998957 : MCPD consumes excessive CPU while collecting statistics

Links to More Info: BT998957

Component: TMOS

Symptoms:
MCPD CPU utilization is 100%.

Conditions:
This condition can occur when the BIG-IP system has a large number of virtual servers, pools, and pool members for which statistics are being collected. The CPU impact is proportional to the number of objects configured. It appears unlikely to see a significant impact when under 1000 objects.

Impact:
CPU utilization by MCPD is excessive.

Workaround:
None

Fix:
N/A

Fixed Versions:
17.1.0

997429-2 : When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled

Links to More Info: BT997429

Component: Advanced Firewall Manager

Symptoms:
Some DoS-related log messages may be missing

Conditions:
-- Static DDoS vector is configured with the same mitigation threshold and detection threshold setpoint.
-- The platform supports Hardware DDoS mitigation and hardware mitigation and hardware mitigation is not disabled.

Impact:
Applications dependent on log frequency may be impacted.

Workaround:
Configure the mitigation limit about 10% over the attack limit.

Fixed Versions:
17.1.0

995937 : In IPsec, support AES-GCM on IKE Peer phase 1

Component: TMOS

Symptoms:
The IKEv2 phase 1 does not support AES-GCM protocol for Authentication and Encryption algorithms.

Conditions:
Configuring IKE Peer.

Impact:
Cannot establish IKEv2 phase 1 using AES-GCM.

Workaround:
None

Fix:
Added AES-GCM support for IKEv2 phase 1. Configure AES-GCM at IKE Peer and establish an IKEv2 phase 1 tunnel.

Fixed Versions:
17.1.0

992865-1 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances

Links to More Info: BT992865

Component: TMOS

Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.

Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms
  + BIG-IP i11000 series (C123)
  + BIG-IP i15000 series (D116)

Impact:
Software SYN cookies are enabled, this has a performance impact compared to the hardware mode.

Workaround:
None

Fix:
Virtual servers correctly enter hardware SYN cookie mode on all platforms.

Fixed Versions:
17.1.0, 16.1.2.2, 15.1.4

992053 : Pva_stats for server side connections do not update for redirected flows

Links to More Info: BT992053

Component: TMOS

Symptoms:
Pva_stats for server side connections do not update for the re-directed flows

Conditions:
-- Flows that are redirected to TMM.
-- Server flows are offloaded to PVA.

Impact:
PVA stats do not reflect the offloaded flow.

Workaround:
None

Fix:
Updated pva_stats to reflect server side flow.

Fixed Versions:
17.1.0, 15.1.4.1

990461 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★

Links to More Info: BT990461

Component: Advanced Firewall Manager

Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.

Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.

Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.

Workaround:
Manually update the SYN cookie threshold values after an upgrade.

Fixed Versions:
17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4

989517 : Acceleration section of virtual server page not available in DHD

Links to More Info: BT989517

Component: TMOS

Symptoms:
Cannot use Advanced Menu to create a virtual server for HTTP/2 on systems with DHD licenses. This occurs because the Acceleration section is not available.

You can via TMSH then it works, but at as soon as you use the GUI to modify the virtual server, it loses the HTTP/2 configuration.

Conditions:
The Acceleration section is not visible in case 'DoS' is provisioned (available with the DHD license).

Impact:
1) You are unable to use the GUI to modify any parameters of the Acceleration table in the virtual server page.

2) Loss of configuration items if making changes via the GUI.

Workaround:
A virtual server with parameters present in the Acceleration table can still be created using TMSH. However, do not edit that virtual server in the GUI, or the Acceleration parameters will be lost.

Fix:
The Acceleration table is now visible, and there is no loss of configuration items if making changes via the GUI.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1

988793-3 : SecureVault on BIG-IP tenant does not store unit key securely

Links to More Info: BT988793

Component: TMOS

Symptoms:
BIG-IP tenants running on the VELOS platform do not store the SecureVault unit key securely.

Conditions:
BIG-IP tenant running on the VELOS platform.

Impact:
The BIG-IP tenant does not utilize secure storage for unit key.

Workaround:
None

Fix:
BIG-IP tenants running on the VELOS platform now securely store the unit key.

Fixed Versions:
17.1.0, 15.1.4

988645-1 : Traffic may be affected after tmm is aborted and restarted

Links to More Info: BT988645

Component: TMOS

Symptoms:
Traffic may be affected after tmm is aborted and restarted.
/var/log/tmm contains a lot of "DAG Proxy failed" messages.

Conditions:
-- A BIG-IP device is deployed in a VELOS tenant
-- Tmm aborts and restarts for some reason.

Impact:
Traffic disrupted while tmm restarts. Traffic may be disrupted even after tmm has restarted.

Workaround:
Reboot the tenant

Fix:
Fixed system behavior when tmm is aborted and restarted.

Fixed Versions:
17.1.0, 15.1.4

987637-4 : DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware

Links to More Info: BT987637

Component: Advanced Firewall Manager

Symptoms:
BIG-IP systems mitigate traffic on all of the IP addresses in an address list when certain DoS vectors are detected on a virtual server.

Conditions:
-- BIG-IP hardware platform equipped with Neuron (BIG-IP iSeries)
-- Virtual server configured with a DoS profile
-- Flood traffic reaches the virtual server

Impact:
For Neuron-supported hardware, virtual servers with subnet destinations are not properly mitigated when flood vectors are detected.

Workaround:
None

Fixed Versions:
17.1.0, 17.0.0, 15.1.4

987113 : CMP state degraded while under heavy traffic

Links to More Info: BT987113

Component: TMOS

Symptoms:
When a VELOS 8 blade system is under heavy traffic, the clustered multiprocessing (CMP) state could become degraded. The symptom could exhibit a dramatic traffic performance drop.

Conditions:
Exact conditions are unknown; the issue was observed while under heavy traffic with all 8 blades configured for a tenant.

Impact:
System performance drops dramatically.

Workaround:
Lower traffic load.

Fix:
Fixed an inconsistent CMP state.

Fixed Versions:
17.1.0, 15.1.4, 14.1.5

977761-2 : Connections are dropped if a certificate is revoked.

Links to More Info: BT977761

Component: Local Traffic Manager

Symptoms:
SSL handshake failures occur with the backend server revoked certificate in case of reverse proxy.

Conditions:
1. BIG-IP LTM configured as SSL reverse proxy.
2. revoked-cert-status-response-control set to ignore in the server ssl profile.
3. server certificate authentication set to "require" in the server ssl profile.

Impact:
Ssl handshake failures due to revoked server certificate

Workaround:
1. Set the server certificate authentication to ignore in the server ssl profile.

Fix:
Added checks to validate the certificate as well as the flags set (ignore/drop) for the revoked certificate.

Fixed Versions:
17.1.0, 16.1.2.2

977153 : Packet with routing header IPv6 as next header in IP layer fails to be forwarded

Links to More Info: BT977153

Component: Advanced Firewall Manager

Symptoms:
BIG-IP systems fail to follow RFC 5095, which specifies the traffic should be forwarded.

Conditions:
This symptom is found when the following conditions are met:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.

Impact:
This failure in forwarding ICMP error message prevents the BIG-IP AFM product from completing certification.

Workaround:
None.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7

974205 : Unconstrained wr_urldbd size causing box to OOM

Links to More Info: BT974205

Component: Traffic Classification Engine

Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.

Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.

Impact:
The device eventually runs out of memory (OOM condition).

Workaround:
Restart the wr_urldbd process:
 restart sys service wr_urldbd

Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.

Added two sys DB variables:

-- wr_urldbd.cloud_cache.log.level

Value Range:
sys db wr_urldbd.cloud_cache.log.level {
    value "debug"
    default-value "none"
    value-range "debug none"
}

-- wr_urldbd.cloud_cache.limit

Value Range:
sys db wr_urldbd.cloud_cache.limit {
    value "5500000"
    default-value "5500000"
    value-range "integer min:5000000 max:10000000"
}

Note: Both these variables are introduced for debugging purpose.

Fixed Versions:
17.1.0, 15.1.4, 14.1.4.4, 12.1.6

966949 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node

Links to More Info: BT966949

Component: TMOS

Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.

Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230

This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.

Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since is it not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, it is not possible for any FQDN ephemeral pool members to remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.

Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")

Fixed Versions:
17.1.0

966541 : Improper data logged in plaintext

Component: TMOS

Symptoms:
Improper data may be logged when audit forwarding is enabled.

Conditions:
Enable TACACS+ authentication with audit forwarding enabled.

Impact:
Sensitive data exposure.

Workaround:
N/A

Fix:
Removed improper data from logging

Fixed Versions:
17.1.0

966461 : Tmm memory leak

Links to More Info: BT966461

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm leaks memory for DNSSEC requests.

Conditions:
NetHSM is configured but disconnected.

or

Internal FIPS card is configured and tmm receives more DNSSEC requests than the FIPS card is capable of handling.

Impact:
Tmm memory utilization increases over time.

Workaround:
None

Fix:
A new DB variable dnssec.fipswaitingqueuecap is introduced to configure the capacity of the FIPS card.

You can throttle the incoming DNSSEC requests based on the count of outstanding DNSSEC requests in netHSM/Internal FIPS queue.

tmsh modify sys db dnssec.fipswaitingqueuecap value <value>
this value sets the capacity per tmm process.

Fixed Versions:
17.1.0

965581-1 : Statistics are not reported to BIG-IQ

Links to More Info: BT965581

Component: Application Visibility and Reporting

Symptoms:
After a BIG-IP system is attached to BIG-IQ, there are no statistics reported. The 'avrd' process periodically fails with a core on the BIG-IP system.

Conditions:
A BIG-IP system is attached to BIG-IQ.

Impact:
No statistics collected.

Fix:
The avrd process no longer fails, and statistics are collected as expected.

Fixed Versions:
17.1.0, 15.1.4, 14.1.4

962249-1 : Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm

Links to More Info: BT962249

Component: TMOS

Symptoms:
Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm

Conditions:
This message shows always on all platforms.

Impact:
No functional impact.

Fix:
Does not show this message on non-epva platforms.

Fixed Versions:
17.1.0, 15.1.4

958773 : [SAML SP] Assertion canonicalization fails if <AttributeValue> contains spaces.

Links to More Info: BT958773

Component: Access Policy Manager

Symptoms:
In /var/log/apm

[apmd]modules/Authentication/Saml/SamlSPAgent.cpp: 'verifyAssertionSignature()': 5883: Verification of SAML signature #1 failed
[apmd]SAML Agent: /Common/xxxxxx failed to process signed assertion, error: Digest of SignedInfo mismatch

Conditions:
SAML attribute values have double-byte spaces.

Impact:
Verification of SAML signature fails.

Workaround:
Remove double-byte spaces from SAML Attribute values (consult a vendor who populates SAML attribute values for advice on how to remove double-byte spaces).

Fix:
N/A

Fixed Versions:
17.1.0

957637 : The pfmand daemon can crash when it starts.

Links to More Info: BT957637

Component: TMOS

Symptoms:
The pfmand process crashes and writes out a core file during bootup (or if the process is manually restarted by an Administrator for any reason) on certain platforms.

The crash may happen more than once, until the process finally settles and is able to start correctly.

Conditions:
-- Platforms i4000/i2000/i4800/i2800/i4600/i2600/i850.

Impact:
Network connection lost while pfmand restarts.

Workaround:
None

Fix:
The issue causing the pfmand daemon to occasionally crash has been resolved.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1

957453 : Javascript parser incompatible with ECMA6/7+

Component: Access Policy Manager

Symptoms:
A web application mis-functions on the client side

Conditions:
-- APM proxying a web application
-- Web-application uses ES6/7 or higher javascript

Impact:
Web application mis-function

Fix:
The fix is implemented in two steps

STEP 1:
Initial implementation with ID 592353, added support for Javascript ECMA6/7+. Optional internal wrapping is added into client-side includes.

With this fix, a custom iRule workaround can be applied to fix limited set of possible cases.
 
STEP 2:
With ID 957453, implementation of light rewriter on the server side is also completed.

No iRule workaround is required to support ES6/7+ after the implementation of ID 957453.

Fixed Versions:
17.1.0

950605 : openssh insecure client negotiation CVE-2020-14145

Links to More Info: K48050136

1097193-7 : Unable to SCP files using WinSCP or relative path name

Links to More Info: K000134769, BT1097193

Component: TMOS

Symptoms:
When attempting to retrieve a file with WinSCP, you receive an error dialog and the session will be terminated:

"SCP Protocol error: Invalid control record (r; elative addresses not allowed)

Copying files from remote side failed."

If attempting to transfer a file by relative path with a command line utility the transfer will fail with the message:
"relative addresses not allowed"

Conditions:
-- Running BIG-IP version with fix for ID 915981
-- Using WinSCP set to use SCP protocol to retrieve files from a BIG-IP system.
-- Using a relative remote path to transfer a file with command line scp utility.

Impact:
No longer able to use WinSCP to retrieve files such as packet captures, log archives, or other diagnostic data from the BIG-IP system.

Workaround:
Use a command line SCP tool that allows specifying an absolute path for the source and/or destination file (a path that starts with a forward slash /), when the source and/or destination locations are a BIG-IP device.

If the user ID is permitted to do so, you may use WinSCP in SFTP mode.

948305 : New iRule Commands for login result and username

Component: Application Security Manager

Symptoms:
The iRule commands are not available to retrieve the web-user login results or to take actions based on the result of a login request.

Conditions:
Configure login page and send login request.

Impact:
Not able to get the login_result and username details of a login request.

Workaround:
None

Fix:
Add iRules commands to retrieve login request result and username information.

Fixed Versions:
17.1.0

948241 : Count Stateful anomalies based only on Device ID

Links to More Info: BT948241

Component: Application Security Manager

Symptoms:
Currently when Device ID is enabled, the BIG-IP system counts stateful anomalies on both IP and Device ID. When a client has a proxy (without XFF), and many requests arrive with the same IP, this can cause false positives

Conditions:
- Bot Defense profile is attached to a virtual server.
- Bot Defense profile has "Browser Verification" set to "Verify After Access" or "Device ID Mode" set to "Generate After Access".

Impact:
False positives may occur in case of a proxy without XFF

Workaround:
None

Fix:
Stateful anomalies are no longer counted on IP when Device ID is enabled

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1

947333 : Irrelevant content profile diffs in Policy Diff

Links to More Info: BT947333

Component: Application Security Manager

Symptoms:
Defense attributes' grayed out values are shown in the policy diff even if "any" is selected

Conditions:
-- Import a policy
-- Perform a policy diff

Impact:
Policy diff showing irrelevant diffs

Workaround:
None

Fix:
Removed grayed out diffs from policy diff content profile section

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1

947125 : Unable to delete monitors after certain operations

Links to More Info: BT947125

Component: Local Traffic Manager

Symptoms:
Unable to delete monitor with an error similar to:

01070083:3: Monitor /Common/my-mon is in use.

Conditions:
-- Monitors are attached directly to pool members, or node-level monitors exist.
-- Issuing the "reloadlic" command, which causes the configuration to get rebuilt implicitly.

Impact:
Unable to delete object(s) no longer in use.

Workaround:
When the system enters this state, save and reload the configuration using the following command:
tmsh save sys config && tmsh load sys config

Fix:
None

Fixed Versions:
17.1.0

943101-1 : Tmm crash in cipher group delete.

Links to More Info: BT943101

Component: Local Traffic Manager

Symptoms:
Deleting a cipher group associated with multiple profiles could cause tmm crash.

Conditions:
Deleting a cipher group associated with multiple profiles.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed an issue with cipher group delete.

Fixed Versions:
17.1.0, 15.1.4, 14.1.3

940225 : Not able to add more than 6 NICs on VE running in Azure

Links to More Info: BT940225

Component: TMOS

Symptoms:
Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot.

Conditions:
-- Standard_DS4_v2 Azure instance type.
-- Mellanox ConnectX-3 ethernet controller.
-- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set.
-- Accelerated networking is enabled on two or more NICs.

Impact:
Not able to boot BIG-IP VM with 8 NICs, which should be supported for Standard_DS4_v2 instance type:
8 vCPU
28 GiB
8 Max NICs

Adding more NICs to the instance makes the device fail to boot.

Workaround:
None

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1

937649 : Flow fwd broken with statemirror.verify enabled and source-port preserve strict

Links to More Info: BT937649

Component: Local Traffic Manager

Symptoms:
Flow forwarding does not work with statemirror.verify enabled and source-port is preserve strict. Depending on the number of tmms and the IP addresses/ports on the network, this causes return traffic to get dropped.

Traffic captures show packets leaving the BIG-IP system on one tmm and being returned on another. The return traffic that encounters the second tmm is dropped.

Conditions:
-- Mirroring is enabled.
-- High availability (HA) peer is connected.
-- The source-port setting is preserve-strict.
-- The statemirror.verify option is enabled.
-- There is more than one tmm.

Impact:
Server-side return traffic to the BIG-IP is dropped. This causes connection timeouts and resets.

Workaround:
-- Disable statemirror.verify, disable source-port preserve-strict, disable mirroring.

-- On BIG-IP Virtual Edition (VE), add the following to tmm_init.tcl on both units and restart tmm:
 ndal ignore_hw_dag yes

Fixed Versions:
17.1.0

936501 : Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled

Links to More Info: BT936501

Component: TMOS

Symptoms:
When attempting to Export/Import a file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf via SCP, you receive an error dialog:

"file not allowed"

Conditions:
-- fips140 or common criteria mode enabled
-- Export/Import file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf

Impact:
Import/Export file using scp tool from/to the BIG-IP file path(s) /var/local/ucs or /var/local/scf not allowed when fips140 or cc mode enabled even if the file is encrypted.

Workaround:
None

Fixed Versions:
17.1.0, 16.1.3.1

935945 : GTM HTTP/HTTPS monitors cannot be modified via GUI

Links to More Info: BT935945

Component: Global Traffic Manager (DNS)

Symptoms:
GUI reports an error when modifying DNS/GTM HTTP/HTTPS monitors:

01020036:3: The requested monitor parameter (/Common/http-default 2 RECV_STATUS_CODE=) was not found.

Conditions:
RECV_STATUS_CODE has never been set for the DNS/GTM HTTP/HTTPS monitors.

Impact:
Not able to make changes to DNS/GTM HTTP/HTTPS monitors through GUI.

Workaround:
If 'recv-status-code' has never been set, use tmsh instead.

Note: You can set 'recv-status-code' using tmsh, for example:

   tmsh modify gtm monitor http http-default recv-status-code 200

Fixed Versions:
17.1.0

934461-1 : Connection error with server with TLS1.3 single-dh-use.

Links to More Info: BT934461

Component: Local Traffic Manager

Symptoms:
Connection failure with TLS1.3 and single-dh-use configured.

Conditions:
14.1 with TLS1.3 single-dh-use.

Impact:
Connection failure in 14.1 versions.

Workaround:
Disable single-dh-use, or disable tls1.3.

Fix:
14.1 now supports TLS1.3 single-dh-use and hello retry on serverside.

Fixed Versions:
17.1.0, 15.1.4, 14.1.3

934393-1 : APM authentication fails due to delay in sessionDB readiness

Links to More Info: BT934393

Component: Access Policy Manager

Symptoms:
APM Authentication fails, and apmd cores when trying to connect to sessionDB.

Conditions:
-- APM configured.
-- SAML SP configured.

Impact:
It takes a long time to create the configuration snapshot. Authentication fails and apmd cores.

Workaround:
Restart all services by entering the following command:
tmsh restart /sys service all

Note: Restarting all services causes temporary traffic disruption.

Fix:
The sessionDB readiness has been corrected so that authentication succeeds.

Fixed Versions:
17.1.0, 15.1.4, 14.1.3

930393 : IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration

Links to More Info: BT930393

Component: TMOS

Symptoms:
-- IPsec tunnel does not start.
-- Remote IPsec networks unavailable.

Conditions:
-- Using IKEv1 and one of the following:
   + Performing an upgrade.
   + IPsec tunnel reconfiguration generally involving a change to, or addition of, a traffic-selector.

Impact:
IPsec tunnel is down permanently.

Workaround:
-- Reconfigure or delete and re-create the traffic selectors associated with the IPsec tunnel that does not start.

Special Notes:
-- This occurs rarely and does not happen spontaneously, without intentional changes (reconfiguration or upgrade).
-- A BIG-IP reboot or a restart of tmipsecd does not resolve this condition.
-- This symptom might also occur due to a genuine misconfiguration.
-- After major version upgrades, default ciphers can change, double-check the encryption and authentication ciphers for the tunnel.

Fixed Versions:
17.1.0

930385-2 : SSL filter does not re-initialize when an OCSP object is modified

Links to More Info: BT930385

Component: Local Traffic Manager

Symptoms:
Create an OCSP object using DNS resolver ns1, associate the OCSP object to SSL profile and a virtual.

Then, modify the OCSP object to DNS resolver ns2.

After the modification, wait for cache-timeout and cache-error-timeout and then connect to virtual again. The nameserver contacted is still ns1.

Conditions:
An OCSP object is configured and modified.

Impact:
The wrong nameserver is used after modification to the OCSP object.

Fix:
After the fix, the correct nameserver will be contacted after the OCSP object is modified.

Fixed Versions:
17.1.0, 15.1.4, 14.1.3

928029-1 : Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis

Links to More Info: BT928029

Component: TMOS

Symptoms:
Wrong popup message for switchboot popup "This will restart the chassis. Continue?".

Conditions:
Run "switchboot" command

Impact:
A confusing popup message is displayed.

Workaround:
NA

Fix:
Updated the switchboot popup message "This will restart BIG-IP tenant. Continue?"

Fixed Versions:
17.1.0, 15.1.4, 14.1.3

925469 : SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo

Links to More Info: BT925469

Component: TMOS

Symptoms:
When using the Certificate Order Manager to request new Multi-Domain certificate from the Sectigo Certificate Authority (CA), the request the BIG-IP sends is missing the field 'subjectAltName'.

Conditions:
-- Certificate Order Manager is configured to send requests to the Comodo/Sectigo CA.

-- Configure a new key with Subject Alternative Name (SAN).

Impact:
The BIG-IP system sends a request to the Sectigo CA that is missing the 'subjectAltName' field. That makes Certificate Order Manager not suitable for requesting Multi-Domain certificates.

Workaround:
There is no workaround other than not using Certificate Order Manager for Multi-Domain certificates.

Fixed Versions:
17.1.0

922737 : TMM crashes with a sigsegv while passing traffic

Links to More Info: BT922737

Component: SSL Orchestrator

Symptoms:
TMM crashes with a sigsegv while passing traffic.

Conditions:
Virtual server with a Connector profile that redirects to an internal virtual server on the same BIG-IP system.
Or
Service profile on the VIP causes TMM restarts.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
None

Fixed Versions:
17.1.0

922413-9 : Excessive memory consumption with ntlmconnpool configured

Links to More Info: BT922413

Component: Local Traffic Manager

Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client side connections. It holds HTTP authentication headers which is no longer necessary once a client is authenticated.

Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.

Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.

Workaround:
None.

Fix:
When an NTLM Conn Pool profile is attached to a virtual server, it no longer causes memory pressure on a large number connections with NTLM authentication.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7

921149 : After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy

Links to More Info: BT921149

Component: TMOS

Symptoms:
All Bandwidth Controller (BWC) stats are 0 (zero) even though traffic is passing.

Conditions:
-- A BWC policy is attached to a virtual server.
-- The virtual server with the attached BWC policy is modified.

Impact:
The system disassociates the BWC policy from the virtual server. Traffic is no longer throttled according to the policy rules.

Workaround:
To reattach the policy, detach the Bandwidth Controller policy from the virtual server, and then reapply it.

Fixed Versions:
17.1.0

919357 : iControl REST hardening

Links to More Info: K22505850, BT919357

919305-1 : Appliance mode is not working on BIG-IP 14.1.x tenant deployed on VELOS.

Links to More Info: BT919305

Component: TMOS

Symptoms:
Appliance mode does not enable on BIG-IP 14.1.x tenants deployed on VELOS.

Conditions:
A BIG-IP 14.1.3 tenant is deployed on VELOS with Appliance Mode enabled.

Impact:
The appliance mode restriction is not working as expected. The root account still has bash access.

Workaround:
N/A

Fix:
Appliance mode will now function when configured on a BIG-IP tenant deployed on VELOS.

Fixed Versions:
17.1.0, 15.1.4

911629-5 : Manual upload of LiveUpdate image file results in NULL response

Links to More Info: BT911629

Component: Application Security Manager

Symptoms:
When uploading a LiveUpdate image file from the GUI, the upload fails.

In /var/log/restjavad.0.log you see the following error:

[SEVERE][768][25 May 2020 05:38:20 UTC][com.f5.rest.workers.liveupdate.LiveUpdateFileTransferWorker] null

Conditions:
LiveUpdate images are uploaded manually.

Impact:
LiveUpdate images fail to upload.

Workaround:
1. Upload the file to LiveUpdate files directory '/var/lib/hsqldb/live-update/update-files' on the host.

2. Send a POST request with the filename for inserting the file to the LiveUpdate
 database:
* url : https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/update-files
* payload - json:
{ "filename": "<FILE_NAME>",
  "fileLocationReference": {"link": "<FILE_NAME>"}}

3. Get the file link reference:
   https://{{big_ip1}}/mgmt/tm/live-update/asm-attack-signatures/update-files?$filter=filename eq '<FILE_NAME>'

4. From the response copy the "selfLink" part :
   "selfLink": "https://localhost/mgmt/tm/live-update/asm-attack-signatures/update-files/<UPDATE_FILE_ID>"

5. Create a POST request with the value above for creating a new installation record:
* url : https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/installations
* payload - json:
{ "updateFileReference": {
        "link": "https://localhost/mgmt/tm/live-update/asm-attack-signatures/update-files/<UPDATE_FILE_ID>"}
}

6. Now the file is available to install it from the GUI.

7. Another option is to install it via the PATCH request and the installation_id from the response received at step 5:
* url: https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/installations/<INSTALLATION_ID>
* payload: { "status" : "install" }

Fixed Versions:
17.1.0, 15.0.1.4, 14.1.2.8

911585-1 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval

Links to More Info: BT911585

Component: Policy Enforcement Manager

Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.

Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)

Impact:
Session is not established.

Workaround:
None.

Fix:
Enhanced application to accept new sessions under problem conditions.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7

909673-2 : TMM crashes when VLAN SYN cookie feature is used on iSeries i2x00 and i4x00 platforms

Links to More Info: BT909673

Component: TMOS

Symptoms:
TMM crashes when VLAN SYN cookie feature is used.

Conditions:
-- Configuring for VLAN SYN cookie use.
-- Running on iSeries i2800/i2600 and i4800/i4600 platforms.

Impact:
Tmm crashes and traffic processing stops. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
VLAN SYN cookie processing now functions as expected.

Fixed Versions:
17.1.0, 15.1.0.4

905937 : TSIG key value logged in plaintext in log

Component: TMOS

Symptoms:
TSIG key is logged in /var/log/audit in clear text.

Conditions:
- TSIG key in the config.
- Key created via tmsh ltm dns tsig-key command

Impact:
TSIG key is logged in audit log file in clear text.

Fixed Versions:
17.1.0

904661-6 : Mellanox NIC speeds may be reported incorrectly on Virtual Edition

Links to More Info: BT904661

Component: TMOS

Symptoms:
Speeds for Mellanox NICs on BIG-IP Virtual Edition may be reported incorrectly. The behavior varies depending on what driver is in use:
- Speeds are always reported as 10G when the mlxvf5 driver is used, regardless of the actual speed of the interface.
- Speeds are reported as either 10G or 40G when the xnet driver is used. This is accurate unless the actual NIC speed is greater than 40G, in which is it will still be reported as 40G.

Conditions:
-- BIG-IP Virtual Edition
-- Using a Mellanox NIC with the mlxvf5 or xnet driver

Impact:
Possibly incorrect media speed reported. (Actual speed is correct, regardless of what is displayed.)

Fixed Versions:
17.1.0

897045 : Add support of BrainpoolP384r1 and Brainpool256r1

Component: Local Traffic Manager

Symptoms:
Support for BrainpoolP384r1 and Brainpool256r1 is not available in Cipher rule creation

Conditions:
You wish to configure TLS that uses these curves.

Impact:
You are unable to assign BrainpoolP384r1 and Brainpool256r1 curves to a Cipher rule.

Workaround:
None

Fix:
Support of brainpool curves is added for these functionalities:
   - Import of certificate/Key generated using brainpool256r1 /brainpool384r1
   - DH-group and signature algorithm can be customized for usgae of brainpool curve with TLS1.2 and TLS1.3.
   - Support this curve negotiation in both clientssl and serverssl side SSL handshakes
   - Support client authentication

Fixed Versions:
17.1.0

890917 : Performance may be reduced while processing SSL traffic

Links to More Info: K56412001, BT890917

889605-4 : iApp with Bot profile is unavailable if application folder includes a subpath

Links to More Info: BT889605

Component: iApp Technology

Symptoms:
iApp with Bot profile is unavailable if the application folder includes a subpath. If the subpath is not present then iApp with bot profile is available.

Conditions:
1) Create default "Bot Protection" or "Web Application Comprehensive Protection" with an enabled "Bot Defense" use case in WGC without a virtual server.
2) Go to "iApps >> Application Services: Applications" and refer to the created iApp.

Impact:
iApp cannot be loaded when tried to open through iApps >> Applications view in TMUI.

Workaround:
View the configuration created from Guided configuration as mentioned: iApps >> Application Services >> Applications LX menu

Fix:
Open the iApps >> Applications view in TMUI and load the iApp.

Fixed Versions:
17.1.0

886649 : Connections stall when dynamic BWC policy is changed via GUI and TMSH

Links to More Info: BT886649

Component: TMOS

Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.

Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.

Impact:
Connection does not transfer data.

Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1

886533 : Icap server connection adjustments

Links to More Info: BT886533

Component: Application Security Manager

Symptoms:
Request getting to the ICAP server takes a long time to process (several seconds), which makes the whole transaction slower than expected. When testing the connection to the ICAP server itself, you determine that it is fast.

Conditions:
This happens especially with large file uploads that are mixed with smaller file uploads. The smaller uploads are waiting for the bigger upload.

Impact:
Slow responses to specific requests.

Workaround:
None.

Fix:
This release provides greater responsiveness of the internal queue to the ICAP thread.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1

884541 : Improper handling of cookies on VIPRION platforms

Component: Local Traffic Manager

Symptoms:
Some cookies are not always removed after the logout on VIPRION platforms

Conditions:
Mutli-slot VIPRION, vcmp guest or f5os tenant.

Impact:
The session cookie is not invalidated as expected

Workaround:
None

Fix:
Cookies are always deleted on logout.

Fixed Versions:
17.1.0

841513 : Client OS agent in Access Policy added iPadOS categorization option

Component: Access Policy Manager

Symptoms:
iPadOS is categorized as iOS.

Conditions:
Use F5 Access for iPadOS to access webtop or establish VPN.

Impact:
Client OS agent in Access Policy does have an iPadOS categorization option

Fix:
iPadOS option is added to Client OS agent in Access Policy.

Fixed Versions:
17.1.0

832133 : In-TMM monitors fail to match certain binary data in the response from the server

Links to More Info: BT832133

Component: In-tmm monitors

Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system marks them DOWN.

Conditions:
This issue occurs when all of the following conditions are met:

- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).

- One or more TCP or HTTP monitors specify a receive string using HEX encoding, in order to match binary data in the server's response.

- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.

Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.

Workaround:
Either one of the following workarounds can be used:

- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.

- Do not monitor the application through a binary response (if the application allows it).

Fix:
The monitor finds the recv string and shows the pool or member as available.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7

819645 : Reset Horizon View application does not work when accessing through F5 APM

Links to More Info: BT819645

Component: Access Policy Manager

Symptoms:
You are unable to reset VMware applications from a Windows VM client, Android VM client or HTML5 client.

Conditions:
-- VMware Horizon Proxy configured via an iApp on APM
-- Access the VM applications via APM webtop through native client /HTML5 client for windows or access applications via native client on android

Impact:
Impaired reset option functionality

Fixed Versions:
17.1.0

785933 : PKCE support for BIG-IP as a Client

Component: Access Policy Manager

Symptoms:
The BIG-IP system does not support PKCE for OAuth clients.

Conditions:
-- BIG-IP APM configured as an OAuth Authorization Server.
-- The environment requires PKCE

Impact:
You are unable to configure PKCE not the BIG-IP system.

Workaround:
None

Fix:
When BIG-IP requests access to the system as a client, a code challenge is sent along with authorization details to the authorization server to obtain the authorization code. In the token request, a code verifier is sent to the token endpoint along with the authorization code. Therefore, the server compares the code verifier to the code challenge and performs the proof of possession.

Fixed Versions:
17.1.0

785197 : binutils vulnerability CVE-2019-9075

Links to More Info: K42059040

760496 : Traffic processing interrupted by PF reset

Links to More Info: BT760496

Component: TMOS

Symptoms:
CPU usage increases after PF reset. Traffic between client and server is interrupted.

Conditions:
-- E710 NICs are used.
-- Reset PF.

Impact:
The BIG-IP instance requires a restart after PF reset to resume traffic processing.

Workaround:
Restart the BIG-IP device.

Fix:
A TMSH db variable ve.ndal.exit_on_ue, is introduced to enable/disable device restart on PF reset. On restart, a new error message within /var/log/tmm is written. Error message: "Restarting TMM on unrecoverable error."

Fixed Versions:
17.1.0

751719 : UDP::hold/UDP::release does not work correctly

Links to More Info: BT751719

Component: Carrier-Grade NAT

Symptoms:
UDP::hold/UDP::release do not work properly. Connections cannot be deleted and tmm logs an error:

crit tmm14[38818]: 01010289:2: Oops @ 0x2b6b31b:7903: Flow already has peer. Tried to overwrite.

Conditions:
iRule with UDP::hold/UDP::release

Impact:
UDP::hold/UDP::release does not work correctly

Fix:
UDP::hold/UDP::release now works correctly

Fixed Versions:
17.1.0

750723-1 : Incorrect bad-actor stats for IGMP fragment flood vector

Links to More Info: BT750723

Component: Advanced Firewall Manager

Symptoms:
For incorrect fragments, the bad actor stats for the IGMP fragment flood vector are displayed incorrectly.

Conditions:
When a DoS attack is sent for IGMP fragment flood vectors with incorrect fragments.

Impact:
Incorrect stats

Workaround:
None

Fix:
With this change, the stats are displayed correctly.

Fixed Versions:
17.1.0, 15.1.0

748886 : Virtual server stops passing traffic after modification

Links to More Info: BT748886

Component: Local Traffic Manager

Symptoms:
A virtual server stops passing traffic after changes are made to it.

Conditions:
-- Virtual server is using a port-list or address-list
-- High availability (HA) environment with multiple traffic groups
-- A change is made to the virtual server

Impact:
Every time you make changes to the virtual server, the traffic-group for the virtual address is changed, and traffic goes down.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1

740321 : iControl SOAP API does not follow current best practices

Links to More Info: K50310001, BT740321

672374 : Support of Elliptic Curve Digital Signature Algorithm (ECDSA) for DNSSEC and SHA-384 DS Records

Component: Global Traffic Manager (DNS)

Symptoms:
The BIG-IP system does not support ECDSA, which is important for DNS software vendors to comply with DNS standards.

Conditions:
Zone creation with ECDSA algorithms

Impact:
Won't be able to configure ECDSA keys.

Workaround:
None

Fix:
Now able to configure the ECDSA keys.

Fixed Versions:
17.1.0

662301 : 'Unlicensed objects' error message appears despite there being no unlicensed config

Links to More Info: BT662301

Component: TMOS

Symptoms:
An error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.

Examination of the configuration and license shows that there are no configuration errors or unlicensed configuration objects. The device is operational.

Conditions:
The BIG-IP system is licensed and the configuration loaded.

Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.

Workaround:
On an appliance, restart mcpd by running the following command:

    bigstart restart mcpd

On a VIPRION or vCMP guest running on a VIPRION, restart MCPD on all blades by running the following command:

    clsh bigstart restart mcpd

Note: This causes a system to go offline while services restart. Traffic disrupted while services restart.

Fixed Versions:
17.1.0

652793 : "Signature Update Available" message is not cleared by UCS load/sync

Links to More Info: BT652793

Component: Application Security Manager

Symptoms:
If the most recent Signature Update was loaded by device group sync or UCS load, the "Signature Update Available" message is never cleared out.

Conditions:
ASM provisioned and "Signature Update Available" was indicated prior to loading the most recent Signature Update by device group sync or UCS load.

Impact:
The "Signature Update Available" message is never cleared out.

Fixed Versions:
17.1.0

651029 : Sensitive information exposed during incremental sync

Component: TMOS

Symptoms:
A device group using incremental sync may not properly handle values that should be protected by Secure Vault.

Conditions:
A device group configured to use incremental sync.

Impact:
Some values that should be protected by Secure Vault are not encrypted as expected.

Workaround:
N/A

Fix:
Secure configuration values are encrypted as expected.

Fixed Versions:
17.1.0

607697 : Improve 407 based authentication to allow flexible support for Basic, NTLM and Kerberos

Component: Access Policy Manager

Symptoms:
BIG-IP can only identify users based on NTLM Auth credentials, not combined with Kerberos and Basic.
Not all clients are capable of NTLM authentication (or behave erratically when HTTPS comes on top like Apple Safari on MacOS) and not all are capable of Kerberos authentication.
BIG-IP benefits from the speed and security of Kerberos authentication while leaving the option for the client to fall back to NTLM if the client is not able to present a Kerberos token instead of falling back directly to insecure Basic authentication.

Conditions:
In APM access policy, APM needs to have an option to authenticate user accounts with a 407 response and offer Kerberos, NTLM and Basic together.

Impact:
- performance lacks due to the regular authentications happening between the F5 SWG and the Active Directory. All requests for each element get a 407 back for another NTLM authentication that then leads to a communication between the SWG and the AD domain controller. If this were Kerberos the SWG would just need to verify if the Kerberos token is still valid.

- If a client does not support NTLM it has no chance to authenticate although it might still support basic authentication.

Workaround:
None

Fix:
None.

Fixed Versions:
17.1.0

586948 : Dynamic toggling for HSB hardware checksum validation

Component: TMOS

Symptoms:
Disabling hardware checksum validation on BIG-IP requires manually editing a config tcl file and restarting TMM.

Conditions:
- Configuring HSB hardware checksum validation.

Impact:
None

Workaround:
None

Fix:
HSB hardware checksum validation can now be configured by using the new DB variable "tmm.hsb.hwchecksumvalidation".

When the value of this DB variable is changed, the HSB will be updated immediately without requiring a TMM restart.

Fixed Versions:
17.1.0

490138 : Kerberos Auth might fail in case BIG-IP is configured with multiple AAA Kerberos Servers

Component: Access Policy Manager

Symptoms:
In case BIG-IP is configured with multiple AAA Kerberos Server objects and those Kerberos Server uses different keytabs for different service account but for the same realm,
authentication may fail intermittently

Conditions:
- multiple AAA Kerberos Servers created
- AAA Kerberos servers are configured with different keytabs
- the keytabs are for different service accounts but for the same realm

Impact:
Kerberos authentication fails, user cannot log in

Workaround:
As a workaround, it is suggested to merge keytab files and use cumulative keytab file for all AAA Kerberos Servers

Administrator can merge keytab files with "ktutil" kerberos utility that is installed at BIG-IP.
1. run ktutil
2. load all the keytab files to merge using:
rkt <file>
3. you cal list currently loaded entries with "l"
4. after you load all required keytabs, save new keytab with
wkt <newfile>

Fixed Versions:
17.1.0

1224125 : When you upgrade to 16.1.3.2 or 17.1, keys that are not approved in FIPS 140-3 are permitted to be used.

Links to More Info: BT1224125

Component: TMOS

Symptoms:
As part of the upgrade from older versions to 16.1.3.2 and 17.1, the use of non-approved keys as per FIPS 140-3 standards is permitted for RSA keys with a length of 1024 and 512 bits, as well as for EC521, DSA, and SM2 keys.
It should be noted that the creation of new keys is not permitted.

Conditions:
The FIPS 140-3 non-approved ciphers, that is, RSA keys with a length of 1024 and 512 bits, EC521, DSA and SM2 keys are only permitted in the following cases:
1) When upgrading from the older versions to FIPS 140-3 supported versions (16.1.3.2 and 17.1)
2) Importing UCS from the older versions to FIPS 140-3 supported versions (16.1.3.2 and 17.1)

Impact:
Non-Approved keys could exist in the configuration after the BigIP version upgrade and UCS installation on a FIPS 140-3 approved system.

Workaround:
When upgrading or installing UCS, ensure that you do not use any non-approved ciphers (as per FIPS 140-3) in the configuration.

Fix:
Added a warning message in /var/log/ltm when non-approved keys are imported during upgrade or UCS installation

Sample log:
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b5004e:4: /Common/TEST_KEY_SI_2.key: FIPS 140-3 mode does not support the use of key sizes 512 and 1024.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b5004e:4: /Common/TEST_KEY_SI_23.key: FIPS 140-3 mode does not support the use of key sizes 512 and 1024.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50050:4: /Common/TEST_KEY_TYPE_DSA2.key: FIPS 140-3 mode does not support the use of private and public keys of type DSA and SM2.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50050:4: /Common/TEST_KEY_TYPE_DSA.key: FIPS 140-3 mode does not support the use of private and public keys of type DSA and SM2.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50052:4: /Common/TEST_KEY_curve3.key: FIPS 140-3 mode does not support EC curve secp521r1.

Fixed Versions:
17.1.0

1214073 : LACP Trunks are not created in TMM on R2800/R4800 platforms.

Component: Local Traffic Manager

Symptoms:
When a BIG-IP tenant is launched with LACP trunks on R2800/R4800 platforms, LACP Trunk is not being created at the TMM level.

Conditions:
When LACP Trunk is created with a VLAN associated to it and a tenant is launched with VLAN associated to LACP Trunk.

Impact:
LACP Trunks will not be created in TMM level.

Workaround:
Change the distribution hash configuration of the LACP Trunk being attached to the tenant on the platform.

Fixed Versions:
17.1.0

1214069 : Potential data leak inside Ethernet padding field on VELOS architecture products

Component: Local Traffic Manager

Symptoms:
Padding bytes added by TMM to bring packets up to the minimum Ethernet frame length of 64 bytes may contain contents of TMM's CPU memory.

Conditions:
Issue can occur whenever TMM creates a packet that is shorter than the 64 byte Ethernet minimum transmitted on a VELOS architecture platform.

Impact:
An unintentional leak of TMM memory contents in the Ethernet padding on VELOS architecture platforms.

Workaround:
Upgrade to latest BIG-IP version.

Fix:
Ethernet minimum frame padding explicitly zeroed by the TMM's data path driver used on VELOS architecture products.

Fixed Versions:
17.1.0

1211885 : Zone Based DDoS upgrade fails from 15.1.8 to 15.1.8.1

Component: Advanced Firewall Manager

Symptoms:
If the protected zone feature is enabled and configured, when the BIG-IP is upgraded from 15.1.8 to 15.1.8.1, then the loading of the configuration will fail as the feature is disabled in the 15.1.8.1 build.

Conditions:
Zone based DDoS feature enabled and provisioned on release 15.1.8.

Impact:
Upgrade from 15.1.8 to 15.1.8.1 will fail when the protected-zone object is provisioned in release 15.1.8 and the user upgrades to 15.1.8.1.

Note: The variable dos.protectedzone will be enabled by default in future releases (17.1.0, 16.1.4, and 15.1.9). Upgrading to a future releases will be successful.

Workaround:
Enable the variable dos.protectedzone manually and reload the configuration. The protected-zone configuration will load successfully.

Fix:
Enable the variable dos.protectedzone manually and reload the configuration. The protected-zone configuration will load successfully.

Fixed Versions:
17.1.0

1211341 : Failed to delete custom monitor after dissociating from virtual server

Component: Global Traffic Manager (DNS)

Symptoms:
When dissociated from virtual server, unable to delete custom monitor.

Conditions:
- Dissociate the custom monitor from virtual server
- Delete the custom monitor

Impact:
Unable to delete custom monitor.

Workaround:
None

Fix:
The custom monitor can be deleted after dissociating from virtual server.

Fixed Versions:
17.1.0

1211021 : Enforcement does not happen for entries in new and modified IPI feed lists due to lock issues

Component: Advanced Firewall Manager

Symptoms:
Entries added or updated in IP Intelligence (IPI) feed lists are not enforced. This occurs when threads in Dynamic White or Black Daemon (DWBLD) module are in deadlock.

Conditions:
- IPI license is enabled.
- Feed lists and policies are configured.

Impact:
Enforcement of entries in new and updated IPI feed lists does not happen.

Workaround:
Run the command "bigstart restart dwbld" to resolve the issue.

Check for "Empty items" message in /var/log/dwbld.log. If same message is seen for more than 100 times continuously, threads are in lock state and we can recover by restarting DWBLD module.

Fix:
The function "set_curl_state" was returning without unlocking mutex in a condition.
The mutex is now unlocked appropriately and prevents locking up of DWBLD threads.

Fixed Versions:
17.1.0

1210433 : Conversion between virtual-wire VLAN and normal VLAN

Component: Local Traffic Manager

Symptoms:
In tenant-based platforms, VLAN can be configured on the tenants. On platforms supported with virtual-wire, adding a virtual-wire would cause a conversion of normal VLAN to virtual-wire VLAN and vice-versa. After conversion, the following error message is displayed.
01070712:3: Internal error, object is not in a folder: type: vlan id: /Common/vlan-11-31.
This issue has been fixed with this.

Conditions:
Virtual-wire enabled tenants to see this issue.

Impact:
The tenant will not become operationally up.

Workaround:
None

Fix:
With the fix, normal VLAN and virtual-wire VLAN can co-exist.

Fixed Versions:
17.1.0

1209197 : Gtmd crash SIGSEGV - OBJ_sn2nid() in

Component: Local Traffic Manager

Symptoms:
The crash occurs while importing or exporting a key or certificate to the BIG-IP.

Conditions:
While importing the exported buffer, an improper initialization of the variable may create a condition leading to the crash.

Impact:
Tmm gets cored.

Workaround:
None

Fix:
Added a fix to handle this issue. Initialized the variable to 0. Hence, it will not have any other value which can be used for fetching the PEM string information.

Fixed Versions:
17.1.0

1208989 : Improper value handling in DOS Profile properties page

Component: Application Security Manager

Symptoms:
The DOS Profile properties page incorrectly renders certain data in the UI.

Conditions:
N/A

Impact:
Improper rendering of the DOS Profile.

Workaround:
N/A

Fix:
The DOS Profile Properties page now renders data correctly.

Fixed Versions:
17.1.0

1208529 : TMM crash when handling IPSEC traffic

Component: TMOS

Symptoms:
A TMM crash may occur when handling certain packets using an IPSEC listener.

Conditions:
An IPSEC listener processing traffic

Impact:
Core detected

Workaround:
N/A

Fix:
Connections are processed as expected.

Fixed Versions:
17.1.0

1208001 : iControl SOAP vulnerability CVE-2023-22374

Links to More Info: K000130415

1207661 : Datasafe UI hardening

Component: Fraud Protection Services

Symptoms:
The Datasafe UI does not follow best security practices.

Conditions:
N/A

Impact:
N/A

Workaround:
Restrict access to the BIG-IP control plane to only trusted users.

Fix:
The Datasafe UI now follows best practices.

Fixed Versions:
17.1.0

1207593 : Secure Shell (SSH) to BIG-IP is failing

Links to More Info: BT1207593

Component: TMOS

Symptoms:
Secure Shell (SSH) connection with the aes128-gcm and aes256-gcm ciphers to BIG-IP fails.

Conditions:
When you explicitly try to establish the connection using aes128-gcm and aes256-gcm ciphers.

Impact:
BIG-IP is unable to match the cipher requirement and an SSH connection is unable to establish.

Workaround:
Make use of other ciphers (aes128-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc) other than aes128-gcm and aes256-gcm.

Fix:
The aes128-gcm and aes256-gcm ciphers have been added. Now, the BIG-IP will be reachable with SSH using these ciphers.

Fixed Versions:
17.1.0

1205049 : Unable to access pages of global settings for GSLB, Zones, and Keys

Component: Global Traffic Manager (DNS)

Symptoms:
The pages containing global settings of GSLB, Zones, and Keys do not load in TMUI.

Conditions:
The BIG-IP box is provisioned with a DNS licence(and GTM licence as well if DNS WideIP capability is required).

Impact:
It is not possible to configure the global settings of GSLB, Zones and Keys.

Workaround:
Open DNS -> Setting - Caches before opening the pages where the issue is observed. This needs to be done once a session.
And afterward, other pages should show correctly.

Fix:
The pages load successfully.

Fixed Versions:
17.1.0

1200985 : While disabling Mobile Application type through WebUI, 'Mobile Identifier - Request Headers' list is getting set to null

Component: Bot Defense

Symptoms:
While disabling Mobile Application type through WebUI, the 'Mobile Identifier - Request Headers' list is deleted.

Conditions:
- Disabling and enabling Mobile Application type through WebUI.

Impact:
The 'Mobile Identifier - Request Headers' list is deleted.

Workaround:
Disable or enable Mobile Application type through TMSH.

Fix:
The 'Mobile Identifier - Request Headers' list is being preserved when enabling or disabling Mobile Application type.

Fixed Versions:
17.1.0

1200929 : GTM configuration objects larger than 16384 bytes can cause the GTM sync process to hang

Links to More Info: BT1200929

Component: Global Traffic Manager (DNS)

Symptoms:
If GTM objects larger than 16384 bytes are created, then the GTM sync process will not complete. In addition, the gtm_add process (which requests a GTM sync for all objects) will not complete.

Following is the symptom for gtm_add:
After "Retrieving remote GTM configuration...", the process will pause for 300 seconds (5 minutes), and then exit, with a message "Syncer failed to retrieve configuration".

For a normal GTM sync, where gtm_add is not being used, the symptom is that the synchronisation of configuration changes is not working.

Conditions:
The presence of any MCPD object in the GTM configuration (/config/bigip_gtm.conf) which is larger than 16384 bytes, for example a large GTM rule.

Note: The GTM iRules are distinct from LTM iRules. Only GTM objects, such as GTM rules (applied to wideIPs) are relevant to this issue.

Impact:
Unable to complete GTM sync, unable to add a new GTM into the sync group.

Workaround:
Reduce the size of the problematic object to lower than 16384 bytes. For example, if the issue is with a GTM iRule, then try removing comments, blank lines, or unnecessary log statements that do not affect the functionality of the rule.

Fix:
None

Fixed Versions:
17.1.0

1196665 : Required TCAM rules are deleted when virtual server configuration is modified

Links to More Info: BT1196665

Component: TMOS

Symptoms:
All TCAM rules of a virtual server, that has active protection offloaded to hardware, are deleted when a VLAN is removed from the VLAN list of the virtual server. The protection is handled in software afterwards.

Conditions:
- Virtual server is configured with an enable VLAN list.
- Security or SYN cookie protection is activated and offloaded to hardware.
- A VLAN is deleted from the VLAN list of the virtual server.

Impact:
The activated protection is handled by software only.

Workaround:
None

Fix:
Updated TCAM rule management logic of deleting VLANs, TCAM rules of a virtual server are not deleted.

Fixed Versions:
17.1.0

1196401 : Restarting TMM does not restart APM Daemon

Component: Access Policy Manager

Symptoms:
Due to asynchronous nature of TMM threads and APM plugin channel threads, a core can trigger when TMM exited and APM Daemon (APMD) is still available with earlier TMM plugin handlers.

Conditions:
When TMM restarts and APM still has old TMPLUGIN handle (which will become invalid eventually).

Impact:
Might observe APMD core.

Workaround:
Restart APM, when TMM is restarted.

Fix:
Updated TMM bigstart scripts to restart APMD and related tm_plugin services.

Fixed Versions:
17.1.0

1196173 : Bot Defense profile 'API Hostname - Web' configuration is hidden in case of Advanced/Premium service level

Component: Bot Defense

Symptoms:
The Bot Defense (BD) profile 'API Hostname - Web' configuration is hidden in case of Advanced/Premium service level.

Conditions:
- BD profile is configured from webUI
- Advance/Premium Service level is configured

Impact:
The configuration field 'API Hostname - Web' is unavailable in webUI.

Workaround:
Configure 'API Hostname - Web' using TMSH.

Fix:
The BD profile 'API Hostname - Web' configuration is visible when 'Web' application is in scope.

Fixed Versions:
17.1.0

1196033 : Improper value handling in DataSafe UI

Component: Fraud Protection Services

Symptoms:
The DataSafe UI does not properly handle certain requests.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
Requests are now handled as expected.

Fixed Versions:
17.1.0

1195377-2 : Getting Service Indicator log for disallowed RSA-1024 crypto algorithm

Links to More Info: BT1195377

Component: TMOS

Symptoms:
Displaying disallowed algorithm as approved. It must not display approved log for disallowed algorithms when FIPS license is installed on the platform.

Conditions:
- FIPS license is installed on the platform.
- Creating a bit key.

Impact:
Creating keys for approved algorithms only

Workaround:
Change log statements or do not create a key for disallowed algorithms.

Fix:
Approved log for disallowed algorithms is not displayed.

Fixed Versions:
17.1.0

1195177-1 : TMM may crash during hardware offload on virtual-wire setup

Links to More Info: BT1195177

Component: TMOS

Symptoms:
TMM SIGSEGV may crash.

Conditions:
-- ePVA capable HSB based platform.
-- virtual-wire setup.

Impact:
Failover may occur.

Workaround:
Disable hardware offload of virtual-wire flows by setting the 'pva-acceleration' parameter of the related fastl4 profile to 'none'.

Fix:
None

Fixed Versions:
17.1.0

1191333 : AVR pdf or reports display F5 logo instead of YK logo

Component: Application Visibility and Reporting

Symptoms:
F5 logo is displayed on the reports.

Conditions:
- Navigate to Statistics ›› Analytics: CPU
- Click on Export button to download AVR reports in pdf format.

Impact:
In the OEM build, F5 logo is displayed instead of YK logo. This causes inconsistency in branding display.

Workaround:
None

Fix:
None

Fixed Versions:
17.1.0

1189877 : The option /dev/random is depreciated from rndc-confgen with the latest BIND 9.16

Component: Global Traffic Manager (DNS)

Symptoms:
The option /dev/random is deprecated from the rndc-confgen after the BIND upgrade.
The keygen.sysinit scripts using the rndc-confgen with the deprecated option /dev/random leading to the failure in creation of the rndc.key file.
The ZRD daemon waits for the rndc.key but as the key creation failed the daemon waits for the key creation infinitely and will be in a down state.

Conditions:
Upgrade the BIND package from 9.11 to 9.16.

Impact:
The ZRD daemon will be down till the rndc.key is created.

Workaround:
Create the key manually without the deprecated option.


Run the following command:
bigstart stop zrd

rm -f /config/rndc.key
/usr/sbin/rndc-confgen -t /var/named -a -c /config/rndc.key
ln -sf /var/named/config/rndc.key /config/rndc.key
chown -f named:named /var/named/config/rndc.key

bigstart start zrd

Fix:
The issue is fixed by removing the deprecated option when generating the rndc.key.

Fixed Versions:
17.1.0

1187157 : BD crashes when provisioning ASM and AVR together on VIPRION

Component: Application Security Manager

Symptoms:
BD crashes during provisioning of ASM and AVR together on VIPRION.

Conditions:
-Platform is VIPRION.
-Possibly only one slot is used out of many available.

Impact:
BD crashes which leads to reboot of BD services.

Workaround:
N/A

Fix:
Updated BD logic to handle slot names.

Fixed Versions:
17.1.0

1186249 : TMM crashes on reject rule

Links to More Info: BT1186249

Component: Local Traffic Manager

Symptoms:
The TMM crashes when the configuration has a rule that contains a reject in an HTTP_RESPONSE.

Conditions:
The crash happens when this rule is processed after a client has disconnected.

Impact:
TMM crashes every time this condition occurs.

Workaround:
If possible, avoid the use of reject or use HTTP::disable before the reject.

Fix:
Reject can be used without a crash.

Fixed Versions:
17.1.0

1185689 : In Bot Defense, TCP RST is sent if the complete body is not received in client request

Component: Bot Defense

Symptoms:
Client request's connection can get reset with reason "SAAS: not received complete body".

Conditions:
- Bot Defense profile configured with protected endpoint, client request is sent to protected endpoint without complete body.

Impact:
Client request's connection resets with reason "SAAS: not received complete body".

Workaround:
None

Fixed Versions:
17.1.0

1185133 : ILX streaming plugins limited to MCP OIDs less than 10 million

Links to More Info: BT1185133

Component: Local Traffic Manager

Symptoms:
When trying to get started with iRules LX, every script attempted results in the following error:
"Sep 16 11:16:26 pid[6958] streaming tm_register failed"

Conditions:
MCP configuration (MCP OID's) should go beyond 10 million.

Impact:
Unable to run iRules LX streaming plugins.

Workaround:
The below command forces MCPD to load the configuration from the text file with an empty database, thus the OID counter is reset to 0.

bigstart stop
rm -f /var/db/mcpdb*
bigstart start

Fix:
The TMSTAT segment names are limited to 31 characters (not including terminating NUL). With 23 characters used by the constant portion, 8 characters are left for both OID and CPU. The CPU will be 1 or 2 characters, leaving 6 or 7 characters for the OID. When exceeded, the tmstat_create fails.
tmplugin_nodejsplugin_1000000_0 err 0
tmplugin_nodejsplugin_10000000_0 err -1

Change the plugin class from "nodejsplugin" to "nodejs" or similar, to allow 6 more digits of OID space (allowing to 10 trillion).

Fixed Versions:
17.1.0

1184629 : Validate content length with respective to SIP header offset instead of parser offset

Component: Service Provider

Symptoms:
The SIP parser is validating the content length of the SIP message with respective to the parser offset instead of SIP actual header. Validating the content length with parser offset is inaccurate.

Conditions:
The SIP message should have content length greater than zero and should have content.

Impact:
The SIP parser is calculating the SIP message body size inaccurately.

Workaround:
None

Fix:
Validating the content length with respective to SIP header offset instead of parser offset.

Fixed Versions:
17.1.0

1184153 : TMM crashes when you use the rateshaper with packetfilter enabled

Links to More Info: BT1184153

Component: Local Traffic Manager

Symptoms:
Tmm might crash when you use the packet-filter with the packetfilter.established option enabled, and when rate-class is applied via packet-filter rule.

Conditions:
- packet-filter with packetfilter.established option enabled.
  AND
- rate-class is applied via packet-filter rule.

Impact:
TMM crash/failover.

Workaround:
Do not apply rate-class via packetfilter or disable the packetfilter.established option.

Fixed Versions:
17.1.0

1183581 : Encoded URLs are not normalised for protected endpoint check for Advanced/Premium service level for both Web and Mobile requests

Links to More Info: BT1183581

Component: Bot Defense

Symptoms:
Client requests with encoded URL are not normalised for protected endpoint check for Advanced/Premium service level for both Web and Mobile requests. This may cause these requests not to be treated as protected requests.

Conditions:
- In BD profile Advanced/Premium is set as service level
- Client request with encoded URL

Impact:
Requests with encoded URL may not be treated as protected requests.

Workaround:
None

Fixed Versions:
17.1.0

1183565 : Throttle reoccurring FPS warning messages

Component: Fraud Protection Services

Symptoms:
Some FPS warning messages sometimes have a reoccurring pattern.
They can come in overwhelming numbers.

Conditions:
One of the possibilities is client IP change.

Impact:
TMM logs are overwhelmed which causes a crash.

Workaround:
N/A

Fix:
Added a throttling mechanism, that limits warning messages originating from a specific line of code to be printed only once per 30 seconds.

Fixed Versions:
17.1.0

1183553-1 : The platform_mgr core dumps on token renewal intermittently

Links to More Info: BT1183553

Component: F5OS Messaging Agent

Symptoms:
The platform_mgr core dumps on token renewal.

Conditions:
On token renewal, gRPC is adding additional characters to token buffer in initial metadata of gRPC channel.

Impact:
The platform_agent core dumped and configuration related to tenant will be re-fetched on platform_agent startup.

Workaround:
None

Fix:
Token renewal handling is changed to read token considering token's length from initial metadata in gRPC channel.

Fixed Versions:
17.1.0, 15.1.8.1

1183453 : Local privilege escalation vulnerability (CVE-2022-31676)

Links to More Info: K87046687

1183161 : Performance improvement in policy creation/deletion

Component: Application Security Manager

Symptoms:
Policy creation/deletion takes more time than expected.

Conditions:
This issue occurs when there are multiple update_core events within a second.

Impact:
Policy creation/deletion takes time.

Workaround:
NA

Fix:
Performance improvement in policy creation/deletion.

Fixed Versions:
17.1.0

1183033 : TMM Core can occur when client requests are sent with Device ID profile configured and Domain pool is down

Component: Client-Side Defense

Symptoms:
TMM Cores

Conditions:
- Device ID profile configured and attached to a virtual server.
- Domain pool is unreachable or down.
- Certain requests received from the client.

Impact:
Traffic interruption can occur as TMM restarts

Fixed Versions:
17.1.0

1181613 : IPsec IKEv2: BIG-IP version 16.1.0 introduced RFC5996 non-compliance in IKE SA delete

Links to More Info: BT1181613

Component: TMOS

Symptoms:
After the deletion of an IKE SA, the child IPsec SAs will not be deleted.

Conditions:
-- IKEv2 IPsec tunnels
-- Tunnels use Route Domains.
-- An IPsec SA is deleted.

Impact:
The BIG-IP believes it still has valid IPsec SAs to use, while the remote peer does not. In this case, if the BIG-IP is normally the initiator, the tunnel will be unusable until the lifetime expires on the existing IPsec SAs.

Fix:
IPsec SAs are now deleted after the related IKE SA is deleted.

Fixed Versions:
17.1.0

1181345 : Fix for VLAN Group reconfiguration issue when an additional virutal-wire configuration is added on top of deployed tenant

Component: Local Traffic Manager

Symptoms:
Failed to create VLAN group when adding new virtual-wire config with different VLAN on a deployed tenant (reconfiguration issue).

Conditions:
Other virtual-wire configurations are added on top of the deployed tenant.

Impact:
Failed to create VLAN group when adding new virtual-wire config with different VLAN on a deployed tenant.

Workaround:
None

Fix:
With this fix, the VLAN group reconfiguration issue is resolved when an additional virtual-wire configuration is added on top of the deployed tenant.

Fixed Versions:
17.1.0

1178221 : In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT

Links to More Info: BT1178221

Component: TMOS

Symptoms:
When the retransmit happens, and other side is not reachable, the BIG-IP logs the "err packet length does not match field of ikev2 header" and then "ERR dropping unordered message".

Conditions:
Tunnel is established between Initiatior and Responder.
Responder is able to send DPD request. but not able to receive response.

Impact:
Wrong information logged.
DPD response packet corruption.

Workaround:
None

Fix:
Logs will display correct message.
Packet will not corrupt.

Fixed Versions:
17.1.0

1174873 : The location header query string separate is converted from "?" to "%3F" breaking multi-domain

Links to More Info: BT1174873

Component: Access Policy Manager

Symptoms:
In muti-domain Single Sign-On (SSO), the location header query string separate is converted from "?" to "%3F" breaking multi-domain.

Conditions:
- Create an access policy with a redirect to login page.

Impact:
Breaking multi-domain.

Workaround:
None

Fix:
Issue is with the normalized URL function, removed the search filter parameters normalization.

Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3

1174033 : The UPDATE EVENT is triggered with faulty session_info and resulting in core

Links to More Info: BT1174033

Component: Policy Enforcement Manager

Symptoms:
The UPDATE EVENT requires a proper initialization of the session_info which in turn is used to set the tcl pcb's cmdctx. With properly defined cmdctx, the sess_data is populated successfully. But, without proper initialization of the session_info makes the cmdctx to carry incorrect vaules, thus resulting in a core when populating the sess_data.

Conditions:
Enable the Global UPDATE-EVENT option and make sure you log
some session attributes as part of the UPDATE EVENT.

Impact:
Results in a core.

Workaround:
None

Fix:
Triggering UPDATE EVENT is not causing any core.

Fixed Versions:
17.1.0

1173997 : BIG-IP Mac Edge client download failure from connectivity profile

Component: Access Policy Manager

Symptoms:
BIG-IP Mac Edge client download fails from the connectivity profile.

Conditions:
Create a connectivity profile.

Impact:
Mac Edge client download fails from the connectivity profile.

Workaround:
None

Fix:
BIG-IP Mac Edge client downloads successfully.

Fixed Versions:
17.1.0

1173669 : Unable to reach backend server with Per Request policy and Per Session together

Component: Access Policy Manager

Symptoms:
It is observed that backend pool is not reachable.

Conditions:
The OAuth case with Per Request policy and Per Session together.

Impact:
Backend Pool is not reachable.

Workaround:
None

Fix:
Variables pushed with server configuration into per request flow are accessed with last rather than the server configuration.

Fixed Versions:
17.1.0

1173625 : TMM core generate with SIGSEGV - mkv_free()

Component: TMOS

Symptoms:
TMM crash and restart.

Conditions:
TMM is receiving a delete message for a VLAN that does not exist.

Impact:
TMM restart.

Fixed Versions:
17.1.0

1173441 : The 'tmsh save sys config' call is being triggered when REST Authentication tokens (X-F5-Auth-Token) are deleted or expired

Component: TMOS

Symptoms:
The 'tmsh save sys config' call is being triggered when REST authentication tokens (X-F5-Auth-Token) are deleted or expired.

Conditions:
The REST authentication tokens (X-F5-Auth-Token) are deleted or expired.

Impact:
There is no functional impact. However, in the BIG-IPs where there is huge configuration, a 'tmsh save sys config' call takes a lot of time and thus impacts the performance.

Workaround:
None

Fix:
The REST authentication tokens (X-F5-Auth-Token) are deleted or expired without triggering the 'tmsh save sys config' call as the call is unnecessary.

Fixed Versions:
17.1.0

1169105 : Provide download links on BIG-IP for Linux ARM64 VPN Client

Component: Access Policy Manager

Symptoms:
No download links are available in the welcome page in BIG-IP for Linux ARM64 VPN Client.

Conditions:
- Login to BIG-IP.

Impact:
None

Workaround:
None

Fix:
Added download links in BIG-IP for Linux ARM64 VPN Client.

Fixed Versions:
17.1.0

1168309 : Virtual Wire traffic over trunk interface sometimes fail in Tenant based platforms

Component: Local Traffic Manager

Symptoms:
Traffic does not flow through the virtual-wire trunk. Traffic through the interface is not impacted.

Conditions:
When there is an overlap between the DID values of the interface and trunk, virtual-wire traffic does not pass through the trunk.

Impact:
Traffic outage might occur.

Workaround:
None

Fix:
The conflict between Interface DID values and Trunk DID values are avoided, by marking whether the DID value belongs to a trunk or interface.

Fixed Versions:
17.1.0

1168137 : PEM Classification Auto-Update for month is working as hourly

Component: Traffic Classification Engine

Symptoms:
After configuring PEM classification signature auto-update as monthly, but it runs on hourly.

If the update schedule is set to daily or weekly, then the latest IM package is downloaded based on the set update schedule. But, when it is set to monthly, it is working on hourly.

Conditions:
Automatic updates for classification signatures is configured and enabled, and update schedule should be set to monthly.

Impact:
Classification update is not working on monthly basis.

Workaround:
None

Fix:
None

Fixed Versions:
17.1.0

1167941 : CGNAT SIP ALG INVITE loops between BIG-IP and Server

Component: Service Provider

Symptoms:
On an inbound call on the ephemeral listener, if the INVITE message TO header is not registered, and From header is registered, then INVITE is sent out on the ephemeral listener which might cause a loop issue, if the server sends back the INVITE to BIG-IP again.

Conditions:
It occurs with inbound calls.

Impact:
It could lead to performance issue if the loop continues.

Workaround:
Step 1 or 2 can be used as a workaround based on the use case.
1)If the From and To headers are the same, 400 bad response is given.
Also, the packets are dropped in case the destination address is not translated.

ltm rule sip_in_rule {

    when SIP_REQUEST_SEND {
        if {[SIP::method] == "INVITE" && [IP::addr [IP::remote_addr] equals $localAddr]} {
            SIP::discard
        }
    }

    when SIP_REQUEST {
        set localAddr [IP::local_addr]
        set from [substr [SIP::header from] 0 ";"]
        set to [substr [SIP::header to] 0 ";"]
        if {[SIP::method] == "INVITE" && $from equals $to} {
            SIP::respond 400 "Bad Request"
        }
}

(tmos)# modify ltm virtual vs_alg_sip_private { rules { sip_in_rule } }


2)below Irule would drop all inbound calls.

ltm rule sip_drop_rule {
   when MR_INGRESS {
        if { [MR::transport] contains "_$" } {
            MR::message drop
        }
    }
(tmos)# modify ltm virtual vs_alg_sip_private { rules { sip_drop_rule } }

Fix:
BIG-IP will drop the messages in the following cases.
a)If From and To headers are the same in the sip INVITE message.
b)If the SIP INVITE message To header is not registered and From is registered.

Fixed Versions:
17.1.0

1167889-5 : PEM classification signature scheduled updates do not complete

Component: Traffic Classification Engine

Symptoms:
After configuring PEM classification signature updates to run at an defined interval, the updates may not actually occur.

Via tmsh:

   ltm classification auto-update settings { }

via GUI:

   Traffic Intelligence -> Applications -> Signature Update -> Automatic Update Settings


In the /var/log/ltm log, the following message may be seen

mcpd[xxxx]: 01070827:3: User login disallowed: User (guest) is not an administrator, does not have a UID of zero, and has not been assigned a role on a partition.

Conditions:
Automatic updates for classification signatures is configured and enabled.

Impact:
The classification updates do not occur.

Workaround:
Run the classification update manually.