a NULL pointer.

Conditions:
Configure a protection profile.
Create a protected object by attaching the protection profile.
Select protected object filter in DoS Overview (non-HTTP) page.

Impact:
This issue avoids usage of GUI partially.

Workaround:
None


1251013-1 : Allow non-RFC compliant URI characters

Links to More Info: BT1251013

Component: Service Provider

Symptoms:
The MRF Parser fails if the URIs are not as per RFC.
It is required to not validate against the RFC for proper URI formatting, required message headers, and usage of defined method names.

Conditions:
- SIP URIs are not formatted as per RFC.

Impact:
MRF parser allows URI formats which are not comply with RFC.

Workaround:
None


1250209-1 : The message "ERR: in Graphql disallowed response, pcre is null" appears in BD logs

Links to More Info: BT1250209

Component: Application Security Manager

Symptoms:
The following message can appear in BD logs during response enforcement:

"ERR: in Graphql disallowed response, pcre is null"

Conditions:
Two different GraphQL profiles assigned to two different URLs, one of the profiles has "Block Error Responses" enabled, the other does not.

Impact:
Error message in BD logs.

Workaround:
None


1250077-6 : TMM memory leak

Links to More Info: BT1250077

Component: Global Traffic Manager (DNS)

Symptoms:
TMM leaks memory for Domain Name System Security Extensions (DNSSEC) requests.

Conditions:
DNSSEC signing can not catch up with incoming DNSSEC requests.

Impact:
TMM memory utilization increases over time, sometimes could crash with Out of Memory (OOM).

Workaround:
None


1249929-2 : Diameter MRF sends CER to pool-member even after peer sent DPR and force-offline the pool member

Links to More Info: BT1249929

Component: Service Provider

Symptoms:
If Disconnect Peer Action is configured to force-offline and when server peer sends Disconnect Peer Request (DPR), then MRF force-offline the pool-member as expected. However, MRF continues to send CER towards pool member, which means MRF is trying to connect the forced-offline peer and also it sends DPR towards pool member.

Conditions:
In diameter session profile, Disconnect Peer Action is configured to force-offline.

Impact:
Unnecessary CER and DPR messages towards down pool member.

Workaround:
Set auto-initialization to disabled in diameter peer if it does agree with the requirement.


1245209-1 : Introspection query violation is reported regardless the flag status

Links to More Info: BT1245209

Component: Application Security Manager

Symptoms:
The "GraphQL Introspection Query" violation is reported even though introspection queries are allowed.

Conditions:
In the GraphQL profile "Allow Introspection Queries" and "Maximum Query Cost" should be enabled.

Impact:
The "GraphQL Introspection Query" violation is reported while the "Allow Introspection Queries" flag is enabled.

Workaround:
None


1240937-4 : The FastL4 TOS specify setting towards server may not function for IPv6 traffic

Links to More Info: BT1240937

Component: Local Traffic Manager

Symptoms:
The ip-tos-to-server setting in a FastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a serverside flow. There are three special values mimic, pass-through, and specify.

The "specify" setting causes the TMM to set the egress TOS to the specific value configured from GUI for that connflow.

The IPv6 serverside egress TOS is not set to the expected "specify" value. No issue is observed with IPv4 connflow.

Conditions:
- FastL4 profile with ip-tos-to-client set to "specify" with value.
-Connflow is IPv6.

Impact:
The IPv6 serverside egress TOS is not set to the expected value.

Workaround:
None


1239901-3 : LTM crashes while running SIP traffic

Component: Service Provider

Symptoms:
LTM crashes are observed while running SIP traffic.

Conditions:
Crash may occur while processing HTTP traffic that involves persist record and the use of pick_host, following is an example:
set dest_host [MR::message pick_host peer

Impact:
TMM is inoperative while reloading after crash.

Workaround:
Avoid use of the following pick_host, particularly the use of carp:

MR::message pick_host peer <peer-object-name> [carp <carp-key>]


1239061 : Endpoint Inspection may fail when using Symantec Endpoint Protection with EPSEC version 1356 release

Component: Access Policy Manager

Symptoms:
Endpoint Inspection may fail when using Symantec Endpoint Protection with EPSEC version 1356 release.

Conditions:
APM deployments with Client side inspection configured with Symantec Endpoint Protection software and installed EPSEC version 1356.

Impact:
VPN Access could be denied as the EPI check will fail.

Workaround:
This issue is fixed in the latest EPSEC version 1372 release. Upgrading EPSEC version to 1372 should fix the issue.


1238897-1 : TMM TCL interpreter's non-TMM "compat" memcasechr broken in 64-bit build

Links to More Info: BT1238897

Component: Local Traffic Manager

Symptoms:
The TMM's base TCL interpreter (tmm_tcl) is used both in TMM and in non-TMM environments like APMD. The TMM has it's own implementation of memcasechr which is preferred to the "compat" implementation in the TCL interpreter itself as TMM statically links tmm_tcl while non-TMM usage is dynamically linked.

Conditions:
Following VPE rule does not work (option -nocase):

expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}

Impact:
The memcasechr is broken in 64-bit build.

Following VPE rule does not work (option -nocase):

expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}

Workaround:
Change the VPE rule to the following:

expr {[string first -nocase "bid" [mcget {session.oauth.scope.last.jwt.scope}]] >= 0}


1238693-1 : Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519

Links to More Info: BT1238693

Component: TMOS

Symptoms:
In FIPS 140-3 mode, SSHD does not support rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms, it supports ed25519 which is not FIPS approved.

Conditions:
System must be in FIPS 140-3 mode.

Impact:
SSHD does not support rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms, it supports ed25519 which is not FIPS approved.

Workaround:
None


1238529-3 : TMM might crash when modifying a virtual server in low memory conditions

Links to More Info: BT1238529

Component: Local Traffic Manager

Symptoms:
Messages similar to the following are seen in the LTM log:
Feb 1 14:17:09 BIG-IP err tmm[1139]: 01010008:3: Listener config update failed for /Common/virtual: ERR:ERR_MEM

TMM restarts and writes a core file.

Conditions:
- Low memory available in TMM.
- A virtual server modification is made.

Impact:
Traffic is interrupted while TMM writes a core file and restarts.

Workaround:
None


1238413-4 : The BIG-IP might fail to update ARL entry for a host in a VLAN-group

Links to More Info: BT1238413

Component: Local Traffic Manager

Symptoms:
ARP requests through a transparent or translucent VLAN-group might fail.

The command "tmsh show net arp" displays the VLAN as the VLAN-group rather than a child VLAN. This symptom might be intermittent.

Conditions:
- A transparent or translucent VLAN-group is configured.

- ARP requests passing through the VLAN-group.

- Higher gaps (approximately 9 hours) in layer 2 traffic seen by the BIG-IP from the target of the ARP request.

Impact:
ARP resolution failure.

Workaround:
Create a monitor on the BIG-IP to monitor the target of the ARP resolution. This will ensure that layer 2 traffic is seen by the BIG-IP from that host, keeping the ARL entries current.


1235337-2 : The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL

Links to More Info: BT1235337

Component: Application Security Manager

Symptoms:
The 'JSON profile' with 'JSON schema validation' was not created for the OpenAPI parameters with 'body' location and has 'schema' definitions in case the 'schema' type is 'array' (if the type is 'object' and the 'JSON profile' is created properly).

Conditions:
OpenAPI parameter with 'body' location having schema type 'array'.

Impact:
Some OpenAPI parameters will not include JSON content profile validation.

Workaround:
JSON content profile with JSON schema validation can be created manually after creating a security policy from the OpenAPI file.


1235085 : Reinitialization of FIPS HSM in BIG-IP tenant.

Component: Local Traffic Manager

Symptoms:
During reinitialization of FIPS HSM in BIG-IP tenant, the presence of existing keys is not validated.

Conditions:
When FIPS HSM in BIG-IP tenant is already initialized and keys are created. Then the reinitialization is triggered.

Impact:
When reinitialization triggered, the existing keys are erased without a warning to the user.

Workaround:
Before reinitialization of FIPS HSM in BIG-IP tenant, make sure the existing keys are deleted.
Use following TMSH command to view the current keys:

"show sys crypto fips keys"


1232977-4 : TMM leaking memory in OAuth scope identifiers when parsing scope lists

Links to More Info: BT1232977

Component: Access Policy Manager

Symptoms:
It is observed that oauth_parse_scope fails to increment the index then storing discrete scope identifiers into the output array. Thus all scope identifiers are stored in element 0 and all but the last element parsed are leaked.

Conditions:
OAuth functionality, scope comparisons happen if a scope is provided in request.

Impact:
Failure of High Availability (HA) due to memory issues in TMM over time.

Workaround:
None


1229369-4 : The fastl4 TOS mimic setting towards client may not function

Links to More Info: BT1229369

Component: Local Traffic Manager

Symptoms:
The ip-tos-to-client setting in a fastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a clientside flow. There are two special values - 'mimic' and 'pass-through'.

The mimic setting causes tmm to set the egress TOS to the value seen on the last ingress packet for that connflow.

In affected versions of BIG-IP, this is not set correctly, and behaves like pass-through (uses the TOS value seen arriving on the serverside flow)

Conditions:
FastL4 profile with ip-tos-to-client set to "mimic" (shown as the value 65534 in tmsh)

Impact:
The clientside egress TOS is not set to the expected value

Workaround:
Use an irule to set IP::tos to the desired value. Note that processing every packet with an irule will incur a performance penalty.


1229325-1 : Unable to configure IP OSPF retransmit-interval as intended

Links to More Info: BT1229325

Component: TMOS

Symptoms:
The CLI configuration of OSPF retransmit-interval results in error when retransmit-interval value is less than 5 seconds.

Conditions:
- Configure IP OSPF retransmit-interval.

Impact:
The CLI error even when IP OSPF retransmit-interval value is within range.

Workaround:
None


1226585-1 : Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode

Component: TMOS

Symptoms:
Restnoded framework availability monitor times out while waiting for the dependencies(/mgmt/tm/*/** APIs/endpoints registration w.r.t all the provisioned modules) that are initialized during the restjavad startup.

Conditions:
STIP Mode is enabled, hence the below DB variables values are set to true,
tmsh list sys db security.commoncriteria
tmsh list sys db security.commoncriteria.stip

Impact:
Certain functionalities in SSL Orchestrator config GUI are not operational or operational in a limited manner.


1226121-5 : TMM crashes when using PEM logging enabled on session

Links to More Info: BT1226121

Component: Policy Enforcement Manager

Symptoms:
TMM may crash when using PEM logging.

Conditions:
When a sessions has PEM logging enabled on it:
pem global-settings subscriber-activity-log

Impact:
TMM crashes and restarts, losing all prior connection.

Workaround:
Disabling PEM logging on sessions will avoid the issue.


1225061-1 : The zxfrd segfault with numerous zone transfers

Links to More Info: BT1225061

Component: Global Traffic Manager (DNS)

Symptoms:
the zxfrd restart loop with cores occasionally.

Conditions:
Numerous dns express zones are doing zone transfers at the same time.

Impact:
he zxfrd restart loops or cores.

Workaround:
Do not add large number of DNS express zones at the same time and also reduce the total number of DNS express zones.


1218813-6 : "Timeout waiting for TMM to release running semaphore" after running platform_diag

Links to More Info: BT1218813

Component: Access Policy Manager

Symptoms:
The platform_diag might not complete properly leaving TMM in an inoperational state. The 'bigstart restart' is required to recover.

Conditions:
Running platform_diag tool on a platform licensed with URL filtering.

Impact:
Unable to run platform_diag tool. TMM remains inoperative.

Workaround:
Open /etc/bigstart/scripts/urldb and modify the dependency list to be:


# wait for processes we are dependent on
depend ${service} mcpd running 1 ${start_cnt}
require ${service} urldbmgrd running 1 ${start_cnt}
require ${service} tmm running 1 ${start_cnt}

Then restart urldb:

> bigstart restart urldb


1217549-4 : Missed ASM Sync on startup

Links to More Info: BT1217549

Component: Application Security Manager

Symptoms:
In few deployment environments, if a device is configured to be part of a device-group before the ASM startup has finished initializing, then it may miss the initial sync from its peer, and not re-request it until another event happens in the system.

Conditions:
Devices are in an auto-sync ASM enabled device-group and a new device is brought into the device-group while initializing the device settings.

Impact:
The devices are out of sync until another action occurs and the sync is requested again.

Workaround:
Restarting ASM on the affected device or causing another sync event will resolve the issue.


1217473-1 : All the UDP traffic is sent to a single TMM

Links to More Info: BT1217473

Component: TMOS

Symptoms:
BIG-IP dataplane's VMXNET3 driver implementation is missing the Receive Side Scaling (RSS) support for the User Datagram Protocol (UDP) available as part of the VMXNET3 version 4.

Conditions:
BIG-IP VE instance is running on a VMWare host and handling UDP traffic.

Impact:
The traffic distribution does not happen evenly across all TMMs but rather all of the UDP traffic is sent to a single TMM.

Workaround:
None


1217077-1 : Race condition processing network failover heartbeats with timeout of 1 second

Links to More Info: BT1217077

Component: TMOS

Symptoms:
Unexpected failover or log messages similar to the following:
sod[1234]: 010c0083:4: No failover status messages received for 1.100 seconds, from device bigip02(192.0.0.1) (unicast: -> 192.0.0.2)

Conditions:
- HA configuration network failover configured
- DB variable 'failover.nettimeoutsec' set to a value of 1 second.

Impact:
A failover event could impact traffic flow.

Workaround:
Following recommended practices of configuring network failover addresses using both the Management IP and Self IP addresses will reduce the chances of initiating a failover. Log messages may still be observed.

Setting the DB variable 'failover.nettimeoutsec' to a value of 2 or greater should avoid the issue.


1216297-3 : TMM core occurs when using disabling ASM of request_send event

Component: Application Security Manager

Symptoms:
When adding an iRule to disable ASM on request_send event, the TMM core occurs.

Conditions:
ASM is provisioned and attached to policy.
Add iRule that disables ASM and HTTP on HTTP_REQUEST_SEND event.

Impact:
TMM cores, system is down.

Workaround:
Remove the iRule, or disable ASM for all events of the URL.


1215613-3 : ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address

Links to More Info: BT1215613

Component: TMOS

Symptoms:
In var/log/ltm following error log is available:

0107146f:3: Self-device config sync address cannot reference the non-existent Self IP (10.155.119.13); Create it in the /Common folder first.

Conditions:
- In High Availability (HA) system ConfigSync-IP is set to IPv6 management address.
[root@00327474-bigip1:Standby:Disconnected] config # tmsh list cm device | grep -iE 'cm device|configsync-ip'
cm device 00327474-bigip1.lucas {
    configsync-ip 10.155.119.12
cm device 00327474-bigip2.lucas {
    configsync-ip 2001:dead:beef::13 <<-------


- Modifying the ConfigSync-IP to IPv4.

tmsh modify cm device 00327474-bigip2.lucas configsync-ip 10.155.119.13

Impact:
Device is not able to configure the ConfigSync-IP for IPv4 once IPv6 is configured.

Workaround:
None


1215401-2 : Under Shared Objects, some country names are not available to select in the Address List

Component: Advanced Firewall Manager

Symptoms:
Users can create a shared object list to define countries to block traffic from. On searching a name, a list will be shown from which the user can choose and add it to the address list.

There is a limit of only 8 entries in the drop-down menu to choose from.

Some countries are not shown in this list due to the ordering of entries returned from the database.

Conditions:
DOS is enabled

Impact:
As some countries are not available to select, they cannot be included in the Address List to block traffic.

Workaround:
Instead of the country (which is not available to select), all the regions within the country can be added to the block list. This is very cumbersome and error-prone as the list of regions should be known that are configurable in BIG IP.


1215161-4 : A new CLI option introduced to display rule-number for policy, rules and rule-lists

Links to More Info: BT1215161

Component: Advanced Firewall Manager

Symptoms:
If a large number of rules and rule-lists are configured, it takes more than 10 minutes to display the output with rule-numbers.
Ex:
tmsh - "list security firewall rule-list"
icrd - "restcurl -u admin /tm/security/firewall/rule-list"

AFM service discovery of BIG-IP fails in BIG-IQ when upgraded to a newer version.

Conditions:
- AFM license is enabled
- Large number of rules and rule-lists are configured

Impact:
AFM service discovery from BIG-IQ fails on upgrade.

Workaround:
-


1213469-5 : MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP dropped

Links to More Info: BT1213469

Component: Service Provider

Symptoms:
BIG-IP not translating SDP or via headers IP with listener IP for an outbound call which causes to drop the 200 OK response.

Conditions:
In SIP ALG, INVITE request with FQDN Route header.

Impact:
Media pinholes are not created for INVITE.

Workaround:
In the SIP_REQUEST event, a specific Route header could be removed and Insert it again in the SIP_REQUEST_SEND event before sending the request out. For example,

when SIP_REQUEST {
    set pd_route_hdr_count [SIP::header count Route]
    set pd_route_unset 0
    set pd_route [SIP::header Route]

    if {[SIP::method] == "INVITE" && ($pd_route_hdr_count equals 1) && $pd_route contains "sip:total.acc.nl;lr" } then {
SIP::header remove "Route"
set pd_route_unset 1
    }
}

when SIP_REQUEST_SEND {

if {[SIP::method] == "INVITE" && ($pd_route_unset == 1)} then {
SIP::header insert "Route" $pd_route
    }
}


1212081-5 : The zxfrd segfault and restart loop due to incorrect packet processing

Links to More Info: BT1212081

Component: Global Traffic Manager (DNS)

Symptoms:
The zxfrd is in restart loop and cores.

Conditions:
During the no transfer of zone, the zxfrd is cored when performing the packet processing.

Impact:
DNS express does not work properly.

Workaround:
None


1211985-6 : BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring

Links to More Info: BT1211985

Component: In-tmm monitors

Symptoms:
When configured with a high number of In-TMM monitors and a high portion are configured as either Reverse monitors or as monitors using the Receive Disable field, the BIG-IP may not mark Nodes and Pool Members DOWN immediately once the configured timeout lapses for non-responsive targets.

Conditions:
This may occur when both:
- In-TMM monitoring is enabled through sys db bigd.tmm.
- A portion of the monitors are configured as Reverse monitors or use the Receive Disable field.

Impact:
Non-Responsive Nodes or Pool Members may not be marked DOWN.

Workaround:
You can work around this issue by disabling In-TMM monitoring, at the expense of decreased monitoring performance (higher CPU usage by the bigd daemon).


1211905-3 : Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts"

Links to More Info: BT1211905

Component: Application Security Manager

Symptoms:
Unable to import the XML format policy.

Conditions:
Having an XML policy with violation_rating_counts elements.

Impact:
Unable to import XML policy.

Workaround:
1) Remove the elements from an exported policy file.

sed -i '/<violation_rating_counts\/>/d' *xml

2) Import the policy again.


1211617-2 : High CPU utilisation observed during startup when forced BIG-IP system set offline

Links to More Info: BT1211617

Component: TMOS

Symptoms:
When BIG-IP is restarted, TMM0 is consuming extremely high CPU.

Conditions:
When set to offline (sys failover offline) and the configuration saved, it happens when BIG-IP is restarted.

Impact:
Box is slow to respond. The impact is minor because the box is in offline state.

Workaround:
None


1211297-1 : Handling DoS profiles created dynamically using iRule and L7Policy

Component: Anomaly Detection Services

Symptoms:
Persistant connections with HTTP requests that may switch according to dynamic change of DoS policy (using iRule or L7Policy) can cause a TMM crash.

Conditions:
A request arrives to BIG-IP and is waiting to be served (it is delayed using iRule), however, if the DoS profile is unbound during that time from the virtual server and a dynamic DoS profile change decision is made, it could potentially cause the request to be incorrectly associated with a context that has already been freed.

Impact:
In few scenarios, when DoS policy is changed during connection lifetime, TMM might crash.

Workaround:
None


1211189-4 : Stale connections observed and handshake failures observed with errors

Links to More Info: BT1211189

Component: Local Traffic Manager

Symptoms:
SSL handshake fails.
Invalid or expired certificates are being used in the handshake.

Conditions:
- When the certificates in BIG-IP are expired and being renewed remotely.
- When the clientssl or serverssl profiles are dynamically being attached to a virtual server through iRule.

Impact:
SSL handshake fails.
Vitual server (SSL Profiles) use old or expired certificates.

Workaround:
Restart the TMM or BIG-IP to resolve the issue temporarily (until next expiry time of the certificates).


1211089-4 : Traffic to IPv6 all nodes address not received by TMM on VE with ixlv driver

Links to More Info: BT1211089

Component: TMOS

Symptoms:
Traffic sent to the IPv6 all nodes multicast address is not seen by TMM.

Conditions:
A virtual environment utilizing TMM's ixlv driver.
Traffic is sent to the IPv6 all nodes multicast address.

Impact:
TMM fails to receive and process traffic to the IPv6 all nodes multicast address.

Workaround:
None


1210569-1 : User defined signature rule disappears when using high ASCII in rule

Links to More Info: BT1210569

Component: Application Security Manager

Symptoms:
WebUI display is empty.

Conditions:
When the configured rule has high ASCII (greater than 127) value.

Impact:
Unable to see the rule in webUI.

Workaround:
Use the following steps:

1. Navigate to Security > Options > Application Security > Attack Signatures.

2. Create a new signature in Advanced Edit Mode. After setting, confirm the setting value with the developer tool.

3. Add it to the signature set (backed by actual signature detection confirmation).

4. Remove the old signatures from signature set.


1210469-1 : TMM can crash when processing AXFR query for DNSX zone

Links to More Info: BT1210469

Component: Local Traffic Manager

Symptoms:
TMM crash with SIGABRT and multiple log messages with "Clock advanced by" messages.

Conditions:
Client querying AXFR to a virtual server or wideip listener that has DNSX enabled in the DNS profile and has a large amount of DNSX zones with a large amount of resource records.

Impact:
TMM cores and runs slow with "Clock advanced by" messages.

Workaround:
Disable zone transfer for the DNS profile associated with the virtual server.


1210321-2 : Parameters are not created for properties defined in multipart request body when URL include path parameter

Links to More Info: BT1210321

Component: Application Security Manager

Symptoms:
Security policy parameters are not created for OpenAPI schema properties in multipart request body section.

Conditions:
Request body defined for URL that include path parameter.

Impact:
Some parameters defined by OpenAPI file will not be created in security policy.

Workaround:
Missed parameters should be created manually through GUI, REST, or TMSH.


1210053-3 : The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error

Links to More Info: BT1210053

Component: Application Security Manager

Symptoms:
In case of Leaked Credential server error, there is an internal parameter to raise Leaked Credentials Violation:
cred_stuffing_fail_open (default value is not to raise violation)
Changing the internal parameter value does not trigger the violation.

Conditions:
- ASM is provisioned.
- WAF Policy is attached to virtual server with Credential Stuffing enabled.
- Internal Parameter cred_stuffing_fail_open is set to 0.
- A server error (or timeout) occurred during leaked credential check.

Impact:
Leaked Credential violation is not raised.

Workaround:
None


1209945-2 : Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs

Links to More Info: BT1209945

Component: Local Traffic Manager

Symptoms:
In a case where traffic is not properly egressing a BIG-IP tenant running on rSeries or VELOS platforms, if any TMM log file contains any line with the text "notice SEP: Tx completion failed", that tenant VM may need to be manually restarted. The BIG-IP is unable to detect the traffic degradation automatically and recover or fail-over; the user must manually intervene to restart the tenant.

Conditions:
This is specific to rSeries and VELOS platforms, and does not affect other BIG-IP platforms or virtual editions.

Egress traffic from the affected tenant may appear to be degraded or non-functional. There may be a high number of transmit packet drops.

Check the tenant TMM log files for any line containing the text "notice SEP: Tx completion failed" (which may include additional trailing text). The log files of concern reside in the tenant at paths:
/var/log/tmm*

Impact:
Egress traffic may be severely degraded until the tenant with the offending log messages is manually restarted.

Workaround:
Restart the tenant VM by moving the tenant from deployed -> provisioned -> deployed in the partition or system ConfD command line interface.

Alternatively, issue the "reboot" command from the tenant bash shell.


1209709-5 : Memory leak in icrd_child when license is applied through BIG-IQ

Links to More Info: BT1209709

Component: TMOS

Symptoms:
The memory use for icrd_child may slowly increase, eventually leading to an OOM condition.

Conditions:
License applied through BIG-IQ.

Impact:
Higher than normal control-plane memory usage, possible OOM related crash.

Workaround:
Periodically kill the icrd_child processes. The restjavad will restart them automatically.


1209589-5 : BFD multihop does not work with ECMP routes

Links to More Info: BT1209589

Component: TMOS

Symptoms:
BFD multihop does not work with ECMP routes. TMMs are unable to agree on session ownership and dropping the session after 30 seconds.

Conditions:
On a multi-TMM box, configure BFD multihop peer reachable over ECMP route.

Impact:
BFD multihop does not work with ECMP routes and BFD session is getting dropped every 30 seconds.

Workaround:
None


1207381 : PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored

Links to More Info: BT1207381

Component: Policy Enforcement Manager

Symptoms:
From the following example, a PEM policy rule flow filter
 matches the traffic from any source address and any port, to any destination address and port 81 (the port number is an example):

Source Address    Source Port     VLAN     Destination Address      Destination Port
0.0.0.0/0         0               ANY      0.0.0.0/0                81

When the rule is updated through the GUI or CLI to match traffic from any source address and any port, to any destination address and any port:

Source Address    Source Port     VLAN     Destination Address      Destination Port
0.0.0.0/0         0               ANY      0.0.0.0/0                0

The updated rule is correctly saved into the configuration as shown by the GUI and the CLI, but the new flow filter does not filter the traffic as expected.

The actual flow filter being applied is still the one from the previous version of the policy rule (destination port 81 in the example).

Conditions:
An existing PEM policy rule flow filter that is updated through GUI or CLI selecting Source Port '0' ('any') and/or destination port '0' ('any').

Impact:
The updated flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule.

Workaround:
- Restart TMM to make the updated flow filter effective.

or

- Remove the flow filter altogether instead of replacing it with a filter like '0.0.0.0/0:0 --> 0.0.0.0/0:0' .
The intended result is the same: the rule will catch all traffic.

or

- Create a new additional rule with port number 0 and place in higher precedence (under the same policy).
    - For example, rule with precedence 10 allow flow for port 80 (instead of modifying this rule) and
    - Create a new rule with precedence 9 to allow flow for port "0" and delete the old rule.


1205501-4 : The iRule command SSL::profile can select server SSL profile with outdated configuration

Links to More Info: BT1205501

Component: Local Traffic Manager

Symptoms:
Under few circumstances, an iRule selected server SSL profile can send previously configured certificate to the peer.

Conditions:
The iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made to the profile.

Impact:
The TLS handshake may use an outdated certificate that does not match the current configuration, potentially leading to handshake failures.

Workaround:
Terminate all traffic running on the virtual servers that are using the iRule command for the update to take effect.

or

Do not make changes to a profile that is actively being used by the iRule command.


1205045-6 : WMI monitor does not put pool members into an offline/unchecked state when BIG-IP receives HTTP responses other than 200

Links to More Info: BT1205045

Component: Local Traffic Manager

Symptoms:
With no credentials, WMI monitor status still displays "UP".

Conditions:
With no credentials or stale/expired credentials, the WMI monitor stats displays "UP".

Impact:
The user is misinformed about the status of the WMI monitor.

Workaround:
None


1199025-3 : DNS vectors auto-threshold events are not seen in webUI

Links to More Info: BT1199025

Component: Advanced Firewall Manager

Symptoms:
No option to see DNS auto-threshold event logs from webUI.

Conditions:
- DNS profile configured with fully automatic mode.

Impact:
DNS auto-threshold event logs are not visible from webUI.

Workaround:
None


1196537-5 : BD process crashes when you use SMTP security profile

Links to More Info: BT1196537

Component: Application Security Manager

Symptoms:
The BD process may crash when an SMTP security profile is attached to a virtual server, and the SMTP request is sent to the same virtual server.

Conditions:
- SMTP security profile is attached to VS
- SMTP request is sent to VS

Impact:
Intermittent BD crash

Workaround:
N/A


1196477-8 : Request timeout in restnoded

Links to More Info: BT1196477

Component: Device Management

Symptoms:
The below exception can be observed in restnoded log

Request timeout., stack=Error: [RestOperationNetworkHandler] request timeout.
At ClientRequest. <anonymous> (/usr/share/rest/node/src/infrastructure/restOperationNetworkHandler.js:195:19)

Conditions:
When BIG-IP is loaded with a heavy configuration.

Impact:
SSL Orchestrator deployment will not be successful.

Workaround:
1. mount -o remount,rw /usr
2. In getDefaultTimeout : function() at /usr/share/rest/node/src/infrastructure/restHelper.js

replace 60000 with required required timeout.
3. bigstart restart restnoded
4. mount -o remount /usr


1196185-1 : Policy Version History is not presented correctly with scrolling

Component: Application Security Manager

Symptoms:
When higher version history is available, then modal window becomes scrollable, and gets distorted.

Conditions:
- Apply Policy multiple times.
- Open Policy Version History in General Settings ->
Version -> Date Link.

Impact:
Policy history modal window gets distorted.

Workaround:
None


1196053-4 : The autodosd log file is not truncating when it rotates

Links to More Info: BT1196053

Component: Advanced Firewall Manager

Symptoms:
The autodosd file size increasing continuously irrespective of log rotation occurring every hour.

Conditions:
- DOS profiles (at Device/VS) configured with fully automatic, autodosd daemon will calculate the thresholds periodically and updates the log file with relevant logs.

Impact:
Logs are not truncated as expected. The autodosd log file size continue to increase even though it is rotated every hour.

Workaround:
Restarting autodosd daemon will truncate the log file content to zero.


1194173-5 : BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value

Component: Application Security Manager

Symptoms:
Attack signature check is not run on normalised parameter value.

Conditions:
- A parameter with location configured as a cookie is present
  in the parameters list.
- Request contains the explicit parameter with URL encoded
  base64 padding value.

Impact:
- Attack signature not detected.

Workaround:
None


1191229 : The virtual-wire tenant upgrade from 15.1.8 to 17.1.0 results in tenant to stuck in offline state

Links to More Info: BT1191229

Component: Local Traffic Manager

Symptoms:
The virtual-wire VLAN implementation has changed in 17.1.0. With this, the VLANs after upgrade would need to re-initialized.

Conditions:
- The virtual-wire configuration should be enabled in tenant based platforms.

Impact:
The virtual-wire functionality may not work as expected.

Workaround:
After the upgrade, delete the virtual-wire VLANs and restart chmand process.


1190777 : Unable to add a device to a device trust when the BigDB variable icontrol.basic_auth is set to disable on target device

Component: TMOS

Symptoms:
When the DB variable "icontrol.basic_auth" is set to "disable" on a device, that device cannot be added to a device trust.

The system from which an administrator is attempting to add the new device will log an error:

err devmgmtd[5541]: 015a0000:3: getDeviceInfo failed: iControl authorization failed

Conditions:
DB variable "icontrol.basic_auth" is set to disable

Impact:
Unable to add a device to a device trust.

Workaround:
On the device being added to the trust:

1. Enable basic auth for iControl

tmsh modify /sys db icontrol.basic_auth value enable

2. Restart httpd on the device being added.

bigstart restart httpd

3. Add the device to the trust.

4. If you want mitigate ID1143073 (https://support.f5.com/csp/article/K94221585), disable basic authentication again.

tmsh modify /sys db icontrol.basic_auth value disable
bigstart restart httpd
    
The dbvar is synchronized if you add the new device to a sync/failover device group, so check each device in the device group.

Use the following to command to check if it's disabled.

# tmsh list /sys db icontrol.basic_auth
sys db icontrol.basic_auth {
    value "disable"
}

If any device has basic auth enabled, disable it and restart httpd on all devices in the device group.


1190765-1 : VelOS | Zone Base DDOS | Aggregation, BD | Seeing Entries in sPVA Registers are not getting reset once the attack is completed

Component: Advanced Firewall Manager

Symptoms:
In VELOS platform, the ideal timeout for HW entries is 5 mins(Hw eviction timeout). However, when you delete the VS/Zone configuration it will initiate the eviction immediately(Software eviction). In this case, the eviction does not happen as expected and causes the entry to continue to stay at sPVA for some time.

Conditions:
This issue happens when we configure Zone based DDOS with Aggregation or BD in VELOS platform.

Impact:
This issue causes the sPVA entries to stay for 5 minutes(Ideal eviction timeout) even after the Corresponding Zone configuration is deleted.

Workaround:
Not available


1190365-1 : OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly

Links to More Info: BT1190365

Component: Application Security Manager

Symptoms:
The method used by ASM enforcer to serialize an OpenAPI object configured with "style:form", "explode:true", and "type:object" is not functioning as expected.

Conditions:
Repeated occurrences of parameter names in the query string with "type:object/explode:true/style:form" configured OpenAPI file.

Impact:
The violation "JSON data does not comply with JSON schema" is raised due to the repeated parameters from the query string with "array" configuration.

Workaround:
None


1190353-4 : The wr_urldbd BrightCloud database downloading from a proxy server is not working

Links to More Info: BT1190353

Component: Policy Enforcement Manager

Symptoms:
Downloading BrightCloud database is not working with the proxy.

Conditions:
BrightCloud database download through Proxy management.

Impact:
URL categorization disruption as database not getting downloaded.

Workaround:
None


1189865-5 : "Cookie not RFC-compliant" violation missing the "Description" in the event logs

Links to More Info: BT1189865

Component: Application Security Manager

Symptoms:
When a request is blocked due to "Cookie not RFC-compliant' violation, the description field in the request log details is shown as "N/A" instead of having the description (for example "Invalid equal sign preceding cookie name" or "Invalid space in cookie name").

Conditions:
The violation is blocked due to "Cookie not RFC-compliant" violation and we are looking at the request log details.

Impact:
The description is empty and we can't know what is the problem with the request.


1189513-6 : SIP media flow pinholes are not created if SDP MIME multipart body part miss the content-length header

Links to More Info: BT1189513

Component: Service Provider

Symptoms:
The SIP MRF failed to extract the SDP data and not created media flow pinholes, if SDP Multipurpose Internet Mail Extensions (MIME) multipart body is not generated with content-length header.

Conditions:
An INVITE message contained a MIME multipart payload and body parts miss content-length header.

Impact:
Media flow pinholes are not created.

Workaround:
None


1186925-6 : When FUA in CCA-i, PEM does not send CCR-u for other rating-groups

Links to More Info: BT1186925

Component: Policy Enforcement Manager

Symptoms:
When Final Unit Action (FUA) in CCA-i, the traffic is immediately blocked for that rating-group.
But, PEM does not send CCR-u for other rating-groups any more, which causes all other rating-groups traffic to pass through.
If FUA in CCA-u, everything works as expected.

Conditions:
When FUA received in in CCA-i.

Impact:
PEM receives FUA redirect first and ignores further requests.

Workaround:
Use iRule to remove FUA in CCA-i.


1186401-4 : Using REST API to change policy signature settings changes all the signatures.

Links to More Info: BT1186401

Component: Application Security Manager

Symptoms:
When you use iControl REST to modify the signatures associated with a policy, the modifications are applied to all the signatures.

Conditions:
-- Create a policy named 'test'

-- Associate a signature set like "SQL Injection Signatures" to the policy
  For example, remove the "Generic Detection Signatures (High/Medium Accuracy)" set

-- Look at the low-risk signatures associated with the policy
 Commmand:
     curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' | jq . | head


-- Turn off staging for these signatures:
  Commands:
      curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": false }' -X PATCH | jq . | head
      curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": true }' -X PATCH | jq . | head

-- The "totalItems" shows that 187 signatures were changed

Impact:
The user was unable to leverage the REST API to make the desired changes to the ASM signature policy.

Workaround:
Add 'inPolicy eq true' to the filter
  Command :
      curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low+and+inPolicy+eq+true' -d '{ "performStaging": false }' -X PATCH | jq . | head


1185257-6 : BGP confederations do not support 4-byte ASNs

Links to More Info: BT1185257

Component: TMOS

Symptoms:
The BGP confederations do not support 4-byte AS numbers. Only 2-byte ASNs are supported.

Conditions:
Using BGP confederations.

Impact:
Unable to configure 4-byte AS number under BGP confederation.

Workaround:
None


1184841-6 : Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API

Component: Application Security Manager

Symptoms:
Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API.

Conditions:
- ASM-Sync enabled
- Auto-Sync enabled
- Updating URL through REST API

Impact:
Configuration will be de-synced.

Workaround:
Use TMUI to update configuration.


1182353-6 : DNS cache consumes more memory because of the accumulated mesh_states

Links to More Info: BT1182353

Component: Global Traffic Manager (DNS)

Symptoms:
DNS cache consumes more memory and the mesh_states are accumulated quickly.

Conditions:
Mixed queries with rd flag set and cd flag set/unset.

Impact:
TMM runs out of memory.


1180365-3 : APM Integration with Citrix Cloud Connector

Component: Access Policy Manager

Symptoms:
* Configure Citrix cloud connector instead of Citrix Delivery controller to publish apps and desktops from the cloud configured using DaaS.
* Apps/Desktop will not be published.

Conditions:
* When Citrix cloud connector is used to publish apps instead of Citrix Delivery controller, once the user clicks on the App/Desktop, the cloud connector sends an empty response.
* Hence user will not be able to publish any apps/ Desktop.

Impact:
Users will not be able to publish any Apps/Desktops in webtop which are published through Citrix Cloud Connector.


1174085-7 : spmdb_session_hash_entry_delete releases the hash's reference

Links to More Info: BT1174085

Component: Policy Enforcement Manager

Symptoms:
multiple references accessing and trying to modify the same entry

Conditions:
when failover from active to stand by while stalling the connection

Impact:
Illegal access of the memory.

Workaround:
NA


1173493-2 : Bot signature staging timestamp corrupted after modifying the profile

Links to More Info: BT1173493

Component: Application Security Manager

Symptoms:
Bot signature timestamp is not accurate.

Conditions:
Have a bot signature "A" in staging, record the timestamp.
Using webUI, set another bot signature "B" to be in staging and click Save.
The time stamp on "A" is updated and shows the year 1970 in webUI.

Impact:
Can not verify from when the signature was in staging.

Workaround:
Use TMSH, instead of webUI, to update the profile.


1167969-2 : In DoS Profile level, the Flood attack Vectors with TCP and UDP, Hardware offloading is not working as expected

Links to More Info: BT1167969

Component: Advanced Firewall Manager

Symptoms:
In Multiblade platforms which support high number of TMM threads, bigger per HSB rate limit values are received and it is causing the hardware to not trigger offload, even though the attack traffic matching the configured rate limits.

Conditions:
This occurs only in the platforms which supports high number of TMMs (more than 20).

Impact:
Hardware offload for the Flood attack vectors will not trigger as expected.

Workaround:
None


1167609-4 : The messages msg->ref > 0 are seen in TMM logs with websockets/ASM plugin

Links to More Info: BT1167609

Component: Local Traffic Manager

Symptoms:
With web security enabled and ASM policies attached to virtual server, in an unknown scenario, msg->ref > 0 are appearing in TMM logs.

Conditions:
-- ASM is provisioned
-- ASM policy attached to virtual server
-- Web security configured

Impact:
The /var/log/tmm files may be flooded with the messages.

Workaround:
None


1166481-5 : The vip-targeting-vip fastL4 may core

Links to More Info: BT1166481

Component: Local Traffic Manager

Symptoms:
The TMM cores or VIP does not behave as expected.

Conditions:
- fastL4 virtual
- iRule uses virtual command to redirect flows to a second fastL4 virtual
- first virtual configuration is changed before a flow times out

Impact:
Configuration data is freed but continued to be used by the flow, leading to the configuration appearing to be corrupted causing cores or unexpected behavior.

Workaround:
Ensure that there are no active flows for the virtual being changed.


1160805-4 : The scp-checkfp fail to cat scp.whitelist for remote admin

Links to More Info: BT1160805

Component: TMOS

Symptoms:
Attempt SCP file to BIG-IP:
/shared/images
root user success
remote admin user fails, following is an example:
sinkhole3:~$ scp test.iso apiuser@10.201.69.106:/shared/images
Password:
cat: /co: No such file or directory
cat: fig/ssh/scp.whitelist: No such file or directory
"/shared/images/test.iso": path not allowed

Conditions:
-- Running BIG-IP version with fix for ID 1097193.
-- Create remote admin user.
-- Use SCP command to transfer a file to remote admin user path.

Impact:
SCP command is not working for the remote admin users.

Workaround:
None


1156889-5 : TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions

Links to More Info: BT1156889

Component: Application Security Manager

Symptoms:
When using bot-defense profile with a browser verification and performing redirect actions, there is a memory leak in TMM.

Conditions:
- The bot-defense profile with "Verify After Access" or "Verify Before Access" browser verification is configured.
- Surfing using a browser, during grace period (5 Minutes after config change) to a non-qualified URL, or configuring "Validate Upon Request" in "Cross Domain Requests" configuration, and configuring A and B as "Related Site Domains".
- Surfing using a browser from Domain A to Domain B.

Impact:
Degraded performance, potential eventual out-of-memory.

Workaround:
None


1156149-5 : Early responses on standby may cause TMM to crash

Links to More Info: BT1156149

Component: Service Provider

Symptoms:
TMM cores with an early response and retransmit mechanism and has also happened during a failover event.

Conditions:
If the response of the request message reaches before the request on standby box.

Impact:
Causes a failover while TMM is restarting.

Workaround:
None


1154685-4 : Error logged "01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object..." during startup

Links to More Info: BT1154685

Component: TMOS

Symptoms:
Database error (13) will be logged in /var/log/ltm during startup:

err mcpd[]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:private_mac_addr_freelist status:13 - EdbCfgObj.cpp, line 127.

Conditions:
-- 15.1.8 or later 15.1.x

Impact:
It is a cosmetic error and observed only once during startup.

Workaround:
None


1148009-8 : Cannot sync an ASM logging profile on a local-only VIP

Links to More Info: BT1148009

Component: Application Security Manager

Symptoms:
If an ASM profile, such as a logging profile is applied to a virtual that is local-only, then the state changes to "Changes Pending" but configuration sync breaks.

Conditions:
- ASM provisioned
- high availability (HA) pair
- ASM profile, such as a logging profile is applied to a virtual that is local-only.

Impact:
The state changes to "Changes Pending" but configuration sync breaks.

Workaround:
None


1147545 : AP cookie might be missing for first request when AP profile is being used with ASM policy

Component: Account Protection & Authentication Intelligence

Symptoms:
AP cookie might not be added from the client browser for the initial request towards virtual server when ASM policy is being used.

Conditions:
1. ASM policy is configured.
2. AP and AI profile is created with a Protected Endpoint that has Enforcement Mode configured to Mitigate.
3. The Mitigate Missing Cookie field is enabled on the protected endpoint.
4. AP and AI profile is attached to virtual server.

Impact:
Very first client request towards AP endpoint might get blocked due to missing AP cookie.

Workaround:
Disable 'Mitigate Missing Cookie' for the particular endpoint.


1144497-5 : Base64 encoded metachars are not detected on HTTP headers

Component: Application Security Manager

Symptoms:
Base64 encoded illegal metachars are not detected.

Conditions:
No specific condition.

Impact:
False negative, illegal characters are not detected and request not blocked.

Workaround:
None


1137993-6 : Violation is not triggered on specific configuration

Links to More Info: BT1137993

Component: Application Security Manager

Symptoms:
The HTTP compliance violation is not triggered for the unparsable requests due to a specific scenario.

Conditions:
A microservice is configured in the security policy.

Impact:
Specific violation is not triggered. A possible false negative.

Workaround:
It is possible to do an irule workaround that checks the length of the URL and issues a custom violation.


1132981-5 : Standby not persisting manually added session tracking records

Links to More Info: BT1132981

Component: Application Security Manager

Symptoms:
The Session tracking records, with Infinite Block-All period, have an expiration time on the Standby unit after sync.

Conditions:
ASM provisioned
Session Tracking enabled
session tracking records, with Infinite Block-All period, are added

Impact:
Infinite Session Tracking records being removed from standby ASMs.

Workaround:
Use auto-sync DG (instead of manual sync).

After changing the configuration on UI at Security->Application Security: Sessions and Logins: Session Tracking.

You must "Apply Policy" and wait for the DG status to become In-Sync before adding new data-points on UI at Security->Reporting: Application: Session Tracking Status.


1132741-7 : Tmm core when html parser scans endless html tag of size more then 50MB

Links to More Info: BT1132741

Component: Application Security Manager

Symptoms:
Tmm core, clock advanced by X ticks printed

Conditions:
- Dos Application or Bot defense profile assigned to a virtual server
- Single Page Application or Validate After access.
- 50MB response with huge html tag length.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Exclude html parser for url in question.
tmsh modify sys db dosl7.parse_html_excluded_urls value <url>


1128429-7 : Rebooting one or more blades at different times may cause traffic imbalance results High CPU

Links to More Info: BT1128429

Component: Carrier-Grade NAT

Symptoms:
One or more TMMs are consuming more CPU cycles than the other TMMs. The increased CPU usage is caused by a significant number of internal TMM traffic redirections.

Conditions:
- LSN pools enabled.
- The sp-dag configured on the client-side and server-side VLANs (cmp-hash src-ip and cmp-hash dst-ip respectively).

Impact:
Increased TMM CPU usage on one or more TMMs.

Workaround:
- Set up an High Availability (HA) pair of VIPRIONs and make an active VIPRION cluster standby before doing any operation that involves the rebooting, insertion, or removal of one or more blades.

Or if the VIPRION is a stand-alone cluster:

- Stop all external traffic to the VIPRION before rebooting, inserting, or removing one or more blades.

- Restart or reboot all the blades at the same time from the primary, using the following "clsh" command:
"clsh reboot volume <NEW_VOLUME>" or "clsh bigstart restart".


1124733-3 : Unnecessary internal traffic is observed on the internal tmm_bp vlan

Component: TMOS

Symptoms:
Unnecessary internal traffic can be observed on the internal tmm_bp vlan. It is a UDP broadcast on 62965 port.

Conditions:
Always

Impact:
Unnecessary traffic that does not disrupt normal operation.

Workaround:
None


1123153-5 : "Such URL does not exist in policy" error in the GUI

Component: Application Security Manager

Symptoms:
Unable to create a parameter under Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs ›› URL Parameters

Conditions:
When the policy setting "Differentiate between HTTP/WS and HTTPS/WSS URLs" is set to "Disabled".

Impact:
User is unable to create a Parameter with a URL.

Workaround:
N/A


1121169-5 : Unable to resize the /appdata: /dev/mapper/vg--db--sda-dat.appdata when in use

Links to More Info: BT1121169

Component: TMOS

Symptoms:
On systems where ID1004833 has been fixed, the resizing instructions for /appdata from K74200262 no longer work.

Conditions:
When the jitterentropy-rngd is started by systemd which is the default state of the BIG-IP.

Impact:
A filesystem resize operation may fail with the following error:

# lvreduce --resizefs --size -40G /dev/mapper/vg--db--sda-dat.appdata
Do you want to unmount "/appdata"? [Y|n] y
fsck from util-linux 2.23.2
/dev/mapper/vg--db--sda-dat.appdata is in use.
e2fsck: Cannot continue, aborting.

resize2fs 1.42.9 (28-Dec-2013)
resize2fs: Device or resource busy while trying to open /dev/mapper/vg--db--sda-dat.appdata
Couldn't find valid filesystem superblock.
fsadm: Resize ext3 failed
  fsadm failed: 1
  Filesystem resize failed.

Workaround:
Unmount /appdata and restart the jitterentropy-rngd, and then retry the resize operation.


1117305-8 : The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials

Links to More Info: BT1117305

Component: TMOS

Symptoms:
The /api returns 401 when incorrect Basic Authorization credentials are supplied.
The /api returns 404 when correct Basic Authorization credentials are supplied.

Conditions:
Irrespective of the DB variable "httpd.basic_auth" value set to enable or disable.

Impact:
There is no functional impact, but all other non-existent URIs return a 302 redirect response to the TMUI login page irrespective of correct or incorrect Basic Authorization credentials, /api should also be invariably exhibiting the same behavior.

Workaround:
None


1117245-5 : Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file

Links to More Info: BT1117245

Component: Application Security Manager

Symptoms:
You only see this message in /var/log/tomcat/liveupdate.log file. No other log messages are written, causing troubleshooting capability with LiveUpdate.

liveupdate.script file is corrupted, live update repository initialized with default schema


This error is emitted during tomcat startup.

/var/log/tomcat/catalina.out
java.io.FileNotFoundException: /usr/share/tomcat/logs/liveupdate.log (Permission denied)

Conditions:
You are running on a version which has a bug fix for ID907025. For more information see https://cdn.f5.com/product/bugtracker/ID907025.html

Impact:
Losing troubleshooting capability with LiveUpdate

Workaround:
chown tomcat:tomcat /var/log/tomcat/liveupdate.log
bigstart restart tomcat


1113753-5 : Signatures might not be detected when using truncated multipart requests

Component: Application Security Manager

Symptoms:
On special cases when sending long requests that include a multipart section, signatures that should be detected in the multipart body might not be detected.

Conditions:
1. WAF-policy is attached to virtual server.
2. Signatures are enabled in the WAF policy.
3. Signatures contain special characters, i.e. ;"=\n
4. Request is longer than the value in max_raw_request_len.
5. Sending a multipart request.

Impact:
Signature is not detected.

Workaround:
None


1112537-6 : LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete.

Links to More Info: BT1112537

Component: TMOS

Symptoms:
Upon attempting to delete a LTM or GTM monitor, the system returns an error similar to the following example, even though the monitor being deleted is no longer in use anywhere:

01070083:3: Monitor /Common/my-tcp is in use.

Conditions:
-- The configuration was loaded from file (for example, as restoring a UCS archive would do).

-- A BIG-IP Administrator deletes all objects using the monitor, and then attempts to delete the monitor itself.

Impact:
LTM or GTM monitor no longer in use anywhere cannot be deleted from the configuration.

Workaround:
Run one of the following sets of commands (depending on the affected module) and then try to delete the monitor again:

tmsh save sys config
tmsh load sys config

tmsh save sys config gtm-only
tmsh load sys config gtm-only


1111149-4 : Nlad core observed due to ERR_func_error_string can return NULL

Links to More Info: BT1111149

Component: Access Policy Manager

Symptoms:
The following symptoms are observed

In /var/log/ltm:
err nlad[17535]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.

Nlad core is observed
/var/log/kern.log:Apr 7 03:46:53 <vs name > info kernel: nlad[13119]: segfault at 0 ip <> sp <> error 4.

Conditions:
NLAD core is SIGSEGV - crashing while processing a SSL Certificate via a SAML login.

Impact:
Core results in disruption of APM sessions

Workaround:
None


1110489-4 : TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event

Links to More Info: BT1110489

Component: Access Policy Manager

Symptoms:
Tmm crashes.
/var/log/tmm contains
May 24 18:06:24 sslo.test.local notice panic: ../net/nexthop.c:165: Assertion "nexthop ref valid" failed.

Conditions:
An iRule is applied to a virtual Server containing a ACCESS_ACL_ALLOWED iRule event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


1110485-5 : SSL handshake failures with invalid profile error

Links to More Info: BT1110485

Component: Local Traffic Manager

Symptoms:
1. TMM reports SSL handshake failures with reason "hud_ssl_handler:1208: alert(40) invalid profile unknown on VIP"

2. There will be Certificate read errors in the ltm log "reading: Unknown error."

Conditions:
-- The certificates associated with the SSL profile are corrupted by modifying/adding/deleting them manually/Venafi

-- There are frequent unintentional Certificate updates

Impact:
-- The BIG-IP system will not be able process the traffic
-- All traffic to particular virtual servers fails

Workaround:
1. Correct the certificates which are corrupted and make them valid.

2. Deattach/Remove the corresponding SSL profile from all virtual servers to which it is applied.

3. In the GUI open the virtual server and click on update and make sure there are no errors shown on the screen.

4. Now re-apply the SSL profile to the virtual server


1110281-7 : Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable

Links to More Info: BT1110281

Component: Advanced Firewall Manager

Symptoms:
Non-HTTP traffic is not forwarded to the backend server.

Conditions:
- ASM provisioned
- Behavioral DoS profile assigned to a virtual server
- DOSL7::disable and HTTP::disable applied at when CLIENT_ACCEPTED {}

Impact:
Broken webapps with non-HTTP traffic.

Workaround:
Instead of using DOSL7::disable, redirect non-HTTP traffic to a non-HTTP aware virtual server using the iRule command virtual <virtual_server_name>.


1102425-1 : F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary

Links to More Info: BT1102425

Component: TMOS

Symptoms:
The secondary blades are inoperative when MCPD is restarted on the primary slot, or the license is installed on the F5OS chassis.

Following are the symptoms:

- Following log message is logged in /var/log/ltm:

mprov:29790:[29790]: 'FPGA change is taking a long time. Unable to start the daemons.' for the secondary slots.

- The presence of the file /var/run/fpga_mcpd_lockfile on the secondary slots.

Conditions:
- Multi-Slot F5OS tenant.
- Restarting MCPD on the primary blade or installing the license from the F5OS chassis.

Impact:
Secondary blades are inoperative.

Workaround:
Execute the following command on the secondary blades that are inoperative:
bigstart restart mcpd


1098609-3 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crashes while passing traffic.

Conditions:
Specific request criterias that happens while there is a configuration change.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None


1090313-5 : Virtual server may remain in hardware SYN cookie mode longer than expected

Links to More Info: BT1090313

Component: TMOS

Symptoms:
A virtual server may remain in hardware SYN cookie mode longer than expected after the SYN flood attack has stopped. The TMSH 'show ltm virtual' command shows that the virtual has already exited SYN Cookie mode, but the SYN packets are still responded from hardware for a few minutes longer.

Conditions:
The problem is a result of a race condition in TMM, so the issue might show up intermittently.

Impact:
Discrepancy between the actual SYN Cookie mode and the reported SYN Cookie mode for a short period of time after a SYN flood attack.

Workaround:
Disable hardware SYN Cookie mode.


1084857-6 : ASM::support_id iRule command does not display the 20th digit

Links to More Info: BT1084857

Component: Application Security Manager

Symptoms:
ASM::support_id iRule command does not display the 20th digit.

A support id seen in REST/TMUI that has 20 digits, e.g 13412620314886537617 is displayed as 1341262031488653761 with the iRule command ( the last digit '7' is stripped ).

Conditions:
ASM::support_id iRule command

Impact:
Inability to trace request events using the support id


1083589 : Some connections are dropped on chained IPv6 to IPv4 virtual servers.

Links to More Info: BT1083589

Component: Local Traffic Manager

Symptoms:
IPv6 virtual servers targeting IPv4 virtual servers (for example, using the 'virtual' iRule command) might drop traffic coming from some clients unexpectedly.

Note: See also ID1002945 (https://cdn.f5.com/product/bugtracker/ID1002945.html), which is a closely related issue.

Conditions:
- IPv6 to IPv4 virtual server chaining.

Impact:
Traffic is dropped.

Workaround:
Apply a SNAT with an IPv4 address to the IPv6 virtual server.


1083513-4 : BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd

Links to More Info: BT1083513

Component: Application Security Manager

Symptoms:
"Challenge Failure Reason" field in a request event log shows N/A.

Conditions:
The db key has not been changed manually on the system.

Impact:
"Challenge Failure Reason" field is disabled.

Workaround:
Disable the key and re-enable, then save.

tmsh modify sys db botdefense.disable_challenge_failure_reporting value disable
tmsh modify sys db botdefense.disable_challenge_failure_reporting value enable
tmsh save sys config


1083053-4 : Apmd memory grows over time in AD auth scenarios

Links to More Info: BT1083053

Component: Access Policy Manager

Symptoms:
Apmd memory grows over time. It is not a memory leak. It is mainly due to memory fragmentation due to memory sharing among apmd threads.

Conditions:
The access policy in use has Active Directory auth as one of the agents

Impact:
Apmd memory grows over time. After it grows beyond a limit, oom killer might kill apmd thereby lead to a traffic disruption.

Workaround:
None


1082197-5 : RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response

Links to More Info: BT1082197

Component: Global Traffic Manager (DNS)

Symptoms:
Synthetic SOA returned by BIG-IP has the MNAME and RNAME fields reversed, resulting in the wrong values being noted as the primary name server and mailbox of administrator, respectively.

Conditions:
-- Set the failure-rcode-response enabled and failure-rcode-ttl on a down WIP.
-- Perform a DNS query.
-- Observe the SOA.

Impact:
Per RFC (rfc1035) the order of the fields is significant and MNAME must come before RNAME. When reversed, consumers of the synthetic SOA will associate the wrong values with the wrong fields.


1078065-5 : The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA.

Links to More Info: BT1078065

Component: Application Security Manager

Symptoms:
The login page shows a blocking page instead of CAPTCHA or shows the blocking page after resolving a CAPTCHA.

Make five (configured in brute force configuration) failed login attempts and you will receive a blocking page.

Blocking Reason: Resource not qualified for injection.

Conditions:
HTML response message has an html page with a length greater than 32000 bytes.

Impact:
Users are blocked after failed login attempts.

Workaround:
Run tmsh modify sys db asm.cs_qualified_urls value <url value>.


1076825-3 : "Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.

Links to More Info: BT1076825

Component: Application Security Manager

Symptoms:
"Installation of Automatically Downloaded Updates" configuration reverts to default after upgrade to v16.1.x from earlier releases.

Conditions:
Upgrading to v16.1.x from earlier releases.

Impact:
Configuration of "Installation of Automatically Downloaded Updates" is lost and reverts to default.

Workaround:
Manually configure "Installation of Automatically Downloaded Updates" after the upgrade.


1069729-4 : TMM might crash after a configuration change.

Links to More Info: BT1069729

Component: Application Security Manager

Symptoms:
After modifying a dosl7 profile, on rare cases TMM might crash.

Conditions:
Modifying DoSl7 profile attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A


1067797 : Trunked interfaces that share a MAC address may be assigned in the incorrect order.

Links to More Info: BT1067797

Component: TMOS

Symptoms:
Interfaces that are trunked together and use the same MAC address may end up in an incorrect order when the system is restarted.

Conditions:
Trunked interfaces that use the same MAC address. On reboot the f5-swap-eth script will incorrectly reorder the affected interfaces.

Impact:
Incorrect ordering could result in a failover or outage.

Workaround:
N/A


1067557-5 : Value masking under XML and JSON content profiles does not follow policy case sensitivity

Component: Application Security Manager

Symptoms:
Value masking is always case sensitive regardless of policy case sensitivity.

Conditions:
- Parse Parameters is unchecked under JSON content profile.
- Value masking section contains element/attribute names under
  XML and JSON content profiles.

Impact:
- Value is not masked in a case insensitive manner even when the policy is case insensitive.

Workaround:
None


1064753-6 : OSPF LSAs are dropped/rate limited incorrectly.

Links to More Info: BT1064753

Component: TMOS

Symptoms:
Some LSAs are dropped on BIG-IP with a log similar to:
"LSA is received recently".

Conditions:
Tuning OSPF min LSA arrival has no effect on some LSA handling.

Impact:
OSPF LSAs are dropped/rate limited incorrectly.

Workaround:
N/A


1064725-5 : CHMAN request for tag:19 as failed.

Links to More Info: BT1064725

Component: Local Traffic Manager

Symptoms:
The following log is seen in /var/log/ltm when a qkview is generated:

warning chmand[6307]: 012a0004:4: CHMAN request (from qkview) for tag:19 failed.

or when a tcpdump capture is started:

warning chmand[792]: 012a0004:4: CHMAN request (from bigpcapq33E5-24) for tag:19 failed

or when get a dossier from GUI/CLI:

warning chmand[4319]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed

or when reboot:

warning chmand[8263]: 012a0004:4: CHMAN request (from mcpd) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from DossierValidator) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from LACPD_USER) for tag:19 failed
warning chmand[8263]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed

Conditions:
Any one of the following:

-- Generate a qkview file from the GUI/CLI
-- Start a tcpdump command from the CLI
-- Get a dossier from GUI/CLI
-- Reboot

Impact:
No functional impact.

Workaround:
None


1060477-2 : iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]".

Links to More Info: BT1060477

Component: Access Policy Manager

Symptoms:
Apmd crashes after setting the userName field via an iRule.

Conditions:
1.Setting the userName field:

set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]

2.Getting the sid feild
[ACCESS::session data get session.user.sessionid]

Impact:
APM traffic disrupted while apmd restarts.

Workaround:
Check the username before setting it from iRule.


1059513-3 : Virtual servers may appear as detached from security policy when they are not.

Links to More Info: BT1059513

Component: Application Security Manager

Symptoms:
When browsing Security >> Overview: Summary page, the virtual servers may appear as detached. The larger the number of virtual servers are, the more likely you are to see all the virtual servers as detached from the security policy.

Conditions:
From a certain amount of virtual servers (20) that are attached to a security policy, the virtual servers may appear as detached from any security policy.

Impact:
Virtual servers are displayed as detached from any security policy, but this is not the case.

Workaround:
None


1048949-8 : TMM xdata leak on websocket connection with asm policy without websocket profile

Links to More Info: BT1048949

Component: Application Security Manager

Symptoms:
Excessive memory consumption, tmm core.

Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Websocket profile isn't attached to the virtual server
- Long lived websocket connection with messages

Impact:
Excessive memory consumption, tmm crash. Traffic disrupted while tmm restarts.

Workaround:
Attach the websocket profile to the virtual server


1048425-6 : Packet tester crashes TMM when vlan external source-checking is enabled

Links to More Info: BT1048425

Component: Advanced Firewall Manager

Symptoms:
TMM SIGFPE Core Assertion "packet must already have an ethernet header".

Conditions:
Run the AFM Packet Tracer when external source-checking is enabled on the VLAN.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable source checking on the vlan.


1046469-4 : Memory leak during large attack

Links to More Info: BT1046469

Component: Anomaly Detection Services

Symptoms:
ADMD daemon memory consumption increases over several days until it causes OOM.

Conditions:
A large DoS attack occurs and is not mitigated.

Impact:
ADMD daemon will get killed and restarted. Due to the restart, the BADoS protection might be disabled for a couple of seconds.

Workaround:
To workaround the issue before installing the fix, ADMD could be monitored by a script and restarted as needed. This is similar to the current behavior, but it will avoid reaching OOM which might affect other daemons.


1044457-4 : APM webtop VPN is no longer working for some users when CodeIntegrity is enabled.

Links to More Info: BT1044457

Component: Access Policy Manager

Symptoms:
Users are unable to use the BIG-IP VPN in Edge, Internet Explorer, Firefox, and Chrome.
Microsoft believes the issue is because the Network Access webtop is using MSXML 2.0a which is blocked by their desktop policy

Conditions:
-- Attempting to connect to Network Access VPN using Edge, Internet Explorer, Chrome and Firefox.
-- CodeIntegrity is enabled

Impact:
Users are not able to connect to F5 VPN through APM Browser.

Workaround:
Workaround is to use the BIG-IP Edge client.


1038057-5 : Unable to add a serverssl profile into a virtual server containing a FIX profile

Links to More Info: BT1038057

Component: Service Provider

Symptoms:
You are unable to configure a virtual server to use server SSL encryption with FIX protocol messages.

Conditions:
This is encountered when serverssl needs to be configured for FIX profiles

Impact:
You are unable to assign a server-ssl profile to the virtual server.

Workaround:
None


1030129-5 : iHealth unnecessarily flags qkview for H701182 with mcp_module.xml

Links to More Info: BT1030129

Component: Application Security Manager

Symptoms:
iHealth unnecessarily flags the uploaded qkview for Heuristic H701182 "Non-ASCII characters removed from Qkview XML files".

Conditions:
Qkview generated from an unit with asm provisioned is uploaded to iHealth

Impact:
Inaccurate Heuristic on iHealth

Workaround:
None.


1026781-5 : Standard HTTP monitor send strings have double CRLF appended

Links to More Info: BT1026781

Component: Local Traffic Manager

Symptoms:
Standard (bigd-based, not In-TMM) HTTP monitors have a double CRLF appended (\r\n\r\n) to the send string. This does not comply with RFC1945 section 5.1 which states requests must terminate with a single CRLF (\r\n). This non-compliant behavior can lead to unexpected results when probing servers.

Conditions:
Standard bigd (not In-TMM) HTTP monitors

Impact:
Servers probed by these non-RFC-compliant HTTP monitors may respond in an unexpected manner, resulting in false negative or false positive monitor results.

Workaround:
There are several workarounds:

1. If running 13.1.0 or later, switch monitoring from bigd-based to In-TMM. In-TMM monitors properly follow RFC1945 and will send only a single CRLF (\r\n)

2. Remain with bigd-based monitoring and configure probed servers to respond to double CRLF (\r\n\r\n) in a desired fashion

Depending on server configuration, a customized send string, even with the double CRLF, may still yield expected responses.


1025089-7 : Pool members marked DOWN by database monitor under heavy load and/or unstable connections

Links to More Info: BT1025089

Component: Local Traffic Manager

Symptoms:
BIG-IP database monitors (mssql, mysql, oracle, postgresql) may exhibit one of the following symptoms:

- Under heavy, sustained load, the database monitoring subsystem may become unresponsive, causing pool members to be marked DOWN and eventually causing the database monitoring daemon (DBDaemon) to restart unexpectedly.

- If the network connection to a monitored database server is unstable (experiences intermittent interruptions, drops, or latency), pool members may be marked DOWN as the result of a momentary loss of connectivity. This is more likely to occur when a database monitor is used to monitor a GTM pool member instead of an LTM pool member, due to differences between how monitors are configured for GTM versus LTM.

Conditions:
These symptoms may occur under the following conditions:

- The database monitoring subsystem may become unresponsive, and the database monitoring daemon (DBDaemon) may restart unexpectedly, if a large number of LTM or GTM pool members are being monitored by database monitors, and/or with short polling intervals ("interval" of 10 seconds or less), or when GTM pool members are monitored by database monitors with a short "probe-timeout" value (10 seconds or less).

- The GTM pool members may be marked DOWN after a single interrupted connection if they are monitored by a database monitor, configured with a short "probe-timeout" value (10 seconds or less) and "ignore-down-response" configured as "disabled" (default).

Impact:
-- High CPU utilization is observed on control plane cores.

-- The database monitoring daemon (DBDaemon) may restart unexpectedly, causing GTM or LTM pool members monitored by a database monitor to be marked DOWN temporarily.

-- GTM or LTM pool members monitored by a database monitor may be marked DOWN temporarily if the network connection to the database server is dropped or times out.

Workaround:
Perform one of the following actions:

-- Configure the database (mssql, mysql, oracle, postgresql) monitor with a "count" value of "1". This prevents the caching or reuse of network connections to the database server between probes. Thus there is no cached connection to time out or get dropped. However, the overhead of establishing the network connection to the database server will be incurred for each probe and will result in generally higher (but more consistent) CPU usage by the database monitoring daemon (DBDaemon).

-- Configure the database monitor "interval" and "timeout" values (for an LTM monitor), or the "interval", "timeout", "probe-attempts", "probe-interval" and "probe-timeout" values (for a GTM monitor) such that multiple failed monitor probes are required before the monitored member is marked DOWN, and with a minimum value of 10 seconds or greater.

Note: A restart of bigd (and consequently the DBDaemon) might be necessary to properly clear any currently stale/stuck database connections.


1024241-5 : Empty TLS records from client to BIG-IP results in SSL session termination

Links to More Info: BT1024241

Component: Local Traffic Manager

Symptoms:
After client completes TLS handshake with BIG-IP, when it sends an empty TLS record (zero-length cleartext), the client BIG-IP SSL connection is terminated.

Conditions:
This is reported on i7800 which has Intel QAT crypto device
The issue was not reported on Nitrox crypto based BIG-IP platforms. Issue is not seen when hardware crypto is disabled.

Impact:
SSL connection termination is seen in TLS clients.

Workaround:
Disable hardware crypto acceleration.


1023889-5 : HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message

Links to More Info: BT1023889

Component: Application Security Manager

Symptoms:
Protocol filter does not suppress WS/WSS server->client message.

Conditions:
- protocol filter is set to HTTP, HTTPS or HTTP/HTTPS
- response logging is set to For All Requests

Impact:
Remote log server receives unexpected messages

Workaround:
None


1012377-3 : Unable to display/edit 'management route' via GUI

Links to More Info: BT1012377

Component: TMOS

Symptoms:
Unable to display/edit 'management route' via GUI

Conditions:
-- Viewing the management route in the GUI via System -> Platform
-- The management route is configured manually

Impact:
The management route field is blank, and you cannot make changes.

Workaround:
Display/edit the management route via tmsh:

tmsh list sys management-route
tmsh modify sys management-route <settings>


1009337-4 : LACP trunk down due to bcm56xxd send failure

Links to More Info: BT1009337

Component: TMOS

Symptoms:
Lacp reports trunk(s) down. lacpd reports having trouble writing to bcm56xxd over the unix domain socket /var/run/uds_bcm56xxd.

Conditions:
Not known at this time.

Impact:
An outage was observed.

Workaround:
Restart bcm56xxd, lacpd, and lldpd daemons.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************